From 1ebb25608fa10737ea27abd4e0481707ccd45581 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Sat, 29 Jun 2013 01:40:28 +0000 Subject: [PATCH] regen master --- doc/arm/man.dnssec-checkds.html | 122 ++++++++++++++++++ doc/arm/man.dnssec-coverage.html | 205 +++++++++++++++++++++++++++++++ 2 files changed, 327 insertions(+) create mode 100644 doc/arm/man.dnssec-checkds.html create mode 100644 doc/arm/man.dnssec-coverage.html diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html new file mode 100644 index 0000000000..1dcdf4dc7f --- /dev/null +++ b/doc/arm/man.dnssec-checkds.html @@ -0,0 +1,122 @@ + + + + + +dnssec-checkds + + + + + + + +
+ + + + + + + +
dnssec-checkds
+Prev Manual pages Next +
+
+
+
+
+
+

Name

+

dnssec-checkds — A DNSSEC delegation consistency checking tool.

+
+
+

Synopsis

+

dnssec-checkds [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

+

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

+
+
+

DESCRIPTION

+

dnssec-checkds + verifies the correctness of Delegation Signer (DS) or DNSSEC + Lookaside Validation (DLV) resource records for keys in a specified + zone. +

+
+
+

OPTIONS

+
+
-f file
+

+ If a file is specified, then the zone is + read from that file to find the DNSKEY records. If not, + then the DNSKEY records for the zone are looked up in the DNS. +

+
-l domain
+

+ Check for a DLV record in the specified lookaside domain, + instead of checking for a DS record in the zone's parent. + For example, to check for DLV records for "example.com" + in ISC's DLV zone, use: + dnssec-checkds -l dlv.isc.org example.com +

+
-d dig path
+

+ Specifies a path to a dig binary. Used + for testing. +

+
-D dsfromkey path
+

+ Specifies a path to a dnssec-dsfromkey binary. + Used for testing. +

+
+
+
+

SEE ALSO

+

dnssec-dsfromkey(8), + dnssec-keygen(8), + dnssec-signzone(8), +

+
+
+

AUTHOR

+

Internet Systems Consortium +

+
+
+
+
+ + + + + + + + + + + +
+Prev Up Next +
host Home dnssec-coverage +
+
+ + diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html new file mode 100644 index 0000000000..c554263e25 --- /dev/null +++ b/doc/arm/man.dnssec-coverage.html @@ -0,0 +1,205 @@ + + + + + +dnssec-coverage + + + + + + + +
+ + + + + + + +
dnssec-coverage
+Prev Manual pages Next +
+
+
+
+
+
+

Name

+

dnssec-coverage — checks future DNSKEY coverage for a zone

+
+
+

Synopsis

+

dnssec-coverage [-K directory] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [zone]

+
+
+

DESCRIPTION

+

dnssec-coverage + verifies that the DNSSEC keys for a given zone or a set of zones + have timing metadata set properly to ensure no future lapses in DNSSEC + coverage. +

+

+ If zone is specified, then keys found in + the key repository matching that zone are scanned, and an ordered + list is generated of the events scheduled for that key (i.e., + publication, activation, inactivation, deletion). The list of + events is walked in order of occurrence. Warnings are generated + if any event is scheduled which could cause the zone to enter a + state in which validation failures might occur: for example, if + the number of published or active keys for a given algorithm drops + to zero, or if a key is deleted from the zone too soon after a new + key is rolled, and cached data signed by the prior key has not had + time to expire from resolver caches. +

+

+ If zone is not specified, then all keys in the + key repository will be scanned, and all zones for which there are + keys will be analyzed. (Note: This method of reporting is only + accurate if all the zones that have keys in a given repository + share the same TTL parameters.) +

+
+
+

OPTIONS

+
+
-f file
+

+ If a file is specified, then the zone is + read from that file; the largest TTL and the DNSKEY TTL are + determined directly from the zone data, and the + -m and -d options do + not need to be specified on the command line. +

+
-K directory
+

+ Sets the directory in which keys can be found. Defaults to the + current working directory. +

+
-m maximum TTL
+
+

+ Sets the value to be used as the maximum TTL for the zone or + zones being analyzed when determining whether there is a + possibility of validation failure. When a zone-signing key is + deactivated, there must be enough time for the record in the + zone with the longest TTL to have expired from resolver caches + before that key can be purged from the DNSKEY RRset. If that + condition does not apply, a warning will be generated. +

+

+ The length of the TTL can be set in seconds, or in larger units + of time by adding a suffix: 'mi' for minutes, 'h' for hours, + 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years. +

+

+ This option is mandatory unless the -f has + been used to specify a zone file. (If -f has + been specified, this option may still be used; it will overrde + the value found in the file.) +

+
+
-d DNSKEY TTL
+
+

+ Sets the value to be used as the DNSKEY TTL for the zone or + zones being analyzed when determining whether there is a + possibility of validation failure. When a key is rolled (that + is, replaced with a new key), there must be enough time + for the old DNSKEY RRset to have expired from resolver caches + before the new key is activated and begins generating + signatures. If that condition does not apply, a warning + will be generated. +

+

+ The length of the TTL can be set in seconds, or in larger units + of time by adding a suffix: 'mi' for minutes, 'h' for hours, + 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years. +

+

+ This option is mandatory unless the -f has + been used to specify a zone file, or a default key TTL was + set with the -L to + dnssec-keygen. (If either of those is true, + this option may still be used; it will overrde the value found + in the zone or key file.) +

+
+
-r resign interval
+
+

+ Sets the value to be used as the resign interval for the zone + or zones being analyzed when determining whether there is a + possibility of validation failure. This value defaults to + 22.5 days, which is also the default in + named. However, if it has been changed + by the sig-validity-interval option in + named.conf, then it should also be + changed here. +

+

+ The length of the interval can be set in seconds, or in larger + units of time by adding a suffix: 'mi' for minutes, 'h' for hours, + 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years. +

+
+
-c compilezone path
+

+ Specifies a path to a named-compilezone binary. + Used for testing. +

+
+
+
+

SEE ALSO

+

+ dnssec-checkds(8), + dnssec-dsfromkey(8), + dnssec-keygen(8), + dnssec-signzone(8) +

+
+
+

AUTHOR

+

Internet Systems Consortium +

+
+
+
+
+ + + + + + + + + + + +
+Prev Up Next +
+dnssec-checkds Home dnssec-dsfromkey +
+
+ +