incorporated Brian's corrections and improvements

bin/dnssec/dnssec-keygen.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-keygen.8,v 1.2 2000/06/28 03:20:46 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-KEYGEN 8
@@ -39,7 +39,7 @@
 .Ar name
 .Sh DESCRIPTION
 .Nm dnssec-keygen
-generates keys for DNSSEC, Secure DNS, as defined in RFC2065.
+generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
 It also generates keys for use in Transaction Signatures, TSIG, which
 is defined in RFC2845.
 A short summary of the options and arguments to
@@ -62,14 +62,18 @@ option to
 .Nm dnssec-keygen .
 .Ar algorithm
 must be one of
-.Dv RSA ,
-.Dv RSAMD5 ,
+.Dv RSAMD5
 .Dv DH ,
 .Dv DSA
 or
 .Dv HMAC-MD5
-to indicate that an RSA, RSAMD5, Diffie-Hellman, Digital Signature
+to indicate that an RSA, Diffie-Hellman, Digital Signature
 Algorithm or HMAC-MD5 key is required.
+An argument of
+.Dv RSA
+can also be given.
+It is equivalent to
+.Dv RSAMD5 .
 The argument identifying the encryption algorithm is case-insensitive.
 DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
 Implementations of TSIG must support HMAC-MD5.
@@ -92,12 +96,17 @@ option specifies how the generated key will be used.
 .Ar nametype
 can be either
 .Dv ZONE ,
-.Dv HOST ,
-.Dv ENTITY 
+.Dv HOST , 
+.Dv ENTITY ,
 or
 .Dv USER
 to indicate that the key will be used for signing a zone, host,
 entity or user respectively.
+In this context
+.Dv HOST
+and
+.Dv ENTITY
+are identical.
 .Ar nametype
 is case-insensitive.
 .Pp
@@ -112,16 +121,19 @@ When creating Diffie-Hellman keys, the
 option selects the Diffie-Hellman generator
 .Ar generator
 that is to be used.
-The value of
+The only supported values value of
 .Ar generator
-must be either 2 or 5.
+are 2 and 5.
+If no Diffie-Hellman generator is supplied a known prime 
+from RFC2539 will be used if possible; otherwise 2 will be used as the
+generator.
 .Pp
 .Ar protocol-value
 sets the protocol value for the generated key.
 The default is 2 (email) for keys of type
 .Dv USER 
 and 3 (DNSSEC) for all other key types.
-Other possible values for this argument are listed in RFC2065 and its
+Other possible values for this argument are listed in RFC2535 and its
 successors.
 .Pp
 .Nm dnssec-keygen
@@ -146,6 +158,7 @@ given by
 .Ar strength-value .
 It should be a number between 0 and 15.
 The default strength is zero.
+The key strength field currently has no defined purpose in DNSSEC.
 .Pp
 The
 .Ar t
@@ -266,8 +279,9 @@ DSA key.
 .Sh FILES
 .Pa /dev/random 
 .Sh SEE ALSO
-.Xr RFC2065,
+.Xr RFC2535,
 .Xr RFC2845,
+.Xr RFC2539,
 .Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signkey 8 ,
 .Xr dnssec-signzone 8 .

bin/dnssec/dnssec-makekeyset.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-makekeyset.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.2 2000/06/28 03:20:47 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-MAKEKEYSET 8
@@ -163,7 +163,8 @@ zone for them to sign the contents with
 The following command generates a key set for the DSA key for
 .Dv example.com
 that was shown in the
-.Xr dnssec-keygen 8 man page.
+.Xr dnssec-keygen 8
+man page.
 The backslash is for typographic reasons and would not be provided on
 the command line when running
 .Nm dnssec-makekeyset .
@@ -196,6 +197,6 @@ signatures securely.
 .Sh FILES
 .Pa /dev/random .
 .Sh SEE ALSO
-.Xr RFC2065 ,
+.Xr RFC2535 ,
 .Xr dnssec-keygen 8 ,
 .Xr dnssec-signkey 8 .

bin/dnssec/dnssec-signkey.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signkey.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-signkey.8,v 1.2 2000/06/28 03:20:48 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNKEY 8
@@ -151,7 +151,7 @@ zone's zone key.
 .Sh FILES
 .Pa /dev/random
 .Sh SEE ALSO
-.Xr RFC2065,
+.Xr RFC2535,
 .Xr dnssec-keygen 8 ,
 .Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signzone 8 .

bin/dnssec/dnssec-signzone.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-signzone.8,v 1.2 2000/06/28 03:20:49 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNZONE 8
@@ -65,9 +65,7 @@ current working directory used by
 .Pp
 .Ar zonefile
 is the name of the unsigned zone file.
-If the fully qualified domain name is not clear from the resource
-records in the zone file because the owner-names are not fully
-qualified and dot-terminated, the
+Unless the file name is the same as the name of the zone, the
 .Ar o
 option should be given.
 .Ar origin
@@ -188,7 +186,7 @@ option instructs
 to use pseudo-random data when signing the zone's resource records.
 This is faster but less secure than using genuinely random data for signing.
 This option may be useful when the zone has many resource records to be
-signed and CPU resources are limited.
+signed and the entropy source is limited.
 It could also be used for short-lived keys and signatures that don't
 require strengthening against cryptanalysis: for instance when the signatures
 will be discarded long before the signed data could be compromised.
@@ -244,9 +242,7 @@ This zone file contains the keyset for
 .Dv example.com
 that was created by
 .Xr dnssec-makekeyset 8 .
-The zone's
-.Ar .keyset
-file was either appended to the zone file or
+The zone's keys were either appended to the zone file or
 incorporated using a 
 .Dv $INCLUDE 
 statement.
@@ -276,7 +272,7 @@ so that it can be loaded by the name server.
 .Sh FILES
 .Pa /dev/random
 .Sh SEE ALSO
-.Xr RFC2065,
+.Xr RFC2535,
 .Xr dnssec-keygen 8 ,
 .Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signkey 8 .

doc/man/dnssec/dnssec-keygen.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-keygen.8,v 1.2 2000/06/28 03:20:46 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-KEYGEN 8
@@ -39,7 +39,7 @@
 .Ar name
 .Sh DESCRIPTION
 .Nm dnssec-keygen
-generates keys for DNSSEC, Secure DNS, as defined in RFC2065.
+generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
 It also generates keys for use in Transaction Signatures, TSIG, which
 is defined in RFC2845.
 A short summary of the options and arguments to
@@ -62,14 +62,18 @@ option to
 .Nm dnssec-keygen .
 .Ar algorithm
 must be one of
-.Dv RSA ,
-.Dv RSAMD5 ,
+.Dv RSAMD5
 .Dv DH ,
 .Dv DSA
 or
 .Dv HMAC-MD5
-to indicate that an RSA, RSAMD5, Diffie-Hellman, Digital Signature
+to indicate that an RSA, Diffie-Hellman, Digital Signature
 Algorithm or HMAC-MD5 key is required.
+An argument of
+.Dv RSA
+can also be given.
+It is equivalent to
+.Dv RSAMD5 .
 The argument identifying the encryption algorithm is case-insensitive.
 DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
 Implementations of TSIG must support HMAC-MD5.
@@ -92,12 +96,17 @@ option specifies how the generated key will be used.
 .Ar nametype
 can be either
 .Dv ZONE ,
-.Dv HOST ,
-.Dv ENTITY 
+.Dv HOST , 
+.Dv ENTITY ,
 or
 .Dv USER
 to indicate that the key will be used for signing a zone, host,
 entity or user respectively.
+In this context
+.Dv HOST
+and
+.Dv ENTITY
+are identical.
 .Ar nametype
 is case-insensitive.
 .Pp
@@ -112,16 +121,19 @@ When creating Diffie-Hellman keys, the
 option selects the Diffie-Hellman generator
 .Ar generator
 that is to be used.
-The value of
+The only supported values value of
 .Ar generator
-must be either 2 or 5.
+are 2 and 5.
+If no Diffie-Hellman generator is supplied a known prime 
+from RFC2539 will be used if possible; otherwise 2 will be used as the
+generator.
 .Pp
 .Ar protocol-value
 sets the protocol value for the generated key.
 The default is 2 (email) for keys of type
 .Dv USER 
 and 3 (DNSSEC) for all other key types.
-Other possible values for this argument are listed in RFC2065 and its
+Other possible values for this argument are listed in RFC2535 and its
 successors.
 .Pp
 .Nm dnssec-keygen
@@ -146,6 +158,7 @@ given by
 .Ar strength-value .
 It should be a number between 0 and 15.
 The default strength is zero.
+The key strength field currently has no defined purpose in DNSSEC.
 .Pp
 The
 .Ar t
@@ -266,8 +279,9 @@ DSA key.
 .Sh FILES
 .Pa /dev/random 
 .Sh SEE ALSO
-.Xr RFC2065,
+.Xr RFC2535,
 .Xr RFC2845,
+.Xr RFC2539,
 .Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signkey 8 ,
 .Xr dnssec-signzone 8 .

doc/man/dnssec/dnssec-makekeyset.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-makekeyset.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.2 2000/06/28 03:20:47 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-MAKEKEYSET 8
@@ -163,7 +163,8 @@ zone for them to sign the contents with
 The following command generates a key set for the DSA key for
 .Dv example.com
 that was shown in the
-.Xr dnssec-keygen 8 man page.
+.Xr dnssec-keygen 8
+man page.
 The backslash is for typographic reasons and would not be provided on
 the command line when running
 .Nm dnssec-makekeyset .
@@ -196,6 +197,6 @@ signatures securely.
 .Sh FILES
 .Pa /dev/random .
 .Sh SEE ALSO
-.Xr RFC2065 ,
+.Xr RFC2535 ,
 .Xr dnssec-keygen 8 ,
 .Xr dnssec-signkey 8 .

doc/man/dnssec/dnssec-signkey.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signkey.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-signkey.8,v 1.2 2000/06/28 03:20:48 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNKEY 8
@@ -151,7 +151,7 @@ zone's zone key.
 .Sh FILES
 .Pa /dev/random
 .Sh SEE ALSO
-.Xr RFC2065,
+.Xr RFC2535,
 .Xr dnssec-keygen 8 ,
 .Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signzone 8 .

doc/man/dnssec/dnssec-signzone.8

@@ -14,7 +14,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.1 2000/06/27 21:50:27 jim Exp $
+.\" $Id: dnssec-signzone.8,v 1.2 2000/06/28 03:20:49 jim Exp $
 .\"
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNZONE 8
@@ -65,9 +65,7 @@ current working directory used by
 .Pp
 .Ar zonefile
 is the name of the unsigned zone file.
-If the fully qualified domain name is not clear from the resource
-records in the zone file because the owner-names are not fully
-qualified and dot-terminated, the
+Unless the file name is the same as the name of the zone, the
 .Ar o
 option should be given.
 .Ar origin
@@ -188,7 +186,7 @@ option instructs
 to use pseudo-random data when signing the zone's resource records.
 This is faster but less secure than using genuinely random data for signing.
 This option may be useful when the zone has many resource records to be
-signed and CPU resources are limited.
+signed and the entropy source is limited.
 It could also be used for short-lived keys and signatures that don't
 require strengthening against cryptanalysis: for instance when the signatures
 will be discarded long before the signed data could be compromised.
@@ -244,9 +242,7 @@ This zone file contains the keyset for
 .Dv example.com
 that was created by
 .Xr dnssec-makekeyset 8 .
-The zone's
-.Ar .keyset
-file was either appended to the zone file or
+The zone's keys were either appended to the zone file or
 incorporated using a 
 .Dv $INCLUDE 
 statement.
@@ -276,7 +272,7 @@ so that it can be loaded by the name server.
 .Sh FILES
 .Pa /dev/random
 .Sh SEE ALSO
-.Xr RFC2065,
+.Xr RFC2535,
 .Xr dnssec-keygen 8 ,
 .Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signkey 8 .