| author | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-04-05 17:36:37 +0000 |
|---|---|---|
| committer | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-04-05 17:36:37 +0000 |
| commit | 0505bad000912a66c4f92c91a72202b9250e4bd5 (patch) | |
| tree | 00d8701ac1f3ee5feadd765c0274e9ff0a95aeac /usr.sbin/bind/bin | |
| parent | 1da54ca1fd7764e567cd4bc055abd54d602773e1 (diff) | |
resolve conflicts
Diffstat (limited to 'usr.sbin/bind/bin')
47 files changed, 3888 insertions, 9699 deletions
diff --git a/usr.sbin/bind/bin/check/named-checkconf.html b/usr.sbin/bind/bin/check/named-checkconf.html index 9973700e3a9..7be9399a37e 100644 --- a/usr.sbin/bind/bin/check/named-checkconf.html +++ b/usr.sbin/bind/bin/check/named-checkconf.html 
@@ -1,216 +1,92 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2002 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2002 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: named-checkconf.html,v 1.5.2.1.4.5 2004/08/22 23:38:57 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->named-checkconf</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->named-checkconf</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->named-checkconf</SPAN -> -- named configuration file syntax checking tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->named-checkconf</B -> [<VAR -CLASS="OPTION" ->-v</VAR ->] [<VAR -CLASS="OPTION" ->-j</VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] (unknown) [<VAR -CLASS="OPTION" ->-z</VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN26" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->named-checkconf</B -> checks the syntax, but not +<!-- $ISC: named-checkconf.html,v 1.5.2.1.4.12 2005/10/13 02:33:42 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>named-checkconf</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">named-checkconf</span> — named configuration file syntax checking tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em 
class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-z</code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525865"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">named-checkconf</strong></span> checks the syntax, but not the semantics, of a named configuration file. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN30" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> chroot to <TT -CLASS="FILENAME" ->directory</TT -> so that include + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525878"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> +<dd><p> + chroot to <code class="filename">directory</code> so that include directives in the configuration file are processed as if run by a similarly chrooted named. - </P -></DD -><DT ->-v</DT -><DD -><P -> Print the version of the <B -CLASS="COMMAND" ->named-checkconf</B -> + </p></dd> +<dt><span class="term">-v</span></dt> +<dd><p> + Print the version of the <span><strong class="command">named-checkconf</strong></span> program and exit. - </P -></DD -><DT ->-z</DT -><DD -><P -> Perform a check load the master zonefiles found in - <TT -CLASS="FILENAME" ->named.conf</TT ->. - </P -></DD -><DT ->-j</DT -><DD -><P -> When loading a zonefile read the journal if it exists. - </P -></DD -><DT ->filename</DT -><DD -><P -> The name of the configuration file to be checked. If not - specified, it defaults to <TT -CLASS="FILENAME" ->/etc/named.conf</TT ->. 
- </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN58" -></A -><H2 ->RETURN VALUES</H2 -><P -> <B -CLASS="COMMAND" ->named-checkconf</B -> returns an exit status of 1 if + </p></dd> +<dt><span class="term">-z</span></dt> +<dd><p> + Perform a check load the master zonefiles found in + <code class="filename">named.conf</code>. + </p></dd> +<dt><span class="term">-j</span></dt> +<dd><p> + When loading a zonefile read the journal if it exists. + </p></dd> +<dt><span class="term">filename</span></dt> +<dd><p> + The name of the configuration file to be checked. If not + specified, it defaults to <code class="filename">/etc/named.conf</code>. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525970"></a><h2>RETURN VALUES</h2> +<p> + <span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN62" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN69" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525982"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526006"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dig/dig.1 b/usr.sbin/bind/bin/dig/dig.1 index b22602e762d..c83d290c634 100644 --- a/usr.sbin/bind/bin/dig/dig.1 +++ b/usr.sbin/bind/bin/dig/dig.1 
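Review bot: In the named-checkconf.html hunk above, the regenerated synopsis still renders the positional argument as the literal text "(unknown)" between the `-t directory` and `-z` options, on both the removed and the added lines, so the page never shows the `filename` argument that its own OPTIONS list documents. The `-z` text "Perform a check load the master zonefiles found in named.conf" is likewise carried over unchanged and is missing a word. Since the new header identifies the file as output of DocBook XSL Stylesheets V1.69.1, both fixes belong in the DocBook XML source with the HTML regenerated, not in a hand edit of this file.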
@@ -1,216 +1,244 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: dig.1,v 1.14.2.4.2.6 2004/06/23 09:11:01 marka Exp $ +.\" $ISC: dig.1,v 1.14.2.4.2.10 2005/10/13 02:33:42 marka Exp $ .\" -.TH "DIG" "1" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. 
+.TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" dig \- DNS lookup utility -.SH SYNOPSIS -.sp -\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ] -.sp -\fBdig\fR [ \fB-h\fR ] -.sp -\fBdig\fR [ \fBglobal-queryopt\fR\fI...\fR ] [ \fBquery\fR\fI...\fR ] +.SH "SYNOPSIS" +.HP 4 +\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...] +.HP 4 +\fBdig\fR [\fB\-h\fR] +.HP 4 +\fBdig\fR [global\-queryopt...] [query...] .SH "DESCRIPTION" .PP -\fBdig\fR (domain information groper) is a flexible tool -for interrogating DNS name servers. It performs DNS lookups and -displays the answers that are returned from the name server(s) that -were queried. Most DNS administrators use \fBdig\fR to -troubleshoot DNS problems because of its flexibility, ease of use and -clarity of output. Other lookup tools tend to have less functionality -than \fBdig\fR. +\fBdig\fR +(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use +\fBdig\fR +to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than +\fBdig\fR. 
.PP -Although \fBdig\fR is normally used with command-line -arguments, it also has a batch mode of operation for reading lookup -requests from a file. A brief summary of its command-line arguments -and options is printed when the \fB-h\fR option is given. -Unlike earlier versions, the BIND9 implementation of -\fBdig\fR allows multiple lookups to be issued from the -command line. +Although +\fBdig\fR +is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the +\fB\-h\fR +option is given. Unlike earlier versions, the BIND9 implementation of +\fBdig\fR +allows multiple lookups to be issued from the command line. .PP Unless it is told to query a specific name server, -\fBdig\fR will try each of the servers listed in +\fBdig\fR +will try each of the servers listed in \fI/etc/resolv.conf\fR. .PP -When no command line arguments or options are given, will perform an -NS query for "." (the root). +When no command line arguments or options are given, will perform an NS query for "." (the root). .PP -It is possible to set per-user defaults for \fBdig\fR via -\fI${HOME}/.digrc\fR. This file is read and any options in it -are applied before the command line arguments. +It is possible to set per\-user defaults for +\fBdig\fR +via +\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments. .SH "SIMPLE USAGE" .PP -A typical invocation of \fBdig\fR looks like: +A typical invocation of +\fBdig\fR +looks like: .sp .nf dig @server name type -.sp .fi +.sp where: .TP \fBserver\fR -is the name or IP address of the name server to query. This can be an IPv4 -address in dotted-decimal notation or an IPv6 -address in colon-delimited notation. When the supplied -\fIserver\fR argument is a hostname, -\fBdig\fR resolves that name before querying that name -server. 
If no \fIserver\fR argument is provided, -\fBdig\fR consults \fI/etc/resolv.conf\fR -and queries the name servers listed there. The reply from the name -server that responds is displayed. +is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied +\fIserver\fR +argument is a hostname, +\fBdig\fR +resolves that name before querying that name server. If no +\fIserver\fR +argument is provided, +\fBdig\fR +consults +\fI/etc/resolv.conf\fR +and queries the name servers listed there. The reply from the name server that responds is displayed. .TP \fBname\fR is the name of the resource record that is to be looked up. .TP \fBtype\fR -indicates what type of query is required \(em -ANY, A, MX, SIG, etc. -\fItype\fR can be any valid query type. If no -\fItype\fR argument is supplied, -\fBdig\fR will perform a lookup for an A record. +indicates what type of query is required \(em ANY, A, MX, SIG, etc. +\fItype\fR +can be any valid query type. If no +\fItype\fR +argument is supplied, +\fBdig\fR +will perform a lookup for an A record. .SH "OPTIONS" .PP -The \fB-b\fR option sets the source IP address of the query -to \fIaddress\fR. This must be a valid address on -one of the host's network interfaces or "0.0.0.0" or "::". An optional port -may be specified by appending "#<port>" +The +\fB\-b\fR +option sets the source IP address of the query to +\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>" .PP The default query class (IN for internet) is overridden by the -\fB-c\fR option. \fIclass\fR is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records. +\fB\-c\fR +option. +\fIclass\fR +is any valid class, such as HS for Hesiod records or CH for CHAOSNET records. 
.PP -The \fB-f\fR option makes \fBdig \fR operate -in batch mode by reading a list of lookup requests to process from the -file \fIfilename\fR. The file contains a number of -queries, one per line. Each entry in the file should be organised in -the same way they would be presented as queries to -\fBdig\fR using the command-line interface. +The +\fB\-f\fR +option makes +\fBdig \fR +operate in batch mode by reading a list of lookup requests to process from the file +\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to +\fBdig\fR +using the command\-line interface. .PP -If a non-standard port number is to be queried, the -\fB-p\fR option is used. \fIport#\fR is -the port number that \fBdig\fR will send its queries -instead of the standard DNS port number 53. This option would be used -to test a name server that has been configured to listen for queries -on a non-standard port number. +If a non\-standard port number is to be queried, the +\fB\-p\fR +option is used. +\fIport#\fR +is the port number that +\fBdig\fR +will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number. .PP -The \fB-4\fR option forces \fBdig\fR to only -use IPv4 query transport. The \fB-6\fR option forces -\fBdig\fR to only use IPv6 query transport. +The +\fB\-4\fR +option forces +\fBdig\fR +to only use IPv4 query transport. The +\fB\-6\fR +option forces +\fBdig\fR +to only use IPv6 query transport. .PP -The \fB-t\fR option sets the query type to -\fItype\fR. It can be any valid query type which is -supported in BIND9. The default query type "A", unless the -\fB-x\fR option is supplied to indicate a reverse lookup. -A zone transfer can be requested by specifying a type of AXFR. 
When -an incremental zone transfer (IXFR) is required, -\fItype\fR is set to ixfr=N. -The incremental zone transfer will contain the changes made to the zone -since the serial number in the zone's SOA record was +The +\fB\-t\fR +option sets the query type to +\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the +\fB\-x\fR +option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, +\fItype\fR +is set to +ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was \fIN\fR. .PP -Reverse lookups - mapping addresses to names - are simplified by the -\fB-x\fR option. \fIaddr\fR is an IPv4 -address in dotted-decimal notation, or a colon-delimited IPv6 address. -When this option is used, there is no need to provide the -\fIname\fR, \fIclass\fR and -\fItype\fR arguments. \fBdig\fR +Reverse lookups \- mapping addresses to names \- are simplified by the +\fB\-x\fR +option. +\fIaddr\fR +is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the +\fIname\fR, +\fIclass\fR +and +\fItype\fR +arguments. +\fBdig\fR automatically performs a lookup for a name like -11.12.13.10.in-addr.arpa and sets the query type and -class to PTR and IN respectively. By default, IPv6 addresses are -looked up using nibble format under the IP6.ARPA domain. -To use the older RFC1886 method using the IP6.INT domain -specify the \fB-i\fR option. Bit string labels (RFC2874) -are now experimental and are not attempted. +11.12.13.10.in\-addr.arpa +and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the +\fB\-i\fR +option. 
Bit string labels (RFC2874) are now experimental and are not attempted. .PP -To sign the DNS queries sent by \fBdig\fR and their -responses using transaction signatures (TSIG), specify a TSIG key file -using the \fB-k\fR option. You can also specify the TSIG -key itself on the command line using the \fB-y\fR option; -\fIname\fR is the name of the TSIG key and -\fIkey\fR is the actual key. The key is a base-64 -encoded string, typically generated by \fBdnssec-keygen\fR(8). -Caution should be taken when using the \fB-y\fR option on -multi-user systems as the key can be visible in the output from -\fBps\fR(1) or in the shell's history file. When -using TSIG authentication with \fBdig\fR, the name -server that is queried needs to know the key and algorithm that is -being used. In BIND, this is done by providing appropriate -\fBkey\fR and \fBserver\fR statements in +To sign the DNS queries sent by +\fBdig\fR +and their responses using transaction signatures (TSIG), specify a TSIG key file using the +\fB\-k\fR +option. You can also specify the TSIG key itself on the command line using the +\fB\-y\fR +option; +\fIname\fR +is the name of the TSIG key and +\fIkey\fR +is the actual key. The key is a base\-64 encoded string, typically generated by +\fBdnssec\-keygen\fR(8). Caution should be taken when using the +\fB\-y\fR +option on multi\-user systems as the key can be visible in the output from +\fBps\fR(1 ) +or in the shell's history file. When using TSIG authentication with +\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate +\fBkey\fR +and +\fBserver\fR +statements in \fInamed.conf\fR. .SH "QUERY OPTIONS" .PP -\fBdig\fR provides a number of query options which affect -the way in which lookups are made and the results displayed. 
Some of -these set or reset flag bits in the query header, some determine which -sections of the answer get printed, and others determine the timeout -and retry strategies. +\fBdig\fR +provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies. .PP -Each query option is identified by a keyword preceded by a plus sign -(+). Some keywords set or reset an option. These may be preceded -by the string no to negate the meaning of that keyword. Other -keywords assign values to options like the timeout interval. They -have the form \fB+keyword=value\fR. -The query options are: +Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string +no +to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form +\fB+keyword=value\fR. The query options are: .TP \fB+[no]tcp\fR -Use [do not use] TCP when querying name servers. The default -behaviour is to use UDP unless an AXFR or IXFR query is requested, in -which case a TCP connection is used. +Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. .TP \fB+[no]vc\fR -Use [do not use] TCP when querying name servers. This alternate -syntax to \fI+[no]tcp\fR is provided for backwards -compatibility. The "vc" stands for "virtual circuit". +Use [do not use] TCP when querying name servers. This alternate syntax to +\fI+[no]tcp\fR +is provided for backwards compatibility. The "vc" stands for "virtual circuit". .TP \fB+[no]ignore\fR -Ignore truncation in UDP responses instead of retrying with TCP. By -default, TCP retries are performed. 
+Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. .TP \fB+domain=somename\fR Set the search list to contain the single domain \fIsomename\fR, as if specified in a -\fBdomain\fR directive in -\fI/etc/resolv.conf\fR, and enable search list -processing as if the \fI+search\fR option were given. +\fBdomain\fR +directive in +\fI/etc/resolv.conf\fR, and enable search list processing as if the +\fI+search\fR +option were given. .TP \fB+[no]search\fR -Use [do not use] the search list defined by the searchlist or domain -directive in \fIresolv.conf\fR (if any). -The search list is not used by default. +Use [do not use] the search list defined by the searchlist or domain directive in +\fIresolv.conf\fR +(if any). The search list is not used by default. .TP \fB+[no]defname\fR -Deprecated, treated as a synonym for \fI+[no]search\fR +Deprecated, treated as a synonym for +\fI+[no]search\fR .TP \fB+[no]aaonly\fR Sets the "aa" flag in the query. .TP \fB+[no]aaflag\fR -A synonym for \fI+[no]aaonly\fR. +A synonym for +\fI+[no]aaonly\fR. .TP \fB+[no]adflag\fR -Set [do not set] the AD (authentic data) bit in the query. The AD bit -currently has a standard meaning only in responses, not in queries, -but the ability to set the bit in the query is provided for -completeness. +Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness. .TP \fB+[no]cdflag\fR -Set [do not set] the CD (checking disabled) bit in the query. This -requests the server to not perform DNSSEC validation of responses. +Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. .TP \fB+[no]cl\fR Display [do not display] the CLASS when printing the record. 
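Review bot: The added line `+\fBps\fR(1 )` in the `-y` paragraph of this dig.1 hunk has a stray space inside the parenthesis, so the rendered page will read "ps(1 )"; it should be `\fBps\fR(1)`, matching the `\fBdnssec\-keygen\fR(8)` reference a few lines earlier. The hunk also emits `.hy 0` and `.ad l` before `.TH` and then `.nh` and `.ad l` again after it, so the hyphenation and adjust directives are issued twice, and `.TH` keeps the "Jun 30, 2000" date on a page regenerated in 2005. Because the new header says the file was generated by the DocBook XSL Stylesheets and should not be edited directly, these, and the pre-existing "When no command line arguments or options are given, will perform an NS query" sentence that lacks its subject, should be corrected in the DocBook source and the man page regenerated.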
@@ -219,170 +247,164 @@ Display [do not display] the CLASS when printing the record. Display [do not display] the TTL when printing the record. .TP \fB+[no]recurse\fR -Toggle the setting of the RD (recursion desired) bit in the query. -This bit is set by default, which means \fBdig\fR -normally sends recursive queries. Recursion is automatically disabled -when the \fI+nssearch\fR or -\fI+trace\fR query options are used. +Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means +\fBdig\fR +normally sends recursive queries. Recursion is automatically disabled when the +\fI+nssearch\fR +or +\fI+trace\fR +query options are used. .TP \fB+[no]nssearch\fR -When this option is set, \fBdig\fR attempts to find the -authoritative name servers for the zone containing the name being -looked up and display the SOA record that each name server has for the -zone. +When this option is set, +\fBdig\fR +attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. .TP \fB+[no]trace\fR -Toggle tracing of the delegation path from the root name servers for -the name being looked up. Tracing is disabled by default. When -tracing is enabled, \fBdig\fR makes iterative queries to -resolve the name being looked up. It will follow referrals from the -root servers, showing the answer from each server that was used to -resolve the lookup. +Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, +\fBdig\fR +makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. .TP \fB+[no]cmd\fR -toggles the printing of the initial comment in the output identifying -the version of \fBdig\fR and the query options that have -been applied. 
This comment is printed by default. +toggles the printing of the initial comment in the output identifying the version of +\fBdig\fR +and the query options that have been applied. This comment is printed by default. .TP \fB+[no]short\fR -Provide a terse answer. The default is to print the answer in a -verbose form. +Provide a terse answer. The default is to print the answer in a verbose form. .TP \fB+[no]identify\fR -Show [or do not show] the IP address and port number that supplied the -answer when the \fI+short\fR option is enabled. If -short form answers are requested, the default is not to show the -source address and port number of the server that provided the answer. +Show [or do not show] the IP address and port number that supplied the answer when the +\fI+short\fR +option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. .TP \fB+[no]comments\fR -Toggle the display of comment lines in the output. The default is to -print comments. +Toggle the display of comment lines in the output. The default is to print comments. .TP \fB+[no]stats\fR -This query option toggles the printing of statistics: when the query -was made, the size of the reply and so on. The default behaviour is -to print the query statistics. +This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics. .TP \fB+[no]qr\fR -Print [do not print] the query as it is sent. -By default, the query is not printed. +Print [do not print] the query as it is sent. By default, the query is not printed. .TP \fB+[no]question\fR -Print [do not print] the question section of a query when an answer is -returned. The default is to print the question section as a comment. +Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. 
.TP \fB+[no]answer\fR -Display [do not display] the answer section of a reply. The default -is to display it. +Display [do not display] the answer section of a reply. The default is to display it. .TP \fB+[no]authority\fR -Display [do not display] the authority section of a reply. The -default is to display it. +Display [do not display] the authority section of a reply. The default is to display it. .TP \fB+[no]additional\fR -Display [do not display] the additional section of a reply. -The default is to display it. +Display [do not display] the additional section of a reply. The default is to display it. .TP \fB+[no]all\fR Set or clear all display flags. .TP \fB+time=T\fR Sets the timeout for a query to -\fIT\fR seconds. The default time out is 5 seconds. -An attempt to set \fIT\fR to less than 1 will result -in a query timeout of 1 second being applied. +\fIT\fR +seconds. The default time out is 5 seconds. An attempt to set +\fIT\fR +to less than 1 will result in a query timeout of 1 second being applied. .TP \fB+tries=T\fR Sets the number of times to try UDP queries to server to -\fIT\fR instead of the default, 3. If -\fIT\fR is less than or equal to zero, the number of -tries is silently rounded up to 1. +\fIT\fR +instead of the default, 3. If +\fIT\fR +is less than or equal to zero, the number of tries is silently rounded up to 1. .TP \fB+retry=T\fR Sets the number of times to retry UDP queries to server to -\fIT\fR instead of the default, 2. Unlike -\fI+tries\fR, this does not include the initial -query. +\fIT\fR +instead of the default, 2. Unlike +\fI+tries\fR, this does not include the initial query. .TP \fB+ndots=D\fR Set the number of dots that have to appear in -\fIname\fR to \fID\fR for it to be -considered absolute. The default value is that defined using the -ndots statement in \fI/etc/resolv.conf\fR, or 1 if no -ndots statement is present. 
Names with fewer dots are interpreted as -relative names and will be searched for in the domains listed in the -\fBsearch\fR or \fBdomain\fR directive in +\fIname\fR +to +\fID\fR +for it to be considered absolute. The default value is that defined using the ndots statement in +\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the +\fBsearch\fR +or +\fBdomain\fR +directive in \fI/etc/resolv.conf\fR. .TP \fB+bufsize=B\fR Set the UDP message buffer size advertised using EDNS0 to -\fIB\fR bytes. The maximum and minimum sizes of this -buffer are 65535 and 0 respectively. Values outside this range are -rounded up or down appropriately. +\fIB\fR +bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. .TP \fB+[no]multiline\fR -Print records like the SOA records in a verbose multi-line -format with human-readable comments. The default is to print -each record on a single line, to facilitate machine parsing -of the \fBdig\fR output. +Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the +\fBdig\fR +output. .TP \fB+[no]fail\fR -Do not try the next server if you receive a SERVFAIL. The default is -to not try the next server which is the reverse of normal stub resolver -behaviour. +Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour. .TP \fB+[no]besteffort\fR -Attempt to display the contents of messages which are malformed. -The default is to not display malformed answers. +Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. 
.TP \fB+[no]dnssec\fR -Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the OPT record in the additional section of the query. +Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. .TP \fB+[no]sigchase\fR -Chase DNSSEC signature chains. Requires dig be compiled with --DDIG_SIGCHASE. +Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE. .TP -\fB+trusted-key=####\fR -Specify a trusted key to be used with \fB+sigchase\fR. -Requires dig be compiled with -DDIG_SIGCHASE. +\fB+trusted\-key=####\fR +Specifies a file containing trusted keys to be used with +\fB+sigchase\fR. Each DNSKEY record must be on its own line. +.sp +If not specified +\fBdig\fR +will look for +\fI/etc/trusted\-key.key\fR +then +\fItrusted\-key.key\fR +in the current directory. +.sp +Requires dig be compiled with \-DDIG_SIGCHASE. .TP \fB+[no]topdown\fR -When chasing DNSSEC signature chains perform a top down validation. -Requires dig be compiled with -DDIG_SIGCHASE. +When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE. .SH "MULTIPLE QUERIES" .PP -The BIND 9 implementation of \fBdig \fR supports -specifying multiple queries on the command line (in addition to -supporting the \fB-f\fR batch file option). Each of those -queries can be supplied with its own set of flags, options and query -options. +The BIND 9 implementation of +\fBdig \fR +supports specifying multiple queries on the command line (in addition to supporting the +\fB\-f\fR +batch file option). Each of those queries can be supplied with its own set of flags, options and query options. .PP -In this case, each \fIquery\fR argument represent an -individual query in the command-line syntax described above. 
Each -consists of any of the standard options and flags, the name to be -looked up, an optional query type and class and any query options that -should be applied to that query. +In this case, each +\fIquery\fR +argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query. .PP -A global set of query options, which should be applied to all queries, -can also be supplied. These global query options must precede the -first tuple of name, class, type, options, flags, and query options -supplied on the command line. Any global query options (except -the \fB+[no]cmd\fR option) can be -overridden by a query-specific set of query options. For example: +A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the +\fB+[no]cmd\fR +option) can be overridden by a query\-specific set of query options. For example: .sp .nf -dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -.sp +dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr .fi -shows how \fBdig\fR could be used from the command line -to make three lookups: an ANY query for www.isc.org, a -reverse lookup of 127.0.0.1 and a query for the NS records of -isc.org. -A global query option of \fI+qr\fR is applied, so -that \fBdig\fR shows the initial query it made for each -lookup. The final query has a local query option of -\fI+noqr\fR which means that \fBdig\fR +.sp +shows how +\fBdig\fR +could be used from the command line to make three lookups: an ANY query for +www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of +isc.org. 
A global query option of +\fI+qr\fR +is applied, so that +\fBdig\fR +shows the initial query it made for each lookup. The final query has a local query option of +\fI+noqr\fR +which means that +\fBdig\fR will not print the initial query when it looks up the NS records for isc.org. .SH "FILES" @@ -394,8 +416,8 @@ isc.org. .PP \fBhost\fR(1), \fBnamed\fR(8), -\fBdnssec-keygen\fR(8), -\fIRFC1035\fR. -.SH "BUGS" +\fBdnssec\-keygen\fR(8), +RFC1035. +.SH "BUGS " .PP -There are probably too many query options. +There are probably too many query options. diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c index 423eadbefd4..9e1f53f9b35 100644 --- a/usr.sbin/bind/bin/dig/dig.c +++ b/usr.sbin/bind/bin/dig/dig.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dig.c,v 1.157.2.13.2.25 2004/09/16 02:14:14 marka Exp $ */ +/* $ISC: dig.c,v 1.157.2.13.2.29 2005/10/14 01:38:40 marka Exp $ */ #include <config.h> #include <stdlib.h> @@ -45,10 +45,6 @@ #include <dig/dig.h> -extern ISC_LIST(dig_lookup_t) lookup_list; -extern dig_serverlist_t server_list; -extern ISC_LIST(dig_searchlist_t) search_list; - #define ADD_STRING(b, s) { \ if (strlen(s) >= isc_buffer_availablelength(b)) \ return (ISC_R_NOSPACE); \ 
@@ -58,31 +54,8 @@ extern ISC_LIST(dig_searchlist_t) search_list; #define DIG_MAX_ADDRESSES 20 -extern isc_boolean_t have_ipv4, have_ipv6, specified_source, - usesearch, qr; -extern in_port_t port; -extern unsigned int timeout; -extern isc_mem_t *mctx; -extern dns_messageid_t id; -extern int sendcount; -extern int ndots; -extern int lookup_counter; -extern int exitcode; -extern isc_sockaddr_t bind_address; -extern char keynametext[MXNAME]; -extern char keyfile[MXNAME]; -extern char keysecret[MXNAME]; -#ifdef DIG_SIGCHASE -extern char trustedkey[MXNAME]; -#endif -extern dns_tsigkey_t *key; -extern isc_boolean_t validated; -extern isc_taskmgr_t *taskmgr; -extern isc_task_t *global_task; -extern isc_boolean_t free_now; dig_lookup_t *default_lookup = NULL; -extern isc_boolean_t debugging, memdebugging; static char *batchname = NULL; static FILE *batchfp = NULL; static char *argv0; @@ -133,8 +106,6 @@ static const char *rcodetext[] = { "BADVERS" }; -extern char *progname; - static void print_usage(FILE *fp) { fputs( @@ -593,6 +564,7 @@ buftoosmall: } } } + if (headers && query->lookup->comments && !short_form) printf("\n"); @@ -808,7 +780,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, break; case 'l': /* cl */ FULLCHECK("cl"); - noclass = !state; + noclass = ISC_TF(!state); break; case 'm': /* cmd */ FULLCHECK("cmd"); @@ -881,7 +853,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, lookup->ns_search_only = state; if (state) { lookup->trace_root = ISC_TRUE; - lookup->recurse = ISC_FALSE; + lookup->recurse = ISC_TRUE; lookup->identify = ISC_TRUE; lookup->stats = ISC_FALSE; lookup->comments = ISC_FALSE; @@ -1043,7 +1015,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, break; case 't': /* ttlid */ FULLCHECK("ttlid"); - nottl = !state; + nottl = ISC_TF(!state); break; default: goto invalid_option; diff --git a/usr.sbin/bind/bin/dig/dig.docbook b/usr.sbin/bind/bin/dig/dig.docbook index 26471240b16..57984c186a8 100644 
--- a/usr.sbin/bind/bin/dig/dig.docbook +++ b/usr.sbin/bind/bin/dig/dig.docbook @@ -1,6 +1,8 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dig.docbook,v 1.4.2.7.4.9 2004/06/23 04:19:41 marka Exp $ --> +<!-- $ISC: dig.docbook,v 1.4.2.7.4.12 2005/08/30 00:50:29 marka Exp $ --> <refentry> @@ -30,6 +32,21 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>dig</refname> <refpurpose>DNS lookup utility</refpurpose> @@ -38,7 +55,7 @@ <refsynopsisdiv> <cmdsynopsis> <command>dig</command> -<arg choice=opt>@server</arg> +<arg choice="opt">@server</arg> <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg> 
@@ -49,10 +66,10 @@ <arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg> <arg><option>-4</option></arg> <arg><option>-6</option></arg> -<arg choice=opt>name</arg> -<arg choice=opt>type</arg> -<arg choice=opt>class</arg> -<arg choice=opt rep=repeat>queryopt</arg> +<arg choice="opt">name</arg> +<arg choice="opt">type</arg> +<arg choice="opt">class</arg> +<arg choice="opt" rep="repeat">queryopt</arg> </cmdsynopsis> <cmdsynopsis> @@ -62,8 +79,8 @@ <cmdsynopsis> <command>dig</command> -<arg choice=opt rep=repeat>global-queryopt</arg> -<arg choice=opt rep=repeat>query</arg> +<arg choice="opt" rep="repeat">global-queryopt</arg> +<arg choice="opt" rep="repeat">query</arg> </cmdsynopsis> </refsynopsisdiv> @@ -513,11 +530,24 @@ Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE. </para></listitem></varlistentry> -<varlistentry><term><option>+trusted-key=####</option></term> -<listitem><para> -Specify a trusted key to be used with <option>+sigchase</option>. -Requires dig be compiled with -DDIG_SIGCHASE. -</para></listitem></varlistentry> + <varlistentry> + <term><option>+trusted-key=####</option></term> + <listitem> + <para> + Specifies a file containing trusted keys to be used with + <option>+sigchase</option>. Each DNSKEY record must be + on its own line. + </para> + <para> + If not specified <command>dig</command> will look for + <filename>/etc/trusted-key.key</filename> then + <filename>trusted-key.key</filename> in the current directory. + </para> + <para> + Requires dig be compiled with -DDIG_SIGCHASE. + </para> + </listitem> + </varlistentry> <varlistentry><term><option>+[no]topdown</option></term> <listitem><para> diff --git a/usr.sbin/bind/bin/dig/dig.html b/usr.sbin/bind/bin/dig/dig.html index 9035ecb5d70..71a09a6aa89 100644 --- a/usr.sbin/bind/bin/dig/dig.html +++ b/usr.sbin/bind/bin/dig/dig.html 
@@ -1,1174 +1,514 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: dig.html,v 1.6.2.4.2.7 2004/08/22 23:38:57 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->dig</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->dig</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->dig -- DNS lookup utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dig</B -> [@server] [<VAR -CLASS="OPTION" ->-b <VAR -CLASS="REPLACEABLE" ->address</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f <VAR -CLASS="REPLACEABLE" ->filename</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->filename</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port#</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-x <VAR -CLASS="REPLACEABLE" ->addr</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-y <VAR -CLASS="REPLACEABLE" ->name:key</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-4</VAR ->] [<VAR -CLASS="OPTION" ->-6</VAR ->] [name] [type] [class] [queryopt...]</P -><P -><B -CLASS="COMMAND" ->dig</B -> [<VAR -CLASS="OPTION" ->-h</VAR ->]</P -><P -><B -CLASS="COMMAND" ->dig</B -> [global-queryopt...] 
[query...]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN55" -></A -><H2 ->DESCRIPTION</H2 -><P -><B -CLASS="COMMAND" ->dig</B -> (domain information groper) is a flexible tool +<!-- $ISC: dig.html,v 1.6.2.4.2.13 2005/10/13 02:33:43 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dig</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>dig — DNS lookup utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div> +<div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div> +<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] 
[query...]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525976"></a><h2>DESCRIPTION</h2> +<p> +<span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that -were queried. Most DNS administrators use <B -CLASS="COMMAND" ->dig</B -> to +were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality -than <B -CLASS="COMMAND" ->dig</B ->.</P -><P ->Although <B -CLASS="COMMAND" ->dig</B -> is normally used with command-line +than <span><strong class="command">dig</strong></span>. +</p> +<p> +Although <span><strong class="command">dig</strong></span> is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments -and options is printed when the <VAR -CLASS="OPTION" ->-h</VAR -> option is given. +and options is printed when the <code class="option">-h</code> option is given. Unlike earlier versions, the BIND9 implementation of -<B -CLASS="COMMAND" ->dig</B -> allows multiple lookups to be issued from the -command line.</P -><P ->Unless it is told to query a specific name server, -<B -CLASS="COMMAND" ->dig</B -> will try each of the servers listed in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -><P ->When no command line arguments or options are given, will perform an -NS query for "." (the root).</P -><P ->It is possible to set per-user defaults for <B -CLASS="COMMAND" ->dig</B -> via -<TT -CLASS="FILENAME" ->${HOME}/.digrc</TT ->. 
This file is read and any options in it -are applied before the command line arguments.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN72" -></A -><H2 ->SIMPLE USAGE</H2 -><P ->A typical invocation of <B -CLASS="COMMAND" ->dig</B -> looks like: -<PRE -CLASS="PROGRAMLISTING" -> dig @server name type </PRE -> where: +<span><strong class="command">dig</strong></span> allows multiple lookups to be issued from the +command line. +</p> +<p> +Unless it is told to query a specific name server, +<span><strong class="command">dig</strong></span> will try each of the servers listed in +<code class="filename">/etc/resolv.conf</code>. +</p> +<p> +When no command line arguments or options are given, will perform an +NS query for "." (the root). +</p> +<p> +It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via +<code class="filename">${HOME}/.digrc</code>. This file is read and any options in it +are applied before the command line arguments. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526035"></a><h2>SIMPLE USAGE</h2> +<p> +A typical invocation of <span><strong class="command">dig</strong></span> looks like: +</p> +<pre class="programlisting"> dig @server name type </pre> +<p> where: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->server</CODE -></DT -><DD -><P ->is the name or IP address of the name server to query. This can be an IPv4 +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">server</code></span></dt> +<dd><p> +is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied -<VAR -CLASS="PARAMETER" ->server</VAR -> argument is a hostname, -<B -CLASS="COMMAND" ->dig</B -> resolves that name before querying that name -server. 
If no <VAR -CLASS="PARAMETER" ->server</VAR -> argument is provided, -<B -CLASS="COMMAND" ->dig</B -> consults <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -> +<em class="parameter"><code>server</code></em> argument is a hostname, +<span><strong class="command">dig</strong></span> resolves that name before querying that name +server. If no <em class="parameter"><code>server</code></em> argument is provided, +<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code> and queries the name servers listed there. The reply from the name -server that responds is displayed.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->name</CODE -></DT -><DD -><P ->is the name of the resource record that is to be looked up.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->type</CODE -></DT -><DD -><P ->indicates what type of query is required — +server that responds is displayed. +</p></dd> +<dt><span class="term"><code class="constant">name</code></span></dt> +<dd><p> +is the name of the resource record that is to be looked up. +</p></dd> +<dt><span class="term"><code class="constant">type</code></span></dt> +<dd><p> +indicates what type of query is required — ANY, A, MX, SIG, etc. -<VAR -CLASS="PARAMETER" ->type</VAR -> can be any valid query type. If no -<VAR -CLASS="PARAMETER" ->type</VAR -> argument is supplied, -<B -CLASS="COMMAND" ->dig</B -> will perform a lookup for an A record.</P -></DD -></DL -></DIV -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN101" -></A -><H2 ->OPTIONS</H2 -><P ->The <VAR -CLASS="OPTION" ->-b</VAR -> option sets the source IP address of the query -to <VAR -CLASS="PARAMETER" ->address</VAR ->. This must be a valid address on +<em class="parameter"><code>type</code></em> can be any valid query type. If no +<em class="parameter"><code>type</code></em> argument is supplied, +<span><strong class="command">dig</strong></span> will perform a lookup for an A record. 
+</p></dd> +</dl></div> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526114"></a><h2>OPTIONS</h2> +<p> +The <code class="option">-b</code> option sets the source IP address of the query +to <em class="parameter"><code>address</code></em>. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port -may be specified by appending "#<port>"</P -><P ->The default query class (IN for internet) is overridden by the -<VAR -CLASS="OPTION" ->-c</VAR -> option. <VAR -CLASS="PARAMETER" ->class</VAR -> is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records.</P -><P ->The <VAR -CLASS="OPTION" ->-f</VAR -> option makes <B -CLASS="COMMAND" ->dig </B -> operate +may be specified by appending "#<port>" +</p> +<p> +The default query class (IN for internet) is overridden by the +<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is any valid +class, such as HS for Hesiod records or CH for CHAOSNET records. +</p> +<p> +The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> operate in batch mode by reading a list of lookup requests to process from the -file <VAR -CLASS="PARAMETER" ->filename</VAR ->. The file contains a number of +file <em class="parameter"><code>filename</code></em>. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to -<B -CLASS="COMMAND" ->dig</B -> using the command-line interface.</P -><P ->If a non-standard port number is to be queried, the -<VAR -CLASS="OPTION" ->-p</VAR -> option is used. <VAR -CLASS="PARAMETER" ->port#</VAR -> is -the port number that <B -CLASS="COMMAND" ->dig</B -> will send its queries +<span><strong class="command">dig</strong></span> using the command-line interface. +</p> +<p> +If a non-standard port number is to be queried, the +<code class="option">-p</code> option is used. 
<em class="parameter"><code>port#</code></em> is +the port number that <span><strong class="command">dig</strong></span> will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries -on a non-standard port number.</P -><P ->The <VAR -CLASS="OPTION" ->-4</VAR -> option forces <B -CLASS="COMMAND" ->dig</B -> to only -use IPv4 query transport. The <VAR -CLASS="OPTION" ->-6</VAR -> option forces -<B -CLASS="COMMAND" ->dig</B -> to only use IPv6 query transport.</P -><P ->The <VAR -CLASS="OPTION" ->-t</VAR -> option sets the query type to -<VAR -CLASS="PARAMETER" ->type</VAR ->. It can be any valid query type which is +on a non-standard port number. +</p> +<p> +The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span> to only +use IPv4 query transport. The <code class="option">-6</code> option forces +<span><strong class="command">dig</strong></span> to only use IPv6 query transport. +</p> +<p> +The <code class="option">-t</code> option sets the query type to +<em class="parameter"><code>type</code></em>. It can be any valid query type which is supported in BIND9. The default query type "A", unless the -<VAR -CLASS="OPTION" ->-x</VAR -> option is supplied to indicate a reverse lookup. +<code class="option">-x</code> option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, -<VAR -CLASS="PARAMETER" ->type</VAR -> is set to <VAR -CLASS="LITERAL" ->ixfr=N</VAR ->. +<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>. 
The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was -<VAR -CLASS="PARAMETER" ->N</VAR ->.</P -><P ->Reverse lookups - mapping addresses to names - are simplified by the -<VAR -CLASS="OPTION" ->-x</VAR -> option. <VAR -CLASS="PARAMETER" ->addr</VAR -> is an IPv4 +<em class="parameter"><code>N</code></em>. +</p> +<p> +Reverse lookups - mapping addresses to names - are simplified by the +<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the -<VAR -CLASS="PARAMETER" ->name</VAR ->, <VAR -CLASS="PARAMETER" ->class</VAR -> and -<VAR -CLASS="PARAMETER" ->type</VAR -> arguments. <B -CLASS="COMMAND" ->dig</B -> +<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and +<em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span> automatically performs a lookup for a name like -<VAR -CLASS="LITERAL" ->11.12.13.10.in-addr.arpa</VAR -> and sets the query type and +<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain -specify the <VAR -CLASS="OPTION" ->-i</VAR -> option. Bit string labels (RFC2874) -are now experimental and are not attempted.</P -><P ->To sign the DNS queries sent by <B -CLASS="COMMAND" ->dig</B -> and their +specify the <code class="option">-i</code> option. Bit string labels (RFC2874) +are now experimental and are not attempted. 
+</p> +<p> +To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and their responses using transaction signatures (TSIG), specify a TSIG key file -using the <VAR -CLASS="OPTION" ->-k</VAR -> option. You can also specify the TSIG -key itself on the command line using the <VAR -CLASS="OPTION" ->-y</VAR -> option; -<VAR -CLASS="PARAMETER" ->name</VAR -> is the name of the TSIG key and -<VAR -CLASS="PARAMETER" ->key</VAR -> is the actual key. The key is a base-64 -encoded string, typically generated by <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->. +using the <code class="option">-k</code> option. You can also specify the TSIG +key itself on the command line using the <code class="option">-y</code> option; +<em class="parameter"><code>name</code></em> is the name of the TSIG key and +<em class="parameter"><code>key</code></em> is the actual key. The key is a base-64 +encoded string, typically generated by <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. -Caution should be taken when using the <VAR -CLASS="OPTION" ->-y</VAR -> option on +Caution should be taken when using the <code class="option">-y</code> option on multi-user systems as the key can be visible in the output from -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->ps</SPAN ->(1)</SPAN -> or in the shell's history file. When -using TSIG authentication with <B -CLASS="COMMAND" ->dig</B ->, the name +<span class="citerefentry"><span class="refentrytitle">ps</span>(1 +)</span> or in the shell's history file. When +using TSIG authentication with <span><strong class="command">dig</strong></span>, the name server that is queried needs to know the key and algorithm that is being used. 
In BIND, this is done by providing appropriate -<B -CLASS="COMMAND" ->key</B -> and <B -CLASS="COMMAND" ->server</B -> statements in -<TT -CLASS="FILENAME" ->named.conf</TT ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN156" -></A -><H2 ->QUERY OPTIONS</H2 -><P -><B -CLASS="COMMAND" ->dig</B -> provides a number of query options which affect +<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in +<code class="filename">named.conf</code>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526365"></a><h2>QUERY OPTIONS</h2> +<p> +<span><strong class="command">dig</strong></span> provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout -and retry strategies.</P -><P ->Each query option is identified by a keyword preceded by a plus sign -(<VAR -CLASS="LITERAL" ->+</VAR ->). Some keywords set or reset an option. These may be preceded -by the string <VAR -CLASS="LITERAL" ->no</VAR -> to negate the meaning of that keyword. Other +and retry strategies. +</p> +<p> +Each query option is identified by a keyword preceded by a plus sign +(<code class="literal">+</code>). Some keywords set or reset an option. These may be preceded +by the string <code class="literal">no</code> to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They -have the form <VAR -CLASS="OPTION" ->+keyword=value</VAR ->. +have the form <code class="option">+keyword=value</code>. The query options are: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><VAR -CLASS="OPTION" ->+[no]tcp</VAR -></DT -><DD -><P ->Use [do not use] TCP when querying name servers. 
The default +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="option">+[no]tcp</code></span></dt> +<dd><p> +Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in -which case a TCP connection is used.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]vc</VAR -></DT -><DD -><P ->Use [do not use] TCP when querying name servers. This alternate -syntax to <VAR -CLASS="PARAMETER" ->+[no]tcp</VAR -> is provided for backwards -compatibility. The "vc" stands for "virtual circuit".</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]ignore</VAR -></DT -><DD -><P ->Ignore truncation in UDP responses instead of retrying with TCP. By -default, TCP retries are performed.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+domain=somename</VAR -></DT -><DD -><P ->Set the search list to contain the single domain -<VAR -CLASS="PARAMETER" ->somename</VAR ->, as if specified in a -<B -CLASS="COMMAND" ->domain</B -> directive in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->, and enable search list -processing as if the <VAR -CLASS="PARAMETER" ->+search</VAR -> option were given.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]search</VAR -></DT -><DD -><P ->Use [do not use] the search list defined by the searchlist or domain -directive in <TT -CLASS="FILENAME" ->resolv.conf</TT -> (if any). -The search list is not used by default.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]defname</VAR -></DT -><DD -><P ->Deprecated, treated as a synonym for <VAR -CLASS="PARAMETER" ->+[no]search</VAR -></P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]aaonly</VAR -></DT -><DD -><P ->Sets the "aa" flag in the query.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]aaflag</VAR -></DT -><DD -><P ->A synonym for <VAR -CLASS="PARAMETER" ->+[no]aaonly</VAR ->.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]adflag</VAR -></DT -><DD -><P ->Set [do not set] the AD (authentic data) bit in the query. 
The AD bit +which case a TCP connection is used. +</p></dd> +<dt><span class="term"><code class="option">+[no]vc</code></span></dt> +<dd><p> +Use [do not use] TCP when querying name servers. This alternate +syntax to <em class="parameter"><code>+[no]tcp</code></em> is provided for backwards +compatibility. The "vc" stands for "virtual circuit". +</p></dd> +<dt><span class="term"><code class="option">+[no]ignore</code></span></dt> +<dd><p> +Ignore truncation in UDP responses instead of retrying with TCP. By +default, TCP retries are performed. +</p></dd> +<dt><span class="term"><code class="option">+domain=somename</code></span></dt> +<dd><p> +Set the search list to contain the single domain +<em class="parameter"><code>somename</code></em>, as if specified in a +<span><strong class="command">domain</strong></span> directive in +<code class="filename">/etc/resolv.conf</code>, and enable search list +processing as if the <em class="parameter"><code>+search</code></em> option were given. +</p></dd> +<dt><span class="term"><code class="option">+[no]search</code></span></dt> +<dd><p> +Use [do not use] the search list defined by the searchlist or domain +directive in <code class="filename">resolv.conf</code> (if any). +The search list is not used by default. +</p></dd> +<dt><span class="term"><code class="option">+[no]defname</code></span></dt> +<dd><p> +Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em> +</p></dd> +<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt> +<dd><p> +Sets the "aa" flag in the query. +</p></dd> +<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt> +<dd><p> +A synonym for <em class="parameter"><code>+[no]aaonly</code></em>. +</p></dd> +<dt><span class="term"><code class="option">+[no]adflag</code></span></dt> +<dd><p> +Set [do not set] the AD (authentic data) bit in the query. 
The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for -completeness.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]cdflag</VAR -></DT -><DD -><P ->Set [do not set] the CD (checking disabled) bit in the query. This -requests the server to not perform DNSSEC validation of responses.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]cl</VAR -></DT -><DD -><P ->Display [do not display] the CLASS when printing the record.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]ttlid</VAR -></DT -><DD -><P ->Display [do not display] the TTL when printing the record.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]recurse</VAR -></DT -><DD -><P ->Toggle the setting of the RD (recursion desired) bit in the query. -This bit is set by default, which means <B -CLASS="COMMAND" ->dig</B -> +completeness. +</p></dd> +<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt> +<dd><p> +Set [do not set] the CD (checking disabled) bit in the query. This +requests the server to not perform DNSSEC validation of responses. +</p></dd> +<dt><span class="term"><code class="option">+[no]cl</code></span></dt> +<dd><p> +Display [do not display] the CLASS when printing the record. +</p></dd> +<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt> +<dd><p> +Display [do not display] the TTL when printing the record. +</p></dd> +<dt><span class="term"><code class="option">+[no]recurse</code></span></dt> +<dd><p> +Toggle the setting of the RD (recursion desired) bit in the query. +This bit is set by default, which means <span><strong class="command">dig</strong></span> normally sends recursive queries. 
Recursion is automatically disabled -when the <VAR -CLASS="PARAMETER" ->+nssearch</VAR -> or -<VAR -CLASS="PARAMETER" ->+trace</VAR -> query options are used.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]nssearch</VAR -></DT -><DD -><P ->When this option is set, <B -CLASS="COMMAND" ->dig</B -> attempts to find the +when the <em class="parameter"><code>+nssearch</code></em> or +<em class="parameter"><code>+trace</code></em> query options are used. +</p></dd> +<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt> +<dd><p> +When this option is set, <span><strong class="command">dig</strong></span> attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the -zone.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]trace</VAR -></DT -><DD -><P ->Toggle tracing of the delegation path from the root name servers for +zone. +</p></dd> +<dt><span class="term"><code class="option">+[no]trace</code></span></dt> +<dd><p> +Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When -tracing is enabled, <B -CLASS="COMMAND" ->dig</B -> makes iterative queries to +tracing is enabled, <span><strong class="command">dig</strong></span> makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to -resolve the lookup.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]cmd</VAR -></DT -><DD -><P ->toggles the printing of the initial comment in the output identifying -the version of <B -CLASS="COMMAND" ->dig</B -> and the query options that have -been applied. This comment is printed by default.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]short</VAR -></DT -><DD -><P ->Provide a terse answer. 
The default is to print the answer in a -verbose form.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]identify</VAR -></DT -><DD -><P ->Show [or do not show] the IP address and port number that supplied the -answer when the <VAR -CLASS="PARAMETER" ->+short</VAR -> option is enabled. If +resolve the lookup. +</p></dd> +<dt><span class="term"><code class="option">+[no]cmd</code></span></dt> +<dd><p> +toggles the printing of the initial comment in the output identifying +the version of <span><strong class="command">dig</strong></span> and the query options that have +been applied. This comment is printed by default. +</p></dd> +<dt><span class="term"><code class="option">+[no]short</code></span></dt> +<dd><p> +Provide a terse answer. The default is to print the answer in a +verbose form. +</p></dd> +<dt><span class="term"><code class="option">+[no]identify</code></span></dt> +<dd><p> +Show [or do not show] the IP address and port number that supplied the +answer when the <em class="parameter"><code>+short</code></em> option is enabled. If short form answers are requested, the default is not to show the -source address and port number of the server that provided the answer.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]comments</VAR -></DT -><DD -><P ->Toggle the display of comment lines in the output. The default is to -print comments.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]stats</VAR -></DT -><DD -><P ->This query option toggles the printing of statistics: when the query +source address and port number of the server that provided the answer. +</p></dd> +<dt><span class="term"><code class="option">+[no]comments</code></span></dt> +<dd><p> +Toggle the display of comment lines in the output. The default is to +print comments. +</p></dd> +<dt><span class="term"><code class="option">+[no]stats</code></span></dt> +<dd><p> +This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. 
The default behaviour is -to print the query statistics.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]qr</VAR -></DT -><DD -><P ->Print [do not print] the query as it is sent. -By default, the query is not printed.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]question</VAR -></DT -><DD -><P ->Print [do not print] the question section of a query when an answer is -returned. The default is to print the question section as a comment.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]answer</VAR -></DT -><DD -><P ->Display [do not display] the answer section of a reply. The default -is to display it.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]authority</VAR -></DT -><DD -><P ->Display [do not display] the authority section of a reply. The -default is to display it.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]additional</VAR -></DT -><DD -><P ->Display [do not display] the additional section of a reply. -The default is to display it.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]all</VAR -></DT -><DD -><P ->Set or clear all display flags.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+time=T</VAR -></DT -><DD -><P -> Sets the timeout for a query to -<VAR -CLASS="PARAMETER" ->T</VAR -> seconds. The default time out is 5 seconds. -An attempt to set <VAR -CLASS="PARAMETER" ->T</VAR -> to less than 1 will result -in a query timeout of 1 second being applied.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+tries=T</VAR -></DT -><DD -><P ->Sets the number of times to try UDP queries to server to -<VAR -CLASS="PARAMETER" ->T</VAR -> instead of the default, 3. If -<VAR -CLASS="PARAMETER" ->T</VAR -> is less than or equal to zero, the number of -tries is silently rounded up to 1.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+retry=T</VAR -></DT -><DD -><P ->Sets the number of times to retry UDP queries to server to -<VAR -CLASS="PARAMETER" ->T</VAR -> instead of the default, 2. 
Unlike -<VAR -CLASS="PARAMETER" ->+tries</VAR ->, this does not include the initial -query.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+ndots=D</VAR -></DT -><DD -><P ->Set the number of dots that have to appear in -<VAR -CLASS="PARAMETER" ->name</VAR -> to <VAR -CLASS="PARAMETER" ->D</VAR -> for it to be +to print the query statistics. +</p></dd> +<dt><span class="term"><code class="option">+[no]qr</code></span></dt> +<dd><p> +Print [do not print] the query as it is sent. +By default, the query is not printed. +</p></dd> +<dt><span class="term"><code class="option">+[no]question</code></span></dt> +<dd><p> +Print [do not print] the question section of a query when an answer is +returned. The default is to print the question section as a comment. +</p></dd> +<dt><span class="term"><code class="option">+[no]answer</code></span></dt> +<dd><p> +Display [do not display] the answer section of a reply. The default +is to display it. +</p></dd> +<dt><span class="term"><code class="option">+[no]authority</code></span></dt> +<dd><p> +Display [do not display] the authority section of a reply. The +default is to display it. +</p></dd> +<dt><span class="term"><code class="option">+[no]additional</code></span></dt> +<dd><p> +Display [do not display] the additional section of a reply. +The default is to display it. +</p></dd> +<dt><span class="term"><code class="option">+[no]all</code></span></dt> +<dd><p> +Set or clear all display flags. +</p></dd> +<dt><span class="term"><code class="option">+time=T</code></span></dt> +<dd><p> + +Sets the timeout for a query to +<em class="parameter"><code>T</code></em> seconds. The default time out is 5 seconds. +An attempt to set <em class="parameter"><code>T</code></em> to less than 1 will result +in a query timeout of 1 second being applied. 
+</p></dd> +<dt><span class="term"><code class="option">+tries=T</code></span></dt> +<dd><p> +Sets the number of times to try UDP queries to server to +<em class="parameter"><code>T</code></em> instead of the default, 3. If +<em class="parameter"><code>T</code></em> is less than or equal to zero, the number of +tries is silently rounded up to 1. +</p></dd> +<dt><span class="term"><code class="option">+retry=T</code></span></dt> +<dd><p> +Sets the number of times to retry UDP queries to server to +<em class="parameter"><code>T</code></em> instead of the default, 2. Unlike +<em class="parameter"><code>+tries</code></em>, this does not include the initial +query. +</p></dd> +<dt><span class="term"><code class="option">+ndots=D</code></span></dt> +<dd><p> +Set the number of dots that have to appear in +<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be considered absolute. The default value is that defined using the -ndots statement in <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->, or 1 if no +ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the -<VAR -CLASS="OPTION" ->search</VAR -> or <VAR -CLASS="OPTION" ->domain</VAR -> directive in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+bufsize=B</VAR -></DT -><DD -><P ->Set the UDP message buffer size advertised using EDNS0 to -<VAR -CLASS="PARAMETER" ->B</VAR -> bytes. The maximum and minimum sizes of this +<code class="option">search</code> or <code class="option">domain</code> directive in +<code class="filename">/etc/resolv.conf</code>. +</p></dd> +<dt><span class="term"><code class="option">+bufsize=B</code></span></dt> +<dd><p> +Set the UDP message buffer size advertised using EDNS0 to +<em class="parameter"><code>B</code></em> bytes. 
The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are -rounded up or down appropriately.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]multiline</VAR -></DT -><DD -><P ->Print records like the SOA records in a verbose multi-line +rounded up or down appropriately. +</p></dd> +<dt><span class="term"><code class="option">+[no]multiline</code></span></dt> +<dd><p> +Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing -of the <B -CLASS="COMMAND" ->dig</B -> output.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]fail</VAR -></DT -><DD -><P ->Do not try the next server if you receive a SERVFAIL. The default is +of the <span><strong class="command">dig</strong></span> output. +</p></dd> +<dt><span class="term"><code class="option">+[no]fail</code></span></dt> +<dd><p> +Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver -behaviour.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]besteffort</VAR -></DT -><DD -><P ->Attempt to display the contents of messages which are malformed. -The default is to not display malformed answers.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]dnssec</VAR -></DT -><DD -><P ->Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the OPT record in the additional section of the query.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]sigchase</VAR -></DT -><DD -><P ->Chase DNSSEC signature chains. Requires dig be compiled with --DDIG_SIGCHASE.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+trusted-key=####</VAR -></DT -><DD -><P ->Specify a trusted key to be used with <VAR -CLASS="OPTION" ->+sigchase</VAR ->. 
-Requires dig be compiled with -DDIG_SIGCHASE.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]topdown</VAR -></DT -><DD -><P ->When chasing DNSSEC signature chains perform a top down validation. -Requires dig be compiled with -DDIG_SIGCHASE.</P -></DD -></DL -></DIV -> </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN385" -></A -><H2 ->MULTIPLE QUERIES</H2 -><P ->The BIND 9 implementation of <B -CLASS="COMMAND" ->dig </B -> supports +behaviour. +</p></dd> +<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt> +<dd><p> +Attempt to display the contents of messages which are malformed. +The default is to not display malformed answers. +</p></dd> +<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt> +<dd><p> +Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) +in the OPT record in the additional section of the query. +</p></dd> +<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt> +<dd><p> +Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE. +</p></dd> +<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt> +<dd> +<p> + Specifies a file containing trusted keys to be used with + <code class="option">+sigchase</code>. Each DNSKEY record must be + on its own line. + </p> +<p> + If not specified <span><strong class="command">dig</strong></span> will look for + <code class="filename">/etc/trusted-key.key</code> then + <code class="filename">trusted-key.key</code> in the current directory. + </p> +<p> + Requires dig be compiled with -DDIG_SIGCHASE. + </p> +</dd> +<dt><span class="term"><code class="option">+[no]topdown</code></span></dt> +<dd><p> +When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE. 
+</p></dd> +</dl></div> +<p> + +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527033"></a><h2>MULTIPLE QUERIES</h2> +<p> +The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports specifying multiple queries on the command line (in addition to -supporting the <VAR -CLASS="OPTION" ->-f</VAR -> batch file option). Each of those +supporting the <code class="option">-f</code> batch file option). Each of those queries can be supplied with its own set of flags, options and query -options.</P -><P ->In this case, each <VAR -CLASS="PARAMETER" ->query</VAR -> argument represent an +options. +</p> +<p> +In this case, each <em class="parameter"><code>query</code></em> argument represent an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that -should be applied to that query.</P -><P ->A global set of query options, which should be applied to all queries, +should be applied to that query. +</p> +<p> +A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except -the <VAR -CLASS="OPTION" ->+[no]cmd</VAR -> option) can be +the <code class="option">+[no]cmd</code> option) can be overridden by a query-specific set of query options. 
For example: -<PRE -CLASS="PROGRAMLISTING" ->dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr</PRE -> -shows how <B -CLASS="COMMAND" ->dig</B -> could be used from the command line -to make three lookups: an ANY query for <VAR -CLASS="LITERAL" ->www.isc.org</VAR ->, a +</p> +<pre class="programlisting"> +dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr +</pre> +<p> +shows how <span><strong class="command">dig</strong></span> could be used from the command line +to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a reverse lookup of 127.0.0.1 and a query for the NS records of -<VAR -CLASS="LITERAL" ->isc.org</VAR ->. +<code class="literal">isc.org</code>. -A global query option of <VAR -CLASS="PARAMETER" ->+qr</VAR -> is applied, so -that <B -CLASS="COMMAND" ->dig</B -> shows the initial query it made for each +A global query option of <em class="parameter"><code>+qr</code></em> is applied, so +that <span><strong class="command">dig</strong></span> shows the initial query it made for each lookup. 
The final query has a local query option of -<VAR -CLASS="PARAMETER" ->+noqr</VAR -> which means that <B -CLASS="COMMAND" ->dig</B -> +<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span> will not print the initial query when it looks up the NS records for -<VAR -CLASS="LITERAL" ->isc.org</VAR ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN403" -></A -><H2 ->FILES</H2 -><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P -><P -><TT -CLASS="FILENAME" ->${HOME}/.digrc</TT -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN409" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->host</SPAN ->(1)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, -<I -CLASS="CITETITLE" ->RFC1035</I ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN422" -></A -><H2 ->BUGS </H2 -><P ->There are probably too many query options. </P -></DIV -></BODY -></HTML -> +<code class="literal">isc.org</code>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527092"></a><h2>FILES</h2> +<p> +<code class="filename">/etc/resolv.conf</code> +</p> +<p> +<code class="filename">${HOME}/.digrc</code> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527111"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, +<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, +<em class="citetitle">RFC1035</em>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527149"></a><h2>BUGS </h2> +<p> +There are probably too many query options. +</p> +</div> +</div></body> +</html> 
diff --git a/usr.sbin/bind/bin/dig/dighost.c b/usr.sbin/bind/bin/dig/dighost.c index f4b07b932d0..57bc3118f5e 100644 --- a/usr.sbin/bind/bin/dig/dighost.c +++ b/usr.sbin/bind/bin/dig/dighost.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dighost.c,v 1.221.2.19.2.20 2004/11/22 23:30:31 marka Exp $ */ +/* $ISC: dighost.c,v 1.221.2.19.2.31 2005/10/14 01:38:40 marka Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -37,7 +37,6 @@ #include <dns/dnssec.h> #include <dns/ds.h> #include <dns/nsec.h> -#include <isc/file.h> #include <isc/random.h> #include <ctype.h> #endif @@ -58,6 +57,7 @@ #include <isc/app.h> #include <isc/base64.h> #include <isc/entropy.h> +#include <isc/file.h> #include <isc/lang.h> #include <isc/netaddr.h> #ifdef DIG_SIGCHASE @@ -90,9 +90,9 @@ static lwres_context_t *lwctx = NULL; static lwres_conf_t *lwconf; -ISC_LIST(dig_lookup_t) lookup_list; +dig_lookuplist_t lookup_list; dig_serverlist_t server_list; -ISC_LIST(dig_searchlist_t) search_list; +dig_searchlistlist_t search_list; isc_boolean_t have_ipv4 = ISC_FALSE, @@ -146,7 +146,7 @@ dig_lookup_t *current_lookup = NULL; #ifdef DIG_SIGCHASE -isc_result_t get_trusted_key(isc_mem_t *mctx); +isc_result_t get_trusted_key(isc_mem_t *mctx); dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, isc_boolean_t *lookedup, 
@@ -156,103 +156,104 @@ dns_rdataset_t * chase_scanname_section(dns_message_t *msg, dns_rdatatype_t type, dns_rdatatype_t covers, int section); -isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset, +isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers, isc_boolean_t *lookedup); -isc_result_t sigchase_verify_sig_key(dns_name_t *name, +isc_result_t sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t* dnsseckey, dns_rdataset_t *sigrdataset, isc_mem_t *mctx); -isc_result_t sigchase_verify_sig(dns_name_t *name, +isc_result_t sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *keyrdataset, dns_rdataset_t *sigrdataset, isc_mem_t *mctx); -isc_result_t sigchase_verify_ds(dns_name_t *name, +isc_result_t sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdataset_t *dsrdataset, isc_mem_t *mctx); -void sigchase(dns_message_t *msg); -void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx); -void print_rdataset(dns_name_t *name, +void sigchase(dns_message_t *msg); +void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx); +void print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx); -void dup_name(dns_name_t *source, dns_name_t* target, +void dup_name(dns_name_t *source, dns_name_t* target, isc_mem_t *mctx); -void dump_database(void); -void dump_database_section(dns_message_t *msg, int section); +void free_name(dns_name_t *name, isc_mem_t *mctx); +void dump_database(void); +void dump_database_section(dns_message_t *msg, int section); dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers); -isc_result_t contains_trusted_key(dns_name_t *name, +isc_result_t contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_mem_t *mctx); -void print_type(dns_rdatatype_t type); -isc_result_t prove_nx_domain(dns_message_t * msg, +void 
print_type(dns_rdatatype_t type); +isc_result_t prove_nx_domain(dns_message_t * msg, dns_name_t * name, dns_name_t * rdata_name, dns_rdataset_t ** rdataset, dns_rdataset_t ** sigrdataset); -isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name, +isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name, dns_rdataset_t *nsec, dns_rdataclass_t class, dns_rdatatype_t type, dns_name_t * rdata_name, dns_rdataset_t ** rdataset, dns_rdataset_t ** sigrdataset); -isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name, +isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name, dns_rdataclass_t class, dns_rdatatype_t type, dns_name_t * rdata_name, dns_rdataset_t ** rdataset, dns_rdataset_t ** sigrdataset); static void nameFromString(const char *str, dns_name_t *p_ret); -int inf_name(dns_name_t * name1, dns_name_t * name2); -isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, +int inf_name(dns_name_t * name1, dns_name_t * name2); +isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp); -isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); -void clean_trustedkey(void ); -void insert_trustedkey(dst_key_t * key); +isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); +void clean_trustedkey(void); +void insert_trustedkey(dst_key_t * key); #if DIG_SIGCHASE_BU -isc_result_t getneededrr(dns_message_t *msg); -void sigchase_bottom_up(dns_message_t *msg); -void sigchase_bu(dns_message_t *msg); +isc_result_t getneededrr(dns_message_t *msg); +void sigchase_bottom_up(dns_message_t *msg); +void sigchase_bu(dns_message_t *msg); #endif #if DIG_SIGCHASE_TD -isc_result_t initialization(dns_name_t *name); -isc_result_t prepare_lookup(dns_name_t *name); -isc_result_t grandfather_pb_test(dns_name_t * zone_name, +isc_result_t initialization(dns_name_t *name); +isc_result_t prepare_lookup(dns_name_t *name); +isc_result_t grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t *sigrdataset); -isc_result_t 
child_of_zone(dns_name_t *name, +isc_result_t child_of_zone(dns_name_t *name, dns_name_t *zone_name, dns_name_t *child_name); -void sigchase_td(dns_message_t *msg); +void sigchase_td(dns_message_t *msg); #endif char trustedkey[MXNAME] = ""; -dns_rdataset_t * chase_rdataset = NULL; -dns_rdataset_t * chase_sigrdataset = NULL; -dns_rdataset_t * chase_dsrdataset = NULL; -dns_rdataset_t * chase_sigdsrdataset = NULL; -dns_rdataset_t * chase_keyrdataset = NULL; -dns_rdataset_t * chase_sigkeyrdataset = NULL; -dns_rdataset_t * chase_nsrdataset = NULL; +dns_rdataset_t *chase_rdataset = NULL; +dns_rdataset_t *chase_sigrdataset = NULL; +dns_rdataset_t *chase_dsrdataset = NULL; +dns_rdataset_t *chase_sigdsrdataset = NULL; +dns_rdataset_t *chase_keyrdataset = NULL; +dns_rdataset_t *chase_sigkeyrdataset = NULL; +dns_rdataset_t *chase_nsrdataset = NULL; -dns_name_t chase_name; /* the query name */ +dns_name_t chase_name; /* the query name */ #if DIG_SIGCHASE_TD /* * the current name is the parent name when we follow delegation */ -dns_name_t chase_current_name; +dns_name_t chase_current_name; /* * the child name is used for delegation (NS DS responses in AUTHORITY section) */ -dns_name_t chase_authority_name; +dns_name_t chase_authority_name; #endif #if DIG_SIGCHASE_BU -dns_name_t chase_signame; +dns_name_t chase_signame; #endif @@ -274,7 +275,7 @@ dns_message_t * error_message = NULL; #endif isc_boolean_t dsvalidating = ISC_FALSE; -isc_boolean_t chase_name_dup = ISC_FALSE; +isc_boolean_t chase_name_dup = ISC_FALSE; ISC_LIST(dig_message_t) chase_message_list; ISC_LIST(dig_message_t) chase_message_list2; @@ -282,11 +283,11 @@ ISC_LIST(dig_message_t) chase_message_list2; #define MAX_TRUSTED_KEY 5 typedef struct struct_trusted_key_list { - dst_key_t * key[MAX_TRUSTED_KEY]; - int nb_tk; + dst_key_t * key[MAX_TRUSTED_KEY]; + int nb_tk; } struct_tk_list; -struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0}; +struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0}; #endif 
@@ -579,7 +580,7 @@ set_nameserver(char *opt) { return; result = bind9_getaddresses(opt, 0, sockaddrs, - DIG_MAX_ADDRESSES, &count); + DIG_MAX_ADDRESSES, &count); if (result != ISC_R_SUCCESS) fatal("couldn't get address for '%s': %s", opt, isc_result_totext(result)); @@ -688,13 +689,13 @@ make_empty_lookup(void) { #ifdef DIG_SIGCHASE looknew->sigchase = ISC_FALSE; #if DIG_SIGCHASE_TD - looknew->do_topdown = ISC_FALSE; + looknew->do_topdown = ISC_FALSE; looknew->trace_root_sigchase = ISC_FALSE; looknew->rdtype_sigchaseset = ISC_FALSE; looknew->rdtype_sigchase = dns_rdatatype_any; looknew->qrdtype_sigchase = dns_rdatatype_any; looknew->rdclass_sigchase = dns_rdataclass_in; - looknew->rdclass_sigchaseset = ISC_FALSE; + looknew->rdclass_sigchaseset = ISC_FALSE; #endif #endif looknew->udpsize = 0; @@ -763,9 +764,9 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { #ifdef DIG_SIGCHASE looknew->sigchase = lookold->sigchase; #if DIG_SIGCHASE_TD - looknew->do_topdown = lookold->do_topdown; + looknew->do_topdown = lookold->do_topdown; looknew->trace_root_sigchase = lookold->trace_root_sigchase; - looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset; + looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset; looknew->rdtype_sigchase = lookold->rdtype_sigchase; looknew->qrdtype_sigchase = lookold->qrdtype_sigchase; looknew->rdclass_sigchase = lookold->rdclass_sigchase; 
@@ -940,14 +941,17 @@ setup_system(void) { if (lwresult != LWRES_R_SUCCESS) fatal("lwres_context_create failed"); - (void)lwres_conf_parse(lwctx, RESOLV_CONF); + if (isc_file_exists(RESOLV_CONF)) + lwresult = lwres_conf_parse(lwctx, RESOLV_CONF); + if (lwresult != LWRES_R_SUCCESS) + fatal("parse of %s failed", RESOLV_CONF); + lwconf = lwres_conf_get(lwctx); /* Make the search list */ if (lwconf->searchnxt > 0) create_search_list(lwconf); - else { - /* No search list. Use the domain name if any */ + else { /* No search list. Use the domain name if any */ if (lwconf->domainname != NULL) { domain = make_searchlist_entry(lwconf->domainname); ISC_LIST_INITANDAPPEND(search_list, domain, link); @@ -955,8 +959,10 @@ setup_system(void) { } } - ndots = lwconf->ndots; - debug("ndots is %d.", ndots); + if (ndots == -1) { + ndots = lwconf->ndots; + debug("ndots is %d.", ndots); + } /* If we don't find a nameserver fall back to localhost */ if (lwconf->nsnext == 0) { @@ -981,15 +987,15 @@ setup_system(void) { setup_text_key(); #ifdef DIG_SIGCHASE /* Setup the list of messages for +sigchase */ - ISC_LIST_INIT(chase_message_list); - ISC_LIST_INIT(chase_message_list2); + ISC_LIST_INIT(chase_message_list); + ISC_LIST_INIT(chase_message_list2); dns_name_init(&chase_name, NULL); #if DIG_SIGCHASE_TD dns_name_init(&chase_current_name, NULL); dns_name_init(&chase_authority_name, NULL); #endif #if DIG_SIGCHASE_BU - dns_name_init(&chase_signame, NULL); + dns_name_init(&chase_signame, NULL); #endif #endif @@ -1206,8 +1212,7 @@ try_clear_lookup(dig_lookup_t *lookup) { if (debugging) { q = ISC_LIST_HEAD(lookup->q); while (q != NULL) { - debug("query to %s still pending", - q->servname); + debug("query to %s still pending", q->servname); q = ISC_LIST_NEXT(q, link); } return (ISC_FALSE); 
@@ -1220,8 +1225,7 @@ try_clear_lookup(dig_lookup_t *lookup) { debug("cleared"); s = ISC_LIST_HEAD(lookup->my_server_list); while (s != NULL) { - debug("freeing server %p belonging to %p", - s, lookup); + debug("freeing server %p belonging to %p", s, lookup); ptr = s; s = ISC_LIST_NEXT(s, link); ISC_LIST_DEQUEUE(lookup->my_server_list, @@ -1274,12 +1278,12 @@ start_lookup(void) { #if DIG_SIGCHASE_TD if (current_lookup->do_topdown && !current_lookup->rdtype_sigchaseset) { - dst_key_t * trustedkey = NULL; + dst_key_t *trustedkey = NULL; isc_buffer_t *b = NULL; isc_region_t r; isc_result_t result; dns_name_t query_name; - dns_name_t * key_name; + dns_name_t *key_name; int i; result = get_trusted_key(mctx); @@ -1292,9 +1296,9 @@ start_lookup(void) { dns_name_init(&query_name, NULL); nameFromString(current_lookup->textname, &query_name); - for (i = 0; i< tk_list.nb_tk; i++) { + for (i = 0; i < tk_list.nb_tk; i++) { key_name = dst_key_name(tk_list.key[i]); - + if (dns_name_issubdomain(&query_name, key_name) == ISC_TRUE) trustedkey = tk_list.key[i]; 
@@ -1309,35 +1313,32 @@ start_lookup(void) { printf(" isn't a subdomain of any Trusted Keys" ": +sigchase option is disable\n"); current_lookup->sigchase = ISC_FALSE; - dns_name_free(&query_name, mctx); + free_name(&query_name, mctx); goto novalidation; } - dns_name_free(&query_name, mctx); + free_name(&query_name, mctx); - current_lookup->rdtype_sigchase - = current_lookup->rdtype; + = current_lookup->rdtype; current_lookup->rdtype_sigchaseset - = current_lookup->rdtypeset; + = current_lookup->rdtypeset; current_lookup->rdtype = dns_rdatatype_ns; - - + current_lookup->qrdtype_sigchase = current_lookup->qrdtype; current_lookup->qrdtype = dns_rdatatype_ns; - + current_lookup->rdclass_sigchase = current_lookup->rdclass; current_lookup->rdclass_sigchaseset = current_lookup->rdclassset; current_lookup->rdclass = dns_rdataclass_in; - strlcpy(current_lookup->textnamesigchase, current_lookup->textname, MXNAME); current_lookup->trace_root_sigchase = ISC_TRUE; - + result = isc_buffer_allocate(mctx, &b, BUFSIZE); check_result(result, "isc_buffer_allocate"); result = dns_name_totext(dst_key_name(trustedkey), @@ -1462,6 +1463,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) lookup->ns_search_only = query->lookup->ns_search_only; lookup->trace_root = ISC_FALSE; + if (lookup->ns_search_only) + lookup->recurse = ISC_FALSE; } srv = make_server(namestr, namestr); debug("adding server %s", srv->servername); @@ -1632,9 +1635,9 @@ setup_lookup(dig_lookup_t *lookup) { /* XXX New search here? */ if ((count_dots(lookup->textname) >= ndots) || !usesearch) lookup->origin = NULL; /* Force abs lookup */ - else if (lookup->origin == NULL && lookup->new_search && usesearch) { + else if (lookup->origin == NULL && lookup->new_search && usesearch) lookup->origin = ISC_LIST_HEAD(search_list); - } + if (lookup->origin != NULL) { debug("trying origin %s", lookup->origin->origin); result = dns_message_gettempname(lookup->sendmsg, 
@@ -1918,21 +1921,17 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) { if (ISC_LIST_NEXT(query, link) != NULL) local_timeout = SERVER_TIMEOUT; else { - if (timeout == 0) { + if (timeout == 0) local_timeout = default_timeout; - } else + else local_timeout = timeout; } debug("have local timeout of %d", local_timeout); isc_interval_set(&l->interval, local_timeout, 0); if (l->timer != NULL) isc_timer_detach(&l->timer); - result = isc_timer_create(timermgr, - isc_timertype_once, - NULL, - &l->interval, - global_task, - connect_timeout, + result = isc_timer_create(timermgr, isc_timertype_once, NULL, + &l->interval, global_task, connect_timeout, l, &l->timer); check_result(result, "isc_timer_create"); } @@ -2025,8 +2024,7 @@ send_udp(dig_query_t *query) { l = query->lookup; bringup_timer(query, UDP_TIMEOUT); l->current_query = query; - debug("working on lookup %p, query %p", - query->lookup, query); + debug("working on lookup %p, query %p", query->lookup, query); if (!query->recv_made) { /* XXX Check the sense of this, need assertion? */ query->waiting_connect = ISC_FALSE; @@ -2052,12 +2050,9 @@ send_udp(dig_query_t *query) { ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link); debug("recving with lookup=%p, query=%p, sock=%p", - query->lookup, query, - query->sock); - result = isc_socket_recvv(query->sock, - &query->recvlist, 1, - global_task, recv_done, - query); + query->lookup, query, query->sock); + result = isc_socket_recvv(query->sock, &query->recvlist, 1, + global_task, recv_done, query); check_result(result, "isc_socket_recvv"); recvcount++; debug("recvcount=%d", recvcount); @@ -2093,7 +2088,7 @@ send_udp(dig_query_t *query) { */ static void connect_timeout(isc_task_t *task, isc_event_t *event) { - dig_lookup_t *l = NULL, *n; + dig_lookup_t *l = NULL; dig_query_t *query = NULL, *cq; UNUSED(task); 
@@ -2129,7 +2124,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { debug("making new TCP request, %d tries left", l->retries); l->retries--; - n = requeue_lookup(l, ISC_TRUE); + requeue_lookup(l, ISC_TRUE); cancel_lookup(l); check_next_lookup(l); } @@ -2216,8 +2211,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) { ENSURE(ISC_LIST_EMPTY(query->recvlist)); ISC_LINK_INIT(&query->recvbuf, link); ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link); - debug("recving with lookup=%p, query=%p", - query->lookup, query); + debug("recving with lookup=%p, query=%p", query->lookup, query); result = isc_socket_recvv(query->sock, &query->recvlist, length, task, recv_done, query); check_result(result, "isc_socket_recvv"); @@ -2335,8 +2329,7 @@ connect_done(isc_task_t *task, isc_event_t *event) { debug("unsuccessful connection: %s", isc_result_totext(sevent->result)); - isc_sockaddr_format(&query->sockaddr, sockstr, - sizeof(sockstr)); + isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr)); if (sevent->result != ISC_R_CANCELED) printf(";; Connection to %s(%s) for %s failed: " "%s.\n", sockstr, @@ -2426,8 +2419,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg, if ((!query->first_soa_rcvd) && (rdata.type != dns_rdatatype_soa)) { puts("; Transfer failed. " - "Didn't start with " - "SOA answer."); + "Didn't start with SOA answer."); return (ISC_TRUE); } if ((!query->second_rr_rcvd) && @@ -2604,7 +2596,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { char buf2[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_t any; - if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) + if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) isc_sockaddr_any(&any); else isc_sockaddr_any6(&any); 
@@ -2625,7 +2617,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { else #endif /* - * We don't expect a match above when the packet is + * We don't expect a match above when the packet is * sent to 0.0.0.0, :: or to a multicast addresses. * XXXMPA broadcast needs to be handled here as well. */ @@ -2839,9 +2831,6 @@ recv_done(isc_task_t *task, isc_event_t *event) { } if (!l->doing_xfr || l->xfr_q == query) { -#ifdef DIG_SIGCHASE - int count = 0; -#endif if (msg->rcode != dns_rcode_noerror && l->origin != NULL) { if (!next_origin(msg, query)) { printmessage(query, msg, ISC_TRUE); @@ -2854,11 +2843,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { printmessage(query, msg, ISC_TRUE); } else if (l->trace) { int n = 0; -#ifdef DIG_SIGCHASE - count = msg->counts[DNS_SECTION_ANSWER]; -#else int count = msg->counts[DNS_SECTION_ANSWER]; -#endif debug("in TRACE code"); if (!l->ns_search_only) @@ -2881,7 +2866,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (l->trace_root) { /* - * This is the initial NS query. + * This is the initial NS query. */ int n; @@ -2896,9 +2881,9 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (!do_sigchase) #endif printmessage(query, msg, ISC_TRUE); - } + } #ifdef DIG_SIGCHASE - if ( do_sigchase) { + if (do_sigchase) { chase_msg = isc_mem_allocate(mctx, sizeof(dig_message_t)); if (chase_msg == NULL) { @@ -2912,16 +2897,16 @@ recv_done(isc_task_t *task, isc_event_t *event) { fatal("dns_message_create in %s:%d", __FILE__, __LINE__); } - + isc_buffer_usedregion(b, &r); result = isc_buffer_allocate(mctx, &buf, r.length); - + check_result(result, "isc_buffer_allocate"); result = isc_buffer_copyregion(buf, &r); check_result(result, "isc_buffer_copyregion"); - + result = dns_message_parse(msg_temp, buf, 0); - + isc_buffer_free(&buf); chase_msg->msg = msg_temp; 
@@ -2938,9 +2923,9 @@ recv_done(isc_task_t *task, isc_event_t *event) { #endif } - + #ifdef DIG_SIGCHASE - if (l->sigchase && ISC_LIST_EMPTY(lookup_list) ) { + if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) { sigchase(msg_temp); } #endif @@ -3097,7 +3082,7 @@ cancel_all(void) { */ void destroy_libs(void) { -#ifdef DIG_SIGCHASE +#ifdef DIG_SIGCHASE void * ptr; dig_message_t *chase_msg; #endif @@ -3167,7 +3152,7 @@ destroy_libs(void) { debug("Destroy the messages kept for sigchase"); /* Destroy the messages kept for sigchase */ - chase_msg = ISC_LIST_HEAD(chase_message_list); + chase_msg = ISC_LIST_HEAD(chase_message_list); while (chase_msg != NULL) { INSIST(chase_msg->msg != NULL); @@ -3187,16 +3172,16 @@ destroy_libs(void) { isc_mem_free(mctx, ptr); } if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); + free_name(&chase_name, mctx); #if DIG_SIGCHASE_TD if (dns_name_dynamic(&chase_current_name)) - dns_name_free(&chase_current_name, mctx); + free_name(&chase_current_name, mctx); if (dns_name_dynamic(&chase_authority_name)) - dns_name_free(&chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); #endif #if DIG_SIGCHASE_BU if (dns_name_dynamic(&chase_signame)) - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); #endif debug("Destroy memory"); @@ -3208,7 +3193,7 @@ destroy_libs(void) { isc_mem_destroy(&mctx); } - + #ifdef DIG_SIGCHASE 
@@ -3218,32 +3203,31 @@ print_type(dns_rdatatype_t type) isc_buffer_t * b = NULL; isc_result_t result; isc_region_t r; - + result = isc_buffer_allocate(mctx, &b, 4000); check_result(result, "isc_buffer_allocate"); result = dns_rdatatype_totext(type, b); check_result(result, "print_type"); - + isc_buffer_usedregion(b, &r); r.base[r.length] = '\0'; - + printf("%s", r.base); isc_buffer_free(&b); } - void -dump_database_section( dns_message_t *msg, int section) +dump_database_section(dns_message_t *msg, int section) { dns_name_t *msg_name=NULL; - + dns_rdataset_t *rdataset; do { dns_message_currentname(msg, section, &msg_name); - + for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { dns_name_print(msg_name, stdout); @@ -3252,35 +3236,32 @@ dump_database_section( dns_message_t *msg, int section) printf("end\n"); } msg_name = NULL; - } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); + } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS); } - -void dump_database(void) -{ +void +dump_database(void) { dig_message_t * msg; for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL; msg = ISC_LIST_NEXT(msg, link)) { if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_ANSWER); - + if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_AUTHORITY); if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL); } } -dns_rdataset_t * search_type(dns_name_t *name, - dns_rdatatype_t type, - dns_rdatatype_t covers) -{ +dns_rdataset_t * +search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) { dns_rdataset_t *rdataset; dns_rdata_sig_t siginfo; dns_rdata_t sigrdata; 
@@ -3290,10 +3271,9 @@ dns_rdataset_t * search_type(dns_name_t *name, rdataset = ISC_LIST_NEXT(rdataset, link)) { if (type == dns_rdatatype_any) { if (rdataset->type != dns_rdatatype_rrsig) - return rdataset; - } - else if ((type == dns_rdatatype_rrsig) && - (rdataset->type == dns_rdatatype_rrsig)) { + return (rdataset); + } else if ((type == dns_rdatatype_rrsig) && + (rdataset->type == dns_rdatatype_rrsig)) { dns_rdata_init(&sigrdata); result = dns_rdataset_first(rdataset); check_result(result, "empty rdataset"); @@ -3305,38 +3285,35 @@ dns_rdataset_t * search_type(dns_name_t *name, (covers == dns_rdatatype_any)) { dns_rdata_reset(&sigrdata); dns_rdata_freestruct(&siginfo); - return rdataset; + return (rdataset); } dns_rdata_reset(&sigrdata); dns_rdata_freestruct(&siginfo); - } - else if (rdataset->type == type) - return rdataset; + } else if (rdataset->type == type) + return (rdataset); } - return NULL; + return (NULL); } dns_rdataset_t * -chase_scanname_section(dns_message_t *msg, - dns_name_t *name, - dns_rdatatype_t type, - dns_rdatatype_t covers, +chase_scanname_section(dns_message_t *msg, dns_name_t *name, + dns_rdatatype_t type, dns_rdatatype_t covers, int section) { dns_rdataset_t *rdataset; dns_name_t *msg_name = NULL; - + do { dns_message_currentname(msg, section, &msg_name); if (dns_name_compare(msg_name, name) == 0) { rdataset = search_type(msg_name, type, covers); - if ( rdataset != NULL) - return rdataset; + if (rdataset != NULL) + return (rdataset); } msg_name = NULL; - } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); - - return(NULL); + } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS); + + return (NULL); } @@ -3345,7 +3322,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) { dns_rdataset_t *rdataset = NULL; dig_message_t * msg; - + for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL; msg = ISC_LIST_NEXT(msg, link)) { if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) 
@@ -3354,7 +3331,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) type, covers, DNS_SECTION_ANSWER); if (rdataset != NULL) - return rdataset; + return (rdataset); if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) == ISC_R_SUCCESS) rdataset = @@ -3362,7 +3339,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) type, covers, DNS_SECTION_AUTHORITY); if (rdataset != NULL) - return rdataset; + return (rdataset); if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) == ISC_R_SUCCESS) rdataset = @@ -3370,16 +3347,15 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) covers, DNS_SECTION_ADDITIONAL); if (rdataset != NULL) - return rdataset; + return (rdataset); } - return NULL; + return (NULL); } dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, - isc_boolean_t * lookedup, - dns_name_t *rdata_name ) + isc_boolean_t * lookedup, dns_name_t *rdata_name) { dig_lookup_t *lookup; isc_buffer_t *b = NULL; @@ -3388,18 +3364,17 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, dns_rdataset_t * temp; dns_rdatatype_t querytype; - if ((temp=chase_scanname(rdata_name, type, covers))!=NULL) { - return(temp); - } + temp = chase_scanname(rdata_name, type, covers); + if (temp != NULL) + return (temp); - if (*lookedup == ISC_TRUE) { - return(NULL); - } + if (*lookedup == ISC_TRUE) + return (NULL); lookup = clone_lookup(current_lookup, ISC_TRUE); lookup->trace_root = ISC_FALSE; lookup->new_search = ISC_TRUE; - + result = isc_buffer_allocate(mctx, &b, BUFSIZE); check_result(result, "isc_buffer_allocate"); result = dns_name_totext(rdata_name, ISC_FALSE, b); 
@@ -3413,9 +3388,10 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, querytype = covers; else querytype = type; + if (querytype == 0 || querytype == 255) { printf("Error in the queried type: %d\n", querytype); - return(NULL); + return (NULL); } lookup->rdtype = querytype; @@ -3427,11 +3403,11 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, printf("\n\nLaunch a query to find a RRset of type "); print_type(type); printf(" for zone: %s\n", lookup->textname); - return(NULL); + return (NULL); } void -insert_trustedkey(dst_key_t * key) +insert_trustedkey(dst_key_t * key) { if (key == NULL) return; @@ -3439,7 +3415,7 @@ insert_trustedkey(dst_key_t * key) return; tk_list.key[tk_list.nb_tk++] = key; - return; + return; } void @@ -3451,8 +3427,7 @@ clean_trustedkey() if (tk_list.key[i] != NULL) { dst_key_free(&tk_list.key[i]); tk_list.key[i] = NULL; - } - else + } else break; } tk_list.nb_tk = 0; @@ -3463,14 +3438,14 @@ char alphnum[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; isc_result_t -removetmpkey(isc_mem_t *mctx, const char *file) +removetmpkey(isc_mem_t *mctx, const char *file) { char *tempnamekey = NULL; int tempnamekeylen; isc_result_t result; - + tempnamekeylen = strlen(file)+10; - + tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); if (tempnamekey == NULL) return (ISC_R_NOMEMORY); @@ -3479,20 +3454,21 @@ removetmpkey(isc_mem_t *mctx, const char *file) strlcat(tempnamekey, file, tempnamekeylen); strlcat(tempnamekey,".key", tempnamekeylen); + isc_file_remove(tempnamekey); result = isc_file_remove(tempnamekey); isc_mem_free(mctx, tempnamekey); - return(result); + return (result); } isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { - FILE *f = NULL; - isc_result_t result; - char *tempname = NULL; + FILE *f = NULL; + isc_result_t result; + char *tempname = NULL; char *tempnamekey = NULL; - int tempnamelen; + int tempnamelen; int tempnamekeylen; char *x; char *cp; 
@@ -3516,14 +3492,14 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { isc_mem_free(mctx, tempname); return (ISC_R_FAILURE); } - + x = cp--; while (cp >= tempname && *cp == 'X') { isc_random_get(&which); *cp = alphnum[which % (sizeof(alphnum) - 1)]; x = cp--; } - + tempnamekeylen = tempnamelen+5; tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); if (tempnamekey == NULL) @@ -3533,7 +3509,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { strlcpy(tempnamekey, tempname, tempnamelen); strlcat(tempnamekey ,".key", tempnamelen); - + if (isc_file_exists(tempnamekey)) { isc_mem_free(mctx, tempnamekey); isc_mem_free(mctx, tempname); @@ -3543,19 +3519,19 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { if ((f = fopen(tempnamekey, "w")) == NULL) { printf("get_trusted_key(): trusted key not found %s\n", tempnamekey); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } break; } isc_mem_free(mctx, tempnamekey); - *tempp = tempname; - *fp = f; - return (ISC_R_SUCCESS); + *tempp = tempname; + *fp = f; + return (ISC_R_SUCCESS); cleanup: - isc_mem_free(mctx, tempname); + isc_mem_free(mctx, tempname); - return (result); + return (result); } 
@@ -3563,57 +3539,55 @@ isc_result_t get_trusted_key(isc_mem_t *mctx) { isc_result_t result; - const char * filename = NULL; - char * filetemp =NULL; + const char *filename = NULL; + char *filetemp = NULL; char buf[1500]; - FILE *fp , *fptemp; - dst_key_t * key = NULL; - - result = isc_file_exists(trustedkey); + FILE *fp, *fptemp; + dst_key_t *key = NULL; + + result = isc_file_exists(trustedkey); if (result != ISC_TRUE) { - result = isc_file_exists("/etc/trusted-key.key"); + result = isc_file_exists("/etc/trusted-key.key"); if (result != ISC_TRUE) { - result = isc_file_exists("./trusted-key.key"); + result = isc_file_exists("./trusted-key.key"); if (result != ISC_TRUE) - return ISC_R_FAILURE; + return (ISC_R_FAILURE); else filename = "./trusted-key.key"; - } - else + } else filename = "/etc/trusted-key.key"; - } - else + } else filename = trustedkey; if (filename == NULL) { printf("No trusted key\n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } if ((fp = fopen(filename, "r")) == NULL) { printf("get_trusted_key(): trusted key not found %s\n", filename); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } while (fgets(buf, 1500, fp) != NULL) { result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp); if (result != ISC_R_SUCCESS) { fclose(fp); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } - if (fputs(buf, fptemp)<0) { + if (fputs(buf, fptemp) < 0) { fclose(fp); fclose(fptemp); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } fclose(fptemp); result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC, mctx, &key); removetmpkey(mctx, filetemp); isc_mem_free(mctx, filetemp); - if (result != ISC_R_SUCCESS ) { + if (result != ISC_R_SUCCESS) { fclose(fp); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } insert_trustedkey(key); #if 0 @@ -3621,7 +3595,7 @@ get_trusted_key(isc_mem_t *mctx) #endif key = NULL; } - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } 
@@ -3644,19 +3618,19 @@ nameFromString(const char *str, dns_name_t *p_ret) { check_result(result, "nameFromString"); if (dns_name_dynamic(p_ret)) - dns_name_free(p_ret, mctx); - + free_name(p_ret, mctx); + result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret); check_result(result, "nameFromString"); -} +} #if DIG_SIGCHASE_TD -isc_result_t +isc_result_t prepare_lookup(dns_name_t *name) { - isc_result_t result; - dig_lookup_t * lookup = NULL; + isc_result_t result; + dig_lookup_t *lookup = NULL; dig_server_t *s; void *ptr; @@ -3670,7 +3644,7 @@ prepare_lookup(dns_name_t *name) lookup->rdtype = lookup->rdtype_sigchase; lookup->rdtypeset = ISC_TRUE; lookup->qrdtype = lookup->qrdtype_sigchase; - + s = ISC_LIST_HEAD(lookup->my_server_list); while (s != NULL) { debug("freeing server %p belonging to %p", @@ -3681,7 +3655,7 @@ prepare_lookup(dns_name_t *name) (dig_server_t *)ptr, link); isc_mem_free(mctx, ptr); } - + for (result = dns_rdataset_first(chase_nsrdataset); result == ISC_R_SUCCESS; @@ -3690,13 +3664,13 @@ prepare_lookup(dns_name_t *name) dns_rdata_ns_t ns; dns_rdata_t rdata = DNS_RDATA_INIT; dig_server_t * srv = NULL; -#define __FOLLOW_GLUE__ +#define __FOLLOW_GLUE__ #ifdef __FOLLOW_GLUE__ - isc_buffer_t * b = NULL; + isc_buffer_t *b = NULL; isc_result_t result; isc_region_t r; - dns_rdataset_t * rdataset =NULL; - isc_boolean_t true = ISC_TRUE; + dns_rdataset_t *rdataset = NULL; + isc_boolean_t true = ISC_TRUE; #endif memset(namestr, 0, DNS_NAME_FORMATSIZE); @@ -3704,11 +3678,11 @@ prepare_lookup(dns_name_t *name) dns_rdataset_current(chase_nsrdataset, &rdata); (void)dns_rdata_tostruct(&rdata, &ns, NULL); - - - + + + #ifdef __FOLLOW_GLUE__ - + result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_aaaa, dns_rdatatype_any, &true); 
@@ -3732,12 +3706,12 @@ prepare_lookup(dns_name_t *name) srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } } - + rdataset = NULL; result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a, dns_rdatatype_any, &true); @@ -3759,28 +3733,28 @@ prepare_lookup(dns_name_t *name) isc_buffer_free(&b); dns_rdata_reset(&a); printf("ns name: %s\n", namestr); - + srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } } #else - + dns_name_format(&ns.name, namestr, sizeof(namestr)); printf("ns name: "); dns_name_print(&ns.name, stdout); printf("\n"); srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); -#endif +#endif dns_rdata_freestruct(&ns); dns_rdata_reset(&rdata); - + } ISC_LIST_APPEND(lookup_list, lookup, link); @@ -3790,7 +3764,7 @@ prepare_lookup(dns_name_t *name) printf(" with nameservers:"); printf("\n"); print_rdataset(name, chase_nsrdataset, mctx); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } @@ -3803,15 +3777,14 @@ child_of_zone(dns_name_t * name, dns_name_t * zone_name, unsigned int nlabelsp; name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp); - if ( (name_reln != dns_namereln_subdomain) || - (dns_name_countlabels(name) <= - dns_name_countlabels(zone_name) +1)) { + if (name_reln != dns_namereln_subdomain || + dns_name_countlabels(name) <= dns_name_countlabels(zone_name) + 1) { printf("\n;; ERROR : "); dns_name_print(name, stdout); printf(" is not a subdomain of: "); dns_name_print(zone_name, stdout); printf(" FAILED\n\n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } dns_name_getlabelsequence(name, 
@@ -3819,11 +3792,11 @@ child_of_zone(dns_name_t * name, dns_name_t * zone_name, dns_name_countlabels(zone_name) -1, dns_name_countlabels(zone_name) +1, child_name); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } isc_result_t -grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t * sigrdataset) +grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_rdata_t sigrdata; @@ -3832,31 +3805,31 @@ grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t * sigrdataset) result = dns_rdataset_first(sigrdataset); check_result(result, "empty RRSIG dataset"); dns_rdata_init(&sigrdata); - + do { dns_rdataset_current(sigrdataset, &sigrdata); - + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); - + if (dns_name_compare(&siginfo.signer, zone_name) == 0) { dns_rdata_freestruct(&siginfo); dns_rdata_reset(&sigrdata); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } dns_rdata_freestruct(&siginfo); - + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&sigrdata); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } isc_result_t -initialization(dns_name_t * name) +initialization(dns_name_t *name) { isc_result_t result; isc_boolean_t true = ISC_TRUE; @@ -3867,21 +3840,21 @@ initialization(dns_name_t * name) if (result != ISC_R_SUCCESS) { printf("\n;; NS RRset is missing to continue validation:" " FAILED\n\n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } INSIST(chase_nsrdataset != NULL); prepare_lookup(name); dup_name(name, &chase_current_name, mctx); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } -#endif +#endif void -print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx) +print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx) { - isc_buffer_t * b = NULL; + isc_buffer_t *b = NULL; isc_result_t result; isc_region_t r; 
@@ -3900,16 +3873,22 @@ print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx) } -void +void dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) { - isc_result_t result; - + isc_result_t result; + if (dns_name_dynamic(target)) - dns_name_free(target, mctx); + free_name(target, mctx); result = dns_name_dup(source, mctx, target); check_result(result, "dns_name_dup"); } +void +free_name(dns_name_t *name, isc_mem_t *mctx) { + dns_name_free(name, mctx); + dns_name_init(name, NULL); +} + /* * * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter @@ -3927,13 +3906,12 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, { isc_result_t result; dns_rdata_t rdata; - dst_key_t * trustedKey = NULL; - dst_key_t * dnsseckey = NULL; + dst_key_t *trustedKey = NULL; + dst_key_t *dnsseckey = NULL; int i; - - if (name == NULL || rdataset == NULL) { - return ISC_R_FAILURE; - } + + if (name == NULL || rdataset == NULL) + return (ISC_R_FAILURE); result = dns_rdataset_first(rdataset); check_result(result, "empty rdataset"); @@ -3942,13 +3920,13 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(rdataset, &rdata); INSIST(rdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); - - for (i = 0; i< tk_list.nb_tk; i++) { + + for (i = 0; i < tk_list.nb_tk; i++) { if (dst_key_compare(tk_list.key[i], dnsseckey) == ISC_TRUE) { dns_rdata_reset(&rdata); @@ -3963,11 +3941,11 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, == ISC_R_SUCCESS) { dst_key_free(&dnsseckey); dnsseckey = NULL; - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } } } - + dns_rdata_reset(&rdata); if (dnsseckey != NULL) dst_key_free(&dnsseckey); 
@@ -3976,8 +3954,8 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, if (trustedKey != NULL) dst_key_free(&trustedKey); trustedKey = NULL; - - return ISC_R_NOTFOUND; + + return (ISC_R_NOTFOUND); } isc_result_t @@ -3988,7 +3966,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, { isc_result_t result; dns_rdata_t keyrdata; - dst_key_t * dnsseckey = NULL; + dst_key_t *dnsseckey = NULL; result = dns_rdataset_first(keyrdataset); check_result(result, "empty DNSKEY dataset"); @@ -3997,7 +3975,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); @@ -4007,20 +3985,20 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, if (result == ISC_R_SUCCESS) { dns_rdata_reset(&keyrdata); dst_key_free(&dnsseckey); - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } dst_key_free(&dnsseckey); } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); - + dns_rdata_reset(&keyrdata); - - return ISC_R_NOTFOUND; + + return (ISC_R_NOTFOUND); } isc_result_t sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, - dst_key_t* dnsseckey, - dns_rdataset_t *sigrdataset, isc_mem_t *mctx) + dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset, + isc_mem_t *mctx) { isc_result_t result; dns_rdata_t sigrdata; 
@@ -4029,22 +4007,22 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, result = dns_rdataset_first(sigrdataset); check_result(result, "empty RRSIG dataset"); dns_rdata_init(&sigrdata); - + do { dns_rdataset_current(sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); - + /* * Test if the id of the DNSKEY is * the id of the DNSKEY signer's */ if (siginfo.keyid == dst_key_id(dnsseckey)) { - + result = dns_rdataset_first(rdataset); check_result(result, "empty DS dataset"); - + result = dns_dnssec_verify(name, rdataset, dnsseckey, ISC_FALSE, mctx, &sigrdata); @@ -4054,19 +4032,19 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, dns_name_print(name, stdout); printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey), isc_result_totext(result)); - + if (result == ISC_R_SUCCESS) { dns_rdata_reset(&sigrdata); - return result; + return (result); } } dns_rdata_freestruct(&siginfo); - + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&sigrdata); - return ISC_R_NOTFOUND; + return (ISC_R_NOTFOUND); } @@ -4079,7 +4057,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_t newdsrdata; dns_rdata_t dsrdata; dns_rdata_ds_t dsinfo; - dst_key_t* dnsseckey = NULL; + dst_key_t *dnsseckey = NULL; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; result = dns_rdataset_first(dsrdataset); 
@@ -4087,18 +4065,18 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_init(&dsrdata); do { dns_rdataset_current(dsrdataset, &dsrdata); - + result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL); check_result(result, "dns_rdata_tostruct for DS"); - + result = dns_rdataset_first(keyrdataset); check_result(result, "empty KEY dataset"); - dns_rdata_init(&keyrdata); + dns_rdata_init(&keyrdata); do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); @@ -4113,17 +4091,17 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, result = dns_ds_buildrdata(name, &keyrdata, dsinfo.digest_type, dsbuf, &newdsrdata); - dns_rdata_freestruct(&dsinfo); + dns_rdata_freestruct(&dsinfo); if (result != ISC_R_SUCCESS) { dns_rdata_reset(&keyrdata); dns_rdata_reset(&newdsrdata); dns_rdata_reset(&dsrdata); dst_key_free(&dnsseckey); - dns_rdata_freestruct(&dsinfo); + dns_rdata_freestruct(&dsinfo); printf("Oops: impossible to build" " new DS rdata\n"); - return result; + return (result); } @@ -4134,7 +4112,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, printf(";; Now verify that this" " DNSKEY validates the " "DNSKEY RRset\n"); - + result = sigchase_verify_sig_key(name, keyrdataset, dnsseckey, @@ -4145,11 +4123,10 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_reset(&newdsrdata); dns_rdata_reset(&dsrdata); dst_key_free(&dnsseckey); - - return result; + + return (result); } - } - else { + } else { printf(";; This DS is NOT the DS for" " the chasing KEY: FAILED\n"); } 
@@ -4160,13 +4137,13 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dnsseckey = NULL; } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&keyrdata); - + } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS); #if 0 dns_rdata_reset(&dsrdata); WARNING #endif - - return ISC_R_NOTFOUND; + + return (ISC_R_NOTFOUND); } /* @@ -4178,20 +4155,19 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, * ISC_R_SUCCESS: if we found the rrset * ISC_R_NOTFOUND: we do not found the rrset in cache * and we do a query on the net - * ISC_R_FAILURE: rrset not found + * ISC_R_FAILURE: rrset not found */ isc_result_t -advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name, - dns_rdatatype_t type, - dns_rdatatype_t covers, +advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name, + dns_rdatatype_t type, dns_rdatatype_t covers, isc_boolean_t *lookedup) -{ +{ isc_boolean_t tmplookedup; INSIST(rdataset != NULL); if (*rdataset != NULL) - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); tmplookedup = *lookedup; if ((*rdataset = sigchase_scanname(type, covers, @@ -4201,20 +4177,19 @@ advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name, return (ISC_R_NOTFOUND); } *lookedup = ISC_FALSE; - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } #if DIG_SIGCHASE_TD void -sigchase_td(dns_message_t * msg) +sigchase_td(dns_message_t *msg) { - isc_result_t result; - dns_name_t * name = NULL; - isc_boolean_t have_answer = ISC_FALSE; - - isc_boolean_t true = ISC_TRUE; + isc_result_t result; + dns_name_t *name = NULL; + isc_boolean_t have_answer = ISC_FALSE; + isc_boolean_t true = ISC_TRUE; if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) == ISC_R_SUCCESS) { @@ -4224,8 +4199,7 @@ sigchase_td(dns_message_t * msg) return; } have_answer = true; - } - else { + } else { if (!current_lookup->trace_root_sigchase) { result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY); 
@@ -4245,8 +4219,7 @@ sigchase_td(dns_message_t * msg) " in authority section:"); dns_name_print(name, stdout); printf("\n"); - } - else { + } else { printf("no response and no delegation in " "authority section but a reference" " to: "); @@ -4254,17 +4227,16 @@ sigchase_td(dns_message_t * msg) printf("\n"); error_message = msg; } - } - else { + } else { printf(";; NO ANSWERS: %s\n", isc_result_totext(result)); - dns_name_free(&chase_name, mctx); + free_name(&chase_name, mctx); clean_trustedkey(); return; } } - + if (have_answer) { chase_rdataset = chase_scanname_section(msg, &chase_name, @@ -4316,8 +4288,7 @@ sigchase_td(dns_message_t * msg) chase_keyrdataset, chase_sigkeyrdataset, mctx); - } - else { + } else { INSIST(chase_dsrdataset != NULL); INSIST(chase_sigdsrdataset != NULL); result = sigchase_verify_ds(&chase_current_name, @@ -4325,13 +4296,12 @@ sigchase_td(dns_message_t * msg) chase_dsrdataset, mctx); } - + if (result != ISC_R_SUCCESS) { printf("\n;; chain of trust can't be validated:" " FAILED\n\n"); goto cleanandgo; - } - else { + } else { chase_dsrdataset = NULL; chase_sigdsrdataset = NULL; } @@ -4353,9 +4323,8 @@ sigchase_td(dns_message_t * msg) " FAILED\n\n"); goto cleanandgo; } - - } - else { + + } else { result = advanced_rrsearch(&chase_sigrdataset, &chase_authority_name, dns_rdatatype_rrsig, @@ -4379,20 +4348,19 @@ sigchase_td(dns_message_t * msg) chase_sigrdataset = NULL; have_response = ISC_FALSE; have_delegation_ns = ISC_FALSE; - + dns_name_init(&tmp_name, NULL); result = child_of_zone(&chase_name, &chase_current_name, &tmp_name); if (dns_name_dynamic(&chase_authority_name)) - dns_name_free( &chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); dup_name(&tmp_name, &chase_authority_name, mctx); printf(";; and we try to continue chain of trust" " validation of the zone: "); dns_name_print(&chase_authority_name, stdout); printf("\n"); have_delegation_ns = ISC_TRUE; - } - else { + } else { if (have_response) goto finalstep; else 
@@ -4416,7 +4384,7 @@ sigchase_td(dns_message_t * msg) return; } INSIST(chase_nsrdataset != NULL); - + result = advanced_rrsearch(&chase_dsrdataset, &chase_authority_name, dns_rdatatype_ds, @@ -4459,8 +4427,8 @@ sigchase_td(dns_message_t * msg) } chase_keyrdataset = NULL; chase_sigkeyrdataset = NULL; - - + + prepare_lookup(&chase_authority_name); have_response = ISC_FALSE; @@ -4468,24 +4436,24 @@ sigchase_td(dns_message_t * msg) delegation_follow = ISC_TRUE; error_message = NULL; dup_name(&chase_authority_name, &chase_current_name, mctx); - dns_name_free(&chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); return; } - + if (error_message != NULL) { - dns_rdataset_t * rdataset; - dns_rdataset_t * sigrdataset; - dns_name_t rdata_name; - isc_result_t ret = ISC_R_FAILURE; + dns_rdataset_t *rdataset; + dns_rdataset_t *sigrdataset; + dns_name_t rdata_name; + isc_result_t ret = ISC_R_FAILURE; dns_name_init(&rdata_name, NULL); result = prove_nx(error_message, &chase_name, current_lookup->rdclass_sigchase, current_lookup->rdtype_sigchase, &rdata_name, &rdataset, &sigrdataset); - if (&rdata_name == NULL || rdataset == NULL || - sigrdataset == NULL) { + if (rdataset == NULL || sigrdataset == NULL || + dns_name_countlabels(&rdata_name) == 0) { printf("\n;; Impossible to verify the non-existence," " the NSEC RRset can't be validated:" " FAILED\n\n"); 
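Review bot: replacing `&rdata_name == NULL` (always false for the address of a local) with `dns_name_countlabels(&rdata_name) == 0` is the right fix, but the check still reads `rdataset` and `sigrdataset` which are declared in this hunk without an initializer, and `prove_nx()` returns `ISC_R_FAILURE` from its "nothing in authority section" path without ever storing through `*rdataset`/`*sigrdataset`. On that path the NULL test operates on garbage. Suggest `dns_rdataset_t *rdataset = NULL; dns_rdataset_t *sigrdataset = NULL;` here, and the same in the sigchase_bu hunk below, which has the identical declarations and only adds the `dns_name_init(&rdata_name, NULL)` that the new label-count test needs.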
@@ -4495,18 +4463,17 @@ sigchase_td(dns_message_t * msg) chase_keyrdataset, sigrdataset, mctx); if (ret != ISC_R_SUCCESS) { - dns_name_free(&rdata_name, mctx); + free_name(&rdata_name, mctx); printf("\n;; Impossible to verify the NSEC RR to prove" " the non-existence : FAILED\n\n"); goto cleanandgo; } - dns_name_free(&rdata_name, mctx); + free_name(&rdata_name, mctx); if (result != ISC_R_SUCCESS) { printf("\n;; Impossible to verify the non-existence:" " FAILED\n\n"); goto cleanandgo; - } - else { + } else { printf("\n;; OK the query doesn't have response but" " we have validate this fact : SUCCESS\n\n"); goto cleanandgo; @@ -4516,9 +4483,9 @@ sigchase_td(dns_message_t * msg) cleanandgo: printf(";; cleanandgo \n"); if (dns_name_dynamic(&chase_current_name)) - dns_name_free(&chase_current_name, mctx); + free_name(&chase_current_name, mctx); if (dns_name_dynamic(&chase_authority_name)) - dns_name_free(&chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); clean_trustedkey(); return; @@ -4547,8 +4514,7 @@ sigchase_td(dns_message_t * msg) printf("\n"); */ goto cleanandgo; - } - else { + } else { printf("\n;; The Answer:\n"); print_rdataset(&chase_name , chase_rdataset, mctx); @@ -4558,7 +4524,7 @@ sigchase_td(dns_message_t * msg) } } -#endif +#endif #if DIG_SIGCHASE_BU @@ -4575,12 +4541,10 @@ getneededrr(dns_message_t *msg) if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) != ISC_R_SUCCESS) { printf(";; NO ANSWERS: %s\n", isc_result_totext(result)); - - if (chase_name.ndata == NULL) { - return ISC_R_ADDRNOTAVAIL; - } - } - else { + + if (chase_name.ndata == NULL) + return (ISC_R_ADDRNOTAVAIL); + } else { dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); } @@ -4591,7 +4555,7 @@ getneededrr(dns_message_t *msg) dns_rdatatype_any, &true); if (result != ISC_R_SUCCESS) { printf("\n;; No Answers: Validation FAILED\n\n"); - return ISC_R_NOTFOUND; + return (ISC_R_NOTFOUND); } dup_name(name, &chase_name, mctx); printf(";; RRset to chase:\n"); 
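Review bot: the `cleanandgo:` label in this hunk still prints `";; cleanandgo \n"`, which looks like a leftover debug trace rather than user-facing output, and the success message two lines above it reads "we have validate this fact"; since the hunk is already touching these lines for brace style, this is a cheap moment to drop the trace and fix the grammar ("we have validated this fact").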
@@ -4609,18 +4573,18 @@ getneededrr(dns_message_t *msg) printf("\n;; RRSIG is missing for continue validation:" " FAILED\n\n"); if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); - return ISC_R_NOTFOUND; + free_name(&chase_name, mctx); + return (ISC_R_NOTFOUND); } if (result == ISC_R_NOTFOUND) { - return(ISC_R_NOTFOUND); + return (ISC_R_NOTFOUND); } printf("\n;; RRSIG of the RRset to chase:\n"); print_rdataset(&chase_name, chase_sigrdataset, mctx); } INSIST(chase_sigrdataset != NULL); - + /* first find the DNSKEY name */ result = dns_rdataset_first(chase_sigrdataset); check_result(result, "empty RRSIG dataset"); @@ -4631,7 +4595,7 @@ getneededrr(dns_message_t *msg) dup_name(&siginfo.signer, &chase_signame, mctx); dns_rdata_freestruct(&siginfo); dns_rdata_reset(&sigrdata); - + /* Do we have a key? */ if (chase_keyrdataset == NULL) { result = advanced_rrsearch(&chase_keyrdataset, @@ -4642,14 +4606,14 @@ getneededrr(dns_message_t *msg) if (result == ISC_R_FAILURE) { printf("\n;; DNSKEY is missing to continue validation:" " FAILED\n\n"); - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); - return ISC_R_NOTFOUND; + free_name(&chase_name, mctx); + return (ISC_R_NOTFOUND); } if (result == ISC_R_NOTFOUND) { - dns_name_free(&chase_signame, mctx); - return(ISC_R_NOTFOUND); + free_name(&chase_signame, mctx); + return (ISC_R_NOTFOUND); } printf("\n;; DNSKEYset that signs the RRset to chase:\n"); print_rdataset(&chase_signame, chase_keyrdataset, mctx); 
@@ -4665,14 +4629,14 @@ getneededrr(dns_message_t *msg) if (result == ISC_R_FAILURE) { printf("\n;; RRSIG for DNSKEY is missing to continue" " validation : FAILED\n\n"); - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); - return ISC_R_NOTFOUND; + free_name(&chase_name, mctx); + return (ISC_R_NOTFOUND); } if (result == ISC_R_NOTFOUND) { - dns_name_free(&chase_signame, mctx); - return(ISC_R_NOTFOUND); + free_name(&chase_signame, mctx); + return (ISC_R_NOTFOUND); } printf("\n;; RRSIG of the DNSKEYset that signs the " "RRset to chase:\n"); @@ -4692,15 +4656,15 @@ getneededrr(dns_message_t *msg) printf("\n"); } if (result == ISC_R_NOTFOUND) { - dns_name_free(&chase_signame, mctx); - return(ISC_R_NOTFOUND); + free_name(&chase_signame, mctx); + return (ISC_R_NOTFOUND); } if (chase_dsrdataset != NULL) { printf("\n;; DSset of the DNSKEYset\n"); print_rdataset(&chase_signame, chase_dsrdataset, mctx); } } - + if (chase_dsrdataset != NULL) { /* * if there is no RRSIG of DS, @@ -4718,14 +4682,13 @@ getneededrr(dns_message_t *msg) * because the DNSKEY could be a Trusted Key. */ chase_dsrdataset = NULL; - } - else { + } else { printf("\n;; RRSIG of the DSset of the DNSKEYset\n"); print_rdataset(&chase_signame, chase_sigdsrdataset, mctx); } } - return(1); + return (1); } 
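Review bot: `getneededrr()` is declared to return `isc_result_t` but ends with `return (1);` (this hunk only adds the parentheses). `1` is not `ISC_R_SUCCESS`; the only reason it works is that the caller in `sigchase_bu()` tests just for `ISC_R_NOTFOUND` and `ISC_R_ADDRNOTAVAIL` and treats anything else as success. Returning `ISC_R_SUCCESS` here would keep the behaviour and stop the value from colliding with a real result code if the caller ever starts checking `ret != ISC_R_SUCCESS`.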
@@ -4744,28 +4707,29 @@ sigchase_bu(dns_message_t *msg) } } - + ret = getneededrr(msg); if (ret == ISC_R_NOTFOUND) return; if (ret == ISC_R_ADDRNOTAVAIL) { /* We have no response */ - dns_rdataset_t * rdataset; - dns_rdataset_t * sigrdataset; - dns_name_t rdata_name; - dns_name_t query_name; + dns_rdataset_t *rdataset; + dns_rdataset_t *sigrdataset; + dns_name_t rdata_name; + dns_name_t query_name; dns_name_init(&query_name, NULL); + dns_name_init(&rdata_name, NULL); nameFromString(current_lookup->textname, &query_name); - + result = prove_nx(msg, &query_name, current_lookup->rdclass, current_lookup->rdtype, &rdata_name, &rdataset, &sigrdataset); - dns_name_free(&query_name, mctx); - if (&rdata_name == NULL || rdataset == NULL || - sigrdataset == NULL) { + free_name(&query_name, mctx); + if (rdataset == NULL || sigrdataset == NULL || + dns_name_countlabels(&rdata_name) == 0) { printf("\n;; Impossible to verify the Non-existence," " the NSEC RRset can't be validated: " "FAILED\n\n"); @@ -4783,7 +4747,7 @@ sigchase_bu(dns_message_t *msg) " Now we want validate this NSEC\n"); dup_name(&rdata_name, &chase_name, mctx); - dns_name_free(&rdata_name, mctx); + free_name(&rdata_name, mctx); chase_rdataset = rdataset; chase_sigrdataset = sigrdataset; chase_keyrdataset = NULL; @@ -4798,7 +4762,7 @@ sigchase_bu(dns_message_t *msg) clean_trustedkey(); return; } - + printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n"); @@ -4806,8 +4770,8 @@ sigchase_bu(dns_message_t *msg) chase_keyrdataset, chase_sigrdataset, mctx); if (result != ISC_R_SUCCESS) { - dns_name_free(&chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_name, mctx); + free_name(&chase_signame, mctx); printf(";; No DNSKEY is valid to check the RRSIG" " of the RRset: FAILED\n"); clean_trustedkey(); 
@@ -4818,8 +4782,8 @@ sigchase_bu(dns_message_t *msg) result = contains_trusted_key(&chase_signame, chase_keyrdataset, chase_sigkeyrdataset, mctx); if (result == ISC_R_SUCCESS) { - dns_name_free(&chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_name, mctx); + free_name(&chase_signame, mctx); printf("\n;; Ok this DNSKEY is a Trusted Key," " DNSSEC validation is ok: SUCCESS\n\n"); clean_trustedkey(); @@ -4829,8 +4793,8 @@ sigchase_bu(dns_message_t *msg) printf(";; Now, we are going to validate this DNSKEY by the DS\n"); if (chase_dsrdataset == NULL) { - dns_name_free(&chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_name, mctx); + free_name(&chase_signame, mctx); printf(";; the DNSKEY isn't trusted-key and there isn't" " DS to validate the DNSKEY: FAILED\n"); clean_trustedkey(); @@ -4840,21 +4804,20 @@ sigchase_bu(dns_message_t *msg) result = sigchase_verify_ds(&chase_signame, chase_keyrdataset, chase_dsrdataset, mctx); if (result != ISC_R_SUCCESS) { - dns_name_free(&chase_signame, mctx); - dns_name_free(&chase_name, mctx); + free_name(&chase_signame, mctx); + free_name(&chase_name, mctx); printf(";; ERROR no DS validates a DNSKEY in the" " DNSKEY RRset: FAILED\n"); clean_trustedkey(); return; - } - else + } else printf(";; OK this DNSKEY (validated by the DS) validates" " the RRset of the DNSKEYs, thus the DNSKEY validates" " the RRset\n"); INSIST(chase_sigdsrdataset != NULL); dup_name(&chase_signame, &chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); chase_rdataset = chase_dsrdataset; chase_sigrdataset = chase_sigdsrdataset; chase_keyrdataset = NULL; @@ -4863,7 +4826,7 @@ sigchase_bu(dns_message_t *msg) chase_sigdsrdataset = NULL; chase_siglookedup = chase_keylookedup = ISC_FALSE; chase_dslookedup = chase_sigdslookedup = ISC_FALSE; - + printf(";; Now, we want to validate the DS : recursive call\n"); sigchase(msg); return; 
@@ -4871,8 +4834,7 @@ sigchase_bu(dns_message_t *msg) #endif void -sigchase(dns_message_t * msg) -{ +sigchase(dns_message_t *msg) { #if DIG_SIGCHASE_TD if (current_lookup->do_topdown) { sigchase_td(msg); @@ -4888,12 +4850,12 @@ sigchase(dns_message_t * msg) /* * return 1 if name1 < name2 - * 0 if name1 == name2 - * -1 if name1 > name2 + * 0 if name1 == name2 + * -1 if name1 > name2 * and -2 if problem */ int -inf_name(dns_name_t * name1, dns_name_t * name2) +inf_name(dns_name_t *name1, dns_name_t *name2) { dns_label_t label1; dns_label_t label2; @@ -4916,19 +4878,19 @@ inf_name(dns_name_t * name1, dns_name_t * name2) dns_name_getlabel(name1, nblabel1 -1 - i, &label1); dns_name_getlabel(name2, nblabel2 -1 - i, &label2); if ((ret = isc_region_compare(&label1, &label2)) != 0) { - if (ret <0 ) - return -1; - else if (ret >0 ) - return 1; + if (ret < 0) + return (-1); + else if (ret > 0) + return (1); } } if (nblabel1 == nblabel2) - return 0; + return (0); if (nblabel1 < nblabel2) - return -1; + return (-1); else - return 1; + return (1); } /** 
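Review bot: the comment above `inf_name()` that this hunk re-indents says it returns 1 when `name1 < name2` and -1 when `name1 > name2`, but the code does the opposite: a label with `isc_region_compare() < 0` (label1 smaller) returns -1, and a name with fewer labels returns -1. The documented -2 "problem" value is also never produced in the visible body. Since the hunk is editing that comment anyway, fix it to match the code (or vice versa) so callers that branch on the sign are not misled. Note too that `isc_region_compare()` is a byte comparison, so if this ordering is meant to be canonical DNS order for NSEC reasoning it is case-sensitive where DNS is not.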
@@ -4940,24 +4902,24 @@ isc_result_t prove_nx_domain(dns_message_t *msg, dns_name_t *name, dns_name_t *rdata_name, - dns_rdataset_t ** rdataset, + dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset) { - isc_result_t ret = ISC_R_FAILURE; - isc_result_t result = ISC_R_NOTFOUND; - dns_rdataset_t * nsecset = NULL; - dns_rdataset_t * signsecset = NULL ; - dns_rdata_t nsec = DNS_RDATA_INIT; - dns_name_t * nsecname; - dns_rdata_nsec_t nsecstruct; - + isc_result_t ret = ISC_R_FAILURE; + isc_result_t result = ISC_R_NOTFOUND; + dns_rdataset_t *nsecset = NULL; + dns_rdataset_t *signsecset = NULL ; + dns_rdata_t nsec = DNS_RDATA_INIT; + dns_name_t *nsecname; + dns_rdata_nsec_t nsecstruct; + if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY)) != ISC_R_SUCCESS) { printf(";; nothing in authority section : impossible to" " validate the non-existence : FAILED\n"); - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } - + do { nsecname = NULL; dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname); @@ -4985,7 +4947,7 @@ prove_nx_domain(dns_message_t *msg, printf(";; no RRSIG NSEC in authority section:" " impossible to validate the " "non-existence: FAILED\n"); - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL); @@ -4999,8 +4961,8 @@ prove_nx_domain(dns_message_t *msg, *rdataset = nsecset; *sigrdataset = signsecset; dup_name(nsecname, rdata_name, mctx); - - return ISC_R_SUCCESS; + + return (ISC_R_SUCCESS); } dns_rdata_freestruct(&nsecstruct); @@ -5011,7 +4973,7 @@ prove_nx_domain(dns_message_t *msg, *rdataset = NULL; *sigrdataset = NULL; rdata_name = NULL; - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } /** 
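Review bot: on the failure path at the end of `prove_nx_domain()` (last hunk in this region) the line `rdata_name = NULL;` assigns to the local pointer parameter and has no effect on the caller's `dns_name_t`; the two `*rdataset = NULL; *sigrdataset = NULL;` stores just above it are the ones that actually propagate. Either drop the assignment or, if the intent is to leave the caller's name empty, rely on the caller's `dns_name_init()` and remove the misleading line.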
@@ -5022,27 +4984,22 @@ prove_nx_domain(dns_message_t *msg, * */ isc_result_t -prove_nx_type(dns_message_t * msg, - dns_name_t *name, - dns_rdataset_t *nsecset, - dns_rdataclass_t class, - dns_rdatatype_t type, - dns_name_t * rdata_name, - dns_rdataset_t ** rdataset, - dns_rdataset_t ** sigrdataset) +prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset, + dns_rdataclass_t class, dns_rdatatype_t type, + dns_name_t *rdata_name, dns_rdataset_t **rdataset, + dns_rdataset_t **sigrdataset) { - isc_result_t ret; - dns_rdataset_t * signsecset; - dns_rdata_t nsec = DNS_RDATA_INIT; + isc_result_t ret; + dns_rdataset_t *signsecset; + dns_rdata_t nsec = DNS_RDATA_INIT; UNUSED(class); - UNUSED(rdata_name); - + ret = dns_rdataset_first(nsecset); check_result(ret,"dns_rdataset_first"); dns_rdataset_current(nsecset, &nsec); - + ret = dns_nsec_typepresent(&nsec, type); if (ret == ISC_R_SUCCESS) printf("OK the NSEC said that the type doesn't exist \n"); @@ -5053,8 +5010,9 @@ prove_nx_type(dns_message_t * msg, DNS_SECTION_AUTHORITY); if (signsecset == NULL) { printf("There isn't RRSIG NSEC for the zone \n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } + dup_name(name, rdata_name, mctx); *rdataset = nsecset; *sigrdataset = signsecset; @@ -5068,17 +5026,12 @@ prove_nx_type(dns_message_t * msg, * */ isc_result_t -prove_nx(dns_message_t * msg, - dns_name_t * name, - dns_rdataclass_t class, - dns_rdatatype_t type, - dns_name_t * rdata_name, - dns_rdataset_t ** rdataset, - dns_rdataset_t ** sigrdataset) +prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class, + dns_rdatatype_t type, dns_name_t *rdata_name, + dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset) { isc_result_t ret; - dns_rdataset_t * nsecset = NULL; - + dns_rdataset_t *nsecset = NULL; printf("We want to prove the non-existance of a type of rdata %d" " or of the zone: \n", type); 
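Review bot: adding `dup_name(name, rdata_name, mctx);` in `prove_nx_type()` (and dropping `UNUSED(rdata_name)`) is what makes the callers' new `dns_name_countlabels(&rdata_name) == 0` test meaningful on the no-such-type path, good. In the same function, though, `ret = dns_nsec_typepresent(&nsec, type); if (ret == ISC_R_SUCCESS) printf("OK the NSEC said that the type doesn't exist")` compares the return of a presence predicate against a result code; if `dns_nsec_typepresent()` returns an `isc_boolean_t`, this only works because `ISC_FALSE` and `ISC_R_SUCCESS` are both 0. Compare against `ISC_FALSE` explicitly (and store into an `isc_boolean_t`) so the intent is visible.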
@@ -5087,7 +5040,7 @@ prove_nx(dns_message_t * msg, != ISC_R_SUCCESS) { printf(";; nothing in authority section : impossible to" " validate the non-existence : FAILED\n"); - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec, @@ -5100,18 +5053,17 @@ prove_nx(dns_message_t * msg, sigrdataset); if (ret != ISC_R_SUCCESS) { printf("prove_nx: ERROR type exist\n"); - return(ret); + return (ret); } else { printf("prove_nx: OK type does not exist\n"); - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } } else { printf("there is no NSEC for this zone: validating " "that the zone doesn't exist\n"); ret = prove_nx_domain(msg, name, rdata_name, rdataset, sigrdataset); - return(ret); + return (ret); } - /* Never get here */ } #endif diff --git a/usr.sbin/bind/bin/dig/host.1 b/usr.sbin/bind/bin/dig/host.1 index e4ffca4bf3c..5eb74434d96 100644 --- a/usr.sbin/bind/bin/dig/host.1 +++ b/usr.sbin/bind/bin/dig/host.1 
@@ -1,132 +1,181 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: host.1,v 1.11.2.1.4.4 2004/04/13 04:11:03 marka Exp $ +.\" $ISC: host.1,v 1.11.2.1.4.7 2005/10/13 02:33:43 marka Exp $ .\" -.TH "HOST" "1" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. 
+.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" host \- DNS lookup utility -.SH SYNOPSIS -.sp -\fBhost\fR [ \fB-aCdlnrTwv\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-N \fIndots\fB\fR ] [ \fB-R \fInumber\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-W \fIwait\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] \fBname\fR [ \fBserver\fR ] +.SH "SYNOPSIS" +.HP 5 +\fBhost\fR [\fB\-aCdlnrTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server] .SH "DESCRIPTION" .PP \fBhost\fR -is a simple utility for performing DNS lookups. -It is normally used to convert names to IP addresses and vice versa. -When no arguments or options are given, +is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, \fBhost\fR prints a short summary of its command line arguments and options. .PP -\fIname\fR is the domain name that is to be looked -up. It can also be a dotted-decimal IPv4 address or a colon-delimited -IPv6 address, in which case \fBhost\fR will by default -perform a reverse lookup for that address. -\fIserver\fR is an optional argument which is either -the name or IP address of the name server that \fBhost\fR +\fIname\fR +is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case +\fBhost\fR +will by default perform a reverse lookup for that address. +\fIserver\fR +is an optional argument which is either the name or IP address of the name server that +\fBhost\fR should query instead of the server or servers listed in \fI/etc/resolv.conf\fR. .PP -The \fB-a\fR (all) option is equivalent to setting the -\fB-v\fR option and asking \fBhost\fR to make -a query of type ANY. 
+The +\fB\-a\fR +(all) option is equivalent to setting the +\fB\-v\fR +option and asking +\fBhost\fR +to make a query of type ANY. .PP -When the \fB-C\fR option is used, \fBhost\fR +When the +\fB\-C\fR +option is used, +\fBhost\fR will attempt to display the SOA records for zone -\fIname\fR from all the listed authoritative name -servers for that zone. The list of name servers is defined by the NS -records that are found for the zone. -.PP -The \fB-c\fR option instructs to make a DNS query of class -\fIclass\fR. This can be used to lookup Hesiod or -Chaosnet class resource records. The default class is IN (Internet). -.PP -Verbose output is generated by \fBhost\fR when the -\fB-d\fR or \fB-v\fR option is used. The two -options are equivalent. They have been provided for backwards -compatibility. In previous versions, the \fB-d\fR option -switched on debugging traces and \fB-v\fR enabled verbose -output. -.PP -List mode is selected by the \fB-l\fR option. This makes -\fBhost\fR perform a zone transfer for zone -\fIname\fR. Transfer the zone printing out the NS, PTR -and address records (A/AAAA). If combined with \fB-a\fR -all records will be printed. -.PP -The \fB-i\fR -option specifies that reverse lookups of IPv6 addresses should -use the IP6.INT domain as defined in RFC1886. -The default is to use IP6.ARPA. -.PP -The \fB-N\fR option sets the number of dots that have to be -in \fIname\fR for it to be considered absolute. The -default value is that defined using the ndots statement in -\fI/etc/resolv.conf\fR, or 1 if no ndots statement is -present. Names with fewer dots are interpreted as relative names and -will be searched for in the domains listed in the \fBsearch\fR -or \fBdomain\fR directive in +\fIname\fR +from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone. +.PP +The +\fB\-c\fR +option instructs to make a DNS query of class +\fIclass\fR. 
This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet). +.PP +Verbose output is generated by +\fBhost\fR +when the +\fB\-d\fR +or +\fB\-v\fR +option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the +\fB\-d\fR +option switched on debugging traces and +\fB\-v\fR +enabled verbose output. +.PP +List mode is selected by the +\fB\-l\fR +option. This makes +\fBhost\fR +perform a zone transfer for zone +\fIname\fR. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with +\fB\-a\fR +all records will be printed. +.PP +The +\fB\-i\fR +option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA. +.PP +The +\fB\-N\fR +option sets the number of dots that have to be in +\fIname\fR +for it to be considered absolute. The default value is that defined using the ndots statement in +\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the +\fBsearch\fR +or +\fBdomain\fR +directive in \fI/etc/resolv.conf\fR. .PP The number of UDP retries for a lookup can be changed with the -\fB-R\fR option. \fInumber\fR indicates -how many times \fBhost\fR will repeat a query that does -not get answered. The default number of retries is 1. If -\fInumber\fR is negative or zero, the number of -retries will default to 1. -.PP -Non-recursive queries can be made via the \fB-r\fR option. -Setting this option clears the \fBRD\fR \(em recursion -desired \(em bit in the query which \fBhost\fR makes. -This should mean that the name server receiving the query will not -attempt to resolve \fIname\fR. 
The -\fB-r\fR option enables \fBhost\fR to mimic -the behaviour of a name server by making non-recursive queries and -expecting to receive answers to those queries that are usually -referrals to other name servers. -.PP -By default \fBhost\fR uses UDP when making queries. The -\fB-T\fR option makes it use a TCP connection when querying -the name server. TCP will be automatically selected for queries that -require it, such as zone transfer (AXFR) requests. -.PP -The \fB-4\fR option forces \fBhost\fR to only -use IPv4 query transport. The \fB-6\fR option forces -\fBhost\fR to only use IPv6 query transport. -.PP -The \fB-t\fR option is used to select the query type. -\fItype\fR can be any recognised query type: CNAME, -NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, -\fBhost\fR automatically selects an appropriate query -type. By default it looks for A records, but if the -\fB-C\fR option was given, queries will be made for SOA -records, and if \fIname\fR is a dotted-decimal IPv4 -address or colon-delimited IPv6 address, \fBhost\fR will -query for PTR records. If a query type of IXFR is chosen the starting -serial number can be specified by appending an equal followed by the -starting serial number (e.g. -t IXFR=12345678). +\fB\-R\fR +option. +\fInumber\fR +indicates how many times +\fBhost\fR +will repeat a query that does not get answered. The default number of retries is 1. If +\fInumber\fR +is negative or zero, the number of retries will default to 1. +.PP +Non\-recursive queries can be made via the +\fB\-r\fR +option. Setting this option clears the +\fBRD\fR +\(em recursion desired \(em bit in the query which +\fBhost\fR +makes. This should mean that the name server receiving the query will not attempt to resolve +\fIname\fR. The +\fB\-r\fR +option enables +\fBhost\fR +to mimic the behaviour of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers. 
+.PP +By default +\fBhost\fR +uses UDP when making queries. The +\fB\-T\fR +option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests. +.PP +The +\fB\-4\fR +option forces +\fBhost\fR +to only use IPv4 query transport. The +\fB\-6\fR +option forces +\fBhost\fR +to only use IPv6 query transport. +.PP +The +\fB\-t\fR +option is used to select the query type. +\fItype\fR +can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, +\fBhost\fR +automatically selects an appropriate query type. By default it looks for A records, but if the +\fB\-C\fR +option was given, queries will be made for SOA records, and if +\fIname\fR +is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address, +\fBhost\fR +will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. \-t IXFR=12345678). .PP The time to wait for a reply can be controlled through the -\fB-W\fR and \fB-w\fR options. The -\fB-W\fR option makes \fBhost\fR wait for -\fIwait\fR seconds. If \fIwait\fR +\fB\-W\fR +and +\fB\-w\fR +options. The +\fB\-W\fR +option makes +\fBhost\fR +wait for +\fIwait\fR +seconds. If +\fIwait\fR is less than one, the wait interval is set to one second. When the -\fB-w\fR option is used, \fBhost\fR will -effectively wait forever for a reply. The time to wait for a response -will be set to the number of seconds given by the hardware's maximum -value for an integer quantity. +\fB\-w\fR +option is used, +\fBhost\fR +will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity. .SH "FILES" .PP \fI/etc/resolv.conf\fR 
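Review bot: the regenerated host.1 synopsis lists `-aCdlnrTwv` but the DESCRIPTION below documents `-i` (use IP6.INT for IPv6 reverse lookups), which is missing from that option group; since the DocBook source is regenerated in this same commit, the fix belongs in host.docbook's `<cmdsynopsis>` rather than in the generated troff. The `.TH` date of "Jun 30, 2000" also survives the regeneration unchanged.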
diff --git a/usr.sbin/bind/bin/dig/host.c b/usr.sbin/bind/bin/dig/host.c index ea90b10544f..8ced431d8a0 100644 --- a/usr.sbin/bind/bin/dig/host.c +++ b/usr.sbin/bind/bin/dig/host.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: host.c,v 1.76.2.5.2.10 2004/09/06 01:33:05 marka Exp $ */ +/* $ISC: host.c,v 1.76.2.5.2.13 2005/07/04 03:29:45 marka Exp $ */ #include <config.h> #include <limits.h> @@ -40,21 +40,6 @@ #include <dig/dig.h> -extern ISC_LIST(dig_lookup_t) lookup_list; -extern dig_serverlist_t server_list; -extern ISC_LIST(dig_searchlist_t) search_list; - -extern isc_boolean_t have_ipv4, have_ipv6; -extern isc_boolean_t usesearch; -extern isc_boolean_t debugging; -extern unsigned int timeout; -extern isc_mem_t *mctx; -extern int ndots; -extern int tries; -extern char *progname; -extern isc_task_t *global_task; -extern int fatalexit; - static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE; static isc_boolean_t default_lookups = ISC_TRUE; static int seen_error = -1; @@ -602,6 +587,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { } else list_type = rdtype; list_addresses = ISC_FALSE; + default_lookups = ISC_FALSE; break; case 'c': tr.base = isc_commandline_argument; diff --git a/usr.sbin/bind/bin/dig/host.docbook b/usr.sbin/bind/bin/dig/host.docbook index 9132823b68e..12cecbf15b9 100644 --- a/usr.sbin/bind/bin/dig/host.docbook +++ b/usr.sbin/bind/bin/dig/host.docbook 
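Review bot: in the host.c hunk, adding `default_lookups = ISC_FALSE;` to `case 't'` changes behaviour: an explicit `-t type` now suppresses the default lookup set rather than only setting `list_type`, and this is not mentioned in the host.1 changes in the same commit, whose `-t` paragraph still only says "When no query type is specified, host automatically selects an appropriate query type". Worth a sentence there (or a CHANGES entry) so users of `host -t` know the implicit lookups no longer run. Dropping the block of `extern` declarations is fine provided `dig/dig.h` now declares all of them; `fatalexit` and `global_task` are the ones most likely to have been missed.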
@@ -1,6 +1,8 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: host.docbook,v 1.2.2.2.4.5 2004/04/13 01:26:26 marka Exp $ --> +<!-- $ISC: host.docbook,v 1.2.2.2.4.7 2005/05/13 01:22:32 marka Exp $ --> <refentry> @@ -30,6 +32,20 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>host</refname> <refpurpose>DNS lookup utility</refpurpose> @@ -46,8 +62,8 @@ <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg> <arg><option>-4</option></arg> <arg><option>-6</option></arg> - <arg choice=req>name</arg> - <arg choice=opt>server</arg> + <arg choice="req">name</arg> + <arg choice="opt">server</arg> </cmdsynopsis> </refsynopsisdiv> diff --git a/usr.sbin/bind/bin/dig/host.html b/usr.sbin/bind/bin/dig/host.html index dbbb479adf0..e993de1a248 100644 --- a/usr.sbin/bind/bin/dig/host.html +++ b/usr.sbin/bind/bin/dig/host.html 
@@ -1,434 +1,171 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2002 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2002 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: host.html,v 1.4.2.1.4.6 2004/08/22 23:38:58 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->host</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->host</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->host -- DNS lookup utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->host</B -> [<VAR -CLASS="OPTION" ->-aCdlnrTwv</VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-N <VAR -CLASS="REPLACEABLE" ->ndots</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-R <VAR -CLASS="REPLACEABLE" ->number</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-W <VAR -CLASS="REPLACEABLE" ->wait</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-4</VAR ->] [<VAR -CLASS="OPTION" ->-6</VAR ->] {name} [server]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN37" -></A -><H2 ->DESCRIPTION</H2 -><P -><B -CLASS="COMMAND" ->host</B -> +<!-- $ISC: host.html,v 1.4.2.1.4.12 2005/10/13 02:33:44 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>host</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>host — DNS lookup utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em 
class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525901"></a><h2>DESCRIPTION</h2> +<p> +<span><strong class="command">host</strong></span> is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, -<B -CLASS="COMMAND" ->host</B -> -prints a short summary of its command line arguments and options.</P -><P -><VAR -CLASS="PARAMETER" ->name</VAR -> is the domain name that is to be looked +<span><strong class="command">host</strong></span> +prints a short summary of its command line arguments and options. +</p> +<p> +<em class="parameter"><code>name</code></em> is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited -IPv6 address, in which case <B -CLASS="COMMAND" ->host</B -> will by default +IPv6 address, in which case <span><strong class="command">host</strong></span> will by default perform a reverse lookup for that address. 
-<VAR -CLASS="PARAMETER" ->server</VAR -> is an optional argument which is either -the name or IP address of the name server that <B -CLASS="COMMAND" ->host</B -> +<em class="parameter"><code>server</code></em> is an optional argument which is either +the name or IP address of the name server that <span><strong class="command">host</strong></span> should query instead of the server or servers listed in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -><P ->The <VAR -CLASS="OPTION" ->-a</VAR -> (all) option is equivalent to setting the -<VAR -CLASS="OPTION" ->-v</VAR -> option and asking <B -CLASS="COMMAND" ->host</B -> to make -a query of type ANY.</P -><P ->When the <VAR -CLASS="OPTION" ->-C</VAR -> option is used, <B -CLASS="COMMAND" ->host</B -> +<code class="filename">/etc/resolv.conf</code>. +</p> +<p> +The <code class="option">-a</code> (all) option is equivalent to setting the +<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make +a query of type ANY. +</p> +<p> +When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span> will attempt to display the SOA records for zone -<VAR -CLASS="PARAMETER" ->name</VAR -> from all the listed authoritative name +<em class="parameter"><code>name</code></em> from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS -records that are found for the zone.</P -><P ->The <VAR -CLASS="OPTION" ->-c</VAR -> option instructs to make a DNS query of class -<VAR -CLASS="PARAMETER" ->class</VAR ->. This can be used to lookup Hesiod or -Chaosnet class resource records. The default class is IN (Internet).</P -><P ->Verbose output is generated by <B -CLASS="COMMAND" ->host</B -> when the -<VAR -CLASS="OPTION" ->-d</VAR -> or <VAR -CLASS="OPTION" ->-v</VAR -> option is used. The two +records that are found for the zone. 
+</p> +<p> +The <code class="option">-c</code> option instructs to make a DNS query of class +<em class="parameter"><code>class</code></em>. This can be used to lookup Hesiod or +Chaosnet class resource records. The default class is IN (Internet). +</p> +<p> +Verbose output is generated by <span><strong class="command">host</strong></span> when the +<code class="option">-d</code> or <code class="option">-v</code> option is used. The two options are equivalent. They have been provided for backwards -compatibility. In previous versions, the <VAR -CLASS="OPTION" ->-d</VAR -> option -switched on debugging traces and <VAR -CLASS="OPTION" ->-v</VAR -> enabled verbose -output.</P -><P ->List mode is selected by the <VAR -CLASS="OPTION" ->-l</VAR -> option. This makes -<B -CLASS="COMMAND" ->host</B -> perform a zone transfer for zone -<VAR -CLASS="PARAMETER" ->name</VAR ->. Transfer the zone printing out the NS, PTR -and address records (A/AAAA). If combined with <VAR -CLASS="OPTION" ->-a</VAR -> -all records will be printed. </P -><P ->The <VAR -CLASS="OPTION" ->-i</VAR -> +compatibility. In previous versions, the <code class="option">-d</code> option +switched on debugging traces and <code class="option">-v</code> enabled verbose +output. +</p> +<p> +List mode is selected by the <code class="option">-l</code> option. This makes +<span><strong class="command">host</strong></span> perform a zone transfer for zone +<em class="parameter"><code>name</code></em>. Transfer the zone printing out the NS, PTR +and address records (A/AAAA). If combined with <code class="option">-a</code> +all records will be printed. +</p> +<p> +The <code class="option">-i</code> option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. -The default is to use IP6.ARPA.</P -><P ->The <VAR -CLASS="OPTION" ->-N</VAR -> option sets the number of dots that have to be -in <VAR -CLASS="PARAMETER" ->name</VAR -> for it to be considered absolute. 
The +The default is to use IP6.ARPA. +</p> +<p> +The <code class="option">-N</code> option sets the number of dots that have to be +in <em class="parameter"><code>name</code></em> for it to be considered absolute. The default value is that defined using the ndots statement in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->, or 1 if no ndots statement is +<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and -will be searched for in the domains listed in the <SPAN -CLASS="TYPE" ->search</SPAN -> -or <SPAN -CLASS="TYPE" ->domain</SPAN -> directive in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -><P ->The number of UDP retries for a lookup can be changed with the -<VAR -CLASS="OPTION" ->-R</VAR -> option. <VAR -CLASS="PARAMETER" ->number</VAR -> indicates -how many times <B -CLASS="COMMAND" ->host</B -> will repeat a query that does +will be searched for in the domains listed in the <span class="type">search</span> +or <span class="type">domain</span> directive in +<code class="filename">/etc/resolv.conf</code>. +</p> +<p> +The number of UDP retries for a lookup can be changed with the +<code class="option">-R</code> option. <em class="parameter"><code>number</code></em> indicates +how many times <span><strong class="command">host</strong></span> will repeat a query that does not get answered. The default number of retries is 1. If -<VAR -CLASS="PARAMETER" ->number</VAR -> is negative or zero, the number of -retries will default to 1.</P -><P ->Non-recursive queries can be made via the <VAR -CLASS="OPTION" ->-r</VAR -> option. -Setting this option clears the <SPAN -CLASS="TYPE" ->RD</SPAN -> — recursion -desired — bit in the query which <B -CLASS="COMMAND" ->host</B -> makes. +<em class="parameter"><code>number</code></em> is negative or zero, the number of +retries will default to 1. 
+</p> +<p> +Non-recursive queries can be made via the <code class="option">-r</code> option. +Setting this option clears the <span class="type">RD</span> — recursion +desired — bit in the query which <span><strong class="command">host</strong></span> makes. This should mean that the name server receiving the query will not -attempt to resolve <VAR -CLASS="PARAMETER" ->name</VAR ->. The -<VAR -CLASS="OPTION" ->-r</VAR -> option enables <B -CLASS="COMMAND" ->host</B -> to mimic +attempt to resolve <em class="parameter"><code>name</code></em>. The +<code class="option">-r</code> option enables <span><strong class="command">host</strong></span> to mimic the behaviour of a name server by making non-recursive queries and expecting to receive answers to those queries that are usually -referrals to other name servers.</P -><P ->By default <B -CLASS="COMMAND" ->host</B -> uses UDP when making queries. The -<VAR -CLASS="OPTION" ->-T</VAR -> option makes it use a TCP connection when querying +referrals to other name servers. +</p> +<p> +By default <span><strong class="command">host</strong></span> uses UDP when making queries. The +<code class="option">-T</code> option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that -require it, such as zone transfer (AXFR) requests.</P -><P ->The <VAR -CLASS="OPTION" ->-4</VAR -> option forces <B -CLASS="COMMAND" ->host</B -> to only -use IPv4 query transport. The <VAR -CLASS="OPTION" ->-6</VAR -> option forces -<B -CLASS="COMMAND" ->host</B -> to only use IPv6 query transport.</P -><P ->The <VAR -CLASS="OPTION" ->-t</VAR -> option is used to select the query type. -<VAR -CLASS="PARAMETER" ->type</VAR -> can be any recognised query type: CNAME, +require it, such as zone transfer (AXFR) requests. +</p> +<p> +The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only +use IPv4 query transport. 
The <code class="option">-6</code> option forces +<span><strong class="command">host</strong></span> to only use IPv6 query transport. +</p> +<p> +The <code class="option">-t</code> option is used to select the query type. +<em class="parameter"><code>type</code></em> can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, -<B -CLASS="COMMAND" ->host</B -> automatically selects an appropriate query +<span><strong class="command">host</strong></span> automatically selects an appropriate query type. By default it looks for A records, but if the -<VAR -CLASS="OPTION" ->-C</VAR -> option was given, queries will be made for SOA -records, and if <VAR -CLASS="PARAMETER" ->name</VAR -> is a dotted-decimal IPv4 -address or colon-delimited IPv6 address, <B -CLASS="COMMAND" ->host</B -> will +<code class="option">-C</code> option was given, queries will be made for SOA +records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4 +address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the -starting serial number (e.g. -t IXFR=12345678).</P -><P ->The time to wait for a reply can be controlled through the -<VAR -CLASS="OPTION" ->-W</VAR -> and <VAR -CLASS="OPTION" ->-w</VAR -> options. The -<VAR -CLASS="OPTION" ->-W</VAR -> option makes <B -CLASS="COMMAND" ->host</B -> wait for -<VAR -CLASS="PARAMETER" ->wait</VAR -> seconds. If <VAR -CLASS="PARAMETER" ->wait</VAR -> +starting serial number (e.g. -t IXFR=12345678). +</p> +<p> +The time to wait for a reply can be controlled through the +<code class="option">-W</code> and <code class="option">-w</code> options. The +<code class="option">-W</code> option makes <span><strong class="command">host</strong></span> wait for +<em class="parameter"><code>wait</code></em> seconds. 
If <em class="parameter"><code>wait</code></em> is less than one, the wait interval is set to one second. When the -<VAR -CLASS="OPTION" ->-w</VAR -> option is used, <B -CLASS="COMMAND" ->host</B -> will +<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum -value for an integer quantity.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN115" -></A -><H2 ->FILES</H2 -><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN119" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dig</SPAN ->(1)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->.</P -></DIV -></BODY -></HTML -> +value for an integer quantity. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526241"></a><h2>FILES</h2> +<p> +<code class="filename">/etc/resolv.conf</code> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526253"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, +<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dig/include/dig/dig.h b/usr.sbin/bind/bin/dig/include/dig/dig.h index 751e7df319b..f84652966cd 100644 --- a/usr.sbin/bind/bin/dig/include/dig/dig.h +++ b/usr.sbin/bind/bin/dig/include/dig/dig.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any 
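Review bot: in the host.html hunk the DESCRIPTION documents an `-i` option ("The -i option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886"), but the regenerated Synopsis on the same hunk still lists only `[-aCdlnrTwv]`, so the usage line denies an option the body describes; add `i` to the flag cluster in the cmdsynopsis (and in the `.SH SYNOPSIS` of the matching man page) or drop the paragraph, and since the file is DocBook XSL output the fix belongs in the host.docbook source rather than here. The same applies to the `-l` paragraph: it says list mode "perform[s] a zone transfer for zone name" but never notes that this needs `-T` semantics, which the `-T` paragraph only covers indirectly ("TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests"); a cross-reference between the two would spare the reader the guess.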
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dig.h,v 1.71.2.6.2.7 2004/09/06 01:33:06 marka Exp $ */ +/* $ISC: dig.h,v 1.71.2.6.2.11 2005/07/04 03:29:45 marka Exp $ */ #ifndef DIG_H #define DIG_H @@ -35,7 +35,7 @@ #include <isc/sockaddr.h> #include <isc/socket.h> -#define MXSERV 6 +#define MXSERV 20 #define MXNAME (DNS_NAME_MAXTEXT+1) #define MXRD 32 #define BUFSIZE 512 @@ -66,14 +66,6 @@ * in a tight loop of constant lookups. It's value is arbitrary. */ -#define ROOTNS 1 -/* - * Set the number of root servers to ask for information when running in - * trace mode. - * XXXMWS -- trace mode is currently semi-broken, and this number *MUST* - * be 1. - */ - /* * Defaults for the sigchase suboptions. Consolidated here because * these control the layout of dig_lookup_t (among other things). @@ -224,6 +216,46 @@ struct dig_message { ISC_LINK(dig_message_t) link; }; #endif + +typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t; +typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t; + +/* + * Externals from dighost.c + */ + +extern dig_lookuplist_t lookup_list; +extern dig_serverlist_t server_list; +extern dig_searchlistlist_t search_list; + +extern isc_boolean_t have_ipv4, have_ipv6, specified_source, + usesearch, qr; +extern in_port_t port; +extern unsigned int timeout; +extern isc_mem_t *mctx; +extern dns_messageid_t id; +extern int sendcount; +extern int ndots; +extern int lookup_counter; +extern int exitcode; +extern isc_sockaddr_t bind_address; +extern char keynametext[MXNAME]; +extern char keyfile[MXNAME]; +extern char keysecret[MXNAME]; +#ifdef DIG_SIGCHASE +extern char trustedkey[MXNAME]; +#endif +extern dns_tsigkey_t *key; +extern isc_boolean_t validated; +extern isc_taskmgr_t *taskmgr; +extern isc_task_t *global_task; +extern isc_boolean_t free_now; +extern isc_boolean_t debugging, memdebugging; + +extern char *progname; +extern int tries; +extern int fatalexit; + /* * Routines in dighost.c. */ 
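Review bot: the `-#define MXSERV 6` / `+#define MXSERV 20` change more than triples the server-list bound with nothing in the hunk showing where the count of servers read from the command line or resolv.conf is clamped against MXSERV; please confirm that every array sized by it has a matching bounds check, since the old value was small enough that overflowing it was unlikely in practice and the new one invites longer lists. In the `@@ -224,6 +216,46 @@` hunk the externs moved here from the individual front ends (the nslookup.c hunk further down in this commit drops its private copies) include `extern char keysecret[MXNAME];` and `extern char keyfile[MXNAME];`, so the TSIG secret is now declared shared, process-lifetime state for every binary built on dighost.c; a one-line comment marking those two as sensitive and saying who is responsible for clearing them would keep the next contributor from logging or copying them. The deleted ROOTNS block carried the warning "trace mode is currently semi-broken, and this number *MUST* be 1"; the hunk does not show the callers that used ROOTNS, so the commit message should say how trace mode now picks its root server count.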
diff --git a/usr.sbin/bind/bin/dig/nslookup.1 b/usr.sbin/bind/bin/dig/nslookup.1 index 73953d84d4f..6bb946b0e5e 100644 --- a/usr.sbin/bind/bin/dig/nslookup.1 +++ b/usr.sbin/bind/bin/dig/nslookup.1 
@@ -1,76 +1,75 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: nslookup.1,v 1.1.6.2 2004/08/20 02:29:39 marka Exp $ +.\" $ISC: nslookup.1,v 1.1.6.5 2005/10/13 02:33:43 marka Exp $ .\" -.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" nslookup \- query Internet name servers interactively -.SH SYNOPSIS -.sp -\fBnslookup\fR [ \fB-option\fR ] [ \fBname | -\fR ] [ \fBserver\fR ] +.SH "SYNOPSIS" +.HP 9 +\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server] .SH "DESCRIPTION" .PP \fBNslookup\fR -is a program to query Internet domain name servers. 
\fBNslookup\fR -has two modes: interactive and non-interactive. Interactive mode allows -the user to query name servers for information about various hosts and -domains or to print a list of hosts in a domain. Non-interactive mode is -used to print just the name and requested information for a host or -domain. +is a program to query Internet domain name servers. +\fBNslookup\fR +has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain. .SH "ARGUMENTS" .PP Interactive mode is entered in the following cases: -.IP 1. +.TP 3 +1. when no arguments are given (the default name server will be used) -.IP 2. -when the first argument is a hyphen (-) and the second argument is -the host name or Internet address of a name server. -.PP -Non-interactive mode is used when the name or Internet address of the -host to be looked up is given as the first argument. The optional second -argument specifies the host name or address of a name server. +.TP +2. +when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server. .PP -Options can also be specified on the command line if they precede the -arguments and are prefixed with a hyphen. For example, to -change the default query type to host information, and the initial timeout to 10 seconds, type: +Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. .PP -.sp +Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. 
For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: +.IP .nf -nslookup -query=hinfo -timeout=10 -.sp +nslookup \-query=hinfo \-timeout=10 .fi .SH "INTERACTIVE COMMANDS" .TP -\fBhost [server]\fR -Look up information for host using the current default server or -using server, if specified. If host is an Internet address and -the query type is A or PTR, the name of the host is returned. -If host is a name and does not have a trailing period, the -search list is used to qualify the name. - -To look up a host not in the current domain, append a period to -the name. -.TP -\fBserver \fIdomain\fB\fR -.TP -\fBlserver \fIdomain\fB\fR -Change the default server to \fIdomain\fR; lserver uses the initial -server to look up information about \fIdomain\fR, while server uses -the current default server. If an authoritative answer can't be -found, the names of servers that might have the answer are -returned. +host [server] +Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name. +.sp +To look up a host not in the current domain, append a period to the name. +.TP +\fBserver\fR \fIdomain\fR +.TP +\fBlserver\fR \fIdomain\fR +Change the default server to +\fIdomain\fR; +\fBlserver\fR +uses the initial server to look up information about +\fIdomain\fR, while +\fBserver\fR +uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. .TP \fBroot\fR not implemented 
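Review bot: in the INTERACTIVE COMMANDS list the `host [server]` entry lost its bold markup (`-\fBhost [server]\fR` became `+host [server]`) while the neighbouring entries kept it (`+\fBserver\fR \fIdomain\fR`, `+\fBlserver\fR \fIdomain\fR`), so one command name renders in roman and the rest in bold; because the new preamble states "You probably do not want to edit this file directly", the markup should be restored in the DocBook XML source and the page regenerated rather than patched here. The generated preamble also emits `.ad l` twice, once after `.hy 0` and again after `.nh`; harmless, but it is a sign the stylesheet version and the local template were both adding it.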
@@ -93,17 +92,15 @@ not implemented \fBexit\fR Exits the program. .TP -\fBset \fIkeyword[=value]\fB\fR -This command is used to change state information that affects -the lookups. Valid keywords are: +\fBset\fR \fIkeyword\fR\fI[=value]\fR +This command is used to change state information that affects the lookups. Valid keywords are: .RS .TP \fBall\fR -Prints the current values of the frequently used -options to \fBset\fR. Information about the current default -server and host is also printed. +Prints the current values of the frequently used options to +\fBset\fR. Information about the current default server and host is also printed. .TP -\fBclass=\fIvalue\fB\fR +\fBclass=\fR\fIvalue\fR Change the query class to one of: .RS .TP 
@@ -119,66 +116,61 @@ the Hesiod class \fBANY\fR wildcard .RE -.PP +.IP The class specifies the protocol group of the information. - +.sp (Default = IN; abbreviation = cl) .TP -\fB\fI[no]\fBdebug\fR -Turn debugging mode on. A lot more information is -printed about the packet sent to the server and the -resulting answer. - -(Default = nodebug; abbreviation = [no]deb) -.TP -\fB\fI[no]\fBd2\fR -Turn debugging mode on. A lot more information is -printed about the packet sent to the server and the -resulting answer. - +\fB\fI[no]\fR\fR\fBdebug\fR +Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. +.sp +(Default = nodebug; abbreviation = +[no]deb) +.TP +\fB\fI[no]\fR\fR\fBd2\fR +Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. +.sp (Default = nod2) .TP -\fBdomain=\fIname\fB\fR -Sets the search list to \fIname\fR. +\fBdomain=\fR\fIname\fR +Sets the search list to +\fIname\fR. .TP -\fB\fI[no]\fBsearch\fR -If the lookup request contains at least one period but -doesn't end with a trailing period, append the domain -names in the domain search list to the request until an -answer is received. - +\fB\fI[no]\fR\fR\fBsearch\fR +If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. +.sp (Default = search) .TP -\fBport=\fIvalue\fB\fR -Change the default TCP/UDP name server port to \fIvalue\fR. - +\fBport=\fR\fIvalue\fR +Change the default TCP/UDP name server port to +\fIvalue\fR. +.sp (Default = 53; abbreviation = po) .TP -\fBquerytype=\fIvalue\fB\fR +\fBquerytype=\fR\fIvalue\fR .TP \fBtype=\fIvalue\fB\fR Change the type of the information query. - +.sp (Default = A; abbreviations = q, ty) .TP -\fB\fI[no]\fBrecurse\fR -Tell the name server to query other servers if it does not have the -information. 
- +\fB\fI[no]\fR\fR\fBrecurse\fR +Tell the name server to query other servers if it does not have the information. +.sp (Default = recurse; abbreviation = [no]rec) .TP -\fBretry=\fInumber\fB\fR +\fBretry=\fR\fInumber\fR Set the number of retries to number. .TP -\fBtimeout=\fInumber\fB\fR -Change the initial timeout interval for waiting for a -reply to number seconds. +\fBtimeout=\fR\fInumber\fR +Change the initial timeout interval for waiting for a reply to number seconds. .TP -\fB\fI[no]\fBvc\fR +\fB\fI[no]\fR\fR\fBvc\fR Always use a virtual circuit when sending requests to the server. - +.sp (Default = novc) .RE +.IP .SH "FILES" .PP \fI/etc/resolv.conf\fR diff --git a/usr.sbin/bind/bin/dig/nslookup.c b/usr.sbin/bind/bin/dig/nslookup.c index c0db69e5659..ca1d98cf754 100644 --- a/usr.sbin/bind/bin/dig/nslookup.c +++ b/usr.sbin/bind/bin/dig/nslookup.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: nslookup.c,v 1.90.2.4.2.8 2004/09/06 01:33:05 marka Exp $ */ +/* $ISC: nslookup.c,v 1.90.2.4.2.10 2005/07/12 05:47:42 marka Exp $ */ #include <config.h> @@ -44,19 +44,6 @@ #include <dig/dig.h> -extern ISC_LIST(dig_lookup_t) lookup_list; -extern dig_serverlist_t server_list; -extern ISC_LIST(dig_searchlist_t) search_list; - -extern isc_boolean_t usesearch, debugging; -extern in_port_t port; -extern unsigned int timeout; -extern isc_mem_t *mctx; -extern int tries; -extern int lookup_counter; -extern isc_task_t *global_task; -extern char *progname; - static isc_boolean_t short_form = ISC_TRUE, tcpmode = ISC_FALSE, identify = ISC_FALSE, stats = ISC_TRUE, 
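Review bot: the `type=` entry was left in the old escaping (`\fBtype=\fIvalue\fB\fR`, unchanged context) while the adjacent `querytype=` line was rewritten to `+\fBquerytype=\fR\fIvalue\fR`; the two keywords are synonyms and sit under one description, so they should share one markup form, and the unchanged line still nests `\fB` inside `\fI`, which is what the rest of the regeneration was removing. Separately, the `[no]d2` entry carries word-for-word the same text as `[no]debug` ("Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer."), which tells the reader nothing about how the two levels differ; a single sentence distinguishing d2 from debug would make the entry worth having. The nslookup.c hunk that follows on the same line only deletes the local `extern` declarations now provided by dig.h and is consistent with that header.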
diff --git a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html b/usr.sbin/bind/bin/dnssec/dnssec-keygen.html index 2c1e379609e..07b44d1f065 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-keygen.html 
@@ -1,544 +1,228 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: dnssec-keygen.html,v 1.5.2.1.4.6 2004/08/22 23:38:58 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->dnssec-keygen</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->dnssec-keygen</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-keygen</SPAN -> -- DNSSEC key generation tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-keygen</B -> {-a <VAR -CLASS="REPLACEABLE" ->algorithm</VAR ->} {-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR ->} {-n <VAR -CLASS="REPLACEABLE" ->nametype</VAR ->} [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-e</VAR ->] [<VAR -CLASS="OPTION" ->-f <VAR -CLASS="REPLACEABLE" ->flag</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-g <VAR -CLASS="REPLACEABLE" ->generator</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-h</VAR ->] [<VAR -CLASS="OPTION" ->-k</VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->protocol</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->strength</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></VAR ->] {name}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN53" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-keygen</B -> generates keys for DNSSEC +<!-- $ISC: dnssec-keygen.html,v 1.5.2.1.4.13 2005/10/13 02:33:45 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; 
charset=ISO-8859-1"> +<title>dnssec-keygen</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525956"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. 
- </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a <VAR -CLASS="REPLACEABLE" ->algorithm</VAR -></DT -><DD -><P -> Selects the cryptographic algorithm. The value of - <VAR -CLASS="OPTION" ->algorithm</VAR -> must be one of RSAMD5 (RSA) or RSASHA1, + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525969"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> +<dd> +<p> + Selects the cryptographic algorithm. The value of + <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC-MD5. These values are case insensitive. - </P -><P -> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, + </p> +<p> + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - </P -><P -> Note 2: HMAC-MD5 and DH automatically set the -k flag. - </P -></DD -><DT ->-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR -></DT -><DD -><P -> Specifies the number of bits in the key. The choice of key + </p> +<p> + Note 2: HMAC-MD5 and DH automatically set the -k flag. + </p> +</dd> +<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> +<dd><p> + Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be between 1 and 512 bits. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->nametype</VAR -></DT -><DD -><P -> Specifies the owner type of the key. 
The value of - <VAR -CLASS="OPTION" ->nametype</VAR -> must either be ZONE (for a DNSSEC + </p></dd> +<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> +<dd><p> + Specifies the owner type of the key. The value of + <code class="option">nametype</code> must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></DT -><DD -><P -> Indicates that the DNS record containing the key should have + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> +<dd><p> + Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. - </P -></DD -><DT ->-e</DT -><DD -><P -> If generating an RSAMD5/RSASHA1 key, use a large exponent. - </P -></DD -><DT ->-f <VAR -CLASS="REPLACEABLE" ->flag</VAR -></DT -><DD -><P -> Set the specified flag in the flag field of the KEY/DNSKEY record. + </p></dd> +<dt><span class="term">-e</span></dt> +<dd><p> + If generating an RSAMD5/RSASHA1 key, use a large exponent. + </p></dd> +<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt> +<dd><p> + Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY. - </P -></DD -><DT ->-g <VAR -CLASS="REPLACEABLE" ->generator</VAR -></DT -><DD -><P -> If generating a Diffie Hellman key, use this generator. + </p></dd> +<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt> +<dd><p> + If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. 
- </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-keygen</B ->. - </P -></DD -><DT ->-k</DT -><DD -><P -> Generate KEY records rather than DNSKEY records. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->protocol</VAR -></DT -><DD -><P -> Sets the protocol value for the generated key. The protocol + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-keygen</strong></span>. + </p></dd> +<dt><span class="term">-k</span></dt> +<dd><p> + Generate KEY records rather than DNSKEY records. + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt> +<dd><p> + Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. - </P -></DD -><DT ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></DT -><DD -><P -> Specifies the source of randomness. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> +<dd><p> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies + is keyboard input. <code class="filename">randomdev</code> specifies the name of a character device or file containing random data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard + <code class="filename">keyboard</code> indicates that keyboard input should be used. 
- </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->strength</VAR -></DT -><DD -><P -> Specifies the strength value of the key. The strength is + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt> +<dd><p> + Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. - </P -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></DT -><DD -><P -> Indicates the use of the key. <VAR -CLASS="OPTION" ->type</VAR -> must be + </p></dd> +<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt> +<dd><p> + Indicates the use of the key. <code class="option">type</code> must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. - </P -></DD -><DT ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN136" -></A -><H2 ->GENERATED KEYS</H2 -><P -> When <B -CLASS="COMMAND" ->dnssec-keygen</B -> completes successfully, - it prints a string of the form <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii</TT -> + </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> + Sets the debugging level. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526306"></a><h2>GENERATED KEYS</h2> +<p> + When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, + it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> to the standard output. This is an identification string for - the key it has generated. These strings can be used as arguments - to <B -CLASS="COMMAND" ->dnssec-makekeyset</B ->. - </P -><P -></P -><UL -><LI -><P -> <TT -CLASS="FILENAME" ->nnnn</TT -> is the key name. 
- </P -></LI -><LI -><P -> <TT -CLASS="FILENAME" ->aaa</TT -> is the numeric representation of the + the key it has generated. + </p> +<div class="itemizedlist"><ul type="disc"> +<li><p> + <code class="filename">nnnn</code> is the key name. + </p></li> +<li><p> + <code class="filename">aaa</code> is the numeric representation of the algorithm. - </P -></LI -><LI -><P -> <TT -CLASS="FILENAME" ->iiiii</TT -> is the key identifier (or footprint). - </P -></LI -></UL -><P -> <B -CLASS="COMMAND" ->dnssec-keygen</B -> creates two file, with names based - on the printed string. <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii.key</TT -> + </p></li> +<li><p> + <code class="filename">iiiii</code> is the key identifier (or footprint). + </p></li> +</ul></div> +<p> + <span><strong class="command">dnssec-keygen</strong></span> creates two file, with names based + on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> contains the public key, and - <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii.private</TT -> contains the private + <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private key. - </P -><P -> The <TT -CLASS="FILENAME" ->.key</TT -> file contains a DNS KEY record that + </p> +<p> + The <code class="filename">.key</code> file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement). - </P -><P -> The <TT -CLASS="FILENAME" ->.private</TT -> file contains algorithm specific + </p> +<p> + The <code class="filename">.private</code> file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission. - </P -><P -> Both <TT -CLASS="FILENAME" ->.key</TT -> and <TT -CLASS="FILENAME" ->.private</TT -> + </p> +<p> + Both <code class="filename">.key</code> and <code class="filename">.private</code> files are generated for symmetric encryption algorithm such as HMAC-MD5, even though the public and private key are equivalent. 
- </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN163" -></A -><H2 ->EXAMPLE</H2 -><P -> To generate a 768-bit DSA key for the domain - <KBD -CLASS="USERINPUT" ->example.com</KBD ->, the following command would be + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526394"></a><h2>EXAMPLE</h2> +<p> + To generate a 768-bit DSA key for the domain + <strong class="userinput"><code>example.com</code></strong>, the following command would be issued: - </P -><P -> <KBD -CLASS="USERINPUT" ->dnssec-keygen -a DSA -b 768 -n ZONE example.com</KBD -> - </P -><P -> The command would print a string of the form: - </P -><P -> <KBD -CLASS="USERINPUT" ->Kexample.com.+003+26160</KBD -> - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-keygen</B -> creates - the files <TT -CLASS="FILENAME" ->Kexample.com.+003+26160.key</TT -> and - <TT -CLASS="FILENAME" ->Kexample.com.+003+26160.private</TT -> - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN176" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signzone</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->, - <I -CLASS="CITETITLE" ->RFC 2535</I ->, - <I -CLASS="CITETITLE" ->RFC 2845</I ->, - <I -CLASS="CITETITLE" ->RFC 2539</I ->. 
- </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN186" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +<p> + <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> + </p> +<p> + The command would print a string of the form: + </p> +<p> + <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> + </p> +<p> + In this example, <span><strong class="command">dnssec-keygen</strong></span> creates + the files <code class="filename">Kexample.com.+003+26160.key</code> and + <code class="filename">Kexample.com.+003+26160.private</code> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526440"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 2535</em>, + <em class="citetitle">RFC 2845</em>, + <em class="citetitle">RFC 2539</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526473"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 deleted file mode 100644 index b55ca723cbf..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 +++ /dev/null 
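Review bot: the new DESCRIPTION paragraph ships with the placeholder `RFC <TBA\>` ("as defined in RFC 2535 and RFC <TBA\>"); it should be replaced with the actual successor RFC numbers or dropped before this is committed, and as written the unescaped `<` is treated as markup by browsers rather than displayed, so readers see "RFC ." followed by nothing. In the same hunk the GENERATED KEYS paragraph keeps the typo "creates two file" (should be "two files") and the -n entry keeps "user(KEY)" with a missing space; both are carried over unchanged from the old text but are worth fixing while the page is being regenerated. Dropping the sentence about passing the printed `Knnnn.+aaa+iiiii` string to `dnssec-makekeyset` is correct, since that tool is deleted later in this same patch.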
@@ -1,113 +0,0 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $ -.\" -.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" "" -.SH NAME -dnssec-makekeyset \- DNSSEC zone signing tool -.SH SYNOPSIS -.sp -\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR -.SH "DESCRIPTION" -.PP -\fBdnssec-makekeyset\fR generates a key set from one -or more keys created by \fBdnssec-keygen\fR. It creates -a file containing a KEY record for each key, and self-signs the key -set with each zone key. The output file is of the form -\fIkeyset-nnnn.\fR, where \fInnnn\fR -is the zone name. -.SH "OPTIONS" -.TP -\fB-a\fR -Verify all generated signatures. -.TP -\fB-s \fIstart-time\fB\fR -Specify the date and time when the generated SIG records -become valid. This can be either an absolute or relative -time. An absolute start time is indicated by a number -in YYYYMMDDHHMMSS notation; 20000530144500 denotes -14:45:00 UTC on May 30th, 2000. 
A relative start time is -indicated by +N, which is N seconds from the current time. -If no \fBstart-time\fR is specified, the current -time is used. -.TP -\fB-e \fIend-time\fB\fR -Specify the date and time when the generated SIG records -expire. As with \fBstart-time\fR, an absolute -time is indicated in YYYYMMDDHHMMSS notation. A time relative -to the start time is indicated with +N, which is N seconds from -the start time. A time relative to the current time is -indicated with now+N. If no \fBend-time\fR is -specified, 30 days from the start time is used as a default. -.TP -\fB-h\fR -Prints a short summary of the options and arguments to -\fBdnssec-makekeyset\fR. -.TP -\fB-p\fR -Use pseudo-random data when signing the zone. This is faster, -but less secure, than using real random data. This option -may be useful when signing large zones or when the entropy -source is limited. -.TP -\fB-r \fIrandomdev\fB\fR -Specifies the source of randomness. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. -.TP -\fB-t \fIttl\fB\fR -Specify the TTL (time to live) of the KEY and SIG records. -The default is 3600 seconds. -.TP -\fB-v \fIlevel\fB\fR -Sets the debugging level. -.TP -\fBkey\fR -The list of keys to be included in the keyset file. These keys -are expressed in the form \fIKnnnn.+aaa+iiiii\fR -as generated by \fBdnssec-keygen\fR. -.SH "EXAMPLE" -.PP -The following command generates a keyset containing the DSA key for -\fBexample.com\fR generated in the -\fBdnssec-keygen\fR man page. -.PP -\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR -.PP -In this example, \fBdnssec-makekeyset\fR creates -the file \fIkeyset-example.com.\fR. 
This file -contains the specified key and a self-generated signature. -.PP -The DNS administrator for \fBexample.com\fR could -send \fIkeyset-example.com.\fR to the DNS -administrator for \fB.com\fR for signing, if the -\&.com zone is DNSSEC-aware and the administrators of the two zones -have some mechanism for authenticating each other and exchanging -the keys and signatures securely. -.SH "SEE ALSO" -.PP -\fBdnssec-keygen\fR(8), -\fBdnssec-signkey\fR(8), -\fIBIND 9 Administrator Reference Manual\fR, -\fIRFC 2535\fR. -.SH "AUTHOR" -.PP -Internet Software Consortium diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c deleted file mode 100644 index 535f9105300..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c +++ /dev/null 
@@ -1,402 +0,0 @@ -/* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2000-2003 Internet Software Consortium. - * Portions Copyright (C) 1995-2000 by Network Associates, Inc. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: dnssec-makekeyset.c,v 1.52.2.1.10.7 2004/08/28 06:25:27 marka Exp $ */ - -#include <config.h> - -#include <stdlib.h> - -#include <isc/commandline.h> -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/print.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dns/db.h> -#include <dns/diff.h> -#include <dns/dnssec.h> -#include <dns/fixedname.h> -#include <dns/log.h> -#include <dns/rdata.h> -#include <dns/rdataset.h> -#include <dns/result.h> -#include <dns/secalg.h> -#include <dns/time.h> - -#include <dst/dst.h> - -#include "dnssectool.h" - -const char *program = "dnssec-makekeyset"; -int verbose; - -typedef struct keynode keynode_t; -struct keynode { - dst_key_t *key; - ISC_LINK(keynode_t) link; -}; -typedef ISC_LIST(keynode_t) keylist_t; - -static isc_stdtime_t starttime = 0, endtime = 0, now; -static int ttl = -1; - -static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; - -static keylist_t keylist; - -static void -usage(void) { - fprintf(stderr, 
"Usage:\n"); - fprintf(stderr, "\t%s [options] keys\n", program); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Version: %s\n", VERSION); - - fprintf(stderr, "Options: (default value in parenthesis) \n"); - fprintf(stderr, "\t-a\n"); - fprintf(stderr, "\t\tverify generated signatures\n"); - fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n"); - fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n"); - fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); - fprintf(stderr, "\t\tSIG end time - " - "absolute|from start|from now (now + 30 days)\n"); - fprintf(stderr, "\t-t ttl\n"); - fprintf(stderr, "\t-p\n"); - fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n"); - fprintf(stderr, "\t-r randomdev:\n"); - fprintf(stderr, "\t\ta file containing random data\n"); - fprintf(stderr, "\t-v level:\n"); - fprintf(stderr, "\t\tverbose level (0)\n"); - - fprintf(stderr, "\n"); - - fprintf(stderr, "keys:\n"); - fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n"); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Output:\n"); - fprintf(stderr, "\tkeyset (keyset-<name>)\n"); - exit(0); -} - -static isc_boolean_t -zonekey_on_list(dst_key_t *key) { - keynode_t *keynode; - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - { - if (dst_key_compare(keynode->key, key)) - return (ISC_TRUE); - } - return (ISC_FALSE); -} - -int -main(int argc, char *argv[]) { - int i, ch; - char *startstr = NULL, *endstr = NULL; - dns_fixedname_t fdomain; - dns_name_t *domain = NULL; - char *output = NULL; - char *endp; - unsigned char data[65536]; - dns_db_t *db; - dns_dbversion_t *version; - dns_diff_t diff; - dns_difftuple_t *tuple; - dns_fixedname_t tname; - dst_key_t *key = NULL; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdataset_t rdataset; - dns_rdataclass_t rdclass; - isc_result_t result; - isc_buffer_t b; - isc_region_t r; - isc_log_t *log = NULL; - keynode_t *keynode; - unsigned int eflags; - isc_boolean_t 
pseudorandom = ISC_FALSE; - isc_boolean_t tryverify = ISC_FALSE; - - result = isc_mem_create(0, 0, &mctx); - if (result != ISC_R_SUCCESS) - fatal("failed to create memory context: %s", - isc_result_totext(result)); - - dns_result_register(); - - while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1) - { - switch (ch) { - case 'a': - tryverify = ISC_TRUE; - break; - case 's': - startstr = isc_commandline_argument; - break; - - case 'e': - endstr = isc_commandline_argument; - break; - - case 't': - endp = NULL; - ttl = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("TTL must be numeric"); - break; - - case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); - break; - - case 'v': - endp = NULL; - verbose = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("verbose level must be numeric"); - break; - - case 'p': - pseudorandom = ISC_TRUE; - break; - - case 'h': - default: - usage(); - - } - } - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc < 1) - usage(); - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - eflags = ISC_ENTROPY_BLOCKING; - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - result = dst_lib_init(mctx, ectx, eflags); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); - - isc_stdtime_get(&now); - - if (startstr != NULL) - starttime = strtotime(startstr, now, now); - else - starttime = now; - - if (endstr != NULL) - endtime = strtotime(endstr, now, starttime); - else - endtime = starttime + (30 * 24 * 60 * 60); - - if (ttl == -1) { - ttl = 3600; - fprintf(stderr, "%s: TTL not specified, assuming 3600\n", - program); - } - - setup_logging(verbose, mctx, &log); - - dns_diff_init(mctx, &diff); - rdclass = 0; - - ISC_LIST_INIT(keylist); - - for (i = 0; i < argc; i++) { - char namestr[DNS_NAME_FORMATSIZE]; - isc_buffer_t namebuf; - - key = NULL; - result = dst_key_fromnamedfile(argv[i], 
DST_TYPE_PUBLIC, - mctx, &key); - if (result != ISC_R_SUCCESS) - fatal("error loading key from %s: %s", argv[i], - isc_result_totext(result)); - if (rdclass == 0) - rdclass = dst_key_class(key); - - isc_buffer_init(&namebuf, namestr, sizeof(namestr)); - result = dns_name_tofilenametext(dst_key_name(key), - ISC_FALSE, - &namebuf); - check_result(result, "dns_name_tofilenametext"); - isc_buffer_putuint8(&namebuf, 0); - - if (domain == NULL) { - dns_fixedname_init(&fdomain); - domain = dns_fixedname_name(&fdomain); - dns_name_copy(dst_key_name(key), domain, NULL); - } else if (!dns_name_equal(domain, dst_key_name(key))) { - char str[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, str, sizeof(str)); - fatal("all keys must have the same owner - %s " - "and %s do not match", str, namestr); - } - - if (output == NULL) { - size_t len; - len = strlen("keyset-") + strlen(namestr); - output = isc_mem_allocate(mctx, len + 1); - if (output == NULL) - fatal("out of memory"); - strlcpy(output, "keyset-", len + 1); - strlcat(output, namestr, len + 1); - } - - if (dst_key_iszonekey(key)) { - dst_key_t *zonekey = NULL; - result = dst_key_fromnamedfile(argv[i], - DST_TYPE_PUBLIC | - DST_TYPE_PRIVATE, - mctx, &zonekey); - if (result != ISC_R_SUCCESS) - fatal("failed to read private key %s: %s", - argv[i], isc_result_totext(result)); - if (!zonekey_on_list(zonekey)) { - keynode = isc_mem_get(mctx, sizeof(keynode_t)); - if (keynode == NULL) - fatal("out of memory"); - keynode->key = zonekey; - ISC_LIST_INITANDAPPEND(keylist, keynode, link); - } else - dst_key_free(&zonekey); - } - dns_rdata_reset(&rdata); - isc_buffer_init(&b, data, sizeof(data)); - result = dst_key_todns(key, &b); - dst_key_free(&key); - if (result != ISC_R_SUCCESS) - fatal("failed to convert key %s to a DNS KEY: %s", - argv[i], isc_result_totext(result)); - isc_buffer_usedregion(&b, &r); - dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r); - tuple = NULL; - result = dns_difftuple_create(mctx, 
DNS_DIFFOP_ADD, - domain, ttl, &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - } - - db = NULL; - result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, - rdclass, 0, NULL, &db); - if (result != ISC_R_SUCCESS) - fatal("failed to create a database"); - - version = NULL; - dns_db_newversion(db, &version); - - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); - dns_diff_clear(&diff); - - dns_fixedname_init(&tname); - dns_rdataset_init(&rdataset); - result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0, - NULL, dns_fixedname_name(&tname), &rdataset, - NULL); - check_result(result, "dns_db_find"); - - if (ISC_LIST_EMPTY(keylist)) - fprintf(stderr, - "%s: no private zone key found; not self-signing\n", - program); - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - { - dns_rdata_reset(&rdata); - isc_buffer_init(&b, data, sizeof(data)); - result = dns_dnssec_sign(domain, &rdataset, keynode->key, - &starttime, &endtime, mctx, &b, - &rdata); - isc_entropy_stopcallbacksources(ectx); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(keynode->key, keystr, sizeof(keystr)); - fatal("failed to sign keyset with key %s: %s", - keystr, isc_result_totext(result)); - } - if (tryverify) { - result = dns_dnssec_verify(domain, &rdataset, - keynode->key, ISC_TRUE, - mctx, &rdata); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(keynode->key, keystr, sizeof(keystr)); - fatal("signature from key '%s' failed to " - "verify: %s", - keystr, isc_result_totext(result)); - } - } - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - domain, ttl, &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - } - - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); - 
dns_diff_clear(&diff); - - dns_rdataset_disassociate(&rdataset); - - dns_db_closeversion(db, &version, ISC_TRUE); - result = dns_db_dump(db, version, output); - if (result != ISC_R_SUCCESS) { - char domainstr[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, domainstr, sizeof(domainstr)); - fatal("failed to write database for %s to %s", - domainstr, output); - } - - printf("%s\n", output); - - dns_db_detach(&db); - - while (!ISC_LIST_EMPTY(keylist)) { - keynode = ISC_LIST_HEAD(keylist); - ISC_LIST_UNLINK(keylist, keynode, link); - dst_key_free(&keynode->key); - isc_mem_put(mctx, keynode, sizeof(keynode_t)); - } - - cleanup_logging(&log); - cleanup_entropy(&ectx); - - isc_mem_free(mctx, output); - dst_lib_destroy(); - if (verbose > 10) - isc_mem_stats(mctx, stdout); - isc_mem_destroy(&mctx); - return (0); -} diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook deleted file mode 100644 index 47c70a638e4..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook +++ /dev/null 
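Review bot: a pure deletion of the tool source, so the matching Makefile.in TARGETS, OBJS and SRCS entries for dnssec-makekeyset must go in the same commit or the build breaks on the missing file; they are not in this hunk. Nothing else in the visible diff references the per-tool globals defined here (`program`, `verbose`, `keylist`), so no further cleanup is implied. Note for the changelog that the removed tool's `-p` path, which cleared ISC_ENTROPY_GOODONLY to allow signing with non-blocking pseudo-random data, disappears with it.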
@@ -1,233 +0,0 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ --> - -<refentry> - <refentryinfo> - <date>June 30, 2000</date> - </refentryinfo> - - <refmeta> - <refentrytitle><application>dnssec-makekeyset</application></refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo>BIND9</refmiscinfo> - </refmeta> - - <refnamediv> - <refname><application>dnssec-makekeyset</application></refname> - <refpurpose>DNSSEC zone signing tool</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis> - <command>dnssec-makekeyset</command> - <arg><option>-a</option></arg> - <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> - <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> - <arg><option>-h</option></arg> - <arg><option>-p</option></arg> - <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> - <arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg> - <arg><option>-v <replaceable 
class="parameter">level</replaceable></option></arg> - <arg choice="req" rep="repeat">key</arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1> - <title>DESCRIPTION</title> - <para> - <command>dnssec-makekeyset</command> generates a key set from one - or more keys created by <command>dnssec-keygen</command>. It creates - a file containing a KEY record for each key, and self-signs the key - set with each zone key. The output file is of the form - <filename>keyset-nnnn.</filename>, where <filename>nnnn</filename> - is the zone name. - </para> - </refsect1> - - <refsect1> - <title>OPTIONS</title> - - <variablelist> - <varlistentry> - <term>-a</term> - <listitem> - <para> - Verify all generated signatures. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-s <replaceable class="parameter">start-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <option>start-time</option> is specified, the current - time is used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-e <replaceable class="parameter">end-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - expire. As with <option>start-time</option>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <option>end-time</option> is - specified, 30 days from the start time is used as a default. 
- </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-makekeyset</command>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-p</term> - <listitem> - <para> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-t <replaceable class="parameter">ttl</replaceable></term> - <listitem> - <para> - Specify the TTL (time to live) of the KEY and SIG records. - The default is 3600 seconds. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>key</term> - <listitem> - <para> - The list of keys to be included in the keyset file. These keys - are expressed in the form <filename>Knnnn.+aaa+iiiii</filename> - as generated by <command>dnssec-keygen</command>. 
- </para> - </listitem> - </varlistentry> - - </variablelist> - </refsect1> - - <refsect1> - <title>EXAMPLE</title> - <para> - The following command generates a keyset containing the DSA key for - <userinput>example.com</userinput> generated in the - <command>dnssec-keygen</command> man page. - </para> - <para> - <userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput> - </para> - <para> - In this example, <command>dnssec-makekeyset</command> creates - the file <filename>keyset-example.com.</filename>. This file - contains the specified key and a self-generated signature. - </para> - <para> - The DNS administrator for <userinput>example.com</userinput> could - send <filename>keyset-example.com.</filename> to the DNS - administrator for <userinput>.com</userinput> for signing, if the - .com zone is DNSSEC-aware and the administrators of the two zones - have some mechanism for authenticating each other and exchanging - the keys and signatures securely. - </para> - </refsect1> - - <refsect1> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>dnssec-signkey</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citetitle>BIND 9 Administrator Reference Manual</citetitle>, - <citetitle>RFC 2535</citetitle>. - </para> - </refsect1> - - <refsect1> - <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> - </para> - </refsect1> - -</refentry> - -<!-- - - Local variables: - - mode: sgml - - End: ---> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html deleted file mode 100644 index ff7c424da66..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html +++ /dev/null 
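Review bot: this docbook file is the source from which dnssec-makekeyset.8 and dnssec-makekeyset.html are generated, so deleting it together with the two rendered files (the .8 above and the .html that follows) is the right scope; check that the documentation build's list of docbook inputs no longer names dnssec-makekeyset.docbook, otherwise the next regeneration run will trip over it.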
@@ -1,407 +0,0 @@ -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ --> - -<HTML -><HEAD -><TITLE ->dnssec-makekeyset</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -><SPAN -CLASS="APPLICATION" ->dnssec-makekeyset</SPAN -></A -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-makekeyset</SPAN -> -- DNSSEC zone signing tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-makekeyset</B -> [<TT -CLASS="OPTION" ->-a</TT ->] [<TT -CLASS="OPTION" ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-h</TT ->] [<TT -CLASS="OPTION" ->-p</TT ->] [<TT -CLASS="OPTION" ->-r <TT -CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></TT ->] [<TT -CLASS="OPTION" 
->-t</TT -><TT -CLASS="REPLACEABLE" -><I ->ttl</I -></TT ->] [<TT -CLASS="OPTION" ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></TT ->] {key...}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN38" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-makekeyset</B -> generates a key set from one - or more keys created by <B -CLASS="COMMAND" ->dnssec-keygen</B ->. It creates - a file containing a KEY record for each key, and self-signs the key - set with each zone key. The output file is of the form - <TT -CLASS="FILENAME" ->keyset-nnnn.</TT ->, where <TT -CLASS="FILENAME" ->nnnn</TT -> - is the zone name. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN45" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Verify all generated signatures. - </P -></DD -><DT ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <TT -CLASS="OPTION" ->start-time</TT -> is specified, the current - time is used. - </P -></DD -><DT ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - expire. As with <TT -CLASS="OPTION" ->start-time</TT ->, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <TT -CLASS="OPTION" ->end-time</TT -> is - specified, 30 days from the start time is used as a default. 
- </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-makekeyset</B ->. - </P -></DD -><DT ->-p</DT -><DD -><P -> Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </P -></DD -><DT ->-r <TT -CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></DT -><DD -><P -> Specifies the source of randomness. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> - or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard - input should be used. - </P -></DD -><DT ->-t <TT -CLASS="REPLACEABLE" -><I ->ttl</I -></TT -></DT -><DD -><P -> Specify the TTL (time to live) of the KEY and SIG records. - The default is 3600 seconds. - </P -></DD -><DT ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -><DT ->key</DT -><DD -><P -> The list of keys to be included in the keyset file. These keys - are expressed in the form <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii</TT -> - as generated by <B -CLASS="COMMAND" ->dnssec-keygen</B ->. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN98" -></A -><H2 ->EXAMPLE</H2 -><P -> The following command generates a keyset containing the DSA key for - <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> generated in the - <B -CLASS="COMMAND" ->dnssec-keygen</B -> man page. 
- </P -><P -> <TT -CLASS="USERINPUT" -><B ->dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B -></TT -> - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-makekeyset</B -> creates - the file <TT -CLASS="FILENAME" ->keyset-example.com.</TT ->. This file - contains the specified key and a self-generated signature. - </P -><P -> The DNS administrator for <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> could - send <TT -CLASS="FILENAME" ->keyset-example.com.</TT -> to the DNS - administrator for <TT -CLASS="USERINPUT" -><B ->.com</B -></TT -> for signing, if the - .com zone is DNSSEC-aware and the administrators of the two zones - have some mechanism for authenticating each other and exchanging - the keys and signatures securely. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN112" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signkey</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->, - <I -CLASS="CITETITLE" ->RFC 2535</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN123" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Software Consortium - </P -></DIV -></BODY -></HTML -> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 b/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 deleted file mode 100644 index ea55dd5af77..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 +++ /dev/null 
@@ -1,108 +0,0 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $ -.\" -.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" "" -.SH NAME -dnssec-signkey \- DNSSEC key set signing tool -.SH SYNOPSIS -.sp -\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR -.SH "DESCRIPTION" -.PP -\fBdnssec-signkey\fR signs a keyset. Typically -the keyset will be for a child zone, and will have been generated -by \fBdnssec-makekeyset\fR. The child zone's keyset -is signed with the zone keys for its parent zone. The output file -is of the form \fIsignedkey-nnnn.\fR, where -\fInnnn\fR is the zone name. -.SH "OPTIONS" -.TP -\fB-a\fR -Verify all generated signatures. -.TP -\fB-c \fIclass\fB\fR -Specifies the DNS class of the key sets. -.TP -\fB-s \fIstart-time\fB\fR -Specify the date and time when the generated SIG records -become valid. This can be either an absolute or relative -time. 
An absolute start time is indicated by a number -in YYYYMMDDHHMMSS notation; 20000530144500 denotes -14:45:00 UTC on May 30th, 2000. A relative start time is -indicated by +N, which is N seconds from the current time. -If no \fBstart-time\fR is specified, the current -time is used. -.TP -\fB-e \fIend-time\fB\fR -Specify the date and time when the generated SIG records -expire. As with \fBstart-time\fR, an absolute -time is indicated in YYYYMMDDHHMMSS notation. A time relative -to the start time is indicated with +N, which is N seconds from -the start time. A time relative to the current time is -indicated with now+N. If no \fBend-time\fR is -specified, 30 days from the start time is used as a default. -.TP -\fB-h\fR -Prints a short summary of the options and arguments to -\fBdnssec-signkey\fR. -.TP -\fB-p\fR -Use pseudo-random data when signing the zone. This is faster, -but less secure, than using real random data. This option -may be useful when signing large zones or when the entropy -source is limited. -.TP -\fB-r \fIrandomdev\fB\fR -Specifies the source of randomness. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. -.TP -\fB-v \fIlevel\fB\fR -Sets the debugging level. -.TP -\fBkeyset\fR -The file containing the child's keyset. -.TP -\fBkey\fR -The keys used to sign the child's keyset. -.SH "EXAMPLE" -.PP -The DNS administrator for a DNSSEC-aware \fB.com\fR -zone would use the following command to sign the -\fIkeyset\fR file for \fBexample.com\fR -created by \fBdnssec-makekeyset\fR with a key generated -by \fBdnssec-keygen\fR: -.PP -\fBdnssec-signkey keyset-example.com. 
Kcom.+003+51944\fR -.PP -In this example, \fBdnssec-signkey\fR creates -the file \fIsignedkey-example.com.\fR, which -contains the \fBexample.com\fR keys and the -signatures by the \fB.com\fR keys. -.SH "SEE ALSO" -.PP -\fBdnssec-keygen\fR(8), -\fBdnssec-makekeyset\fR(8), -\fBdnssec-signzone\fR(8). -.SH "AUTHOR" -.PP -Internet Software Consortium diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.c b/usr.sbin/bind/bin/dnssec/dnssec-signkey.c deleted file mode 100644 index f821b990a4c..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.c +++ /dev/null 
@@ -1,450 +0,0 @@ -/* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2000-2003 Internet Software Consortium. - * Portions Copyright (C) 1995-2000 by Network Associates, Inc. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: dnssec-signkey.c,v 1.50.2.2.2.7 2004/08/28 06:25:28 marka Exp $ */ - -#include <config.h> - -#include <stdlib.h> - -#include <isc/string.h> -#include <isc/commandline.h> -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/print.h> -#include <isc/util.h> - -#include <dns/db.h> -#include <dns/dbiterator.h> -#include <dns/diff.h> -#include <dns/dnssec.h> -#include <dns/fixedname.h> -#include <dns/log.h> -#include <dns/rdata.h> -#include <dns/rdataclass.h> -#include <dns/rdataset.h> -#include <dns/rdatasetiter.h> -#include <dns/rdatastruct.h> -#include <dns/result.h> -#include <dns/secalg.h> - -#include <dst/dst.h> - -#include "dnssectool.h" - -const char *program = "dnssec-signkey"; -int verbose; - -typedef struct keynode keynode_t; -struct keynode { - dst_key_t *key; - isc_boolean_t verified; - ISC_LINK(keynode_t) link; -}; -typedef ISC_LIST(keynode_t) keylist_t; - -static isc_stdtime_t starttime = 0, endtime = 0, now; - -static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx 
= NULL; -static keylist_t keylist; - -static void -usage(void) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\t%s [options] keyset keys\n", program); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Version: %s\n", VERSION); - - fprintf(stderr, "Options: (default value in parenthesis) \n"); - fprintf(stderr, "\t-a\n"); - fprintf(stderr, "\t\tverify generated signatures\n"); - fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n"); - fprintf(stderr, "\t\tSIG start time - absolute|offset (from keyset)\n"); - fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); - fprintf(stderr, "\t\tSIG end time - absolute|from start|from now " - "(from keyset)\n"); - fprintf(stderr, "\t-v level:\n"); - fprintf(stderr, "\t\tverbose level (0)\n"); - fprintf(stderr, "\t-p\n"); - fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n"); - fprintf(stderr, "\t-r randomdev:\n"); - fprintf(stderr, "\t\ta file containing random data\n"); - - fprintf(stderr, "\n"); - - fprintf(stderr, "keyset:\n"); - fprintf(stderr, "\tfile with keyset to be signed (keyset-<name>)\n"); - fprintf(stderr, "keys:\n"); - fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n"); - - fprintf(stderr, "\n"); - fprintf(stderr, "Output:\n"); - fprintf(stderr, "\tsigned keyset (signedkey-<name>)\n"); - exit(0); -} - -static void -loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) { - dst_key_t *key; - dns_rdata_t rdata = DNS_RDATA_INIT; - keynode_t *keynode; - isc_result_t result; - - ISC_LIST_INIT(keylist); - result = dns_rdataset_first(rdataset); - check_result(result, "dns_rdataset_first"); - for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { - dns_rdata_reset(&rdata); - dns_rdataset_current(rdataset, &rdata); - key = NULL; - result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key); - if (result != ISC_R_SUCCESS) - continue; - if (!dst_key_iszonekey(key)) { - dst_key_free(&key); - continue; - } - keynode = isc_mem_get(mctx, 
sizeof(keynode_t)); - if (keynode == NULL) - fatal("out of memory"); - keynode->key = key; - keynode->verified = ISC_FALSE; - ISC_LIST_INITANDAPPEND(keylist, keynode, link); - } - if (result != ISC_R_NOMORE) - fatal("failure traversing key list"); -} - -static dst_key_t * -findkey(dns_rdata_rrsig_t *sig) { - keynode_t *keynode; - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - { - if (dst_key_id(keynode->key) == sig->keyid && - dst_key_alg(keynode->key) == sig->algorithm) { - keynode->verified = ISC_TRUE; - return (keynode->key); - } - } - fatal("signature generated by non-zone or missing key"); - return (NULL); -} - -int -main(int argc, char *argv[]) { - int i, ch; - char *startstr = NULL, *endstr = NULL, *classname = NULL; - char tdomain[1025]; - dns_fixedname_t fdomain; - dns_name_t *domain; - char *output = NULL; - char *endp; - unsigned char data[65536]; - dns_db_t *db; - dns_dbnode_t *node; - dns_dbversion_t *version; - dns_diff_t diff; - dns_difftuple_t *tuple; - dns_dbiterator_t *dbiter; - dns_rdatasetiter_t *rdsiter; - dst_key_t *key = NULL; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_t sigrdata = DNS_RDATA_INIT; - dns_rdataset_t rdataset, sigrdataset; - dns_rdata_rrsig_t sig; - isc_result_t result; - isc_buffer_t b; - isc_log_t *log = NULL; - keynode_t *keynode; - isc_boolean_t pseudorandom = ISC_FALSE; - unsigned int eflags; - dns_rdataclass_t rdclass; - isc_boolean_t tryverify = ISC_FALSE; - isc_boolean_t settime = ISC_FALSE; - size_t len; - - result = isc_mem_create(0, 0, &mctx); - check_result(result, "isc_mem_create()"); - - dns_result_register(); - - while ((ch = isc_commandline_parse(argc, argv, "ac:s:e:pr:v:h")) != -1) - { - switch (ch) { - case 'a': - tryverify = ISC_TRUE; - break; - case 'c': - classname = isc_commandline_argument; - break; - - case 's': - startstr = isc_commandline_argument; - break; - - case 'e': - endstr = isc_commandline_argument; - break; - - case 'p': - 
pseudorandom = ISC_TRUE; - break; - - case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); - break; - - case 'v': - endp = NULL; - verbose = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("verbose level must be numeric"); - break; - - case 'h': - default: - usage(); - - } - } - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc < 2) - usage(); - - rdclass = strtoclass(classname); - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - eflags = ISC_ENTROPY_BLOCKING; - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - result = dst_lib_init(mctx, ectx, eflags); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); - - isc_stdtime_get(&now); - - if ((startstr == NULL || endstr == NULL) && - !(startstr == NULL && endstr == NULL)) - fatal("if -s or -e is specified, both must be"); - - if (startstr != NULL) { - starttime = strtotime(startstr, now, now); - endtime = strtotime(endstr, now, starttime); - settime = ISC_TRUE; - } - - setup_logging(verbose, mctx, &log); - - if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0) - fatal("keyset file '%s' must start with keyset-", argv[0]); - - db = NULL; - result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, - rdclass, 0, NULL, &db); - check_result(result, "dns_db_create()"); - - result = dns_db_load(db, argv[0]); - if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) - fatal("failed to load database from '%s': %s", argv[0], - isc_result_totext(result)); - - dns_fixedname_init(&fdomain); - domain = dns_fixedname_name(&fdomain); - - dbiter = NULL; - result = dns_db_createiterator(db, ISC_FALSE, &dbiter); - check_result(result, "dns_db_createiterator()"); - - result = dns_dbiterator_first(dbiter); - check_result(result, "dns_dbiterator_first()"); - while (result == ISC_R_SUCCESS) { - node = NULL; - dns_dbiterator_current(dbiter, &node, domain); - rdsiter = NULL; - result = 
dns_db_allrdatasets(db, node, NULL, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets()"); - result = dns_rdatasetiter_first(rdsiter); - dns_rdatasetiter_destroy(&rdsiter); - if (result == ISC_R_SUCCESS) - break; - dns_db_detachnode(db, &node); - result = dns_dbiterator_next(dbiter); - } - dns_dbiterator_destroy(&dbiter); - if (result != ISC_R_SUCCESS) - fatal("failed to find data in keyset file"); - - isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1); - result = dns_name_tofilenametext(domain, ISC_FALSE, &b); - check_result(result, "dns_name_tofilenametext()"); - isc_buffer_putuint8(&b, 0); - - len = strlen("signedkey-") + strlen(tdomain); - output = isc_mem_allocate(mctx, len + 1); - if (output == NULL) - fatal("out of memory"); - strlcpy(output, "signedkey-", len + 1); - strlcat(output, tdomain, len + 1); - - version = NULL; - dns_db_newversion(db, &version); - - dns_rdataset_init(&rdataset); - dns_rdataset_init(&sigrdataset); - result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0, - 0, &rdataset, &sigrdataset); - if (result != ISC_R_SUCCESS) { - char domainstr[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, domainstr, sizeof(domainstr)); - fatal("failed to find rdataset '%s KEY': %s", - domainstr, isc_result_totext(result)); - } - - loadkeys(domain, &rdataset); - - dns_diff_init(mctx, &diff); - - if (!dns_rdataset_isassociated(&sigrdataset)) - fatal("no SIG KEY set present"); - - result = dns_rdataset_first(&sigrdataset); - check_result(result, "dns_rdataset_first()"); - do { - dns_rdataset_current(&sigrdataset, &sigrdata); - result = dns_rdata_tostruct(&sigrdata, &sig, mctx); - check_result(result, "dns_rdata_tostruct()"); - key = findkey(&sig); - result = dns_dnssec_verify(domain, &rdataset, key, - ISC_TRUE, mctx, &sigrdata); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("signature by key '%s' did not verify: %s", - keystr, isc_result_totext(result)); - } - if 
(!settime) { - starttime = sig.timesigned; - endtime = sig.timeexpire; - settime = ISC_TRUE; - } - dns_rdata_freestruct(&sig); - dns_rdata_reset(&sigrdata); - result = dns_rdataset_next(&sigrdataset); - } while (result == ISC_R_SUCCESS); - - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - if (!keynode->verified) - fatal("not all zone keys self signed the key set"); - - argc -= 1; - argv += 1; - - for (i = 0; i < argc; i++) { - key = NULL; - result = dst_key_fromnamedfile(argv[i], - DST_TYPE_PUBLIC | - DST_TYPE_PRIVATE, - mctx, &key); - if (result != ISC_R_SUCCESS) - fatal("failed to read key %s from disk: %s", - argv[i], isc_result_totext(result)); - - dns_rdata_reset(&rdata); - isc_buffer_init(&b, data, sizeof(data)); - result = dns_dnssec_sign(domain, &rdataset, key, - &starttime, &endtime, - mctx, &b, &rdata); - isc_entropy_stopcallbacksources(ectx); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("key '%s' failed to sign data: %s", - keystr, isc_result_totext(result)); - } - if (tryverify) { - result = dns_dnssec_verify(domain, &rdataset, key, - ISC_TRUE, mctx, &rdata); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("signature from key '%s' failed to " - "verify: %s", - keystr, isc_result_totext(result)); - } - } - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - domain, rdataset.ttl, - &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - dst_key_free(&key); - } - - result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig, - dns_rdatatype_dnskey); - check_result(result, "dns_db_deleterdataset"); - - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); - dns_diff_clear(&diff); - - dns_db_detachnode(db, &node); - dns_db_closeversion(db, &version, ISC_TRUE); - 
result = dns_db_dump(db, version, output); - if (result != ISC_R_SUCCESS) - fatal("failed to write database to '%s': %s", - output, isc_result_totext(result)); - - printf("%s\n", output); - - dns_rdataset_disassociate(&rdataset); - dns_rdataset_disassociate(&sigrdataset); - - dns_db_detach(&db); - - while (!ISC_LIST_EMPTY(keylist)) { - keynode = ISC_LIST_HEAD(keylist); - ISC_LIST_UNLINK(keylist, keynode, link); - dst_key_free(&keynode->key); - isc_mem_put(mctx, keynode, sizeof(keynode_t)); - } - - cleanup_logging(&log); - - isc_mem_free(mctx, output); - cleanup_entropy(&ectx); - dst_lib_destroy(); - if (verbose > 10) - isc_mem_stats(mctx, stdout); - isc_mem_destroy(&mctx); - return (0); -} diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook b/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook deleted file mode 100644 index 40cf45ba2f2..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook +++ /dev/null 
@@ -1,237 +0,0 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ --> - -<refentry> - <refentryinfo> - <date>June 30, 2000</date> - </refentryinfo> - - <refmeta> - <refentrytitle><application>dnssec-signkey</application></refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo>BIND9</refmiscinfo> - </refmeta> - - <refnamediv> - <refname><application>dnssec-signkey</application></refname> - <refpurpose>DNSSEC key set signing tool</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis> - <command>dnssec-signkey</command> - <arg><option>-a</option></arg> - <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> - <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> - <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> - <arg><option>-h</option></arg> - <arg><option>-p</option></arg> - <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> - <arg><option>-v <replaceable 
class="parameter">level</replaceable></option></arg> - <arg choice="req">keyset</arg> - <arg choice="req" rep="repeat">key</arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1> - <title>DESCRIPTION</title> - <para> - <command>dnssec-signkey</command> signs a keyset. Typically - the keyset will be for a child zone, and will have been generated - by <command>dnssec-makekeyset</command>. The child zone's keyset - is signed with the zone keys for its parent zone. The output file - is of the form <filename>signedkey-nnnn.</filename>, where - <filename>nnnn</filename> is the zone name. - </para> - </refsect1> - - <refsect1> - <title>OPTIONS</title> - - <variablelist> - <varlistentry> - <term>-a</term> - <listitem> - <para> - Verify all generated signatures. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-c <replaceable class="parameter">class</replaceable></term> - <listitem> - <para> - Specifies the DNS class of the key sets. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-s <replaceable class="parameter">start-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <option>start-time</option> is specified, the current - time is used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-e <replaceable class="parameter">end-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - expire. As with <option>start-time</option>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. 
A time relative to the current time is - indicated with now+N. If no <option>end-time</option> is - specified, 30 days from the start time is used as a default. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-signkey</command>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-p</term> - <listitem> - <para> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>keyset</term> - <listitem> - <para> - The file containing the child's keyset. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>key</term> - <listitem> - <para> - The keys used to sign the child's keyset. 
- </para> - </listitem> - </varlistentry> - - </variablelist> - </refsect1> - - <refsect1> - <title>EXAMPLE</title> - <para> - The DNS administrator for a DNSSEC-aware <userinput>.com</userinput> - zone would use the following command to sign the - <filename>keyset</filename> file for <userinput>example.com</userinput> - created by <command>dnssec-makekeyset</command> with a key generated - by <command>dnssec-keygen</command>: - </para> - <para> - <userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput> - </para> - <para> - In this example, <command>dnssec-signkey</command> creates - the file <filename>signedkey-example.com.</filename>, which - contains the <userinput>example.com</userinput> keys and the - signatures by the <userinput>.com</userinput> keys. - </para> - </refsect1> - - <refsect1> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>dnssec-makekeyset</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>dnssec-signzone</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>. - </para> - </refsect1> - - <refsect1> - <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> - </para> - </refsect1> - -</refentry> - -<!-- - - Local variables: - - mode: sgml - - End: ---> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.html b/usr.sbin/bind/bin/dnssec/dnssec-signkey.html deleted file mode 100644 index fb134bfe1b3..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.html +++ /dev/null 
@@ -1,407 +0,0 @@ -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ --> - -<HTML -><HEAD -><TITLE ->dnssec-signkey</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -><SPAN -CLASS="APPLICATION" ->dnssec-signkey</SPAN -></A -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-signkey</SPAN -> -- DNSSEC key set signing tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-signkey</B -> [<TT -CLASS="OPTION" ->-a</TT ->] [<TT -CLASS="OPTION" ->-c <TT -CLASS="REPLACEABLE" -><I ->class</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-h</TT ->] [<TT -CLASS="OPTION" ->-p</TT ->] [<TT -CLASS="OPTION" ->-r <TT 
-CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></TT ->] {keyset} {key...}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN39" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-signkey</B -> signs a keyset. Typically - the keyset will be for a child zone, and will have been generated - by <B -CLASS="COMMAND" ->dnssec-makekeyset</B ->. The child zone's keyset - is signed with the zone keys for its parent zone. The output file - is of the form <TT -CLASS="FILENAME" ->signedkey-nnnn.</TT ->, where - <TT -CLASS="FILENAME" ->nnnn</TT -> is the zone name. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN46" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Verify all generated signatures. - </P -></DD -><DT ->-c <TT -CLASS="REPLACEABLE" -><I ->class</I -></TT -></DT -><DD -><P -> Specifies the DNS class of the key sets. - </P -></DD -><DT ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <TT -CLASS="OPTION" ->start-time</TT -> is specified, the current - time is used. - </P -></DD -><DT ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - expire. As with <TT -CLASS="OPTION" ->start-time</TT ->, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. 
If no <TT -CLASS="OPTION" ->end-time</TT -> is - specified, 30 days from the start time is used as a default. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-signkey</B ->. - </P -></DD -><DT ->-p</DT -><DD -><P -> Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </P -></DD -><DT ->-r <TT -CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></DT -><DD -><P -> Specifies the source of randomness. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> - or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard - input should be used. - </P -></DD -><DT ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -><DT ->keyset</DT -><DD -><P -> The file containing the child's keyset. - </P -></DD -><DT ->key</DT -><DD -><P -> The keys used to sign the child's keyset. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN101" -></A -><H2 ->EXAMPLE</H2 -><P -> The DNS administrator for a DNSSEC-aware <TT -CLASS="USERINPUT" -><B ->.com</B -></TT -> - zone would use the following command to sign the - <TT -CLASS="FILENAME" ->keyset</TT -> file for <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> - created by <B -CLASS="COMMAND" ->dnssec-makekeyset</B -> with a key generated - by <B -CLASS="COMMAND" ->dnssec-keygen</B ->: - </P -><P -> <TT -CLASS="USERINPUT" -><B ->dnssec-signkey keyset-example.com. 
Kcom.+003+51944</B -></TT -> - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-signkey</B -> creates - the file <TT -CLASS="FILENAME" ->signedkey-example.com.</TT ->, which - contains the <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> keys and the - signatures by the <TT -CLASS="USERINPUT" -><B ->.com</B -></TT -> keys. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN116" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-makekeyset</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signzone</SPAN ->(8)</SPAN ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN128" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Software Consortium - </P -></DIV -></BODY -></HTML -> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 b/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 index 6f158fcb6c6..a6dffe57a66 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 
@@ -1,167 +1,157 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: dnssec-signzone.8,v 1.23.2.1.4.6 2004/06/11 02:32:46 marka Exp $ +.\" $ISC: dnssec-signzone.8,v 1.23.2.1.4.10 2005/10/13 02:33:45 marka Exp $ .\" -.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" "" -.SH NAME -dnssec-signzone \- DNSSEC zone signing tool -.SH SYNOPSIS -.sp -\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ] +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). 
+.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +dnssec\-signzone \- DNSSEC zone signing tool +.SH "SYNOPSIS" +.HP 16 +\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...] .SH "DESCRIPTION" .PP -\fBdnssec-signzone\fR signs a zone. It generates -NSEC and RRSIG records and produces a signed version of the -zone. The security status of delegations from the signed zone -(that is, whether the child zones are secure or not) is -determined by the presence or absence of a -\fIkeyset\fR file for each child zone. +\fBdnssec\-signzone\fR +signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a +\fIkeyset\fR +file for each child zone. .SH "OPTIONS" .TP -\fB-a\fR +\-a Verify all generated signatures. .TP -\fB-c \fIclass\fB\fR +\-c \fIclass\fR Specifies the DNS class of the zone. .TP -\fB-k \fIkey\fB\fR -Treat specified key as a key signing key ignoring any -key flags. This option may be specified multiple times. -.TP -\fB-l \fIdomain\fB\fR -Generate a DLV set in addition to the key (DNSKEY) and DS sets. -The domain is appended to the name of the records. 
-.TP -\fB-d \fIdirectory\fB\fR -Look for \fIkeyset\fR files in -\fBdirectory\fR as the directory -.TP -\fB-g\fR -Generate DS records for child zones from keyset files. -Existing DS records will be removed. -.TP -\fB-s \fIstart-time\fB\fR -Specify the date and time when the generated RRSIG records -become valid. This can be either an absolute or relative -time. An absolute start time is indicated by a number -in YYYYMMDDHHMMSS notation; 20000530144500 denotes -14:45:00 UTC on May 30th, 2000. A relative start time is -indicated by +N, which is N seconds from the current time. -If no \fBstart-time\fR is specified, the current -time minus 1 hour (to allow for clock skew) is used. -.TP -\fB-e \fIend-time\fB\fR -Specify the date and time when the generated RRSIG records -expire. As with \fBstart-time\fR, an absolute -time is indicated in YYYYMMDDHHMMSS notation. A time relative -to the start time is indicated with +N, which is N seconds from -the start time. A time relative to the current time is -indicated with now+N. If no \fBend-time\fR is -specified, 30 days from the start time is used as a default. -.TP -\fB-f \fIoutput-file\fB\fR -The name of the output file containing the signed zone. The -default is to append \fI.signed\fR to the -input file. -.TP -\fB-h\fR +\-k \fIkey\fR +Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. +.TP +\-l \fIdomain\fR +Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. +.TP +\-d \fIdirectory\fR +Look for +\fIkeyset\fR +files in +\fBdirectory\fR +as the directory +.TP +\-g +Generate DS records for child zones from keyset files. Existing DS records will be removed. +.TP +\-s \fIstart\-time\fR +Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. 
An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no +\fBstart\-time\fR +is specified, the current time minus 1 hour (to allow for clock skew) is used. +.TP +\-e \fIend\-time\fR +Specify the date and time when the generated RRSIG records expire. As with +\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no +\fBend\-time\fR +is specified, 30 days from the start time is used as a default. +.TP +\-f \fIoutput\-file\fR +The name of the output file containing the signed zone. The default is to append +\fI.signed\fR +to the input file. +.TP +\-h Prints a short summary of the options and arguments to -\fBdnssec-signzone\fR. -.TP -\fB-i \fIinterval\fB\fR -When a previously signed zone is passed as input, records -may be resigned. The \fBinterval\fR option -specifies the cycle interval as an offset from the current -time (in seconds). If a RRSIG record expires after the -cycle interval, it is retained. Otherwise, it is considered -to be expiring soon, and it will be replaced. - -The default cycle interval is one quarter of the difference -between the signature end and start times. So if neither -\fBend-time\fR or \fBstart-time\fR -are specified, \fBdnssec-signzone\fR generates -signatures that are valid for 30 days, with a cycle -interval of 7.5 days. Therefore, if any existing RRSIG records -are due to expire in less than 7.5 days, they would be -replaced. -.TP -\fB-n \fIncpus\fB\fR -Specifies the number of threads to use. By default, one -thread is started for each detected CPU. -.TP -\fB-o \fIorigin\fB\fR -The zone origin. If not specified, the name of the zone file -is assumed to be the origin. 
-.TP -\fB-p\fR -Use pseudo-random data when signing the zone. This is faster, -but less secure, than using real random data. This option -may be useful when signing large zones or when the entropy -source is limited. -.TP -\fB-r \fIrandomdev\fB\fR -Specifies the source of randomness. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. -.TP -\fB-t\fR +\fBdnssec\-signzone\fR. +.TP +\-i \fIinterval\fR +When a previously signed zone is passed as input, records may be resigned. The +\fBinterval\fR +option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. +.sp +The default cycle interval is one quarter of the difference between the signature end and start times. So if neither +\fBend\-time\fR +or +\fBstart\-time\fR +are specified, +\fBdnssec\-signzone\fR +generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. +.TP +\-n \fIncpus\fR +Specifies the number of threads to use. By default, one thread is started for each detected CPU. +.TP +\-o \fIorigin\fR +The zone origin. If not specified, the name of the zone file is assumed to be the origin. +.TP +\-p +Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. +.TP +\-r \fIrandomdev\fR +Specifies the source of randomness. 
If the operating system does not provide a +\fI/dev/random\fR +or equivalent device, the default source of randomness is keyboard input. +\fIrandomdev\fR +specifies the name of a character device or file containing random data to be used instead of the default. The special value +\fIkeyboard\fR +indicates that keyboard input should be used. +.TP +\-t Print statistics at completion. .TP -\fB-v \fIlevel\fB\fR +\-v \fIlevel\fR Sets the debugging level. .TP -\fB-z\fR +\-z Ignore KSK flag on key when determining what to sign. .TP -\fBzonefile\fR +zonefile The file containing the zone to be signed. -Sets the debugging level. .TP -\fBkey\fR -The keys used to sign the zone. If no keys are specified, the -default all zone keys that have private key files in the -current directory. +key +The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory. .SH "EXAMPLE" .PP -The following command signs the \fBexample.com\fR -zone with the DSA key generated in the \fBdnssec-keygen\fR +The following command signs the +\fBexample.com\fR +zone with the DSA key generated in the +\fBdnssec\-keygen\fR man page. The zone's keys must be in the zone. If there are -\fIkeyset\fR files associated with child zones, -they must be in the current directory. -\fBexample.com\fR, the following command would be -issued: +\fIkeyset\fR +files associated with child zones, they must be in the current directory. +\fBexample.com\fR, the following command would be issued: .PP -\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR +\fBdnssec\-signzone \-o example.com db.example.com Kexample.com.+003+26160\fR .PP The command would print a string of the form: .PP -In this example, \fBdnssec-signzone\fR creates -the file \fIdb.example.com.signed\fR. This file -should be referenced in a zone statement in a -\fInamed.conf\fR file. +In this example, +\fBdnssec\-signzone\fR +creates the file +\fIdb.example.com.signed\fR. 
This file should be referenced in a zone statement in a +\fInamed.conf\fR +file. .SH "SEE ALSO" .PP -\fBdnssec-keygen\fR(8), -\fIBIND 9 Administrator Reference Manual\fR, -\fIRFC 2535\fR. +\fBdnssec\-keygen\fR(8), +BIND 9 Administrator Reference Manual, +RFC 2535. .SH "AUTHOR" .PP Internet Systems Consortium diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c b/usr.sbin/bind/bin/dnssec/dnssec-signzone.c index e8645027a40..76fd0f3ba27 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssec-signzone.c,v 1.139.2.2.4.17 2004/10/25 01:36:06 marka Exp $ */ +/* $ISC: dnssec-signzone.c,v 1.139.2.2.4.21 2005/10/14 01:38:41 marka Exp $ */ #include <config.h> @@ -787,7 +787,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_rdatasetiter_t *rdsiter; isc_boolean_t isdelegation = ISC_FALSE; isc_boolean_t hasds = ISC_FALSE; - isc_boolean_t atorigin; isc_boolean_t changed = ISC_FALSE; dns_diff_t del, add; char namestr[DNS_NAME_FORMATSIZE]; @@ -795,8 +794,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_name_format(name, namestr, sizeof(namestr)); - atorigin = dns_name_equal(name, gorigin); - /* * Determine if this is a delegation point. */ 
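Review bot: The regenerated dnssec-signzone.8 (the @@ -1,167 +1,157 @@ hunk) carries over documentation defects that should be fixed in the DocBook source rather than patched here. In EXAMPLE the line "The command would print a string of the form:" is still followed by no output, and the paragraph before it still ends in the orphaned fragment "\fBexample.com\fR, the following command would be issued:". The \-d entry "Look for \fIkeyset\fR files in \fBdirectory\fR as the directory" is cut off mid-sentence (presumably "instead of the current directory"), and the synopsis names the \-n argument \fInthreads\fR while the option list calls it \fIncpus\fR; one name should be used in both places. The removal of the stray "Sets the debugging level." under zonefile is correct and matches the .docbook change.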
@@ -931,13 +928,16 @@ signname(dns_dbnode_t *node, dns_name_t *name) { static inline isc_boolean_t active_node(dns_dbnode_t *node) { - dns_rdatasetiter_t *rdsiter; + dns_rdatasetiter_t *rdsiter = NULL; + dns_rdatasetiter_t *rdsiter2 = NULL; isc_boolean_t active = ISC_FALSE; isc_result_t result; dns_rdataset_t rdataset; + dns_rdatatype_t type; + dns_rdatatype_t covers; + isc_boolean_t found; dns_rdataset_init(&rdataset); - rdsiter = NULL; result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); result = dns_rdatasetiter_first(rdsiter); 
@@ -958,36 +958,63 @@ active_node(dns_dbnode_t *node) { if (!active) { /* - * Make sure there is no NSEC / RRSIG records for - * this node. + * The node is empty of everything but NSEC / RRSIG records. */ - result = dns_db_deleterdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0); - if (result == DNS_R_UNCHANGED) - result = ISC_R_SUCCESS; - check_result(result, "dns_db_deleterdataset(nsec)"); - - result = dns_rdatasetiter_first(rdsiter); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) { dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.type == dns_rdatatype_rrsig) { - dns_rdatatype_t type = rdataset.type; - dns_rdatatype_t covers = rdataset.covers; + result = dns_db_deleterdataset(gdb, node, gversion, + rdataset.type, + rdataset.covers); + check_result(result, "dns_db_deleterdataset()"); + dns_rdataset_disassociate(&rdataset); + } + if (result != ISC_R_NOMORE) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); + } else { + /* + * Delete RRSIGs for types that no longer exist. 
+ */ + result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2); + check_result(result, "dns_db_allrdatasets()"); + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) { + dns_rdatasetiter_current(rdsiter, &rdataset); + type = rdataset.type; + covers = rdataset.covers; + dns_rdataset_disassociate(&rdataset); + if (type != dns_rdatatype_rrsig) + continue; + found = ISC_FALSE; + for (result = dns_rdatasetiter_first(rdsiter2); + !found && result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter2)) { + dns_rdatasetiter_current(rdsiter2, &rdataset); + if (rdataset.type == covers) + found = ISC_TRUE; + dns_rdataset_disassociate(&rdataset); + } + if (!found) { + if (result != ISC_R_NOMORE) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); result = dns_db_deleterdataset(gdb, node, gversion, type, covers); - if (result == DNS_R_UNCHANGED) - result = ISC_R_SUCCESS; check_result(result, "dns_db_deleterdataset(rrsig)"); - } - dns_rdataset_disassociate(&rdataset); + } else if (result != ISC_R_NOMORE && + result != ISC_R_SUCCESS) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); } if (result != ISC_R_NOMORE) fatal("rdataset iteration failed: %s", isc_result_totext(result)); + dns_rdatasetiter_destroy(&rdsiter2); } dns_rdatasetiter_destroy(&rdsiter); @@ -1423,7 +1450,6 @@ warnifallksk(dns_db_t *db) { dns_dbnode_t *node = NULL; dns_rdataset_t rdataset; dns_rdata_t rdata = DNS_RDATA_INIT; - dst_key_t *pubkey; isc_result_t result; dns_rdata_key_t key; isc_boolean_t have_non_ksk = ISC_FALSE; @@ -1444,7 +1470,6 @@ warnifallksk(dns_db_t *db) { result = dns_rdataset_first(&rdataset); check_result(result, "dns_rdataset_first"); while (result == ISC_R_SUCCESS) { - pubkey = NULL; dns_rdata_reset(&rdata); dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &key, NULL); 
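Review bot: In the @@ -958,36 +958,63 @@ hunk of dnssec-signzone.c the DNS_R_UNCHANGED tolerance was dropped from both dns_db_deleterdataset() calls; that is only safe because every type/covers pair now comes straight from the iterator and therefore exists at the node, and a one-line comment saying so would stop the check being reintroduced (or removed) by accident. The new else branch is the substantive fix: an RRSIG whose covered type is no longer present is now deleted instead of being carried into the resigned zone, which is the right outcome. Two smaller points: the inner scan restarts rdsiter2 with dns_rdatasetiter_first() for every RRSIG at the node, so cost grows with the square of the number of rdatasets there (fine for ordinary nodes, but worth noting); and the found path exits only via the for-loop increment and the `!found` test, which is why the trailing `else if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS)` has to accept two results. A `break` after the disassociate would make that exit explicit. The @@ -931 hunk only hoists declarations and initialises rdsiter at its declaration, which is fine.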
@@ -1615,9 +1640,9 @@ usage(void) { fprintf(stderr, "\t\tdirectory to find keyset files (.)\n"); fprintf(stderr, "\t-g:\t"); fprintf(stderr, "generate DS records from keyset files\n"); - fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n"); + fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n"); fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n"); - fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); + fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now " "(now + 30 days)\n"); fprintf(stderr, "\t-i interval:\n"); diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook b/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook index a559e80064e..6c36ff708b0 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook @@ -1,7 +1,9 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dnssec-signzone.docbook,v 1.2.2.2.4.8 2004/06/11 01:17:35 marka Exp $ --> +<!-- $ISC: dnssec-signzone.docbook,v 1.2.2.2.4.11 2005/06/24 00:18:15 marka Exp $ --> <refentry> <refentryinfo> 
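Review bot: In the dnssec-signzone.docbook @@ -1,7 +1,9 @@ hunk the new DOCTYPE names the root element `book` while the document element is still `<refentry>`. A validating XML parser requires the DOCTYPE name to match the root element, so this only passes because the stylesheet run does not validate; if the change is just to pull in the `mdash` entity, the same internal subset can be attached to `<!DOCTYPE refentry ...>`. The usage() hunk in dnssec-signzone.c is fine: it balances the previously unmatched `]` on the `-e` line and brackets the `-s` alternatives the same way.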
@@ -29,6 +31,21 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname><application>dnssec-signzone</application></refname> <refpurpose>DNSSEC zone signing tool</refpurpose> @@ -290,7 +307,6 @@ <listitem> <para> The file containing the zone to be signed. - Sets the debugging level. </para> </listitem> </varlistentry> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html b/usr.sbin/bind/bin/dnssec/dnssec-signzone.html index 4c0f0008897..787d7703ba9 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.html 
@@ -1,553 +1,220 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: dnssec-signzone.html,v 1.4.2.1.4.7 2004/08/22 23:38:58 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->dnssec-signzone</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->dnssec-signzone</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-signzone</SPAN -> -- DNSSEC zone signing tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-signzone</B -> [<VAR -CLASS="OPTION" ->-a</VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-d <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-e <VAR -CLASS="REPLACEABLE" ->end-time</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f <VAR -CLASS="REPLACEABLE" ->output-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-g</VAR ->] [<VAR -CLASS="OPTION" ->-h</VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->key</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-l <VAR -CLASS="REPLACEABLE" ->domain</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-i <VAR -CLASS="REPLACEABLE" ->interval</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-n <VAR -CLASS="REPLACEABLE" ->nthreads</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-o <VAR -CLASS="REPLACEABLE" ->origin</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p</VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->start-time</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t</VAR ->] [<VAR -CLASS="OPTION" ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-z</VAR ->] {zonefile} [key...]</P -></DIV -><DIV 
-CLASS="REFSECT1" -><A -NAME="AEN66" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-signzone</B -> signs a zone. It generates +<!-- $ISC: dnssec-signzone.html,v 1.4.2.1.4.14 2005/10/13 02:33:46 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dnssec-signzone</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525979"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a - <TT -CLASS="FILENAME" ->keyset</TT -> file for each child zone. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN71" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Verify all generated signatures. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></DT -><DD -><P -> Specifies the DNS class of the zone. - </P -></DD -><DT ->-k <VAR -CLASS="REPLACEABLE" ->key</VAR -></DT -><DD -><P -> Treat specified key as a key signing key ignoring any + <code class="filename">keyset</code> file for each child zone. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525995"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a</span></dt> +<dd><p> + Verify all generated signatures. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> +<dd><p> + Specifies the DNS class of the zone. + </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt> +<dd><p> + Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. - </P -></DD -><DT ->-l <VAR -CLASS="REPLACEABLE" ->domain</VAR -></DT -><DD -><P -> Generate a DLV set in addition to the key (DNSKEY) and DS sets. + </p></dd> +<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> +<dd><p> + Generate a DLV set in addition to the key (DNSKEY) and DS sets. 
The domain is appended to the name of the records. - </P -></DD -><DT ->-d <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> Look for <TT -CLASS="FILENAME" ->keyset</TT -> files in - <VAR -CLASS="OPTION" ->directory</VAR -> as the directory - </P -></DD -><DT ->-g</DT -><DD -><P -> Generate DS records for child zones from keyset files. + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> +<dd><p> + Look for <code class="filename">keyset</code> files in + <code class="option">directory</code> as the directory + </p></dd> +<dt><span class="term">-g</span></dt> +<dd><p> + Generate DS records for child zones from keyset files. Existing DS records will be removed. - </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->start-time</VAR -></DT -><DD -><P -> Specify the date and time when the generated RRSIG records + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt> +<dd><p> + Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. - If no <VAR -CLASS="OPTION" ->start-time</VAR -> is specified, the current + If no <code class="option">start-time</code> is specified, the current time minus 1 hour (to allow for clock skew) is used. - </P -></DD -><DT ->-e <VAR -CLASS="REPLACEABLE" ->end-time</VAR -></DT -><DD -><P -> Specify the date and time when the generated RRSIG records - expire. As with <VAR -CLASS="OPTION" ->start-time</VAR ->, an absolute + </p></dd> +<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt> +<dd><p> + Specify the date and time when the generated RRSIG records + expire. 
As with <code class="option">start-time</code>, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is - indicated with now+N. If no <VAR -CLASS="OPTION" ->end-time</VAR -> is + indicated with now+N. If no <code class="option">end-time</code> is specified, 30 days from the start time is used as a default. - </P -></DD -><DT ->-f <VAR -CLASS="REPLACEABLE" ->output-file</VAR -></DT -><DD -><P -> The name of the output file containing the signed zone. The - default is to append <TT -CLASS="FILENAME" ->.signed</TT -> to the + </p></dd> +<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt> +<dd><p> + The name of the output file containing the signed zone. The + default is to append <code class="filename">.signed</code> to the input file. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-signzone</B ->. - </P -></DD -><DT ->-i <VAR -CLASS="REPLACEABLE" ->interval</VAR -></DT -><DD -><P -> When a previously signed zone is passed as input, records - may be resigned. The <VAR -CLASS="OPTION" ->interval</VAR -> option + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-signzone</strong></span>. + </p></dd> +<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt> +<dd> +<p> + When a previously signed zone is passed as input, records + may be resigned. The <code class="option">interval</code> option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. 
- </P -><P -> The default cycle interval is one quarter of the difference + </p> +<p> + The default cycle interval is one quarter of the difference between the signature end and start times. So if neither - <VAR -CLASS="OPTION" ->end-time</VAR -> or <VAR -CLASS="OPTION" ->start-time</VAR -> - are specified, <B -CLASS="COMMAND" ->dnssec-signzone</B -> generates + <code class="option">end-time</code> or <code class="option">start-time</code> + are specified, <span><strong class="command">dnssec-signzone</strong></span> generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->ncpus</VAR -></DT -><DD -><P -> Specifies the number of threads to use. By default, one + </p> +</dd> +<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt> +<dd><p> + Specifies the number of threads to use. By default, one thread is started for each detected CPU. - </P -></DD -><DT ->-o <VAR -CLASS="REPLACEABLE" ->origin</VAR -></DT -><DD -><P -> The zone origin. If not specified, the name of the zone file + </p></dd> +<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt> +<dd><p> + The zone origin. If not specified, the name of the zone file is assumed to be the origin. - </P -></DD -><DT ->-p</DT -><DD -><P -> Use pseudo-random data when signing the zone. This is faster, + </p></dd> +<dt><span class="term">-p</span></dt> +<dd><p> + Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. - </P -></DD -><DT ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></DT -><DD -><P -> Specifies the source of randomness. 
If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> +<dd><p> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies + is keyboard input. <code class="filename">randomdev</code> specifies the name of a character device or file containing random data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard + <code class="filename">keyboard</code> indicates that keyboard input should be used. - </P -></DD -><DT ->-t</DT -><DD -><P -> Print statistics at completion. - </P -></DD -><DT ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -><DT ->-z</DT -><DD -><P -> Ignore KSK flag on key when determining what to sign. - </P -></DD -><DT ->zonefile</DT -><DD -><P -> The file containing the zone to be signed. + </p></dd> +<dt><span class="term">-t</span></dt> +<dd><p> + Print statistics at completion. + </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> Sets the debugging level. - </P -></DD -><DT ->key</DT -><DD -><P -> The keys used to sign the zone. If no keys are specified, the + </p></dd> +<dt><span class="term">-z</span></dt> +<dd><p> + Ignore KSK flag on key when determining what to sign. + </p></dd> +<dt><span class="term">zonefile</span></dt> +<dd><p> + The file containing the zone to be signed. + </p></dd> +<dt><span class="term">key</span></dt> +<dd><p> + The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory. 
- </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN181" -></A -><H2 ->EXAMPLE</H2 -><P -> The following command signs the <KBD -CLASS="USERINPUT" ->example.com</KBD -> - zone with the DSA key generated in the <B -CLASS="COMMAND" ->dnssec-keygen</B -> + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526435"></a><h2>EXAMPLE</h2> +<p> + The following command signs the <strong class="userinput"><code>example.com</code></strong> + zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span> man page. The zone's keys must be in the zone. If there are - <TT -CLASS="FILENAME" ->keyset</TT -> files associated with child zones, + <code class="filename">keyset</code> files associated with child zones, they must be in the current directory. - <KBD -CLASS="USERINPUT" ->example.com</KBD ->, the following command would be + <strong class="userinput"><code>example.com</code></strong>, the following command would be issued: - </P -><P -> <KBD -CLASS="USERINPUT" ->dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</KBD -> - </P -><P -> The command would print a string of the form: - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-signzone</B -> creates - the file <TT -CLASS="FILENAME" ->db.example.com.signed</TT ->. This file + </p> +<p> + <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong> + </p> +<p> + The command would print a string of the form: + </p> +<p> + In this example, <span><strong class="command">dnssec-signzone</strong></span> creates + the file <code class="filename">db.example.com.signed</code>. This file should be referenced in a zone statement in a - <TT -CLASS="FILENAME" ->named.conf</TT -> file. 
- </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN195" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->, - <I -CLASS="CITETITLE" ->RFC 2535</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN203" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + <code class="filename">named.conf</code> file. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526485"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 2535</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526512"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dnssec/dnssectool.c b/usr.sbin/bind/bin/dnssec/dnssectool.c index 01e655d4712..965373e71ea 100644 --- a/usr.sbin/bind/bin/dnssec/dnssectool.c +++ b/usr.sbin/bind/bin/dnssec/dnssectool.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssectool.c,v 1.31.2.3.2.4 2004/03/08 02:07:38 marka Exp $ */ +/* $ISC: dnssectool.c,v 1.31.2.3.2.6 2005/07/02 02:42:43 marka Exp $ */ #include <config.h> @@ -145,6 +145,8 @@ setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) { isc_log_t *log = NULL; int level; + if (verbose < 0) + verbose = 0; switch (verbose) { case 0: /* 
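Review bot: the regenerated EXAMPLE section in the + lines of the dnssec-signzone page carries two fragments that do not read as sentences: "they must be in the current directory. example.com, the following command would be issued:" is missing the clause that should precede "example.com", and "The command would print a string of the form:" is followed by no output before the next paragraph begins with "In this example". The -d entry likewise reads "Look for keyset files in directory as the directory", which drops the object of the sentence. Since this HTML is generated, the fix belongs in the DocBook source rather than here, but it is worth reporting upstream before importing the page as-is.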
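Review bot: the new clamp `if (verbose < 0) verbose = 0;` in setup_logging() silently folds a negative -v argument into level 0 rather than rejecting it; because the value comes straight from the command line, an explicit error at option parsing would make a mistyped level visible instead of quietly disabling debug logging. If the clamp is kept, a one-line comment explaining why negative values are treated as 0 would help the next reader of the switch that follows.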
diff --git a/usr.sbin/bind/bin/named/client.c b/usr.sbin/bind/bin/named/client.c index 691ae3f472b..16e1040f129 100644 --- a/usr.sbin/bind/bin/named/client.c +++ b/usr.sbin/bind/bin/named/client.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: client.c,v 1.176.2.13.4.23 2004/09/26 22:37:43 marka Exp $ */ +/* $ISC: client.c,v 1.176.2.13.4.26 2005/07/27 02:53:14 marka Exp $ */ #include <config.h> @@ -177,20 +177,10 @@ static void client_request(isc_task_t *task, isc_event_t *event); static void ns_client_dumpmessage(ns_client_t *client, const char *reason); void -ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) { - ns_client_t *oldest; +ns_client_recursing(ns_client_t *client) { REQUIRE(NS_CLIENT_VALID(client)); LOCK(&client->manager->lock); - if (killoldest) { - oldest = ISC_LIST_HEAD(client->manager->recursing); - if (oldest != NULL) { - ns_query_cancel(oldest); - ISC_LIST_UNLINK(*oldest->list, oldest, link); - ISC_LIST_APPEND(client->manager->active, oldest, link); - oldest->list = &client->manager->active; - } - } ISC_LIST_UNLINK(*client->list, client, link); ISC_LIST_APPEND(client->manager->recursing, client, link); client->list = &client->manager->recursing; 
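Review bot: ns_client_recursing() loses its killoldest parameter here, so every caller and the prototype in named/client.h must change in the same commit; none of those sites appear in this section, so verify the tree still builds with the new signature. The block that cancelled the oldest recursing query is deleted from this function rather than moved within it, so callers that used to pass ISC_TRUE now only get that behaviour if they are also updated to call the replacement function separately.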
@@ -198,6 +188,22 @@ ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) { } void +ns_client_killoldestquery(ns_client_t *client) { + ns_client_t *oldest; + REQUIRE(NS_CLIENT_VALID(client)); + + LOCK(&client->manager->lock); + oldest = ISC_LIST_HEAD(client->manager->recursing); + if (oldest != NULL) { + ns_query_cancel(oldest); + ISC_LIST_UNLINK(*oldest->list, oldest, link); + ISC_LIST_APPEND(client->manager->active, oldest, link); + oldest->list = &client->manager->active; + } + UNLOCK(&client->manager->lock); +} + +void ns_client_settimeout(ns_client_t *client, unsigned int seconds) { isc_result_t result; isc_interval_t interval; @@ -1603,8 +1609,7 @@ client_timeout(isc_task_t *task, isc_event_t *event) { } static isc_result_t -client_create(ns_clientmgr_t *manager, ns_client_t **clientp) -{ +client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { ns_client_t *client; isc_result_t result; diff --git a/usr.sbin/bind/bin/named/control.c b/usr.sbin/bind/bin/named/control.c index 157c7550d78..25fe878a749 100644 --- a/usr.sbin/bind/bin/named/control.c +++ b/usr.sbin/bind/bin/named/control.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: control.c,v 1.7.2.2.2.11 2004/09/03 03:43:31 marka Exp $ */ +/* $ISC: control.c,v 1.7.2.2.2.14 2005/04/29 01:04:47 marka Exp $ */ #include <config.h> @@ -37,6 +37,9 @@ #include <named/log.h> #include <named/os.h> #include <named/server.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#endif static isc_boolean_t command_compare(const char *text, const char *command) { 
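Review bot: splitting the cancel-oldest step into ns_client_killoldestquery() means the manager lock is taken twice (once here and once in ns_client_recursing()) where the old code did both under a single LOCK(); between the two calls another client can be linked into manager->recursing, so the query cancelled is no longer guaranteed to have made room for the caller's own insertion. If callers always invoke the two back to back that is acceptable, but the ordering assumption should be stated in a comment above the new function. Minor: `client` is only used to reach client->manager, so taking the ns_clientmgr_t directly would make the function's scope clearer.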
@@ -58,6 +61,9 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { isccc_sexpr_t *data; char *command; isc_result_t result; +#ifdef HAVE_LIBSCF + ns_smf_want_disable = 0; +#endif data = isccc_alist_lookup(message, "_data"); if (data == NULL) { @@ -92,11 +98,41 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { } else if (command_compare(command, NS_COMMAND_RETRANSFER)) { result = ns_server_retransfercommand(ns_g_server, command); } else if (command_compare(command, NS_COMMAND_HALT)) { +#ifdef HAVE_LIBSCF + /* + * If we are managed by smf(5), AND in chroot, then + * we cannot connect to the smf repository, so just + * return with an appropriate message back to rndc. + */ + if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) { + result = ns_smf_add_message(text); + return (result); + } + /* + * If we are managed by smf(5) but not in chroot, + * try to disable ourselves the smf way. + */ + if (ns_smf_got_instance == 1 && ns_smf_chroot == 0) + ns_smf_want_disable = 1; + /* + * If ns_smf_got_instance = 0, ns_smf_chroot + * is not relevant and we fall through to + * isc_app_shutdown below. + */ +#endif ns_server_flushonshutdown(ns_g_server, ISC_FALSE); ns_os_shutdownmsg(command, text); isc_app_shutdown(); result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_STOP)) { +#ifdef HAVE_LIBSCF + if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) { + result = ns_smf_add_message(text); + return (result); + } + if (ns_smf_got_instance == 1 && ns_smf_chroot == 0) + ns_smf_want_disable = 1; +#endif ns_server_flushonshutdown(ns_g_server, ISC_TRUE); ns_os_shutdownmsg(command, text); isc_app_shutdown(); diff --git a/usr.sbin/bind/bin/named/lwresd.html b/usr.sbin/bind/bin/named/lwresd.html index 06b01664ace..fb800eeefe3 100644 --- a/usr.sbin/bind/bin/named/lwresd.html +++ b/usr.sbin/bind/bin/named/lwresd.html 
@@ -1,497 +1,189 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: lwresd.html,v 1.4.2.1.4.3 2004/08/22 23:38:59 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwresd</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->lwresd</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->lwresd</SPAN -> -- lightweight resolver daemon</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->lwresd</B -> [<VAR -CLASS="OPTION" ->-C <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f</VAR ->] [<VAR -CLASS="OPTION" ->-g</VAR ->] [<VAR -CLASS="OPTION" ->-i <VAR -CLASS="REPLACEABLE" ->pid-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-P <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s</VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v</VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN48" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->lwresd</B -> is the daemon providing name lookup +<!-- $ISC: lwresd.html,v 1.4.2.1.4.8 2005/10/13 02:33:47 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwresd</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" 
vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">lwresd</span> — lightweight resolver daemon</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525920"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">lwresd</strong></span> is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped-down, caching-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol. - </P -><P -> <B -CLASS="COMMAND" ->lwresd</B -> listens for resolver queries on a + </p> +<p> + <span><strong class="command">lwresd</strong></span> listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. 
This - means that <B -CLASS="COMMAND" ->lwresd</B -> can only be used by + means that <span><strong class="command">lwresd</strong></span> can only be used by processes running on the local machine. By default UDP port number 921 is used for lightweight resolver requests and responses. - </P -><P -> Incoming lightweight resolver requests are decoded by the + </p> +<p> + Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When - the DNS lookup completes, <B -CLASS="COMMAND" ->lwresd</B -> encodes + the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes the answers in the lightweight resolver format and returns them to the client that made the request. - </P -><P -> If <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -> contains any - <VAR -CLASS="OPTION" ->nameserver</VAR -> entries, <B -CLASS="COMMAND" ->lwresd</B -> + </p> +<p> + If <code class="filename">/etc/resolv.conf</code> contains any + <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span> sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no - <VAR -CLASS="OPTION" ->nameserver</VAR -> entries are present, or if - forwarding fails, <B -CLASS="COMMAND" ->lwresd</B -> resolves the + <code class="option">nameserver</code> entries are present, or if + forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the queries autonomously starting at the root name servers, using a built-in list of root server hints. 
- </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN63" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-C <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> as the + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525969"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the configuration file instead of the default, - <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->. - </P -></DD -><DT ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></DT -><DD -><P -> Set the daemon's debug level to <VAR -CLASS="REPLACEABLE" ->debug-level</VAR ->. - Debugging traces from <B -CLASS="COMMAND" ->lwresd</B -> become + <code class="filename">/etc/resolv.conf</code>. + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> +<dd><p> + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">lwresd</strong></span> become more verbose as the debug level increases. - </P -></DD -><DT ->-f</DT -><DD -><P -> Run the server in the foreground (i.e. do not daemonize). - </P -></DD -><DT ->-g</DT -><DD -><P -> Run the server in the foreground and force all logging - to <TT -CLASS="FILENAME" ->stderr</TT ->. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></DT -><DD -><P -> Create <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -> worker threads + </p></dd> +<dt><span class="term">-f</span></dt> +<dd><p> + Run the server in the foreground (i.e. do not daemonize). + </p></dd> +<dt><span class="term">-g</span></dt> +<dd><p> + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. 
+ </p></dd> +<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> +<dd><p> + Create <em class="replaceable"><code>#cpus</code></em> worker threads to take advantage of multiple CPUs. If not specified, - <B -CLASS="COMMAND" ->lwresd</B -> will try to determine the + <span><strong class="command">lwresd</strong></span> will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. - </P -></DD -><DT ->-P <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Listen for lightweight resolver queries on port - <VAR -CLASS="REPLACEABLE" ->port</VAR ->. If + </p></dd> +<dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Listen for lightweight resolver queries on port + <em class="replaceable"><code>port</code></em>. If not specified, the default is port 921. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Send DNS lookups to port <VAR -CLASS="REPLACEABLE" ->port</VAR ->. If not + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non-standard port number. - </P -></DD -><DT ->-s</DT -><DD -><P -> Write memory usage statistics to <TT -CLASS="FILENAME" ->stdout</TT -> + </p></dd> +<dt><span class="term">-s</span></dt> +<dd> +<p> + Write memory usage statistics to <code class="filename">stdout</code> on exit. 
- </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> This option is mainly of interest to BIND 9 developers + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. - </P -></BLOCKQUOTE -></DIV -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->chroot()</CODE -> to <VAR -CLASS="REPLACEABLE" ->directory</VAR -> after + </p> +</div> +</dd> +<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> +<dd> +<p> + <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after processing the command line arguments, but before reading the configuration file. - </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="90%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> This option should be used in conjunction with the - <VAR -CLASS="OPTION" ->-u</VAR -> option, as chrooting a process + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process running as root doesn't enhance security on most - systems; the way <CODE -CLASS="FUNCTION" ->chroot()</CODE -> is + systems; the way <code class="function">chroot()</code> is defined allows a process with root privileges to escape a chroot jail. 
- </P -></TD -></TR -></TABLE -></DIV -></DD -><DT ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->setuid()</CODE -> to <VAR -CLASS="REPLACEABLE" ->user</VAR -> after completing + </p> +</div> +</dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd><p> + <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing privileged operations, such as creating sockets that listen on privileged ports. - </P -></DD -><DT ->-v</DT -><DD -><P -> Report the version number and exit. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN137" -></A -><H2 ->FILES</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></DT -><DD -><P -> The default configuration file. - </P -></DD -><DT -><TT -CLASS="FILENAME" ->/var/run/lwresd.pid</TT -></DT -><DD -><P -> The default process-id file. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN150" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres</SPAN ->(3)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->resolver</SPAN ->(5)</SPAN ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN162" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p></dd> +<dt><span class="term">-v</span></dt> +<dd><p> + Report the version number and exit. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526237"></a><h2>FILES</h2> +<div class="variablelist"><dl> +<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt> +<dd><p> + The default configuration file. 
+ </p></dd> +<dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt> +<dd><p> + The default process-id file. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526277"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, + <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526315"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/named/main.c b/usr.sbin/bind/bin/named/main.c index 55d22471834..0db824a4b2a 100644 --- a/usr.sbin/bind/bin/named/main.c +++ b/usr.sbin/bind/bin/named/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: main.c,v 1.119.2.3.2.17 2004/10/25 00:42:54 marka Exp $ */ +/* $ISC: main.c,v 1.119.2.3.2.22 2005/04/29 01:04:47 marka Exp $ */ #include <config.h> @@ -48,10 +48,6 @@ #include <dst/result.h> -#ifdef HAVE_LIBSCF -#include <libscf.h> -#endif - /* * Defining NS_MAIN provides storage declarations (rather than extern) * for variables in named/globals.h. @@ -67,6 +63,9 @@ #include <named/server.h> #include <named/lwresd.h> #include <named/main.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#endif /* * Include header files for database drivers here. 
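Review bot: the HAVE_LIBSCF hunk in main.c replaces `#include <libscf.h>` with `#include <named/ns_smf_globals.h>`, yet main.c still calls scf_handle_create(), scf_handle_bind(), scf_myname(), scf_strerror() and smf_disable_instance() directly in the hunks that follow, so ns_smf_globals.h has to pull in <libscf.h> itself (or main.c has to keep the direct include); otherwise the Solaris build loses those prototypes. That header is not part of this section, so it needs checking.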
@@ -540,6 +539,9 @@ destroy_managers(void) { static void setup(void) { isc_result_t result; +#ifdef HAVE_LIBSCF + char *instance = NULL; +#endif /* * Write pidfile before chroot if specified on the command line @@ -561,6 +563,18 @@ setup(void) { ns_os_opendevnull(); +#ifdef HAVE_LIBSCF + /* Check if named is under smf control, before chroot. */ + result = ns_smf_get_instance(&instance, 0, ns_g_mctx); + /* We don't care about instance, just check if we got one. */ + if (result == ISC_R_SUCCESS) + ns_smf_got_instance = 1; + else + ns_smf_got_instance = 0; + if (instance != NULL) + isc_mem_free(ns_g_mctx, instance); +#endif /* HAVE_LIBSCF */ + #ifdef PATH_RANDOMDEV /* * Initialize system's random device as fallback entropy source 
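Review bot: ns_smf_get_instance() is called with debug set to 0 so failures in setup() are silent, which is reasonable for hosts not under smf(5), but the call reuses the function-level `result`; make sure nothing later in setup() tests `result` before it is reassigned, or use a dedicated local. The comment "We don't care about instance" would be clearer if it said why the pointer is requested at all, namely that the REQUIRE in ns_smf_get_instance() insists on a non-NULL out-parameter, which is also why the isc_mem_free() that follows is needed.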
@@ -716,92 +730,73 @@ ns_main_setmemstats(const char *filename) { #ifdef HAVE_LIBSCF /* - * Get FMRI for the current named process + * Get FMRI for the named process. */ -static char * -scf_get_ins_name(void) { +isc_result_t +ns_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) { scf_handle_t *h = NULL; int namelen; - char *ins_name; + char *instance; + + REQUIRE(ins_name != NULL && *ins_name == NULL); if ((h = scf_handle_create(SCF_VERSION)) == NULL) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_handle_create() failed: %s", - scf_strerror(scf_error())); - return (NULL); + if (debug) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_handle_create() failed: %s", + scf_strerror(scf_error())); + return (ISC_R_FAILURE); } if (scf_handle_bind(h) == -1) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_handle_bind() failed: %s", - scf_strerror(scf_error())); + if (debug) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_handle_bind() failed: %s", + scf_strerror(scf_error())); scf_handle_destroy(h); - return (NULL); + return (ISC_R_FAILURE); } if ((namelen = scf_myname(h, NULL, 0)) == -1) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_INFO, - "scf_myname() failed: %s", - scf_strerror(scf_error())); + if (debug) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_myname() failed: %s", + scf_strerror(scf_error())); scf_handle_destroy(h); - return (NULL); + return (ISC_R_FAILURE); } - if ((ins_name = malloc(namelen + 1)) == NULL) { + if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) { UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_get_ins_named() memory " + "ns_smf_get_instance memory " "allocation failed: %s", isc_result_totext(ISC_R_NOMEMORY)); scf_handle_destroy(h); - return (NULL); + return (ISC_R_FAILURE); } - if (scf_myname(h, ins_name, namelen + 1) == -1) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_myname() failed: %s", - scf_strerror(scf_error())); + if (scf_myname(h, instance, namelen + 1) == -1) { + if (debug) + 
UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_myname() failed: %s", + scf_strerror(scf_error())); scf_handle_destroy(h); - free(ins_name); - return (NULL); + isc_mem_free(mctx, instance); + return (ISC_R_FAILURE); } scf_handle_destroy(h); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, - ISC_LOG_INFO, "instance name:%s", ins_name); - - return (ins_name); -} - -static void -scf_cleanup(void) { - char *s; - char *ins_name; - - if ((ins_name = scf_get_ins_name()) != NULL) { - if ((s = smf_get_state(ins_name)) != NULL) { - if ((strcmp(SCF_STATE_STRING_ONLINE, s) == 0) || - (strcmp(SCF_STATE_STRING_DEGRADED, s) == 0)) { - if (smf_disable_instance(ins_name, 0) != 0) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "smf_disable_instance() failed: %s", - scf_strerror(scf_error())); - } - } - free(s); - } else { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "smf_get_state() failed: %s", - scf_strerror(scf_error())); - } - free(ins_name); - } + *ins_name = instance; + return (ISC_R_SUCCESS); } -#endif +#endif /* HAVE_LIBSCF */ int main(int argc, char *argv[]) { isc_result_t result; +#ifdef HAVE_LIBSCF + char *instance = NULL; +#endif /* * Record version in core image. @@ -869,8 +864,20 @@ main(int argc, char *argv[]) { } while (result != ISC_R_SUCCESS); #ifdef HAVE_LIBSCF - scf_cleanup(); -#endif + if (ns_smf_want_disable == 1) { + result = ns_smf_get_instance(&instance, 1, ns_g_mctx); + if (result == ISC_R_SUCCESS && instance != NULL) { + if (smf_disable_instance(instance, 0) != 0) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "smf_disable_instance() ", + "failed for %s : %s", + instance, + scf_strerror(scf_error())); + } + if (instance != NULL) + isc_mem_free(ns_g_mctx, instance); + } +#endif /* HAVE_LIBSCF */ cleanup(); diff --git a/usr.sbin/bind/bin/named/named.html b/usr.sbin/bind/bin/named/named.html index 08a1d5db250..6589680aee3 100644 --- a/usr.sbin/bind/bin/named/named.html +++ b/usr.sbin/bind/bin/named/named.html 
@@ -1,625 +1,240 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: named.html,v 1.4.2.1.4.4 2004/08/22 23:38:59 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->named</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->named</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->named</SPAN -> -- Internet domain name server</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->named</B -> [<VAR -CLASS="OPTION" ->-4</VAR ->] [<VAR -CLASS="OPTION" ->-6</VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f</VAR ->] [<VAR -CLASS="OPTION" ->-g</VAR ->] [<VAR -CLASS="OPTION" ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s</VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v</VAR ->] [<VAR -CLASS="OPTION" ->-x <VAR -CLASS="REPLACEABLE" ->cache-file</VAR -></VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN49" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->named</B -> is a Domain Name System (DNS) server, +<!-- $ISC: named.html,v 1.4.2.1.4.9 2005/10/13 02:33:47 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>named</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" 
vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">named</span> — Internet domain name server</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525923"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">named</strong></span> is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035. - </P -><P -> When invoked without arguments, <B -CLASS="COMMAND" ->named</B -> will + </p> +<p> + When invoked without arguments, <span><strong class="command">named</strong></span> will read the default configuration file - <TT -CLASS="FILENAME" ->/etc/named.conf</TT ->, read any initial + <code class="filename">/etc/named.conf</code>, read any initial data, and listen for queries. 
- </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN56" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-4</DT -><DD -><P -> Use IPv4 only even if the host machine is capable of IPv6. - <VAR -CLASS="OPTION" ->-4</VAR -> and <VAR -CLASS="OPTION" ->-6</VAR -> are mutually + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525948"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-4</span></dt> +<dd><p> + Use IPv4 only even if the host machine is capable of IPv6. + <code class="option">-4</code> and <code class="option">-6</code> are mutually exclusive. - </P -></DD -><DT ->-6</DT -><DD -><P -> Use IPv6 only even if the host machine is capable of IPv4. - <VAR -CLASS="OPTION" ->-4</VAR -> and <VAR -CLASS="OPTION" ->-6</VAR -> are mutually + </p></dd> +<dt><span class="term">-6</span></dt> +<dd><p> + Use IPv6 only even if the host machine is capable of IPv4. + <code class="option">-4</code> and <code class="option">-6</code> are mutually exclusive. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> as the + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the configuration file instead of the default, - <TT -CLASS="FILENAME" ->/etc/named.conf</TT ->. To + <code class="filename">/etc/named.conf</code>. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible - <VAR -CLASS="OPTION" ->directory</VAR -> option in the configuration - file, <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> should be + <code class="option">directory</code> option in the configuration + file, <em class="replaceable"><code>config-file</code></em> should be an absolute pathname. 
- </P -></DD -><DT ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></DT -><DD -><P -> Set the daemon's debug level to <VAR -CLASS="REPLACEABLE" ->debug-level</VAR ->. - Debugging traces from <B -CLASS="COMMAND" ->named</B -> become + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> +<dd><p> + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">named</strong></span> become more verbose as the debug level increases. - </P -></DD -><DT ->-f</DT -><DD -><P -> Run the server in the foreground (i.e. do not daemonize). - </P -></DD -><DT ->-g</DT -><DD -><P -> Run the server in the foreground and force all logging - to <TT -CLASS="FILENAME" ->stderr</TT ->. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></DT -><DD -><P -> Create <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -> worker threads + </p></dd> +<dt><span class="term">-f</span></dt> +<dd><p> + Run the server in the foreground (i.e. do not daemonize). + </p></dd> +<dt><span class="term">-g</span></dt> +<dd><p> + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. + </p></dd> +<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> +<dd><p> + Create <em class="replaceable"><code>#cpus</code></em> worker threads to take advantage of multiple CPUs. If not specified, - <B -CLASS="COMMAND" ->named</B -> will try to determine the + <span><strong class="command">named</strong></span> will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Listen for queries on port <VAR -CLASS="REPLACEABLE" ->port</VAR ->. 
If not + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Listen for queries on port <em class="replaceable"><code>port</code></em>. If not specified, the default is port 53. - </P -></DD -><DT ->-s</DT -><DD -><P -> Write memory usage statistics to <TT -CLASS="FILENAME" ->stdout</TT -> on exit. - </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> This option is mainly of interest to BIND 9 developers + </p></dd> +<dt><span class="term">-s</span></dt> +<dd> +<p> + Write memory usage statistics to <code class="filename">stdout</code> on exit. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. - </P -></BLOCKQUOTE -></DIV -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->chroot()</CODE -> to <VAR -CLASS="REPLACEABLE" ->directory</VAR -> after + </p> +</div> +</dd> +<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> +<dd> +<p> + <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after processing the command line arguments, but before reading the configuration file. 
- </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="90%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> This option should be used in conjunction with the - <VAR -CLASS="OPTION" ->-u</VAR -> option, as chrooting a process + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process running as root doesn't enhance security on most - systems; the way <CODE -CLASS="FUNCTION" ->chroot()</CODE -> is + systems; the way <code class="function">chroot()</code> is defined allows a process with root privileges to escape a chroot jail. - </P -></TD -></TR -></TABLE -></DIV -></DD -><DT ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->setuid()</CODE -> to <VAR -CLASS="REPLACEABLE" ->user</VAR -> after completing + </p> +</div> +</dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd> +<p> + <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing privileged operations, such as creating sockets that listen on privileged ports. - </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> On Linux, <B -CLASS="COMMAND" ->named</B -> uses the kernel's + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + On Linux, <span><strong class="command">named</strong></span> uses the kernel's capability mechanism to drop all root privileges - except the ability to <CODE -CLASS="FUNCTION" ->bind()</CODE -> to a + except the ability to <code class="function">bind()</code> to a privileged port and set process resource limits. 
- Unfortunately, this means that the <VAR -CLASS="OPTION" ->-u</VAR -> - option only works when <B -CLASS="COMMAND" ->named</B -> is run + Unfortunately, this means that the <code class="option">-u</code> + option only works when <span><strong class="command">named</strong></span> is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges - to be retained after <CODE -CLASS="FUNCTION" ->setuid()</CODE ->. - </P -></BLOCKQUOTE -></DIV -></DD -><DT ->-v</DT -><DD -><P -> Report the version number and exit. - </P -></DD -><DT ->-x <VAR -CLASS="REPLACEABLE" ->cache-file</VAR -></DT -><DD -><P -> Load data from <VAR -CLASS="REPLACEABLE" ->cache-file</VAR -> into the + to be retained after <code class="function">setuid()</code>. + </p> +</div> +</dd> +<dt><span class="term">-v</span></dt> +<dd><p> + Report the version number and exit. + </p></dd> +<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt> +<dd> +<p> + Load data from <em class="replaceable"><code>cache-file</code></em> into the cache of the default view. - </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="90%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> This option must not be used. It is only of interest + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release. 
- </P -></TD -></TR -></TABLE -></DIV -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN153" -></A -><H2 ->SIGNALS</H2 -><P -> In routine operation, signals should not be used to control - the nameserver; <B -CLASS="COMMAND" ->rndc</B -> should be used + </p> +</div> +</dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526297"></a><h2>SIGNALS</h2> +<p> + In routine operation, signals should not be used to control + the nameserver; <span><strong class="command">rndc</strong></span> should be used instead. - </P -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->SIGHUP</DT -><DD -><P -> Force a reload of the server. - </P -></DD -><DT ->SIGINT, SIGTERM</DT -><DD -><P -> Shut down the server. - </P -></DD -></DL -></DIV -><P -> The result of sending any other signals to the server is undefined. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN167" -></A -><H2 ->CONFIGURATION</H2 -><P -> The <B -CLASS="COMMAND" ->named</B -> configuration file is too complex + </p> +<div class="variablelist"><dl> +<dt><span class="term">SIGHUP</span></dt> +<dd><p> + Force a reload of the server. + </p></dd> +<dt><span class="term">SIGINT, SIGTERM</span></dt> +<dd><p> + Shut down the server. + </p></dd> +</dl></div> +<p> + The result of sending any other signals to the server is undefined. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526412"></a><h2>CONFIGURATION</h2> +<p> + The <span><strong class="command">named</strong></span> configuration file is too complex to describe in detail here. A complete description is - provided in the <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference - Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN172" -></A -><H2 ->FILES</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><TT -CLASS="FILENAME" ->/etc/named.conf</TT -></DT -><DD -><P -> The default configuration file. 
- </P -></DD -><DT -><TT -CLASS="FILENAME" ->/var/run/named.pid</TT -></DT -><DD -><P -> The default process-id file. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN185" -></A -><H2 ->SEE ALSO</H2 -><P -> <I -CLASS="CITETITLE" ->RFC 1033</I ->, - <I -CLASS="CITETITLE" ->RFC 1034</I ->, - <I -CLASS="CITETITLE" ->RFC 1035</I ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwresd</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN198" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + provided in the <em class="citetitle">BIND 9 Administrator Reference + Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526429"></a><h2>FILES</h2> +<div class="variablelist"><dl> +<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt> +<dd><p> + The default configuration file. + </p></dd> +<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt> +<dd><p> + The default process-id file. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526469"></a><h2>SEE ALSO</h2> +<p> + <em class="citetitle">RFC 1033</em>, + <em class="citetitle">RFC 1034</em>, + <em class="citetitle">RFC 1035</em>, + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526512"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> 
diff --git a/usr.sbin/bind/bin/named/query.c b/usr.sbin/bind/bin/named/query.c index 24e13c7c636..4f805516aad 100644 --- a/usr.sbin/bind/bin/named/query.c +++ b/usr.sbin/bind/bin/named/query.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: query.c,v 1.198.2.13.4.30 2004/06/30 14:13:05 marka Exp $ */ +/* $ISC: query.c,v 1.198.2.13.4.36 2005/08/11 05:25:20 marka Exp $ */ #include <config.h> @@ -1198,17 +1198,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * recursing to add address records, which in turn can cause * recursion to add KEYs. */ - if (type == dns_rdatatype_a || type == dns_rdatatype_aaaa) { - /* - * RFC 2535 section 3.5 says that when A or AAAA records are - * retrieved as additional data, any KEY RRs for the owner name - * should be added to the additional data section. - * - * XXXRTH We should lower the priority here. Alternatively, - * we could raise the priority of glue records. - */ - eresult = query_addadditional(client, name, dns_rdatatype_dnskey); - } else if (type == dns_rdatatype_srv && trdataset != NULL) { + if (type == dns_rdatatype_srv && trdataset != NULL) { /* * If we're adding SRV records to the additional data * section, it's helpful if we add the SRV additional data @@ -1241,8 +1231,6 @@ static inline void query_addrdataset(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { - dns_rdatatype_t type = rdataset->type; - /* * Add 'rdataset' and any pertinent additional data to * 'fname', a name in the response message for 'client'. 
@@ -1266,22 +1254,6 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, */ (void)dns_rdataset_additionaldata(rdataset, query_addadditional, client); - /* - * RFC 2535 section 3.5 says that when NS, SOA, A, or AAAA records - * are retrieved, any KEY RRs for the owner name should be added - * to the additional data section. We treat A6 records the same way. - * - * We don't care if query_addadditional() fails. - */ - if (type == dns_rdatatype_ns || type == dns_rdatatype_soa || - type == dns_rdatatype_a || type == dns_rdatatype_aaaa || - type == dns_rdatatype_a6) { - /* - * XXXRTH We should lower the priority here. Alternatively, - * we could raise the priority of glue records. - */ - (void)query_addadditional(client, fname, dns_rdatatype_dnskey); - } CTRACE("query_addrdataset: done"); } 
@@ -2116,33 +2088,37 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, * connection was accepted (if allowed by the TCP quota). */ if (client->recursionquota == NULL) { - isc_boolean_t killoldest = ISC_FALSE; result = isc_quota_attach(&ns_g_server->recursionquota, &client->recursionquota); - if (result == ISC_R_SOFTQUOTA) { + if (result == ISC_R_SOFTQUOTA) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, - "recursive-clients limit exceeded, " + "recursive-clients soft limit exceeded, " "aborting oldest query"); - killoldest = ISC_TRUE; + ns_client_killoldestquery(client); result = ISC_R_SUCCESS; - } - if (dns_resolver_nrunning(client->view->resolver) > - (unsigned int)ns_g_server->recursionquota.max) - result = ISC_R_QUOTA; - if (result == ISC_R_SUCCESS && !client->mortal && - (client->attributes & NS_CLIENTATTR_TCP) == 0) - result = ns_client_replace(client); - if (result != ISC_R_SUCCESS) { + } else if (result == ISC_R_QUOTA) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "no more recursive clients: %s", isc_result_totext(result)); - if (client->recursionquota != NULL) + ns_client_killoldestquery(client); + } + if (result == ISC_R_SUCCESS && !client->mortal && + (client->attributes & NS_CLIENTATTR_TCP) == 0) { + result = ns_client_replace(client); + if (result != ISC_R_SUCCESS) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, + ISC_LOG_WARNING, + "ns_client_replace() failed: %s", + isc_result_totext(result)); isc_quota_detach(&client->recursionquota); - return (result); + } } - ns_client_recursing(client, killoldest); + if (result != ISC_R_SUCCESS) + return (result); + ns_client_recursing(client); } /* 
@@ -2319,6 +2295,34 @@ query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) { query_releasename(client, &fname); } +static inline void +answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) { + dns_name_t *name; + dns_message_t *msg; + dns_section_t section = DNS_SECTION_ADDITIONAL; + dns_rdataset_t *rdataset = NULL; + + msg = client->message; + for (name = ISC_LIST_HEAD(msg->sections[section]); + name != NULL; + name = ISC_LIST_NEXT(name, link)) + if (dns_name_equal(name, client->query.qname)) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + if (rdataset->type == qtype) + break; + break; + } + if (rdataset != NULL) { + ISC_LIST_UNLINK(msg->sections[section], name, link); + ISC_LIST_PREPEND(msg->sections[section], name, link); + ISC_LIST_UNLINK(name->list, rdataset, link); + ISC_LIST_PREPEND(name->list, rdataset, link); + rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE; + } +} + /* * Do the bulk of query processing for the current query of 'client'. * If 'event' is non-NULL, we are returning from recursion and 'qtype' @@ -2875,7 +2879,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Add SOA. If the query was for a SOA record force the * ttl to zero so that it is possible for clients to find - * the containing zone of a arbitary name with a stub + * the containing zone of an arbitrary name with a stub * resolver and not have it cached. */ if (qtype == dns_rdatatype_soa) 
@@ -3338,6 +3342,16 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ setup_query_sortlist(client); + /* + * If this is a referral and the answer to the question + * is in the glue sort it to the start of the additional + * section. + */ + if (client->message->counts[DNS_SECTION_ANSWER] == 0 && + client->message->rcode == dns_rcode_noerror && + (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa)) + answer_in_glue(client, qtype); + if (client->message->rcode == dns_rcode_nxdomain && client->view->auth_nxdomain == ISC_TRUE) client->message->flags |= DNS_MESSAGEFLAG_AA; diff --git a/usr.sbin/bind/bin/named/server.c b/usr.sbin/bind/bin/named/server.c index 2a1a7e27976..f008fa811df 100644 --- a/usr.sbin/bind/bin/named/server.c +++ b/usr.sbin/bind/bin/named/server.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: server.c,v 1.339.2.15.2.59 2004/11/10 22:13:56 marka Exp $ */ +/* $ISC: server.c,v 1.339.2.15.2.65 2005/07/27 02:53:15 marka Exp $ */ #include <config.h> @@ -81,6 +81,10 @@ #include <named/tkeyconf.h> #include <named/tsigconf.h> #include <named/zoneconf.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#include <stdlib.h> +#endif /* * Check an operation for failure. Assumes that the function @@ -1798,7 +1802,7 @@ configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota) result = ns_config_get(maps, name, &obj); INSIST(result == ISC_R_SUCCESS); - quota->max = cfg_obj_asuint32(obj); + isc_quota_max(quota, cfg_obj_asuint32(obj)); } /* 
@@ -1937,9 +1941,13 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { * At this point the zone list may contain a stale zone * just removed from the configuration. To see the validity, * check if the corresponding view is in our current view list. + * There may also be old zones that are still in the process + * of shutting down and have detached from their old view + * (zoneview == NULL). */ zoneview = dns_zone_getview(zone); - INSIST(zoneview != NULL); + if (zoneview == NULL) + continue; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL && view != zoneview; view = ISC_LIST_NEXT(view, link)) @@ -2221,6 +2229,11 @@ load_configuration(const char *filename, ns_server_t *server, configure_server_quota(maps, "tcp-clients", &server->tcpquota); configure_server_quota(maps, "recursive-clients", &server->recursionquota); + if (server->recursionquota.max > 1000) + isc_quota_soft(&server->recursionquota, + server->recursionquota.max - 100); + else + isc_quota_soft(&server->recursionquota, 0); CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx, ns_g_mctx, &server->blackholeacl)); @@ -2951,7 +2964,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { RUNTIME_CHECK(result == ISC_R_SUCCESS); result = isc_quota_init(&server->recursionquota, 100); RUNTIME_CHECK(result == ISC_R_SUCCESS); - isc_quota_soft(&server->recursionquota, ISC_FALSE); result = dns_aclenv_init(mctx, &server->aclenv); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -3640,6 +3652,15 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { struct viewlistentry *vle; isc_result_t result = ISC_R_SUCCESS; + /* + * Prevent duplicate views. + */ + for (vle = ISC_LIST_HEAD(dctx->viewlist); + vle != NULL; + vle = ISC_LIST_NEXT(vle, link)) + if (vle->view == view) + return (ISC_R_SUCCESS); + vle = isc_mem_get(dctx->mctx, sizeof *vle); if (vle == NULL) return (ISC_R_NOMEMORY); 
@@ -3703,9 +3724,11 @@ dumpdone(void *arg, isc_result_t result) { if (dctx->view == NULL) goto done; INSIST(dctx->zone == NULL); - } + } else + goto resume; nextview: fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name); + resume: if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) { style = &dns_master_style_cache; /* start cache dump */ @@ -3766,9 +3789,12 @@ dumpdone(void *arg, isc_result_t result) { &dctx->mdctx); if (result == DNS_R_CONTINUE) return; - if (result == ISC_R_NOTIMPLEMENTED) + if (result == ISC_R_NOTIMPLEMENTED) { fprintf(dctx->fp, "; %s\n", dns_result_totext(result)); + result = ISC_R_SUCCESS; + goto nextzone; + } if (result != ISC_R_SUCCESS) goto cleanup; } @@ -3792,7 +3818,6 @@ dumpdone(void *arg, isc_result_t result) { dumpcontext_destroy(dctx); } - isc_result_t ns_server_dumpdb(ns_server_t *server, char *args) { struct dumpcontext *dctx = NULL; @@ -3848,6 +3873,7 @@ ns_server_dumpdb(ns_server_t *server, char *args) { ptr = next_token(&args, " \t"); } + nextview: for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) @@ -3856,6 +3882,11 @@ ns_server_dumpdb(ns_server_t *server, char *args) { continue; CHECK(add_view_tolist(dctx, view)); } + if (ptr != NULL) { + ptr = next_token(&args, " \t"); + if (ptr != NULL) + goto nextview; + } dumpdone(dctx, ISC_R_SUCCESS); return (ISC_R_SUCCESS); 
@@ -4107,3 +4138,22 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { dns_zone_detach(&zone); return (result); } + +#ifdef HAVE_LIBSCF +/* + * This function adds a message for rndc to echo if named + * is managed by smf and is also running chroot. + */ +isc_result_t +ns_smf_add_message(isc_buffer_t *text) { + unsigned int n; + + n = snprintf((char *)isc_buffer_used(text), + isc_buffer_availablelength(text), + "use svcadm(1M) to manage named"); + if (n >= isc_buffer_availablelength(text)) + return (ISC_R_NOSPACE); + isc_buffer_add(text, n); + return (ISC_R_SUCCESS); +} +#endif /* HAVE_LIBSCF */ diff --git a/usr.sbin/bind/bin/named/unix/os.c b/usr.sbin/bind/bin/named/unix/os.c index 45a141e02ca..cb719d5fac7 100644 --- a/usr.sbin/bind/bin/named/unix/os.c +++ b/usr.sbin/bind/bin/named/unix/os.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: os.c,v 1.46.2.4.8.19 2004/10/07 02:34:20 marka Exp $ */ +/* $ISC: os.c,v 1.46.2.4.8.22 2005/05/20 01:37:19 marka Exp $ */ #include <config.h> #include <stdarg.h> @@ -46,6 +46,9 @@ #include <named/main.h> #include <named/os.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#endif static char *pidfile = NULL; static int pidfilefd = -1; @@ -162,7 +165,7 @@ linux_setcaps(unsigned int caps) { memset(&cap, 0, sizeof(cap)); cap.effective = caps; cap.permitted = caps; - cap.inheritable = caps; + cap.inheritable = 0; if (syscall(SYS_capset, &caphead, &cap) < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); ns_main_earlyfatal("capset failed: %s:" 
@@ -420,6 +423,9 @@ all_digits(const char *s) { void ns_os_chroot(const char *root) { char strbuf[ISC_STRERRORSIZE]; +#ifdef HAVE_LIBSCF + ns_smf_chroot = 0; +#endif if (root != NULL) { if (chroot(root) < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); @@ -429,6 +435,10 @@ ns_os_chroot(const char *root) { isc__strerror(errno, strbuf, sizeof(strbuf)); ns_main_earlyfatal("chdir(/): %s", strbuf); } +#ifdef HAVE_LIBSCF + /* Set ns_smf_chroot flag on successful chroot. */ + ns_smf_chroot = 1; +#endif } } diff --git a/usr.sbin/bind/bin/named/update.c b/usr.sbin/bind/bin/named/update.c index 86dd24defaa..9adb836cdc0 100644 --- a/usr.sbin/bind/bin/named/update.c +++ b/usr.sbin/bind/bin/named/update.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: update.c,v 1.88.2.5.2.25 2004/10/21 01:40:22 marka Exp $ */ +/* $ISC: update.c,v 1.88.2.5.2.27 2005/10/08 00:21:06 marka Exp $ */ #include <config.h> @@ -2723,8 +2723,8 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { INSIST(client->nupdates > 0); client->nupdates--; respond(client, uev->result); - ns_client_detach(&client); isc_event_free(&event); + ns_client_detach(&client); } /* @@ -2740,8 +2740,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) { INSIST(client->nupdates > 0); client->nupdates--; respond(client, DNS_R_SERVFAIL); - ns_client_detach(&client); isc_event_free(&event); + ns_client_detach(&client); } diff --git a/usr.sbin/bind/bin/named/xfrout.c b/usr.sbin/bind/bin/named/xfrout.c index 86e93e3cb13..b87035247bc 100644 --- a/usr.sbin/bind/bin/named/xfrout.c +++ b/usr.sbin/bind/bin/named/xfrout.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: xfrout.c,v 1.101.2.5.2.10 2004/04/02 06:08:17 marka Exp $ */ +/* $ISC: xfrout.c,v 1.101.2.5.2.12 2005/10/14 02:13:05 marka Exp $ */ #include <config.h> @@ -868,7 +868,7 @@ xfrout_log1(ns_client_t *client, dns_name_t *zonename, const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6); static void -xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...) +xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4); /**************************************************************************/ @@ -1710,7 +1710,7 @@ xfrout_log1(ns_client_t *client, dns_name_t *zonename, * Logging function for use when there is a xfrout_ctx_t. */ static void -xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...) { +xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) { va_list ap; va_start(ap, fmt); xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap); diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.8 b/usr.sbin/bind/bin/nsupdate/nsupdate.8 index ccd9d85251b..b5d1b227746 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.8 +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.8 
@@ -1,294 +1,239 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: nsupdate.8,v 1.24.2.2.2.5 2004/03/08 09:04:15 marka Exp $ +.\" $ISC: nsupdate.8,v 1.24.2.2.2.8 2005/10/13 02:33:48 marka Exp $ .\" -.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. 
+.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" nsupdate \- Dynamic DNS update utility -.SH SYNOPSIS -.sp -\fBnsupdate\fR [ \fB-d\fR ] [ \fB [ -y \fIkeyname:secret\fB ] [ -k \fIkeyfile\fB ] \fR ] [ \fB-t \fItimeout\fB\fR ] [ \fB-u \fIudptimeout\fB\fR ] [ \fB-r \fIudpretries\fB\fR ] [ \fB-v\fR ] [ \fBfilename\fR ] +.SH "SYNOPSIS" +.HP 9 +\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename] .SH "DESCRIPTION" .PP \fBnsupdate\fR -is used to submit Dynamic DNS Update requests as defined in RFC2136 -to a name server. -This allows resource records to be added or removed from a zone -without manually editing the zone file. -A single update request can contain requests to add or remove more than one -resource record. +is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record. .PP Zones that are under dynamic control via \fBnsupdate\fR -or a DHCP server should not be edited by hand. -Manual edits could -conflict with dynamic updates and cause data to be lost. +or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost. .PP The resource records that are dynamically added or removed with \fBnsupdate\fR -have to be in the same zone. -Requests are sent to the zone's master server. -This is identified by the MNAME field of the zone's SOA record. +have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record. 
.PP The -\fB-d\fR +\fB\-d\fR option makes \fBnsupdate\fR -operate in debug mode. -This provides tracing information about the update requests that are -made and the replies received from the name server. +operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server. .PP -Transaction signatures can be used to authenticate the Dynamic DNS -updates. -These use the TSIG resource record type described in RFC2845 or the -SIG(0) record described in RFC3535 and RFC2931. -TSIG relies on a shared secret that should only be known to -\fBnsupdate\fR and the name server. -Currently, the only supported encryption algorithm for TSIG is -HMAC-MD5, which is defined in RFC 2104. -Once other algorithms are defined for TSIG, applications will need to -ensure they select the appropriate algorithm as well as the key when -authenticating each other. -For instance suitable +Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to +\fBnsupdate\fR +and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance suitable \fBkey\fR and \fBserver\fR statements would be added to \fI/etc/named.conf\fR -so that the name server can associate the appropriate secret key -and algorithm with the IP address of the -client application that will be using TSIG authentication. -SIG(0) uses public key cryptography. To use a SIG(0) key, the public -key must be stored in a KEY record in a zone served by the name server. 
+so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. \fBnsupdate\fR does not read \fI/etc/named.conf\fR. .PP \fBnsupdate\fR uses the -\fB-y\fR +\fB\-y\fR or -\fB-k\fR -option (with an HMAC-MD5 key) to provide the shared secret needed to generate -a TSIG record for authenticating Dynamic DNS update requests. -These options are mutually exclusive. -With the -\fB-k\fR +\fB\-k\fR +option (with an HMAC\-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the +\fB\-k\fR option, \fBnsupdate\fR reads the shared secret from the file -\fIkeyfile\fR, -whose name is of the form -\fIK{name}.+157.+{random}.private\fR. -For historical -reasons, the file +\fIkeyfile\fR, whose name is of the form +\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file \fIK{name}.+157.+{random}.key\fR must also be present. When the -\fB-y\fR +\fB\-y\fR option is used, a signature is generated from -\fIkeyname:secret.\fR -\fIkeyname\fR -is the name of the key, -and +\fIkeyname:secret.\fR\fIkeyname\fR +is the name of the key, and \fIsecret\fR -is the base64 encoded shared secret. -Use of the -\fB-y\fR -option is discouraged because the shared secret is supplied as a command -line argument in clear text. -This may be visible in the output from -\fBps\fR(1) +is the base64 encoded shared secret. Use of the +\fB\-y\fR +option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from +\fBps\fR(1 ) or in a history file maintained by the user's shell. .PP -The \fB-k\fR may also be used to specify a SIG(0) key used -to authenticate Dynamic DNS update requests. 
In this case, the key -specified is not an HMAC-MD5 key. +The +\fB\-k\fR +may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key. .PP By default \fBnsupdate\fR -uses UDP to send update requests to the name server unless they are too -large to fit in a UDP request in which case TCP will be used. -The -\fB-v\fR +uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The +\fB\-v\fR option makes \fBnsupdate\fR -use a TCP connection. -This may be preferable when a batch of update requests is made. +use a TCP connection. This may be preferable when a batch of update requests is made. .PP -The \fB-t\fR option sets the maximum time a update request can -take before it is aborted. The default is 300 seconds. Zero can be used -to disable the timeout. +The +\fB\-t\fR +option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. .PP -The \fB-u\fR option sets the UDP retry interval. The default is -3 seconds. If zero the interval will be computed from the timeout interval -and number of UDP retries. +The +\fB\-u\fR +option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval and number of UDP retries. .PP -The \fB-r\fR option sets the number of UDP retries. The default is -3. If zero only one update request will be made. +The +\fB\-r\fR +option sets the number of UDP retries. The default is 3. If zero only one update request will be made. .SH "INPUT FORMAT" .PP \fBnsupdate\fR reads input from \fIfilename\fR -or standard input. -Each command is supplied on exactly one line of input. -Some commands are for administrative purposes. -The others are either update instructions or prerequisite checks on the -contents of the zone. 
-These checks set conditions that some name or set of -resource records (RRset) either exists or is absent from the zone. -These conditions must be met if the entire update request is to succeed. -Updates will be rejected if the tests for the prerequisite conditions fail. +or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail. .PP -Every update request consists of zero or more prerequisites -and zero or more updates. -This allows a suitably authenticated update request to proceed if some -specified resource records are present or missing from the zone. -A blank input line (or the \fBsend\fR command) causes the -accumulated commands to be sent as one Dynamic DNS update request to the -name server. +Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the +\fBsend\fR +command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server. .PP The command formats and their meaning are as follows: .TP -\fBserver servername [ port ]\fR +.HP 7 \fBserver\fR {servername} [port] Sends all dynamic update requests to the name server -\fIservername\fR. -When no server statement is provided, +\fIservername\fR. When no server statement is provided, \fBnsupdate\fR -will send updates to the master server of the correct zone. -The MNAME field of that zone's SOA record will identify the master -server for that zone. 
+will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. \fIport\fR is the port number on \fIservername\fR -where the dynamic update requests get sent. -If no port number is specified, the default DNS port number of 53 is -used. +where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. .TP -\fBlocal address [ port ]\fR +.HP 6 \fBlocal\fR {address} [port] Sends all dynamic update requests using the local -\fIaddress\fR. -When no local statement is provided, +\fIaddress\fR. When no local statement is provided, \fBnsupdate\fR will send updates using an address and port chosen by the system. \fIport\fR -can additionally be used to make requests come from a specific port. -If no port number is specified, the system will assign one. +can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. .TP -\fBzone zonename\fR +.HP 5 \fBzone\fR {zonename} Specifies that all updates are to be made to the zone -\fIzonename\fR. -If no +\fIzonename\fR. If no \fIzone\fR statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input. .TP -\fBclass classname\fR -Specify the default class. -If no \fIclass\fR is specified the default class is +.HP 6 \fBclass\fR {classname} +Specify the default class. If no +\fIclass\fR +is specified the default class is \fIIN\fR. .TP -\fBkey name secret\fR +.HP 4 \fBkey\fR {name} {secret} Specifies that all updates are to be TSIG signed using the -\fIkeyname\fR \fIkeysecret\fR pair. -The \fBkey\fR command -overrides any key specified on the command line via -\fB-y\fR or \fB-k\fR. +\fIkeyname\fR\fIkeysecret\fR +pair. The +\fBkey\fR +command overrides any key specified on the command line via +\fB\-y\fR +or +\fB\-k\fR. 
.TP -\fBprereq nxdomain domain-name\fR +.HP 16 \fBprereq nxdomain\fR {domain\-name} Requires that no resource record of any type exists with name -\fIdomain-name\fR. +\fIdomain\-name\fR. .TP -\fBprereq yxdomain domain-name\fR +.HP 16 \fBprereq yxdomain\fR {domain\-name} Requires that -\fIdomain-name\fR +\fIdomain\-name\fR exists (has as at least one resource record, of any type). .TP -\fBprereq nxrrset domain-name [ class ] type\fR +.HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type} Requires that no resource record exists of the specified \fItype\fR, \fIclass\fR and -\fIdomain-name\fR. -If +\fIdomain\-name\fR. If \fIclass\fR is omitted, IN (internet) is assumed. .TP -\fBprereq yxrrset domain-name [ class ] type\fR +.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} This requires that a resource record of the specified \fItype\fR, \fIclass\fR and -\fIdomain-name\fR -must exist. -If +\fIdomain\-name\fR +must exist. If \fIclass\fR is omitted, IN (internet) is assumed. .TP -\fBprereq yxrrset domain-name [ class ] type data\fI...\fB\fR +.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} The \fIdata\fR -from each set of prerequisites of this form -sharing a common +from each set of prerequisites of this form sharing a common \fItype\fR, -\fIclass\fR, -and -\fIdomain-name\fR -are combined to form a set of RRs. This set of RRs must -exactly match the set of RRs existing in the zone at the -given +\fIclass\fR, and +\fIdomain\-name\fR +are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given \fItype\fR, -\fIclass\fR, -and -\fIdomain-name\fR. -The +\fIclass\fR, and +\fIdomain\-name\fR. The \fIdata\fR -are written in the standard text representation of the resource record's -RDATA. +are written in the standard text representation of the resource record's RDATA. 
.TP -\fBupdate delete domain-name [ ttl ] [ class ] [ type [ data\fI...\fB ] ]\fR +.HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] Deletes any resource records named -\fIdomain-name\fR. -If +\fIdomain\-name\fR. If \fItype\fR and \fIdata\fR -is provided, only matching resource records will be removed. -The internet class is assumed if +is provided, only matching resource records will be removed. The internet class is assumed if \fIclass\fR is not supplied. The \fIttl\fR is ignored, and is only allowed for compatibility. .TP -\fBupdate add domain-name ttl [ class ] type data\fI...\fB\fR +.HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} Adds a new resource record with the specified \fIttl\fR, \fIclass\fR and \fIdata\fR. .TP -\fBshow\fR -Displays the current message, containing all of the prerequisites and -updates specified since the last send. +.HP 5 \fBshow\fR +Displays the current message, containing all of the prerequisites and updates specified since the last send. .TP -\fBsend\fR +.HP 5 \fBsend\fR Sends the current message. This is equivalent to entering a blank line. .TP -\fBanswer\fR +.HP 7 \fBanswer\fR Displays the answer. .PP Lines beginning with a semicolon are comments and are ignored. @@ -298,10 +243,7 @@ The examples below show how \fBnsupdate\fR could be used to insert and delete resource records from the \fBexample.com\fR -zone. -Notice that the input in each example contains a trailing blank line so that -a group of commands are sent as one dynamic update request to the -master name server for +zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for \fBexample.com\fR. .sp .nf 
@@ -309,61 +251,48 @@ master name server for > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 > send -.sp .fi +.sp .PP Any A records for \fBoldhost.example.com\fR -are deleted. -and an A record for +are deleted. and an A record for \fBnewhost.example.com\fR -it IP address 172.16.1.1 is added. -The newly-added record has a 1 day TTL (86400 seconds) +it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds) .sp .nf # nsupdate > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com > send -.sp .fi +.sp .PP -The prerequisite condition gets the name server to check that there -are no resource records of any type for -\fBnickname.example.com\fR. -If there are, the update request fails. -If this name does not exist, a CNAME for it is added. -This ensures that when the CNAME is added, it cannot conflict with the -long-standing rule in RFC1034 that a name must not exist as any other -record type if it exists as a CNAME. -(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -RRSIG, DNSKEY and NSEC records.) +The prerequisite condition gets the name server to check that there are no resource records of any type for +\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.) .SH "FILES" .TP \fB/etc/resolv.conf\fR used to identify default name server .TP \fBK{name}.+157.+{random}.key\fR -base-64 encoding of HMAC-MD5 key created by -\fBdnssec-keygen\fR(8). +base\-64 encoding of HMAC\-MD5 key created by +\fBdnssec\-keygen\fR(8). 
.TP \fBK{name}.+157.+{random}.private\fR -base-64 encoding of HMAC-MD5 key created by -\fBdnssec-keygen\fR(8). +base\-64 encoding of HMAC\-MD5 key created by +\fBdnssec\-keygen\fR(8). .SH "SEE ALSO" .PP -\fBRFC2136\fR, -\fBRFC3007\fR, -\fBRFC2104\fR, -\fBRFC2845\fR, -\fBRFC1034\fR, -\fBRFC2535\fR, -\fBRFC2931\fR, +\fBRFC2136\fR(), +\fBRFC3007\fR(), +\fBRFC2104\fR(), +\fBRFC2845\fR(), +\fBRFC1034\fR(), +\fBRFC2535\fR(), +\fBRFC2931\fR(), \fBnamed\fR(8), -\fBdnssec-keygen\fR(8). +\fBdnssec\-keygen\fR(8). .SH "BUGS" .PP -The TSIG key is redundantly stored in two separate files. -This is a consequence of nsupdate using the DST library -for its cryptographic operations, and may change in future -releases. +The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases. diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.c b/usr.sbin/bind/bin/nsupdate/nsupdate.c index ce154afc80d..5999f1b636e 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.c +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: nsupdate.c,v 1.103.2.15.2.18 2004/09/16 02:12:18 marka Exp $ */ +/* $ISC: nsupdate.c,v 1.103.2.15.2.20 2005/03/17 03:58:26 marka Exp $ */ #include <config.h> @@ -1634,6 +1634,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { ddebug("Destroying request [%p]", request); dns_request_destroy(&request); dns_message_renderreset(soaquery); + dns_message_settsigkey(soaquery, NULL); sendrequest(localaddr, &servers[ns_inuse], soaquery, &request); isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); isc_event_free(&event); 
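Review bot: the new dns_message_settsigkey(soaquery, NULL) call in the first recvsoa hunk clears the TSIG key attached to the SOA query before the message is re-rendered and sent to the next server, which dns_message_renderreset alone does not do; the identical three-line sequence (dns_message_renderreset, dns_message_settsigkey, sendrequest) is then repeated in the second recvsoa hunk. Fold the reset-and-resend into a small static helper so the two retry paths cannot drift apart, and record in a comment why the key must be cleared, since to a reader who does not know that renderreset leaves the key in place the call looks redundant.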
@@ -1813,6 +1814,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_name_clone(&tname, name); dns_request_destroy(&request); dns_message_renderreset(soaquery); + dns_message_settsigkey(soaquery, NULL); if (userserver != NULL) sendrequest(localaddr, userserver, soaquery, &request); else diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook b/usr.sbin/bind/bin/nsupdate/nsupdate.docbook index 7242155eb1e..2cb70abcdca 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.docbook @@ -1,7 +1,9 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: nsupdate.docbook,v 1.8.2.3.2.8 2004/03/08 04:04:23 marka Exp $ --> +<!-- $ISC: nsupdate.docbook,v 1.8.2.3.2.10 2005/05/12 21:36:03 sra Exp $ --> <refentry> <refentryinfo> @@ -27,6 +29,22 @@ <manvolnum>8</manvolnum> <refmiscinfo>BIND9</refmiscinfo> </refmeta> + + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>nsupdate</refname> <refpurpose>Dynamic DNS update utility</refpurpose> 
@@ -229,6 +247,8 @@ where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -248,6 +268,9 @@ will send updates using an address and port chosen by the system. <parameter>port</parameter> can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. +</para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -482,6 +505,7 @@ updates specified since the last send. Sends the current message. This is equivalent to entering a blank line. </para> </listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -493,8 +517,10 @@ Sends the current message. This is equivalent to entering a blank line. Displays the answer. </para> </listitem> +</varlistentry> </variablelist> +</para> <para> Lines beginning with a semicolon are comments and are ignored. @@ -562,6 +588,7 @@ RRSIG, DNSKEY and NSEC records.) used to identify default name server </para> </listitem> +</varlistentry> <varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term> <listitem> @@ -572,6 +599,7 @@ base-64 encoding of HMAC-MD5 key created by </citerefentry>. </para> </listitem> +</varlistentry> <varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term> <listitem> @@ -582,6 +610,7 @@ base-64 encoding of HMAC-MD5 key created by </citerefentry>. </para> </listitem> +</varlistentry> </variablelist> </refsect1> @@ -615,7 +644,7 @@ base-64 encoding of HMAC-MD5 key created by <citerefentry> <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> </citerefentry>. - +</para> </refsect1> <refsect1> <title>BUGS</title> diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.html b/usr.sbin/bind/bin/nsupdate/nsupdate.html index 7697ead9982..cc4678b8e4a 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.html +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.html 
@@ -1,339 +1,170 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: nsupdate.html,v 1.9.2.3.2.5 2004/08/22 23:38:59 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->nsupdate</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->nsupdate</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->nsupdate -- Dynamic DNS update utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->nsupdate</B -> [<VAR -CLASS="OPTION" ->-d</VAR ->] [<VAR -CLASS="OPTION" ->-y <VAR -CLASS="REPLACEABLE" ->keyname:secret</VAR -></VAR -> | <VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->keyfile</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->timeout</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->udptimeout</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->udpretries</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v</VAR ->] [filename]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN35" -></A -><H2 ->DESCRIPTION</H2 -><P -><B -CLASS="COMMAND" ->nsupdate</B -> +<!-- $ISC: nsupdate.html,v 1.9.2.3.2.12 2005/10/13 02:33:49 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>nsupdate</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>nsupdate — Dynamic DNS update utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code 
class="option">-y <em class="replaceable"><code>keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525896"></a><h2>DESCRIPTION</h2> +<p> +<span><strong class="command">nsupdate</strong></span> is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one -resource record.</P -><P ->Zones that are under dynamic control via -<B -CLASS="COMMAND" ->nsupdate</B -> +resource record. +</p> +<p> +Zones that are under dynamic control via +<span><strong class="command">nsupdate</strong></span> or a DHCP server should not be edited by hand. Manual edits could -conflict with dynamic updates and cause data to be lost.</P -><P ->The resource records that are dynamically added or removed with -<B -CLASS="COMMAND" ->nsupdate</B -> +conflict with dynamic updates and cause data to be lost. +</p> +<p> +The resource records that are dynamically added or removed with +<span><strong class="command">nsupdate</strong></span> have to be in the same zone. Requests are sent to the zone's master server. -This is identified by the MNAME field of the zone's SOA record.</P -><P ->The -<VAR -CLASS="OPTION" ->-d</VAR -> +This is identified by the MNAME field of the zone's SOA record. +</p> +<p> +The +<code class="option">-d</code> option makes -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> operate in debug mode. 
This provides tracing information about the update requests that are -made and the replies received from the name server.</P -><P ->Transaction signatures can be used to authenticate the Dynamic DNS +made and the replies received from the name server. +</p> +<p> +Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to -<B -CLASS="COMMAND" ->nsupdate</B -> and the name server. +<span><strong class="command">nsupdate</strong></span> and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance suitable -<SPAN -CLASS="TYPE" ->key</SPAN -> +<span class="type">key</span> and -<SPAN -CLASS="TYPE" ->server</SPAN -> +<span class="type">server</span> statements would be added to -<TT -CLASS="FILENAME" ->/etc/named.conf</TT -> +<code class="filename">/etc/named.conf</code> so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> does not read -<TT -CLASS="FILENAME" ->/etc/named.conf</TT ->.</P -><P -><B -CLASS="COMMAND" ->nsupdate</B -> +<code class="filename">/etc/named.conf</code>. 
+</p> +<p> +<span><strong class="command">nsupdate</strong></span> uses the -<VAR -CLASS="OPTION" ->-y</VAR -> +<code class="option">-y</code> or -<VAR -CLASS="OPTION" ->-k</VAR -> +<code class="option">-k</code> option (with an HMAC-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the -<VAR -CLASS="OPTION" ->-k</VAR -> +<code class="option">-k</code> option, -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> reads the shared secret from the file -<VAR -CLASS="PARAMETER" ->keyfile</VAR ->, +<em class="parameter"><code>keyfile</code></em>, whose name is of the form -<TT -CLASS="FILENAME" ->K{name}.+157.+{random}.private</TT ->. +<code class="filename">K{name}.+157.+{random}.private</code>. For historical reasons, the file -<TT -CLASS="FILENAME" ->K{name}.+157.+{random}.key</TT -> +<code class="filename">K{name}.+157.+{random}.key</code> must also be present. When the -<VAR -CLASS="OPTION" ->-y</VAR -> +<code class="option">-y</code> option is used, a signature is generated from -<VAR -CLASS="PARAMETER" ->keyname:secret.</VAR -> -<VAR -CLASS="PARAMETER" ->keyname</VAR -> +<em class="parameter"><code>keyname:secret.</code></em> +<em class="parameter"><code>keyname</code></em> is the name of the key, and -<VAR -CLASS="PARAMETER" ->secret</VAR -> +<em class="parameter"><code>secret</code></em> is the base64 encoded shared secret. Use of the -<VAR -CLASS="OPTION" ->-y</VAR -> +<code class="option">-y</code> option is discouraged because the shared secret is supplied as a command line argument in clear text. 
This may be visible in the output from -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->ps</SPAN ->(1)</SPAN -> -or in a history file maintained by the user's shell.</P -><P ->The <VAR -CLASS="OPTION" ->-k</VAR -> may also be used to specify a SIG(0) key used +<span class="citerefentry"><span class="refentrytitle">ps</span>(1 +)</span> +or in a history file maintained by the user's shell. +</p> +<p> +The <code class="option">-k</code> may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key -specified is not an HMAC-MD5 key.</P -><P ->By default -<B -CLASS="COMMAND" ->nsupdate</B -> +specified is not an HMAC-MD5 key. +</p> +<p> +By default +<span><strong class="command">nsupdate</strong></span> uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The -<VAR -CLASS="OPTION" ->-v</VAR -> +<code class="option">-v</code> option makes -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> use a TCP connection. -This may be preferable when a batch of update requests is made.</P -><P ->The <VAR -CLASS="OPTION" ->-t</VAR -> option sets the maximum time a update request can +This may be preferable when a batch of update requests is made. +</p> +<p>The <code class="option">-t</code> option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used -to disable the timeout.</P -><P ->The <VAR -CLASS="OPTION" ->-u</VAR -> option sets the UDP retry interval. The default is +to disable the timeout. +</p> +<p>The <code class="option">-u</code> option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval -and number of UDP retries.</P -><P ->The <VAR -CLASS="OPTION" ->-r</VAR -> option sets the number of UDP retries. The default is -3. 
If zero only one update request will be made.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN82" -></A -><H2 ->INPUT FORMAT</H2 -><P -><B -CLASS="COMMAND" ->nsupdate</B -> +and number of UDP retries. +</p> +<p>The <code class="option">-r</code> option sets the number of UDP retries. The default is +3. If zero only one update request will be made. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526121"></a><h2>INPUT FORMAT</h2> +<p> +<span><strong class="command">nsupdate</strong></span> reads input from -<VAR -CLASS="PARAMETER" ->filename</VAR -> +<em class="parameter"><code>filename</code></em> or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. 
@@ -342,471 +173,245 @@ contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. -Updates will be rejected if the tests for the prerequisite conditions fail.</P -><P ->Every update request consists of zero or more prerequisites +Updates will be rejected if the tests for the prerequisite conditions fail. +</p> +<p> +Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. -A blank input line (or the <B -CLASS="COMMAND" ->send</B -> command) causes the +A blank input line (or the <span><strong class="command">send</strong></span> command) causes the accumulated commands to be sent as one Dynamic DNS update request to the -name server.</P -><P ->The command formats and their meaning are as follows: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><P -><B -CLASS="COMMAND" ->server</B -> {servername} [port]</P -></DT -><DD -><P ->Sends all dynamic update requests to the name server -<VAR -CLASS="PARAMETER" ->servername</VAR ->. +name server. +</p> +<p> +The command formats and their meaning are as follows: +</p> +<div class="variablelist"><dl> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">server</code> {servername} [port]</p></div> +</span></dt> +<dd><p> +Sends all dynamic update requests to the name server +<em class="parameter"><code>servername</code></em>. When no server statement is provided, -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. 
-<VAR -CLASS="PARAMETER" ->port</VAR -> +<em class="parameter"><code>port</code></em> is the port number on -<VAR -CLASS="PARAMETER" ->servername</VAR -> +<em class="parameter"><code>servername</code></em> where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is -used.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->local</B -> {address} [port]</P -></DT -><DD -><P ->Sends all dynamic update requests using the local -<VAR -CLASS="PARAMETER" ->address</VAR ->. +used. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">local</code> {address} [port]</p></div> +</span></dt> +<dd><p> +Sends all dynamic update requests using the local +<em class="parameter"><code>address</code></em>. When no local statement is provided, -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> will send updates using an address and port chosen by the system. -<VAR -CLASS="PARAMETER" ->port</VAR -> +<em class="parameter"><code>port</code></em> can additionally be used to make requests come from a specific port. -If no port number is specified, the system will assign one. </P -></DD -><DT -><P -><B -CLASS="COMMAND" ->zone</B -> {zonename}</P -></DT -><DD -><P ->Specifies that all updates are to be made to the zone -<VAR -CLASS="PARAMETER" ->zonename</VAR ->. +If no port number is specified, the system will assign one. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">zone</code> {zonename}</p></div> +</span></dt> +<dd><p> +Specifies that all updates are to be made to the zone +<em class="parameter"><code>zonename</code></em>. 
If no -<VAR -CLASS="PARAMETER" ->zone</VAR -> +<em class="parameter"><code>zone</code></em> statement is provided, -<B -CLASS="COMMAND" ->nsupdate</B -> -will attempt determine the correct zone to update based on the rest of the input.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->class</B -> {classname}</P -></DT -><DD -><P ->Specify the default class. -If no <VAR -CLASS="PARAMETER" ->class</VAR -> is specified the default class is -<VAR -CLASS="PARAMETER" ->IN</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->key</B -> {name} {secret}</P -></DT -><DD -><P ->Specifies that all updates are to be TSIG signed using the -<VAR -CLASS="PARAMETER" ->keyname</VAR -> <VAR -CLASS="PARAMETER" ->keysecret</VAR -> pair. -The <B -CLASS="COMMAND" ->key</B -> command +<span><strong class="command">nsupdate</strong></span> +will attempt determine the correct zone to update based on the rest of the input. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">class</code> {classname}</p></div> +</span></dt> +<dd><p> +Specify the default class. +If no <em class="parameter"><code>class</code></em> is specified the default class is +<em class="parameter"><code>IN</code></em>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">key</code> {name} {secret}</p></div> +</span></dt> +<dd><p> +Specifies that all updates are to be TSIG signed using the +<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair. 
+The <span><strong class="command">key</strong></span> command overrides any key specified on the command line via -<VAR -CLASS="OPTION" ->-y</VAR -> or <VAR -CLASS="OPTION" ->-k</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq nxdomain</B -> {domain-name}</P -></DT -><DD -><P ->Requires that no resource record of any type exists with name -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq yxdomain</B -> {domain-name}</P -></DT -><DD -><P ->Requires that -<VAR -CLASS="PARAMETER" ->domain-name</VAR -> -exists (has as at least one resource record, of any type).</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq nxrrset</B -> {domain-name} [class] {type}</P -></DT -><DD -><P ->Requires that no resource record exists of the specified -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR -> +<code class="option">-y</code> or <code class="option">-k</code>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq nxdomain</code> {domain-name}</p></div> +</span></dt> +<dd><p> +Requires that no resource record of any type exists with name +<em class="parameter"><code>domain-name</code></em>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq yxdomain</code> {domain-name}</p></div> +</span></dt> +<dd><p> +Requires that +<em class="parameter"><code>domain-name</code></em> +exists (has as at least one resource record, of any type). +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq nxrrset</code> {domain-name} [class] {type}</p></div> +</span></dt> +<dd><p> +Requires that no resource record exists of the specified +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em> and -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->. +<em class="parameter"><code>domain-name</code></em>. 
If -<VAR -CLASS="PARAMETER" ->class</VAR -> -is omitted, IN (internet) is assumed.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq yxrrset</B -> {domain-name} [class] {type}</P -></DT -><DD -><P ->This requires that a resource record of the specified -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR -> +<em class="parameter"><code>class</code></em> +is omitted, IN (internet) is assumed. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type}</p></div> +</span></dt> +<dd><p> +This requires that a resource record of the specified +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em> and -<VAR -CLASS="PARAMETER" ->domain-name</VAR -> +<em class="parameter"><code>domain-name</code></em> must exist. If -<VAR -CLASS="PARAMETER" ->class</VAR -> -is omitted, IN (internet) is assumed.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq yxrrset</B -> {domain-name} [class] {type} {data...}</P -></DT -><DD -><P ->The -<VAR -CLASS="PARAMETER" ->data</VAR -> +<em class="parameter"><code>class</code></em> +is omitted, IN (internet) is assumed. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type} {data...}</p></div> +</span></dt> +<dd><p> +The +<em class="parameter"><code>data</code></em> from each set of prerequisites of this form sharing a common -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR ->, +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em>, and -<VAR -CLASS="PARAMETER" ->domain-name</VAR -> +<em class="parameter"><code>domain-name</code></em> are combined to form a set of RRs. 
This set of RRs must exactly match the set of RRs existing in the zone at the given -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR ->, +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em>, and -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->. +<em class="parameter"><code>domain-name</code></em>. The -<VAR -CLASS="PARAMETER" ->data</VAR -> +<em class="parameter"><code>data</code></em> are written in the standard text representation of the resource record's -RDATA.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->update delete</B -> {domain-name} [ttl] [class] [type [data...]]</P -></DT -><DD -><P ->Deletes any resource records named -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->. +RDATA. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">update delete</code> {domain-name} [ttl] [class] [type [data...]]</p></div> +</span></dt> +<dd><p> +Deletes any resource records named +<em class="parameter"><code>domain-name</code></em>. If -<VAR -CLASS="PARAMETER" ->type</VAR -> +<em class="parameter"><code>type</code></em> and -<VAR -CLASS="PARAMETER" ->data</VAR -> +<em class="parameter"><code>data</code></em> is provided, only matching resource records will be removed. The internet class is assumed if -<VAR -CLASS="PARAMETER" ->class</VAR -> +<em class="parameter"><code>class</code></em> is not supplied. The -<VAR -CLASS="PARAMETER" ->ttl</VAR -> -is ignored, and is only allowed for compatibility.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->update add</B -> {domain-name} {ttl} [class] {type} {data...}</P -></DT -><DD -><P ->Adds a new resource record with the specified -<VAR -CLASS="PARAMETER" ->ttl</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR -> +<em class="parameter"><code>ttl</code></em> +is ignored, and is only allowed for compatibility. 
+</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">update add</code> {domain-name} {ttl} [class] {type} {data...}</p></div> +</span></dt> +<dd><p> +Adds a new resource record with the specified +<em class="parameter"><code>ttl</code></em>, +<em class="parameter"><code>class</code></em> and -<VAR -CLASS="PARAMETER" ->data</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->show</B -> </P -></DT -><DD -><P ->Displays the current message, containing all of the prerequisites and -updates specified since the last send.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->send</B -> </P -></DT -><DD -><P ->Sends the current message. This is equivalent to entering a blank line.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->answer</B -> </P -></DT -><DD -><P ->Displays the answer.</P -></DD -></DL -></DIV -> </P -><P ->Lines beginning with a semicolon are comments and are ignored.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN255" -></A -><H2 ->EXAMPLES</H2 -><P ->The examples below show how -<B -CLASS="COMMAND" ->nsupdate</B -> +<em class="parameter"><code>data</code></em>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">show</code> </p></div> +</span></dt> +<dd><p> +Displays the current message, containing all of the prerequisites and +updates specified since the last send. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">send</code> </p></div> +</span></dt> +<dd><p> +Sends the current message. This is equivalent to entering a blank line. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">answer</code> </p></div> +</span></dt> +<dd><p> +Displays the answer. +</p></dd> +</dl></div> +<p> +</p> +<p> +Lines beginning with a semicolon are comments and are ignored. 
+</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526749"></a><h2>EXAMPLES</h2> +<p> +The examples below show how +<span><strong class="command">nsupdate</strong></span> could be used to insert and delete resource records from the -<SPAN -CLASS="TYPE" ->example.com</SPAN -> +<span class="type">example.com</span> zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for -<SPAN -CLASS="TYPE" ->example.com</SPAN ->. +<span class="type">example.com</span>. -<PRE -CLASS="PROGRAMLISTING" -># nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 172.16.1.1 -> send</PRE -></P -><P ->Any A records for -<SPAN -CLASS="TYPE" ->oldhost.example.com</SPAN -> +</p> +<pre class="programlisting"> +# nsupdate +> update delete oldhost.example.com A +> update add newhost.example.com 86400 A 172.16.1.1 +> send +</pre> +<p> +</p> +<p> +Any A records for +<span class="type">oldhost.example.com</span> are deleted. and an A record for -<SPAN -CLASS="TYPE" ->newhost.example.com</SPAN -> +<span class="type">newhost.example.com</span> it IP address 172.16.1.1 is added. The newly-added record has a 1 day TTL (86400 seconds) -<PRE -CLASS="PROGRAMLISTING" -># nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send</PRE -></P -><P ->The prerequisite condition gets the name server to check that there +</p> +<pre class="programlisting"> +# nsupdate +> prereq nxdomain nickname.example.com +> update add nickname.example.com 86400 CNAME somehost.example.com +> send +</pre> +<p> +</p> +<p> +The prerequisite condition gets the name server to check that there are no resource records of any type for -<SPAN -CLASS="TYPE" ->nickname.example.com</SPAN ->. +<span class="type">nickname.example.com</span>. If there are, the update request fails. 
If this name does not exist, a CNAME for it is added. 
@@ -814,149 +419,50 @@ This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -RRSIG, DNSKEY and NSEC records.)</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN268" -></A -><H2 ->FILES</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->/etc/resolv.conf</CODE -></DT -><DD -><P ->used to identify default name server</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->K{name}.+157.+{random}.key</CODE -></DT -><DD -><P ->base-64 encoding of HMAC-MD5 key created by -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->K{name}.+157.+{random}.private</CODE -></DT -><DD -><P ->base-64 encoding of HMAC-MD5 key created by -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN292" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2136</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC3007</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2104</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2845</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC1034</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2535</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2931</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->. 
</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN315" -></A -><H2 ->BUGS</H2 -><P ->The TSIG key is redundantly stored in two separate files. +RRSIG, DNSKEY and NSEC records.) +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526793"></a><h2>FILES</h2> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt> +<dd><p> +used to identify default name server +</p></dd> +<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt> +<dd><p> +base-64 encoding of HMAC-MD5 key created by +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. +</p></dd> +<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt> +<dd><p> +base-64 encoding of HMAC-MD5 key created by +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. +</p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525155"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>, +<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525226"></a><h2>BUGS</h2> +<p> +The TSIG key is redundantly stored in two separate files. 
This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future -releases.</P -></DIV -></BODY -></HTML -> +releases. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.8 b/usr.sbin/bind/bin/rndc/rndc-confgen.8 index 009568e961c..c5c151ccc25 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.8 +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.8 
@@ -1,140 +1,183 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2001-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2001, 2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: rndc-confgen.8,v 1.3.2.5.2.3 2004/06/03 05:35:48 marka Exp $ +.\" $ISC: rndc-confgen.8,v 1.3.2.5.2.7 2005/10/13 02:33:50 marka Exp $ .\" -.TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" "" -.SH NAME -rndc-confgen \- rndc key generation tool -.SH SYNOPSIS -.sp -\fBrndc-confgen\fR [ \fB-a\fR ] [ \fB-b \fIkeysize\fB\fR ] [ \fB-c \fIkeyfile\fB\fR ] [ \fB-h\fR ] [ \fB-k \fIkeyname\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-r \fIrandomfile\fB\fR ] [ \fB-s \fIaddress\fB\fR ] [ \fB-t \fIchrootdir\fB\fR ] [ \fB-u \fIuser\fB\fR ] +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. 
+.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +rndc\-confgen \- rndc key generation tool +.SH "SYNOPSIS" +.HP 13 +\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] .SH "DESCRIPTION" .PP -\fBrndc-confgen\fR generates configuration files -for \fBrndc\fR. It can be used as a -convenient alternative to writing the -\fIrndc.conf\fR file -and the corresponding \fBcontrols\fR -and \fBkey\fR -statements in \fInamed.conf\fR by hand. -Alternatively, it can be run with the \fB-a\fR -option to set up a \fIrndc.key\fR file and -avoid the need for a \fIrndc.conf\fR file -and a \fBcontrols\fR statement altogether. +\fBrndc\-confgen\fR +generates configuration files for +\fBrndc\fR. It can be used as a convenient alternative to writing the +\fIrndc.conf\fR +file and the corresponding +\fBcontrols\fR +and +\fBkey\fR +statements in +\fInamed.conf\fR +by hand. Alternatively, it can be run with the +\fB\-a\fR +option to set up a +\fIrndc.key\fR +file and avoid the need for a +\fIrndc.conf\fR +file and a +\fBcontrols\fR +statement altogether. .SH "OPTIONS" .TP -\fB-a\fR -Do automatic \fBrndc\fR configuration. -This creates a file \fIrndc.key\fR -in \fI/etc\fR (or whatever -sysconfdir -was specified as when BIND was built) -that is read by both \fBrndc\fR -and \fBnamed\fR on startup. The -\fIrndc.key\fR file defines a default -command channel and authentication key allowing -\fBrndc\fR to communicate with -\fBnamed\fR on the local host -with no further configuration. 
- -Running \fBrndc-confgen -a\fR allows -BIND 9 and \fBrndc\fR to be used as drop-in -replacements for BIND 8 and \fBndc\fR, -with no changes to the existing BIND 8 -\fInamed.conf\fR file. - -If a more elaborate configuration than that -generated by \fBrndc-confgen -a\fR -is required, for example if rndc is to be used remotely, -you should run \fBrndc-confgen\fR without the -\fB-a\fR option and set up a -\fIrndc.conf\fR and +\-a +Do automatic +\fBrndc\fR +configuration. This creates a file +\fIrndc.key\fR +in +\fI/etc\fR +(or whatever +\fIsysconfdir\fR +was specified as when +BIND +was built) that is read by both +\fBrndc\fR +and +\fBnamed\fR +on startup. The +\fIrndc.key\fR +file defines a default command channel and authentication key allowing +\fBrndc\fR +to communicate with +\fBnamed\fR +on the local host with no further configuration. +.sp +Running +\fBrndc\-confgen \-a\fR +allows BIND 9 and +\fBrndc\fR +to be used as drop\-in replacements for BIND 8 and +\fBndc\fR, with no changes to the existing BIND 8 +\fInamed.conf\fR +file. +.sp +If a more elaborate configuration than that generated by +\fBrndc\-confgen \-a\fR +is required, for example if rndc is to be used remotely, you should run +\fBrndc\-confgen\fR +without the +\fB\-a\fR +option and set up a +\fIrndc.conf\fR +and \fInamed.conf\fR as directed. .TP -\fB-b \fIkeysize\fB\fR -Specifies the size of the authentication key in bits. -Must be between 1 and 512 bits; the default is 128. +\-b \fIkeysize\fR +Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. .TP -\fB-c \fIkeyfile\fB\fR -Used with the \fB-a\fR option to specify -an alternate location for \fIrndc.key\fR. +\-c \fIkeyfile\fR +Used with the +\fB\-a\fR +option to specify an alternate location for +\fIrndc.key\fR. .TP -\fB-h\fR +\-h Prints a short summary of the options and arguments to -\fBrndc-confgen\fR. +\fBrndc\-confgen\fR. 
.TP -\fB-k \fIkeyname\fB\fR -Specifies the key name of the rndc authentication key. -This must be a valid domain name. -The default is rndc-key. +\-k \fIkeyname\fR +Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is +\fBrndc\-key\fR. .TP -\fB-p \fIport\fB\fR -Specifies the command channel port where \fBnamed\fR -listens for connections from \fBrndc\fR. -The default is 953. +\-p \fIport\fR +Specifies the command channel port where +\fBnamed\fR +listens for connections from +\fBrndc\fR. The default is 953. .TP -\fB-r \fIrandomfile\fB\fR -Specifies a source of random data for generating the -authorization. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. +\-r \fIrandomfile\fR +Specifies a source of random data for generating the authorization. If the operating system does not provide a +\fI/dev/random\fR +or equivalent device, the default source of randomness is keyboard input. +\fIrandomdev\fR +specifies the name of a character device or file containing random data to be used instead of the default. The special value +\fIkeyboard\fR +indicates that keyboard input should be used. .TP -\fB-s \fIaddress\fB\fR -Specifies the IP address where \fBnamed\fR +\-s \fIaddress\fR +Specifies the IP address where +\fBnamed\fR listens for command channel connections from -\fBrndc\fR. The default is the loopback -address 127.0.0.1. +\fBrndc\fR. The default is the loopback address 127.0.0.1. .TP -\fB-t \fIchrootdir\fB\fR -Used with the \fB-a\fR option to specify -a directory where \fBnamed\fR will run -chrooted. 
An additional copy of the \fIrndc.key\fR -will be written relative to this directory so that -it will be found by the chrooted \fBnamed\fR. +\-t \fIchrootdir\fR +Used with the +\fB\-a\fR +option to specify a directory where +\fBnamed\fR +will run chrooted. An additional copy of the +\fIrndc.key\fR +will be written relative to this directory so that it will be found by the chrooted +\fBnamed\fR. .TP -\fB-u \fIuser\fB\fR -Used with the \fB-a\fR option to set the owner -of the \fIrndc.key\fR file generated. If -\fB-t\fR is also specified only the file in -the chroot area has its owner changed. +\-u \fIuser\fR +Used with the +\fB\-a\fR +option to set the owner of the +\fIrndc.key\fR +file generated. If +\fB\-t\fR +is also specified only the file in the chroot area has its owner changed. .SH "EXAMPLES" .PP -To allow \fBrndc\fR to be used with -no manual configuration, run +To allow +\fBrndc\fR +to be used with no manual configuration, run .PP -\fBrndc-confgen -a\fR +\fBrndc\-confgen \-a\fR .PP -To print a sample \fIrndc.conf\fR file and -corresponding \fBcontrols\fR and \fBkey\fR -statements to be manually inserted into \fInamed.conf\fR, -run +To print a sample +\fIrndc.conf\fR +file and corresponding +\fBcontrols\fR +and +\fBkey\fR +statements to be manually inserted into +\fInamed.conf\fR, run .PP -\fBrndc-confgen\fR +\fBrndc\-confgen\fR .SH "SEE ALSO" .PP \fBrndc\fR(8), \fBrndc.conf\fR(5), \fBnamed\fR(8), -\fIBIND 9 Administrator Reference Manual\fR. +BIND 9 Administrator Reference Manual. .SH "AUTHOR" .PP Internet Systems Consortium diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook b/usr.sbin/bind/bin/rndc/rndc-confgen.docbook index 9a74463d805..562adb4e277 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.docbook 
@@ -1,6 +1,8 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: rndc-confgen.docbook,v 1.3.2.1.4.3 2004/06/03 02:24:58 marka Exp $ --> +<!-- $ISC: rndc-confgen.docbook,v 1.3.2.1.4.5 2005/05/13 01:22:34 marka Exp $ --> <refentry> <refentryinfo> @@ -29,6 +31,19 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2001</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname><application>rndc-confgen</application></refname> <refpurpose>rndc key generation tool</refpurpose> diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.html b/usr.sbin/bind/bin/rndc/rndc-confgen.html index 797d5ce2c5f..2e32cf9a1a0 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.html +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.html 
@@ -1,538 +1,185 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: rndc-confgen.html,v 1.3.2.5.2.4 2004/08/22 23:39:00 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->rndc-confgen</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->rndc-confgen</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->rndc-confgen</SPAN -> -- rndc key generation tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->rndc-confgen</B -> [<VAR -CLASS="OPTION" ->-a</VAR ->] [<VAR -CLASS="OPTION" ->-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->keyfile</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-h</VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->keyname</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->randomfile</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->address</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->chrootdir</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN44" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->rndc-confgen</B -> generates configuration files - for <B -CLASS="COMMAND" ->rndc</B ->. 
It can be used as a +<!-- $ISC: rndc-confgen.html,v 1.3.2.5.2.11 2005/10/13 02:33:51 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>rndc-confgen</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">rndc-confgen</span> — rndc key generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525911"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">rndc-confgen</strong></span> generates configuration files + for <span><strong class="command">rndc</strong></span>. It can be used as a convenient alternative to writing the - <TT -CLASS="FILENAME" ->rndc.conf</TT -> file - and the corresponding <B -CLASS="COMMAND" ->controls</B -> - and <B -CLASS="COMMAND" ->key</B -> - statements in <TT -CLASS="FILENAME" ->named.conf</TT -> by hand. 
- Alternatively, it can be run with the <B -CLASS="COMMAND" ->-a</B -> - option to set up a <TT -CLASS="FILENAME" ->rndc.key</TT -> file and - avoid the need for a <TT -CLASS="FILENAME" ->rndc.conf</TT -> file - and a <B -CLASS="COMMAND" ->controls</B -> statement altogether. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Do automatic <B -CLASS="COMMAND" ->rndc</B -> configuration. - This creates a file <TT -CLASS="FILENAME" ->rndc.key</TT -> - in <TT -CLASS="FILENAME" ->/etc</TT -> (or whatever - <VAR -CLASS="VARNAME" ->sysconfdir</VAR -> - was specified as when <ACRONYM -CLASS="ACRONYM" ->BIND</ACRONYM -> was built) - that is read by both <B -CLASS="COMMAND" ->rndc</B -> - and <B -CLASS="COMMAND" ->named</B -> on startup. The - <TT -CLASS="FILENAME" ->rndc.key</TT -> file defines a default + <code class="filename">rndc.conf</code> file + and the corresponding <span><strong class="command">controls</strong></span> + and <span><strong class="command">key</strong></span> + statements in <code class="filename">named.conf</code> by hand. + Alternatively, it can be run with the <span><strong class="command">-a</strong></span> + option to set up a <code class="filename">rndc.key</code> file and + avoid the need for a <code class="filename">rndc.conf</code> file + and a <span><strong class="command">controls</strong></span> statement altogether. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525957"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a</span></dt> +<dd> +<p> + Do automatic <span><strong class="command">rndc</strong></span> configuration. 
+ This creates a file <code class="filename">rndc.key</code> + in <code class="filename">/etc</code> (or whatever + <code class="varname">sysconfdir</code> + was specified as when <span class="acronym">BIND</span> was built) + that is read by both <span><strong class="command">rndc</strong></span> + and <span><strong class="command">named</strong></span> on startup. The + <code class="filename">rndc.key</code> file defines a default command channel and authentication key allowing - <B -CLASS="COMMAND" ->rndc</B -> to communicate with - <B -CLASS="COMMAND" ->named</B -> on the local host + <span><strong class="command">rndc</strong></span> to communicate with + <span><strong class="command">named</strong></span> on the local host with no further configuration. - </P -><P -> Running <B -CLASS="COMMAND" ->rndc-confgen -a</B -> allows - BIND 9 and <B -CLASS="COMMAND" ->rndc</B -> to be used as drop-in - replacements for BIND 8 and <B -CLASS="COMMAND" ->ndc</B ->, + </p> +<p> + Running <span><strong class="command">rndc-confgen -a</strong></span> allows + BIND 9 and <span><strong class="command">rndc</strong></span> to be used as drop-in + replacements for BIND 8 and <span><strong class="command">ndc</strong></span>, with no changes to the existing BIND 8 - <TT -CLASS="FILENAME" ->named.conf</TT -> file. - </P -><P -> If a more elaborate configuration than that - generated by <B -CLASS="COMMAND" ->rndc-confgen -a</B -> + <code class="filename">named.conf</code> file. 
+ </p> +<p> + If a more elaborate configuration than that + generated by <span><strong class="command">rndc-confgen -a</strong></span> is required, for example if rndc is to be used remotely, - you should run <B -CLASS="COMMAND" ->rndc-confgen</B -> without the - <B -CLASS="COMMAND" ->-a</B -> option and set up a - <TT -CLASS="FILENAME" ->rndc.conf</TT -> and - <TT -CLASS="FILENAME" ->named.conf</TT -> + you should run <span><strong class="command">rndc-confgen</strong></span> without the + <span><strong class="command">-a</strong></span> option and set up a + <code class="filename">rndc.conf</code> and + <code class="filename">named.conf</code> as directed. - </P -></DD -><DT ->-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR -></DT -><DD -><P -> Specifies the size of the authentication key in bits. + </p> +</dd> +<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> +<dd><p> + Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->keyfile</VAR -></DT -><DD -><P -> Used with the <B -CLASS="COMMAND" ->-a</B -> option to specify - an alternate location for <TT -CLASS="FILENAME" ->rndc.key</TT ->. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->rndc-confgen</B ->. - </P -></DD -><DT ->-k <VAR -CLASS="REPLACEABLE" ->keyname</VAR -></DT -><DD -><P -> Specifies the key name of the rndc authentication key. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to specify + an alternate location for <code class="filename">rndc.key</code>. + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">rndc-confgen</strong></span>. 
+ </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt> +<dd><p> + Specifies the key name of the rndc authentication key. This must be a valid domain name. - The default is <CODE -CLASS="CONSTANT" ->rndc-key</CODE ->. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Specifies the command channel port where <B -CLASS="COMMAND" ->named</B -> - listens for connections from <B -CLASS="COMMAND" ->rndc</B ->. + The default is <code class="constant">rndc-key</code>. + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Specifies the command channel port where <span><strong class="command">named</strong></span> + listens for connections from <span><strong class="command">rndc</strong></span>. The default is 953. - </P -></DD -><DT ->-r <VAR -CLASS="REPLACEABLE" ->randomfile</VAR -></DT -><DD -><P -> Specifies a source of random data for generating the + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt> +<dd><p> + Specifies a source of random data for generating the authorization. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> + system does not provide a <code class="filename">/dev/random</code> or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies + is keyboard input. <code class="filename">randomdev</code> specifies the name of a character device or file containing random data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard + <code class="filename">keyboard</code> indicates that keyboard input should be used. 
- </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->address</VAR -></DT -><DD -><P -> Specifies the IP address where <B -CLASS="COMMAND" ->named</B -> + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt> +<dd><p> + Specifies the IP address where <span><strong class="command">named</strong></span> listens for command channel connections from - <B -CLASS="COMMAND" ->rndc</B ->. The default is the loopback + <span><strong class="command">rndc</strong></span>. The default is the loopback address 127.0.0.1. - </P -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->chrootdir</VAR -></DT -><DD -><P -> Used with the <B -CLASS="COMMAND" ->-a</B -> option to specify - a directory where <B -CLASS="COMMAND" ->named</B -> will run - chrooted. An additional copy of the <TT -CLASS="FILENAME" ->rndc.key</TT -> + </p></dd> +<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to specify + a directory where <span><strong class="command">named</strong></span> will run + chrooted. An additional copy of the <code class="filename">rndc.key</code> will be written relative to this directory so that - it will be found by the chrooted <B -CLASS="COMMAND" ->named</B ->. - </P -></DD -><DT ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></DT -><DD -><P -> Used with the <B -CLASS="COMMAND" ->-a</B -> option to set the owner - of the <TT -CLASS="FILENAME" ->rndc.key</TT -> file generated. If - <B -CLASS="COMMAND" ->-t</B -> is also specified only the file in + it will be found by the chrooted <span><strong class="command">named</strong></span>. + </p></dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to set the owner + of the <code class="filename">rndc.key</code> file generated. 
If + <span><strong class="command">-t</strong></span> is also specified only the file in the chroot area has its owner changed. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN147" -></A -><H2 ->EXAMPLES</H2 -><P -> To allow <B -CLASS="COMMAND" ->rndc</B -> to be used with + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526270"></a><h2>EXAMPLES</h2> +<p> + To allow <span><strong class="command">rndc</strong></span> to be used with no manual configuration, run - </P -><P -> <KBD -CLASS="USERINPUT" ->rndc-confgen -a</KBD -> - </P -><P -> To print a sample <TT -CLASS="FILENAME" ->rndc.conf</TT -> file and - corresponding <B -CLASS="COMMAND" ->controls</B -> and <B -CLASS="COMMAND" ->key</B -> - statements to be manually inserted into <TT -CLASS="FILENAME" ->named.conf</TT ->, + </p> +<p> + <strong class="userinput"><code>rndc-confgen -a</code></strong> + </p> +<p> + To print a sample <code class="filename">rndc.conf</code> file and + corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span> + statements to be manually inserted into <code class="filename">named.conf</code>, run - </P -><P -> <KBD -CLASS="USERINPUT" ->rndc-confgen</KBD -> - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN160" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc.conf</SPAN ->(5)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. 
- </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN173" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +<p> + <strong class="userinput"><code>rndc-confgen</code></strong> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526314"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526357"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/rndc/rndc.c b/usr.sbin/bind/bin/rndc/rndc.c index 7945ef2a53c..ec27daaf94c 100644 --- a/usr.sbin/bind/bin/rndc/rndc.c +++ b/usr.sbin/bind/bin/rndc/rndc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rndc.c,v 1.77.2.5.2.13 2004/09/03 03:43:32 marka Exp $ */ +/* $ISC: rndc.c,v 1.77.2.5.2.15 2005/03/17 03:58:27 marka Exp $ */ /* * Principal Author: DCL 
@@ -104,7 +104,8 @@ command is one of the following:\n\ reconfig Reload configuration file and new zones only.\n\ stats Write server statistics to the statistics file.\n\ querylog Toggle query logging.\n\ - dumpdb Dump cache(s) to the dump file (named_dump.db).\n\ + dumpdb [-all|-cache|-zones] [view ...]\n\ + Dump cache(s) to the dump file (named_dump.db).\n\ stop Save pending updates to master files and stop the server.\n\ stop -p Save pending updates to master files and stop the server\n\ reporting process id.\n\ diff --git a/usr.sbin/bind/bin/rndc/rndc.conf.html b/usr.sbin/bind/bin/rndc/rndc.conf.html index 4167af74780..f80c17dadcd 100644 --- a/usr.sbin/bind/bin/rndc/rndc.conf.html +++ b/usr.sbin/bind/bin/rndc/rndc.conf.html 
@@ -1,238 +1,113 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: rndc.conf.html,v 1.5.2.1.4.3 2004/08/22 23:39:00 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->rndc.conf</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><TT -CLASS="FILENAME" ->rndc.conf</TT -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><TT -CLASS="FILENAME" ->rndc.conf</TT -> -- rndc configuration file</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->rndc.conf</B -> </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN16" -></A -><H2 ->DESCRIPTION</H2 -><P -> <TT -CLASS="FILENAME" ->rndc.conf</TT -> is the configuration file - for <B -CLASS="COMMAND" ->rndc</B ->, the BIND 9 name server control +<!-- $ISC: rndc.conf.html,v 1.5.2.1.4.10 2005/10/13 02:33:51 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>rndc.conf</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><code class="filename">rndc.conf</code> — rndc configuration file</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525833"></a><h2>DESCRIPTION</h2> +<p> + <code class="filename">rndc.conf</code> is the configuration file + for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control utility. 
This file has a similar structure and syntax to - <TT -CLASS="FILENAME" ->named.conf</TT ->. Statements are enclosed + <code class="filename">named.conf</code>. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported: - </P -><P -> C style: /* */ - </P -><P -> C++ style: // to end of line - </P -><P -> Unix style: # to end of line - </P -><P -> <TT -CLASS="FILENAME" ->rndc.conf</TT -> is much simpler than - <TT -CLASS="FILENAME" ->named.conf</TT ->. The file uses three + </p> +<p> + C style: /* */ + </p> +<p> + C++ style: // to end of line + </p> +<p> + Unix style: # to end of line + </p> +<p> + <code class="filename">rndc.conf</code> is much simpler than + <code class="filename">named.conf</code>. The file uses three statements: an options statement, a server statement and a key statement. - </P -><P -> The <VAR -CLASS="OPTION" ->options</VAR -> statement contains three clauses. - The <VAR -CLASS="OPTION" ->default-server</VAR -> clause is followed by the + </p> +<p> + The <code class="option">options</code> statement contains three clauses. + The <code class="option">default-server</code> clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to - <B -CLASS="COMMAND" ->rndc</B ->. The <VAR -CLASS="OPTION" ->default-key</VAR -> + <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code> clause is followed by the name of a key which is identified by - a <VAR -CLASS="OPTION" ->key</VAR -> statement. If no - <VAR -CLASS="OPTION" ->keyid</VAR -> is provided on the rndc command line, - and no <VAR -CLASS="OPTION" ->key</VAR -> clause is found in a matching - <VAR -CLASS="OPTION" ->server</VAR -> statement, this default key will be + a <code class="option">key</code> statement. 
If no + <code class="option">keyid</code> is provided on the rndc command line, + and no <code class="option">key</code> clause is found in a matching + <code class="option">server</code> statement, this default key will be used to authenticate the server's commands and responses. The - <VAR -CLASS="OPTION" ->default-port</VAR -> clause is followed by the port + <code class="option">default-port</code> clause is followed by the port to connect to on the remote name server. If no - <VAR -CLASS="OPTION" ->port</VAR -> option is provided on the rndc command - line, and no <VAR -CLASS="OPTION" ->port</VAR -> clause is found in a - matching <VAR -CLASS="OPTION" ->server</VAR -> statement, this default port + <code class="option">port</code> option is provided on the rndc command + line, and no <code class="option">port</code> clause is found in a + matching <code class="option">server</code> statement, this default port will be used to connect. - </P -><P -> After the <VAR -CLASS="OPTION" ->server</VAR -> keyword, the server statement + </p> +<p> + After the <code class="option">server</code> keyword, the server statement includes a string which is the hostname or address for a name server. The statement has two possible clauses: - <VAR -CLASS="OPTION" ->key</VAR -> and <VAR -CLASS="OPTION" ->port</VAR ->. The key name must + <code class="option">key</code> and <code class="option">port</code>. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. - </P -><P -> The <VAR -CLASS="OPTION" ->key</VAR -> statement begins with an identifying + </p> +<p> + The <code class="option">key</code> statement begins with an identifying string, the name of the key. The statement has two clauses. 
- <VAR -CLASS="OPTION" ->algorithm</VAR -> identifies the encryption algorithm - for <B -CLASS="COMMAND" ->rndc</B -> to use; currently only HMAC-MD5 is + <code class="option">algorithm</code> identifies the encryption algorithm + for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes. - </P -><P -> There are two common ways to generate the base-64 string for the - secret. The BIND 9 program <B -CLASS="COMMAND" ->rndc-confgen</B -> can + </p> +<p> + There are two common ways to generate the base-64 string for the + secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> can be used to generate a random key, or the - <B -CLASS="COMMAND" ->mmencode</B -> program, also known as - <B -CLASS="COMMAND" ->mimencode</B ->, can be used to generate a base-64 - string from known input. <B -CLASS="COMMAND" ->mmencode</B -> does not + <span><strong class="command">mmencode</strong></span> program, also known as + <span><strong class="command">mimencode</strong></span>, can be used to generate a base-64 + string from known input. <span><strong class="command">mmencode</strong></span> does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN54" -></A -><H2 ->EXAMPLE</H2 -><PRE -CLASS="PROGRAMLISTING" -> options { + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525968"></a><h2>EXAMPLE</h2> +<pre class="programlisting"> + options { default-server localhost; default-key samplekey; }; 
@@ -245,133 +120,60 @@ CLASS="PROGRAMLISTING" algorithm hmac-md5; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; - </PRE -><P -> In the above example, <B -CLASS="COMMAND" ->rndc</B -> will by default use + </pre> +<p> + In the above example, <span><strong class="command">rndc</strong></span> will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC-MD5 algorithm and its secret clause contains the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. - </P -><P -> To generate a random secret with <B -CLASS="COMMAND" ->rndc-confgen</B ->: - </P -><P -> <KBD -CLASS="USERINPUT" ->rndc-confgen</KBD -> - </P -><P -> A complete <TT -CLASS="FILENAME" ->rndc.conf</TT -> file, including the + </p> +<p> + To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>: + </p> +<p> + <strong class="userinput"><code>rndc-confgen</code></strong> + </p> +<p> + A complete <code class="filename">rndc.conf</code> file, including the randomly generated key, will be written to the standard - output. Commented out <VAR -CLASS="OPTION" ->key</VAR -> and - <VAR -CLASS="OPTION" ->controls</VAR -> statements for - <TT -CLASS="FILENAME" ->named.conf</TT -> are also printed. - </P -><P -> To generate a base-64 secret with <B -CLASS="COMMAND" ->mmencode</B ->: - </P -><P -> <KBD -CLASS="USERINPUT" ->echo "known plaintext for a secret" | mmencode</KBD -> - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN72" -></A -><H2 ->NAME SERVER CONFIGURATION</H2 -><P -> The name server must be configured to accept rndc connections and - to recognize the key specified in the <TT -CLASS="FILENAME" ->rndc.conf</TT -> - file, using the controls statement in <TT -CLASS="FILENAME" ->named.conf</TT ->. 
- See the sections on the <VAR -CLASS="OPTION" ->controls</VAR -> statement in the + output. Commented out <code class="option">key</code> and + <code class="option">controls</code> statements for + <code class="filename">named.conf</code> are also printed. + </p> +<p> + To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>: + </p> +<p> + <strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526028"></a><h2>NAME SERVER CONFIGURATION</h2> +<p> + The name server must be configured to accept rndc connections and + to recognize the key specified in the <code class="filename">rndc.conf</code> + file, using the controls statement in <code class="filename">named.conf</code>. + See the sections on the <code class="option">controls</code> statement in the BIND 9 Administrator Reference Manual for details. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN78" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc-confgen</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->mmencode</SPAN ->(1)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN91" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526049"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. 
+ </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526091"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/rndc/rndc.html b/usr.sbin/bind/bin/rndc/rndc.html index 5e20ad852ab..85beb8267bd 100644 --- a/usr.sbin/bind/bin/rndc/rndc.html +++ b/usr.sbin/bind/bin/rndc/rndc.html 
@@ -1,284 +1,112 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. 
--> - -<!-- $ISC: rndc.html,v 1.7.2.1.4.3 2004/08/22 23:39:00 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->rndc</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->rndc</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->rndc</SPAN -> -- name server control utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->rndc</B -> [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->key-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->server</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-V</VAR ->] [<VAR -CLASS="OPTION" ->-y <VAR -CLASS="REPLACEABLE" ->key_id</VAR -></VAR ->] {command}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN34" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->rndc</B -> controls the operation of a name - server. 
It supersedes the <B -CLASS="COMMAND" ->ndc</B -> utility +<!-- $ISC: rndc.html,v 1.7.2.1.4.10 2005/10/13 02:33:50 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>rndc</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">rndc</span> — name server control utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525886"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">rndc</strong></span> controls the operation of a name + server. It supersedes the <span><strong class="command">ndc</strong></span> utility that was provided in old BIND releases. If - <B -CLASS="COMMAND" ->rndc</B -> is invoked with no command line + <span><strong class="command">rndc</strong></span> is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. 
- </P -><P -> <B -CLASS="COMMAND" ->rndc</B -> communicates with the name server + </p> +<p> + <span><strong class="command">rndc</strong></span> communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of - <B -CLASS="COMMAND" ->rndc</B -> and <B -CLASS="COMMAND" ->named</B -> named + <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server. - </P -><P -> <B -CLASS="COMMAND" ->rndc</B -> reads a configuration file to + </p> +<p> + <span><strong class="command">rndc</strong></span> reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN46" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525927"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the configuration file instead of the default, - <TT -CLASS="FILENAME" ->/etc/rndc.conf</TT ->. - </P -></DD -><DT ->-k <VAR -CLASS="REPLACEABLE" ->key-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->key-file</VAR -> + <code class="filename">/etc/rndc.conf</code>. 
+ </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>key-file</code></em> as the key file instead of the default, - <TT -CLASS="FILENAME" ->/etc/rndc.key</TT ->. The key in - <TT -CLASS="FILENAME" ->/etc/rndc.key</TT -> will be used to authenticate - commands sent to the server if the <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> + <code class="filename">/etc/rndc.key</code>. The key in + <code class="filename">/etc/rndc.key</code> will be used to authenticate + commands sent to the server if the <em class="replaceable"><code>config-file</code></em> does not exist. - </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->server</VAR -></DT -><DD -><P -> <VAR -CLASS="REPLACEABLE" ->server</VAR -> is + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt> +<dd><p> + <em class="replaceable"><code>server</code></em> is the name or address of the server which matches a server statement in the configuration file for - <B -CLASS="COMMAND" ->rndc</B ->. If no server is supplied on the + <span><strong class="command">rndc</strong></span>. If no server is supplied on the command line, the host named by the default-server clause in the option statement of the configuration file will be used. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Send commands to TCP port - <VAR -CLASS="REPLACEABLE" ->port</VAR -> instead + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Send commands to TCP port + <em class="replaceable"><code>port</code></em> instead of BIND 9's default control channel port, 953. - </P -></DD -><DT ->-V</DT -><DD -><P -> Enable verbose logging. 
- </P -></DD -><DT ->-y <VAR -CLASS="REPLACEABLE" ->keyid</VAR -></DT -><DD -><P -> Use the key <VAR -CLASS="REPLACEABLE" ->keyid</VAR -> + </p></dd> +<dt><span class="term">-V</span></dt> +<dd><p> + Enable verbose logging. + </p></dd> +<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt> +<dd><p> + Use the key <em class="replaceable"><code>keyid</code></em> from the configuration file. - <VAR -CLASS="REPLACEABLE" ->keyid</VAR -> must be + <em class="replaceable"><code>keyid</code></em> must be known by named with the same algorithm and secret string in order for control message validation to succeed. - If no <VAR -CLASS="REPLACEABLE" ->keyid</VAR -> - is specified, <B -CLASS="COMMAND" ->rndc</B -> will first look + If no <em class="replaceable"><code>keyid</code></em> + is specified, <span><strong class="command">rndc</strong></span> will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement. 
@@ -286,103 +114,43 @@ CLASS="COMMAND" which are used to send authenticated control commands to name servers. It should therefore not have general read or write access. - </P -></DD -></DL -></DIV -><P -> For the complete set of commands supported by <B -CLASS="COMMAND" ->rndc</B ->, + </p></dd> +</dl></div> +<p> + For the complete set of commands supported by <span><strong class="command">rndc</strong></span>, see the BIND 9 Administrator Reference Manual or run - <B -CLASS="COMMAND" ->rndc</B -> without arguments to see its help message. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN94" -></A -><H2 ->LIMITATIONS</H2 -><P -> <B -CLASS="COMMAND" ->rndc</B -> does not yet support all the commands of - the BIND 8 <B -CLASS="COMMAND" ->ndc</B -> utility. - </P -><P -> There is currently no way to provide the shared secret for a - <VAR -CLASS="OPTION" ->key_id</VAR -> without using the configuration file. - </P -><P -> Several error messages could be clearer. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN102" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc.conf</SPAN ->(5)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named.conf</SPAN ->(5)</SPAN -> - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->ndc</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN118" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + <span><strong class="command">rndc</strong></span> without arguments to see its help message. 
+ </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526109"></a><h2>LIMITATIONS</h2> +<p> + <span><strong class="command">rndc</strong></span> does not yet support all the commands of + the BIND 8 <span><strong class="command">ndc</strong></span> utility. + </p> +<p> + There is currently no way to provide the shared secret for a + <code class="option">key_id</code> without using the configuration file. + </p> +<p> + Several error messages could be clearer. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526138"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span> + <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526190"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> |
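Review bot: In the rndc.conf.html hunk (@@ -245,133 +120,60 @@) the mmencode example, `echo "known plaintext for a secret" | mmencode`, only base-64 encodes a fixed phrase, so a reader who copies it verbatim ends up with a shared secret that is neither random nor secret. The paragraph should state that mmencode is for encoding a secret that has already been generated, and that rndc-confgen, shown just above it, is the way to produce the random key that the key statement's `secret` clause and the matching key statement in named.conf must share; the sample `secret "c3Ryb25n..."` value is likewise documentation-only and should not be reused.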
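Review bot: The DESCRIPTION paragraph in the first rndc.html hunk (@@ -1,284 +1,112 @@) carries a doubled word that the DocBook conversion preserved from the removed lines: `<span><strong class="command">named</strong></span> named the only supported authentication algorithm is HMAC-MD5`; the stray "named" should be dropped. The same paragraph says commands are "authenticated with digital signatures" and then describes HMAC-MD5 with a shared secret on each end, which is a message authentication code, not a signature; since the next sentence already calls it "TSIG-style authentication", the wording should say the commands are authenticated with an HMAC-MD5 keyed hash so nobody reads public-key properties such as non-repudiation into it. Also, the synopsis spells the -y argument `key_id` while the OPTIONS entry spells it `keyid`; the two should agree.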
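Review bot: In the SEE ALSO list of the second rndc.html hunk (@@ -286,103 +114,43 @@) the separator after `named.conf(5)` is missing, `...named.conf</span>(5)</span> <span class="citerefentry">...ndc</span>(8)</span>,`, where every other entry ends with a comma; the removed lines had the same defect, so the regeneration is the moment to fix it in the DocBook source rather than in the generated HTML. On the same hunk, the -y paragraph's closing sentence, "It should therefore not have general read or write access", is the only place the permission requirement on the configuration file is stated; it would be worth moving that requirement into the -c and -k entries, which name `/etc/rndc.conf` and `/etc/rndc.key` directly, so a reader who only consults those options sees it.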