diff --git a/CHANGES b/CHANGES index 909168b351..eecf1e2288 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.13.5 released --- + 5108. [bug] Named could fail to determine bottom of zone when removing out of date keys leading to invalid NSEC and NSEC3 records being added to the zone. [GL #771] diff --git a/README b/README index a9b20391ca..bbb0672770 100644 --- a/README +++ b/README @@ -104,6 +104,10 @@ BIND 9.13 features BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: + * A new "plugin" mechanism has been added to allow query functionality + to be extended using dynamically loadable libraries. The "filter-aaaa" + feature has been removed from named and is now implemented as a + plugin. * Socket and task code has been refactored to improve performance. * QNAME minimization, as described in RFC 7816, is now supported. * "Root key sentinel" support, enabling validating resolvers to indicate diff --git a/README.md b/README.md index 90bfb0085f..6d3ff07416 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,9 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: +* A new "plugin" mechanism has been added to allow query functionality + to be extended using dynamically loadable libraries. The "filter-aaaa" + feature has been removed from named and is now implemented as a plugin. * Socket and task code has been refactored to improve performance. * QNAME minimization, as described in RFC 7816, is now supported. * "Root key sentinel" support, enabling validating resolvers to indicate diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 364548887e..b98356a1fe 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 
@@ -39,7 +39,7 @@ named-checkconf \- named configuration file syntax checking tool .SH "SYNOPSIS" .HP \w'\fBnamed\-checkconf\fR\ 'u -\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) +\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) .SH "DESCRIPTION" .PP \fBnamed\-checkconf\fR @@ -79,6 +79,13 @@ When loading a zonefile read the journal if it exists\&. List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&. .RE .PP +\-c +.RS 4 +Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to +\fBplugin\fR +statements to be ignored\&. +.RE +.PP \-p .RS 4 Print out the diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 8862b74580..fea7e1db93 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -33,7 +33,7 @@
named-checkconf
- [-hjlvz]
+ [-chjlvz]
[-p
[-x
]]
@@ -88,6 +88,14 @@
(e.g. master or slave).
+ Check "core" configuration only. This suppresses the loading + of plugin modules, and causes all parameters to + plugin statements to be ignored. +
+diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index c0885df7b3..e951411e5c 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -327,21 +327,21 @@ and files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&. .SH "EXAMPLE" .PP -To generate a 768\-bit DSA key for the domain +To generate an ECDSAP256SHA256 key for the domain \fBexample\&.com\fR, the following command would be issued: .PP -\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR +\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR .PP The command would print a string of the form: .PP -\fBKexample\&.com\&.+003+26160\fR +\fBKexample\&.com\&.+013+26160\fR .PP In this example, \fBdnssec\-keygen\fR creates the files -Kexample\&.com\&.+003+26160\&.key +Kexample\&.com\&.+013+26160\&.key and -Kexample\&.com\&.+003+26160\&.private\&. +Kexample\&.com\&.+013+26160\&.private\&. .SH "SEE ALSO" .PP \fBdnssec-signzone\fR(8), diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index d817ce79bc..04c138d8e6 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -498,22 +498,22 @@
- To generate a 768-bit DSA key for the domain
+ To generate an ECDSAP256SHA256 key for the domain
example.com, the following command would be
issued:
dnssec-keygen -a DSA -b 768 -n ZONE example.com
+
dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
The command would print a string of the form:
-Kexample.com.+003+26160
+
Kexample.com.+013+26160
In this example, dnssec-keygen creates
- the files Kexample.com.+003+26160.key
+ the files Kexample.com.+013+26160.key
and
- Kexample.com.+003+26160.private.
+ Kexample.com.+013+26160.private.
The following command signs the example.com
- zone with the DSA key generated by dnssec-keygen
- (Kexample.com.+003+17247). Because the -S option
- is not being used, the zone's keys must be in the master file
+ zone with the ECDSAP256SHA256 key generated by key generated by
+ dnssec-keygen (Kexample.com.+013+17247).
+ Because the -S option is not being used,
+ the zone's keys must be in the master file
(db.example.com). This invocation looks
for dsset files, in the current directory,
so that DS records can be imported from them (-g).
% dnssec-signzone -g -o example.com db.example.com \ -Kexample.com.+003+17247 +Kexample.com.+013+17247 db.example.com.signed %
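Review bot: the added line `zone with the ECDSAP256SHA256 key generated by key generated by` repeats "key generated by"; it should read `zone with the ECDSAP256SHA256 key generated by` with the following added line `dnssec-keygen (Kexample.com.+013+17247).` completing the sentence. The algorithm number in the file names (+013) matches ECDSAP256SHA256 and agrees with the Kexample.com.+013+26160 example earlier in the hunk, so the rest of the change is consistent.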
diff --git a/bin/plugins/filter-aaaa.8 b/bin/plugins/filter-aaaa.8
index f9204904c1..982ad891fd 100644
--- a/bin/plugins/filter-aaaa.8
+++ b/bin/plugins/filter-aaaa.8
@@ -9,7 +9,7 @@
'\" t
.\" Title: filter-aaaa.so
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1
filter-aaaa.so — filter AAAA in DNS responses when A is present
-hook query "filter-aaaa.so" [{ parameters }];
-
- filter-aaaa.so is a query hook module for + filter-aaaa.so + — filter AAAA in DNS responses when A is present +
+
+ plugin query "filter-aaaa.so"
+ [{ parameters }];
+
+ filter-aaaa.so is a query plugin module for named, enabling named to omit some IPv6 addresses when responding to clients.
-+
Until BIND 9.12, this feature was implemented natively in
named and enabled with the
filter-aaaa ACL and the
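Review bot: the synopsis changes the configuration keyword from `hook query "filter-aaaa.so"` to `plugin query "filter-aaaa.so"`, but nothing in the hunk tells an operator that configurations written with the earlier `hook` form must be rewritten; add a sentence in this section stating that the `hook` form is superseded and showing the `plugin` form to use instead. Also, the `.\" Generator: DocBook XSL Stylesheets v1.79.1` header line is deleted with no replacement visible; if this roff file is produced from the DocBook source, regenerate it rather than hand-editing so the header stays accurate.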
@@ -38,42 +51,45 @@
filter-aaaa-on-v6 options. These options are
now deprecated in named.conf, but can be
passed as parameters to the filter-aaaa.so
- hook module, for example:
+ plugin, for example:
-hook query "/usr/local/lib/filter-aaaa.so" {
+
+plugin query "/usr/local/lib/filter-aaaa.so" {
filter-aaaa-on-v4 yes;
filter-aaaa-on-v6 yes;
filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
};
-
+
This module is intended to aid transition from IPv4 to IPv6 by
withholding IPv6 addresses from DNS clients which are not connected
to the IPv6 Internet, when the name being looked up has an IPv4
address available. Use of this module is not recommended unless
absolutely necessary.
-
+
Note: This mechanism can erroneously cause other servers not to
give AAAA records to their clients. If a recursing server with
both IPv6 and IPv4 network connections queries an authoritative
server using this mechanism via IPv4, it will be denied AAAA
records even if its client is using IPv6.
-+
Specifies a list of client addresses for which AAAA
filtering is to be applied. The default is
any.
-
+
If set to yes, the DNS client is
at an IPv4 address, in filter-aaaa,
and if the response does not include DNSSEC signatures,
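Review bot: the example `plugin query "/usr/local/lib/filter-aaaa.so" {` uses an absolute library path while the synopsis above shows a bare file name; the page should say where named looks for a plugin given as a bare name, and should remind operators that the library is loaded into the named process, so the file and its directory need the same write-protection as named.conf itself. Separately, several lines in this hunk change only whitespace (a blank `-` line replaced by a blank `+` line), which is noise if the file is hand-maintained and a sign of regeneration if it is not; either way the substantive text changes would be easier to review without them.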
@@ -81,35 +97,39 @@ hook query "/usr/local/lib/filter-aaaa.so" {
This filtering applies to all responses and not only
authoritative responses.
+
If set to break-dnssec,
then AAAA records are deleted even when DNSSEC is
enabled. As suggested by the name, this causes the
response to fail to verify, because the DNSSEC protocol is
designed to detect deletions.
+
This mechanism can erroneously cause other servers not to give AAAA records to their clients. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is using IPv6.
-+
Identical to filter-aaaa-on-v4,
except it filters AAAA responses to queries from IPv6
clients instead of IPv4 clients. To filter all
responses, set both options to yes.
-
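Review bot: the added paragraph `This mechanism can erroneously cause other servers not to give AAAA records to their clients.` (the long line following the break-dnssec description) restates the earlier `Note: This mechanism can erroneously cause other servers not to` paragraph almost word for word; keep one copy, preferably the earlier Note, and drop this one. The break-dnssec text says the response will "fail to verify"; state the consequence plainly, that validating resolvers will reject such responses, so that readers understand the option is only safe where the affected clients are known not to validate.

Review bot: CHANGES hunk: only the `--- 9.13.5 released ---` marker is added. The plugin mechanism, the named-checkconf `-c` option and the move of filter-aaaa into a plugin are all documented elsewhere in this patch but have no numbered entry in the visible lines; if they are not already recorded further down in CHANGES, add entries so the release notes match the documentation changes.

Review bot: README and README.md hunks: both bullets say the filter-aaaa feature "has been removed from named and is now implemented as a plugin", while the filter-aaaa.8 man page in this same patch says the filter-aaaa options are "now deprecated in named.conf". "Deprecated" implies the options still parse in named.conf and "removed" implies they do not; pick one wording and use it in the READMEs and the man page alike.

Review bot: named-checkconf.8 and named-checkconf.html hunks: the `-c` description says the option suppresses loading of plugin modules and ignores plugin parameters, which means a clean `-c` run does not show that plugin parameters are valid; say so explicitly so operators do not treat a `-c` pass as a full pre-restart check. The phrase `causes all parameters to plugin statements to be ignored` also reads awkwardly; `causes the parameters of all plugin statements to be ignored` is clearer, and the same text should be changed in both the roff and the HTML file.

Review bot: dnssec-keygen.8 hunk: dropping `-b 768` along with DSA is correct because ECDSAP256SHA256 has a fixed key size, but the example text no longer says why no size is given; add a clause such as "no -b option is needed because the key size is fixed by the algorithm". The key tag 26160 is carried over unchanged from the DSA example, which is acceptable since the text says "a string of the form", but the HTML page later in the patch uses the same tag, so keep the two in step if either is ever changed.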