mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-24 10:21:10 -05:00
Regenerate man pages with Sphinx 4.5.0
The Debian 11 (bullseye) Docker image, which GitLab CI uses for building documentation, currently contains the following package versions:

- Sphinx 4.5.0
- sphinx-rtd-theme 1.0.0
- docutils 0.17.1

Regenerate the man pages to match contents produced in a Sphinx environment using the above package versions. This is necessary to prevent the "docs" GitLab CI job from failing.
parent cb42b9b400
commit e80ce6cfe2
31 changed files with 201 additions and 201 deletions
|
|
@ -37,19 +37,19 @@ ddns-confgen \- ddns key generation tool
|
|||
.sp
|
||||
\fBddns\-confgen\fP is an utility that generates keys for use in TSIG signing.
|
||||
The resulting keys can be used, for example, to secure dynamic DNS updates
|
||||
to a zone, or for the \fBrndc\fP command channel.
|
||||
to a zone, or for the \fI\%rndc\fP command channel.
|
||||
.sp
|
||||
The key name can specified using \fI\%\-k\fP parameter and defaults to \fBddns\-key\fP\&.
|
||||
The generated key is accompanied by configuration text and instructions that
|
||||
can be used with \fBnsupdate\fP and \fBnamed\fP when setting up dynamic DNS,
|
||||
can be used with \fI\%nsupdate\fP and \fI\%named\fP when setting up dynamic DNS,
|
||||
including an example \fBupdate\-policy\fP statement.
|
||||
(This usage is similar to the \fBrndc\-confgen\fP command for setting up
|
||||
(This usage is similar to the \fI\%rndc\-confgen\fP command for setting up
|
||||
command\-channel security.)
|
||||
.sp
|
||||
Note that \fBnamed\fP itself can configure a local DDNS key for use with
|
||||
\fBnsupdate \-l\fP; it does this when a zone is configured with
|
||||
Note that \fI\%named\fP itself can configure a local DDNS key for use with
|
||||
\fI\%nsupdate \-l\fP; it does this when a zone is configured with
|
||||
\fBupdate\-policy local;\fP\&. \fBddns\-confgen\fP is only needed when a more
|
||||
elaborate configuration is required: for instance, if \fBnsupdate\fP is to
|
||||
elaborate configuration is required: for instance, if \fI\%nsupdate\fP is to
|
||||
be used from a remote system.
|
||||
.SH OPTIONS
|
||||
.INDENT 0.0
|
||||
|
|
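Review bot: two wording slips sit in the unchanged description lines of this hunk: "is an utility" should read "is a utility", and "The key name can specified using" is missing "be". Since these pages are generated, both need fixing in the Sphinx source for this page before the next regeneration, not in the man page itself.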
@ -80,13 +80,13 @@ letters, digits, hyphens, and periods.
|
|||
.B \-q
|
||||
This option enables quiet mode, which prints only the key, with no
|
||||
explanatory text or usage examples. This is essentially identical to
|
||||
\fBtsig\-keygen\fP\&.
|
||||
\fI\%tsig\-keygen\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-s name
|
||||
This option generates a configuration example to allow dynamic updates
|
||||
of a single hostname. The example \fBnamed.conf\fP text shows how to set
|
||||
of a single hostname. The example \fI\%named.conf\fP text shows how to set
|
||||
an update policy for the specified name using the "name" nametype. The
|
||||
default key name is \fBddns\-key.name\fP\&. Note that the "self" nametype
|
||||
cannot be used, since the name to be updated may differ from the key
|
||||
|
|
@ -96,14 +96,14 @@ name. This option cannot be used with the \fI\%\-z\fP option.
|
|||
.TP
|
||||
.B \-z zone
|
||||
This option generates a configuration example to allow
|
||||
dynamic updates of a zone. The example \fBnamed.conf\fP text shows how
|
||||
dynamic updates of a zone. The example \fI\%named.conf\fP text shows how
|
||||
to set an update policy for the specified zone using the "zonesub"
|
||||
nametype, allowing updates to all subdomain names within that zone.
|
||||
This option cannot be used with the \fI\%\-s\fP option.
|
||||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnsupdate(1)\fP, \fBnamed.conf(5)\fP, \fBnamed(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%nsupdate(1)\fP, \fI\%named.conf(5)\fP, \fI\%named(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ delv \- DNS lookup and validation utility
|
|||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBdelv\fP is a tool for sending DNS queries and validating the results,
|
||||
using the same internal resolver and validator logic as \fBnamed\fP\&.
|
||||
using the same internal resolver and validator logic as \fI\%named\fP\&.
|
||||
.sp
|
||||
\fBdelv\fP sends to a specified name server all queries needed to
|
||||
fetch and validate the requested data; this includes the original
|
||||
|
|
@ -127,7 +127,7 @@ Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP
|
|||
\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
|
||||
it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not
|
||||
supported. \fBdelv\fP does not consult the managed\-keys database maintained by
|
||||
\fBnamed\fP, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is
|
||||
\fI\%named\fP, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is
|
||||
revoked and rolled over, \fB@sysconfdir@/bind.keys\fP must be updated to
|
||||
use DNSSEC validation in \fBdelv\fP\&.
|
||||
.UNINDENT
|
||||
|
|
@ -362,7 +362,7 @@ parsing of the \fBdelv\fP output.
|
|||
.TP
|
||||
.B +[no]dnssec
|
||||
This option indicates whether to display RRSIG records in the \fBdelv\fP output.
|
||||
The default is to do so. Note that (unlike in \fBdig\fP) this does
|
||||
The default is to do so. Note that (unlike in \fI\%dig\fP) this does
|
||||
\fInot\fP control whether to request DNSSEC records or to
|
||||
validate them. DNSSEC records are always requested, and validation
|
||||
always occurs unless suppressed by the use of \fI\%\-i\fP or
|
||||
|
|
@ -402,7 +402,7 @@ This option prints response data in YAML format.
|
|||
\fB/etc/resolv.conf\fP
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdig(1)\fP, \fBnamed(8)\fP, \fI\%RFC 4034\fP, \fI\%RFC 4035\fP, \fI\%RFC 4431\fP, \fI\%RFC 5074\fP, \fI\%RFC 5155\fP\&.
|
||||
\fI\%dig(1)\fP, \fI\%named(8)\fP, \fI\%RFC 4034\fP, \fI\%RFC 4035\fP, \fI\%RFC 4431\fP, \fI\%RFC 5074\fP, \fI\%RFC 5155\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -153,12 +153,12 @@ Print a usage summary.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-k keyfile
|
||||
This option tells \fBnamed\fP to sign queries using TSIG using a key read from the given file. Key
|
||||
files can be generated using \fBtsig\-keygen\fP\&. When using TSIG
|
||||
This option tells \fI\%named\fP to sign queries using TSIG using a key read from the given file. Key
|
||||
files can be generated using \fI\%tsig\-keygen\fP\&. When using TSIG
|
||||
authentication with \fBdig\fP, the name server that is queried needs to
|
||||
know the key and algorithm that is being used. In BIND, this is done
|
||||
by providing appropriate \fBkey\fP and \fBserver\fP statements in
|
||||
\fBnamed.conf\fP\&.
|
||||
\fI\%named.conf\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
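Review bot: in the "\-k keyfile" entry, the regenerated line "This option tells \fI\%named\fP to sign queries using TSIG" now cross-references named(8) for an action that the next sentence attributes to the querying tool ("When using TSIG authentication with \fBdig\fP"). Suggest rewording the source so that dig is the subject of the first sentence, and keeping the named reference only for the server-side "key" and "server" statements in named.conf. As written, a reader following the link could conclude that the TSIG key file is consumed by the server.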
@ -441,7 +441,7 @@ This option sends an EDNS Expire option.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B +[no]fail
|
||||
This option indicates that \fBnamed\fP should try [or not try] the next server if a SERVFAIL is received. The default is
|
||||
This option indicates that \fI\%named\fP should try [or not try] the next server if a SERVFAIL is received. The default is
|
||||
to not try the next server, which is the reverse of normal stub
|
||||
resolver behavior.
|
||||
.UNINDENT
|
||||
|
|
@ -675,7 +675,7 @@ This option performs [or does not perform] a search showing intermediate results
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B +[no]sigchase
|
||||
This feature is now obsolete and has been removed; use \fBdelv\fP
|
||||
This feature is now obsolete and has been removed; use \fI\%delv\fP
|
||||
instead.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
@ -756,7 +756,7 @@ is used. This option has no effect if \fB+tls\-ca\fP is not specified.
|
|||
.TP
|
||||
.B +[no]topdown
|
||||
This feature is related to \fBdig +sigchase\fP, which is obsolete and
|
||||
has been removed. Use \fBdelv\fP instead.
|
||||
has been removed. Use \fI\%delv\fP instead.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -785,7 +785,7 @@ the number of tries is silently rounded up to 1.
|
|||
.TP
|
||||
.B +trusted\-key=####
|
||||
This option formerly specified trusted keys for use with \fBdig +sigchase\fP\&. This
|
||||
feature is now obsolete and has been removed; use \fBdelv\fP instead.
|
||||
feature is now obsolete and has been removed; use \fI\%delv\fP instead.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -898,7 +898,7 @@ Internal error
|
|||
\fB${HOME}/.digrc\fP
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdelv(1)\fP, \fBhost(1)\fP, \fBnamed(8)\fP, \fBdnssec\-keygen(8)\fP, \fI\%RFC 1035\fP\&.
|
||||
\fI\%delv(1)\fP, \fI\%host(1)\fP, \fI\%named(8)\fP, \fI\%dnssec\-keygen(8)\fP, \fI\%RFC 1035\fP\&.
|
||||
.SH BUGS
|
||||
.sp
|
||||
There are probably too many query options.
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ file containing the child\(aqs CDS and/or CDNSKEY records, plus RRSIG and
|
|||
DNSKEY records so that they can be authenticated. The \fI\%\-d path\fP option
|
||||
specifies the location of a file containing the current DS records. For
|
||||
example, this could be a \fBdsset\-\fP file generated by
|
||||
\fBdnssec\-signzone\fP, or the output of \fBdnssec\-dsfromkey\fP, or the
|
||||
\fI\%dnssec\-signzone\fP, or the output of \fI\%dnssec\-dsfromkey\fP, or the
|
||||
output of a previous run of \fBdnssec\-cds\fP\&.
|
||||
.sp
|
||||
The \fBdnssec\-cds\fP command uses special DNSSEC validation logic
|
||||
|
|
@ -79,9 +79,9 @@ Be careful not to delete the DS records when \fBdnssec\-cds\fP fails!
|
|||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
Alternatively, :option\(gadnssec\-cds \-u\(ga writes an \fBnsupdate\fP script to the
|
||||
Alternatively, :option\(gadnssec\-cds \-u\(ga writes an \fI\%nsupdate\fP script to the
|
||||
standard output. The \fI\%\-u\fP and \fI\%\-i\fP options can be used together to
|
||||
maintain a \fBdsset\-\fP file as well as emit an \fBnsupdate\fP script.
|
||||
maintain a \fBdsset\-\fP file as well as emit an \fI\%nsupdate\fP script.
|
||||
.SH OPTIONS
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
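Review bot: the line beginning "Alternatively, :option\(gadnssec\-cds \-u\(ga writes an" still carries literal role markup (":option" followed by grave accents) on both the old and the new side. That option reference is therefore not rendered as a cross-reference, unlike \fI\%\-u\fP and \fI\%\-i\fP on the following line. The role in the Sphinx source appears to be malformed; correct it there and regenerate so that this line comes out as a normal option reference. A CI check that searches the generated pages for leftover ":option" text would catch this class of error.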
@ -172,13 +172,13 @@ the new DS records also have no explicit TTL.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-u
|
||||
This option writes an \fBnsupdate\fP script to the standard output, instead of
|
||||
This option writes an \fI\%nsupdate\fP script to the standard output, instead of
|
||||
printing the new DS reords. The output is empty if no change is
|
||||
needed.
|
||||
.sp
|
||||
Note: The TTL of new records needs to be specified: it can be done in the
|
||||
original \fBdsset\-\fP file, with the \fI\%\-T\fP option, or using the
|
||||
\fBnsupdate\fP \fBttl\fP command.
|
||||
\fI\%nsupdate\fP \fBttl\fP command.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
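Review bot: the "\-u" entry has a typo in its unchanged second line, "printing the new DS reords", which should read "records". It is carried over from the source, so fix it there and regenerate.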
@ -205,11 +205,11 @@ If successful, the DS records may or may not need to be
|
|||
changed.
|
||||
.SH EXAMPLES
|
||||
.sp
|
||||
Before running \fBdnssec\-signzone\fP, ensure that the delegations
|
||||
Before running \fI\%dnssec\-signzone\fP, ensure that the delegations
|
||||
are up\-to\-date by running \fBdnssec\-cds\fP on every \fBdsset\-\fP file.
|
||||
.sp
|
||||
To fetch the child records required by \fBdnssec\-cds\fP, invoke
|
||||
\fBdig\fP as in the script below. It is acceptable if the \fBdig\fP fails, since
|
||||
\fI\%dig\fP as in the script below. It is acceptable if the \fI\%dig\fP fails, since
|
||||
\fBdnssec\-cds\fP performs all the necessary checking.
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
|
|
@ -227,8 +227,8 @@ done
|
|||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
When the parent zone is automatically signed by \fBnamed\fP,
|
||||
\fBdnssec\-cds\fP can be used with \fBnsupdate\fP to maintain a delegation as follows.
|
||||
When the parent zone is automatically signed by \fI\%named\fP,
|
||||
\fBdnssec\-cds\fP can be used with \fI\%nsupdate\fP to maintain a delegation as follows.
|
||||
The \fBdsset\-\fP file allows the script to avoid having to fetch and
|
||||
validate the parent DS records, and it maintains the replay attack
|
||||
protection time.
|
||||
|
|
@ -246,7 +246,7 @@ nsupdate \-l
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdig(1)\fP, \fBdnssec\-settime(8)\fP, \fBdnssec\-signzone(8)\fP, \fBnsupdate(1)\fP, BIND 9 Administrator
|
||||
\fI\%dig(1)\fP, \fI\%dnssec\-settime(8)\fP, \fI\%dnssec\-signzone(8)\fP, \fI\%nsupdate(1)\fP, BIND 9 Administrator
|
||||
Reference Manual, \fI\%RFC 7344\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
|
|||
|
|
@ -51,13 +51,13 @@ included.
|
|||
The input keys can be specified in a number of ways:
|
||||
.sp
|
||||
By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
|
||||
\fBKnnnn.+aaa+iiiii.key\fP, as generated by \fBdnssec\-keygen\fP\&.
|
||||
\fBKnnnn.+aaa+iiiii.key\fP, as generated by \fI\%dnssec\-keygen\fP\&.
|
||||
.sp
|
||||
With the \fI\%\-f file\fP option, \fBdnssec\-dsfromkey\fP reads keys from a zone
|
||||
file or partial zone file (which can contain just the DNSKEY records).
|
||||
.sp
|
||||
With the \fI\%\-s\fP option, \fBdnssec\-dsfromkey\fP reads a \fBkeyset\-\fP file,
|
||||
as generated by \fBdnssec\-keygen\fP \fI\%\-C\fP\&.
|
||||
as generated by \fI\%dnssec\-keygen\fP \fI\%\-C\fP\&.
|
||||
.SH OPTIONS
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -107,7 +107,7 @@ DNS domain name of a zone whose master file can be read from
|
|||
omitted.
|
||||
.sp
|
||||
If \fBfile\fP is \fB\-\fP, then the zone data is read from the standard
|
||||
input. This makes it possible to use the output of the \fBdig\fP
|
||||
input. This makes it possible to use the output of the \fI\%dig\fP
|
||||
command as input, as in:
|
||||
.sp
|
||||
\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fP
|
||||
|
|
@ -157,7 +157,7 @@ The command returns something similar to:
|
|||
.sp
|
||||
The keyfile can be designated by the key identification
|
||||
\fBKnnnn.+aaa+iiiii\fP or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as
|
||||
generated by \fBdnssec\-keygen\fP\&.
|
||||
generated by \fI\%dnssec\-keygen\fP\&.
|
||||
.sp
|
||||
The keyset file name is built from the \fBdirectory\fP, the string
|
||||
\fBkeyset\-\fP, and the \fBdnsname\fP\&.
|
||||
|
|
@ -166,7 +166,7 @@ The keyset file name is built from the \fBdirectory\fP, the string
|
|||
A keyfile error may return "file not found," even if the file exists.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%RFC 3658\fP (DS RRs), \fI\%RFC 4509\fP (SHA\-256 for DS RRs),
|
||||
\fI\%RFC 6605\fP (SHA\-384 for DS RRs), \fI\%RFC 7344\fP (CDS and CDNSKEY RRs).
|
||||
.SH AUTHOR
|
||||
|
|
|
|||
|
|
@ -129,10 +129,10 @@ key are to be deleted.
|
|||
.sp
|
||||
A keyfile can be designed by the key identification \fBKnnnn.+aaa+iiiii\fP
|
||||
or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as generated by
|
||||
\fBdnssec\-keygen\fP\&.
|
||||
\fI\%dnssec\-keygen\fP\&.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%RFC 5011\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
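Review bot: the first context line reads "A keyfile can be designed by the key identification", where "designated" is evidently meant; the otherwise identical sentence in the dnssec-dsfromkey page elsewhere in this commit uses "designated". Correct the word in the source for this page and regenerate.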
|
|||
|
|
@ -38,7 +38,7 @@ dnssec-keyfromlabel \- DNSSEC key generation tool
|
|||
\fBdnssec\-keyfromlabel\fP generates a pair of key files that reference a
|
||||
key object stored in a cryptographic hardware service module (HSM). The
|
||||
private key file can be used for DNSSEC signing of zone data as if it
|
||||
were a conventional signing key created by \fBdnssec\-keygen\fP, but the
|
||||
were a conventional signing key created by \fI\%dnssec\-keygen\fP, but the
|
||||
key material is stored within the HSM and the actual signing takes
|
||||
place there.
|
||||
.sp
|
||||
|
|
@ -303,7 +303,7 @@ The \fB\&.private\fP file contains algorithm\-specific fields. For obvious
|
|||
security reasons, this file does not have general read permission.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%RFC 4034\fP, \fI\%RFC 7512\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ option, which copies the algorithm from the predecessor key.
|
|||
.sp
|
||||
In prior releases, HMAC algorithms could be generated for use as TSIG
|
||||
keys, but that feature was removed in BIND 9.13.0. Use
|
||||
\fBtsig\-keygen\fP to generate TSIG keys.
|
||||
\fI\%tsig\-keygen\fP to generate TSIG keys.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -354,7 +354,7 @@ string. \fBKnnnn.+aaa+iiiii.key\fP contains the public key, and
|
|||
\fBKnnnn.+aaa+iiiii.private\fP contains the private key.
|
||||
.sp
|
||||
The \fB\&.key\fP file contains a DNSKEY or KEY record. When a zone is being
|
||||
signed by \fBnamed\fP or \fBdnssec\-signzone \-S\fP, DNSKEY records are
|
||||
signed by \fI\%named\fP or \fI\%dnssec\-signzone \-S\fP, DNSKEY records are
|
||||
included automatically. In other cases, the \fB\&.key\fP file can be
|
||||
inserted into a zone file manually or with an \fB$INCLUDE\fP statement.
|
||||
.sp
|
||||
|
|
@ -379,7 +379,7 @@ To generate a matching key\-signing key, issue the command:
|
|||
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example.com\fP
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 2539\fP,
|
||||
\fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 2539\fP,
|
||||
\fI\%RFC 2845\fP, \fI\%RFC 4034\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ revoke the key.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 5011\fP\&.
|
||||
\fI\%dnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 5011\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ dnssec-settime \- set the key timing metadata for a DNSSEC key
|
|||
\fBdnssec\-settime\fP reads a DNSSEC private key file and sets the key
|
||||
timing metadata as specified by the \fI\%\-P\fP, \fI\%\-A\fP, \fI\%\-R\fP,
|
||||
\fI\%\-I\fP, and \fI\%\-D\fP options. The metadata can then be used by
|
||||
\fBdnssec\-signzone\fP or other signing software to determine when a key is
|
||||
\fI\%dnssec\-signzone\fP or other signing software to determine when a key is
|
||||
to be published, whether it should be used for signing a zone, etc.
|
||||
.sp
|
||||
If none of these options is set on the command line,
|
||||
|
|
@ -284,7 +284,7 @@ metadata, use \fBall\fP\&.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
|
||||
\fI\%RFC 5011\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
|
|||
|
|
@ -111,7 +111,7 @@ which is useful to know when rolling keys. The maxttl is the longest
|
|||
possible time before signatures that have been retrieved by resolvers
|
||||
expire from resolver caches. Zones that are signed with this
|
||||
option should be configured to use a matching \fBmax\-zone\-ttl\fP in
|
||||
\fBnamed.conf\fP\&. (Note: This option is incompatible with \fI\%\-D\fP,
|
||||
\fI\%named.conf\fP\&. (Note: This option is incompatible with \fI\%\-D\fP,
|
||||
because it modifies non\-DNSSEC data in the output zone.)
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
@ -268,8 +268,8 @@ zone. Possible formats are \fBtext\fP (the default), which is the standard
|
|||
textual representation of the zone; \fBfull\fP, which is text output in a
|
||||
format suitable for processing by external scripts; and \fBraw\fP and
|
||||
\fBraw=N\fP, which store the zone in binary formats for rapid loading by
|
||||
\fBnamed\fP\&. \fBraw=N\fP specifies the format version of the raw zone file:
|
||||
if N is 0, the raw file can be read by any version of \fBnamed\fP; if N is
|
||||
\fI\%named\fP\&. \fBraw=N\fP specifies the format version of the raw zone file:
|
||||
if N is 0, the raw file can be read by any version of \fI\%named\fP; if N is
|
||||
1, the file can be read by release 9.9.0 or higher. The default is 1.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
@ -392,7 +392,7 @@ This option sets the debugging level.
|
|||
.B \-x
|
||||
This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key\-signing keys,
|
||||
and should omit signatures from zone\-signing keys. (This is similar to the
|
||||
\fBdnssec\-dnskey\-kskonly yes;\fP zone option in \fBnamed\fP\&.)
|
||||
\fBdnssec\-dnskey\-kskonly yes;\fP zone option in \fI\%named\fP\&.)
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -400,7 +400,7 @@ and should omit signatures from zone\-signing keys. (This is similar to the
|
|||
This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
|
||||
KSK\-flagged keys to sign all records, not just the DNSKEY RRset.
|
||||
(This is similar to the \fBupdate\-check\-ksk no;\fP zone option in
|
||||
\fBnamed\fP\&.)
|
||||
\fI\%named\fP\&.)
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -444,7 +444,7 @@ the current directory, they are used for signing.
|
|||
.SH EXAMPLE
|
||||
.sp
|
||||
The following command signs the \fBexample.com\fP zone with the
|
||||
ECDSAP256SHA256 key generated by \fBdnssec\-keygen\fP
|
||||
ECDSAP256SHA256 key generated by \fI\%dnssec\-keygen\fP
|
||||
(Kexample.com.+013+17247). Because the \fI\%\-S\fP option is not being used,
|
||||
the zone\(aqs keys must be in the master file (\fBdb.example.com\fP). This
|
||||
invocation looks for \fBdsset\fP files in the current directory, so that
|
||||
|
|
@ -465,7 +465,7 @@ db.example.com.signed
|
|||
.sp
|
||||
In the above example, \fBdnssec\-signzone\fP creates the file
|
||||
\fBdb.example.com.signed\fP\&. This file should be referenced in a zone
|
||||
statement in the \fBnamed.conf\fP file.
|
||||
statement in the \fI\%named.conf\fP file.
|
||||
.sp
|
||||
This example re\-signs a previously signed zone with default parameters.
|
||||
The private keys are assumed to be in the current directory.
|
||||
|
|
@ -484,7 +484,7 @@ db.example.com.signed
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP,
|
||||
\fI\%dnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP,
|
||||
\fI\%RFC 4641\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ This option verifies only that the DNSKEY RRset is signed with key\-signing keys
|
|||
Without this flag, it is assumed that the DNSKEY RRset is signed
|
||||
by all active keys. When this flag is set, it is not an error if
|
||||
the DNSKEY RRset is not signed by zone\-signing keys. This corresponds
|
||||
to the \fB\-x option in dnssec\-signzone\fP\&.
|
||||
to the \fI\%\-x option in dnssec\-signzone\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -110,7 +110,7 @@ be at least one non\-revoked, self\-signed DNSKEY, regardless of
|
|||
the KSK flag state, and that other RRsets be signed by a
|
||||
non\-revoked key for the same algorithm that includes the self\-signed
|
||||
key; the same key may be used for both purposes. This corresponds to
|
||||
the \fB\-z option in dnssec\-signzone\fP\&.
|
||||
the \fI\%\-z option in dnssec\-signzone\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -119,7 +119,7 @@ This option indicates the file containing the zone to be signed.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP\&.
|
||||
\fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ This option prints \fBdnstap\fP data in a detailed YAML format.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnamed(8)\fP, \fBrndc(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%named(8)\fP, \fI\%rndc(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -35,8 +35,8 @@ filter-a \- filter A in DNS responses when AAAA is present
|
|||
\fBplugin query\fP "filter\-a.so" [{ parameters }];
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBfilter\-a.so\fP is a query plugin module for \fBnamed\fP, enabling
|
||||
\fBnamed\fP to omit some IPv4 addresses when responding to clients.
|
||||
\fBfilter\-a.so\fP is a query plugin module for \fI\%named\fP, enabling
|
||||
\fI\%named\fP to omit some IPv4 addresses when responding to clients.
|
||||
.sp
|
||||
For example:
|
||||
.INDENT 0.0
|
||||
|
|
|
|||
|
|
@ -35,13 +35,13 @@ filter-aaaa \- filter AAAA in DNS responses when A is present
|
|||
\fBplugin query\fP "filter\-aaaa.so" [{ parameters }];
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBfilter\-aaaa.so\fP is a query plugin module for \fBnamed\fP, enabling
|
||||
\fBnamed\fP to omit some IPv6 addresses when responding to clients.
|
||||
\fBfilter\-aaaa.so\fP is a query plugin module for \fI\%named\fP, enabling
|
||||
\fI\%named\fP to omit some IPv6 addresses when responding to clients.
|
||||
.sp
|
||||
Until BIND 9.12, this feature was implemented natively in \fBnamed\fP and
|
||||
Until BIND 9.12, this feature was implemented natively in \fI\%named\fP and
|
||||
enabled with the \fBfilter\-aaaa\fP ACL and the \fBfilter\-aaaa\-on\-v4\fP and
|
||||
\fBfilter\-aaaa\-on\-v6\fP options. These options are now deprecated in
|
||||
\fBnamed.conf\fP but can be passed as parameters to the
|
||||
\fI\%named.conf\fP but can be passed as parameters to the
|
||||
\fBfilter\-aaaa.so\fP plugin, for example:
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@ class resource records. The default class is IN (Internet).
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-C
|
||||
This option indicates that \fBnamed\fP should check consistency, meaning that \fBhost\fP queries the SOA records for zone
|
||||
This option indicates that \fI\%named\fP should check consistency, meaning that \fBhost\fP queries the SOA records for zone
|
||||
\fBname\fP from all the listed authoritative name servers for that
|
||||
zone. The list of name servers is defined by the NS records that are
|
||||
found for the zone.
|
||||
|
|
@ -91,7 +91,7 @@ This option prints debugging traces, and is equivalent to the \fI\%\-v\fP verbos
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-l
|
||||
This option tells \fBnamed\fP to list the zone, meaning the \fBhost\fP command performs a zone transfer of zone
|
||||
This option tells \fI\%named\fP to list the zone, meaning the \fBhost\fP command performs a zone transfer of zone
|
||||
\fBname\fP and prints out the NS, PTR, and address records (A/AAAA).
|
||||
.sp
|
||||
Together, the \fI\%\-l\fP \fI\%\-a\fP options print all records in the zone.
|
||||
|
|
@ -131,7 +131,7 @@ the value of the \fBattempts\fP option in \fB/etc/resolv.conf\fP, if set.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-s
|
||||
This option tells \fBnamed\fP \fInot\fP to send the query to the next nameserver if any server responds
|
||||
This option tells \fI\%named\fP \fInot\fP to send the query to the next nameserver if any server responds
|
||||
with a SERVFAIL response, which is the reverse of normal stub
|
||||
resolver behavior.
|
||||
.UNINDENT
|
||||
|
|
@ -188,7 +188,7 @@ also the \fI\%\-W\fP option.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-W wait
|
||||
This options sets the length of the wait timeout, indicating that \fBnamed\fP should wait for up to \fBwait\fP seconds for a reply. If \fBwait\fP is
|
||||
This options sets the length of the wait timeout, indicating that \fI\%named\fP should wait for up to \fBwait\fP seconds for a reply. If \fBwait\fP is
|
||||
less than 1, the wait interval is set to 1 second.
|
||||
.sp
|
||||
By default, \fBhost\fP waits for 5 seconds for UDP responses and 10
|
||||
|
|
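Review bot: the "\-W wait" entry opens with "This options sets", which should be "This option sets". The same sentence says \fI\%named\fP should wait for up to "wait" seconds, while the following paragraph gives the timeouts as those of the client ("By default, \fBhost\fP waits for 5 seconds"). With named now rendered as a cross-reference to named(8), the mismatch is more visible; suggest making host the subject in the source.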
@ -211,7 +211,7 @@ when \fBhost\fP runs.
|
|||
\fB/etc/resolv.conf\fP
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdig(1)\fP, \fBnamed(8)\fP\&.
|
||||
\fI\%dig(1)\fP, \fI\%named(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -39,18 +39,18 @@ mdig \- DNS pipelined lookup utility
|
|||
\fBmdig\fP [@server] {global\-opt...} { {local\-opt...} {query} ...}
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBmdig\fP is a multiple/pipelined query version of \fBdig\fP: instead of
|
||||
\fBmdig\fP is a multiple/pipelined query version of \fI\%dig\fP: instead of
|
||||
waiting for a response after sending each query, it begins by sending
|
||||
all queries. Responses are displayed in the order in which they are
|
||||
received, not in the order the corresponding queries were sent.
|
||||
.sp
|
||||
\fBmdig\fP options are a subset of the \fBdig\fP options, and are divided
|
||||
\fBmdig\fP options are a subset of the \fI\%dig\fP options, and are divided
|
||||
into "anywhere options," which can occur anywhere, "global options," which
|
||||
must occur before the query name (or they are ignored with a warning),
|
||||
and "local options," which apply to the next query on the command line.
|
||||
.sp
|
||||
The \fB@server\fP option is a mandatory global option. It is the name or IP
|
||||
address of the name server to query. (Unlike \fBdig\fP, this value is not
|
||||
address of the name server to query. (Unlike \fI\%dig\fP, this value is not
|
||||
retrieved from \fB/etc/resolv.conf\fP\&.) It can be an IPv4 address in
|
||||
dotted\-decimal notation, an IPv6 address in colon\-delimited notation, or
|
||||
a hostname. When the supplied \fBserver\fP argument is a hostname,
|
||||
|
|
@ -428,7 +428,7 @@ This flag is off by default.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdig(1)\fP, \fI\%RFC 1035\fP\&.
|
||||
\fI\%dig(1)\fP, \fI\%RFC 1035\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -36,14 +36,14 @@ named-checkconf \- named configuration file syntax checking tool
|
|||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBnamed\-checkconf\fP checks the syntax, but not the semantics, of a
|
||||
\fBnamed\fP configuration file. The file, along with all files included by it, is parsed and checked for syntax
|
||||
\fI\%named\fP configuration file. The file, along with all files included by it, is parsed and checked for syntax
|
||||
errors. If no file is specified,
|
||||
\fB@sysconfdir@/named.conf\fP is read by default.
|
||||
.sp
|
||||
Note: files that \fBnamed\fP reads in separate parser contexts, such as
|
||||
Note: files that \fI\%named\fP reads in separate parser contexts, such as
|
||||
\fBrndc.key\fP and \fBbind.keys\fP, are not automatically read by
|
||||
\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause
|
||||
\fBnamed\fP to fail to run, even if \fBnamed\-checkconf\fP was successful.
|
||||
\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was successful.
|
||||
However, \fBnamed\-checkconf\fP can be run on these files explicitly.
|
||||
.SH OPTIONS
|
||||
.INDENT 0.0
|
||||
|
|
@ -54,7 +54,7 @@ This option prints the usage summary and exits.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-j
|
||||
When loading a zonefile, this option instructs \fBnamed\fP to read the journal if it exists.
|
||||
When loading a zonefile, this option instructs \fI\%named\fP to read the journal if it exists.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -77,15 +77,15 @@ This option ignores warnings on deprecated options.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-p
|
||||
This option prints out the \fBnamed.conf\fP and included files in canonical form if
|
||||
This option prints out the \fI\%named.conf\fP and included files in canonical form if
|
||||
no errors were detected. See also the \fI\%\-x\fP option.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-t directory
|
||||
This option instructs \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
|
||||
This option instructs \fI\%named\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
|
||||
configuration file are processed as if run by a similarly chrooted
|
||||
\fBnamed\fP\&.
|
||||
\fI\%named\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -97,7 +97,7 @@ This option prints the version of the \fBnamed\-checkconf\fP program and exits.
|
|||
.B \-x
|
||||
When printing the configuration files in canonical form, this option obscures
|
||||
shared secrets by replacing them with strings of question marks
|
||||
(\fB?\fP). This allows the contents of \fBnamed.conf\fP and related files
|
||||
(\fB?\fP). This allows the contents of \fI\%named.conf\fP and related files
|
||||
to be shared \- for example, when submitting bug reports \-
|
||||
without compromising private data. This option cannot be used without
|
||||
\fI\%\-p\fP\&.
|
||||
|
|
@ -105,7 +105,7 @@ without compromising private data. This option cannot be used without
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-z
|
||||
This option performs a test load of all zones of type \fBprimary\fP found in \fBnamed.conf\fP\&.
|
||||
This option performs a test load of all zones of type \fBprimary\fP found in \fI\%named.conf\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -119,7 +119,7 @@ it defaults to \fB@sysconfdir@/named.conf\fP\&.
|
|||
and 0 otherwise.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnamed(8)\fP, \fBnamed\-checkzone(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%named(8)\fP, \fI\%named\-checkzone(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ named-checkzone \- zone file validity checking or converting tool
|
|||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBnamed\-checkzone\fP checks the syntax and integrity of a zone file. It
|
||||
performs the same checks as \fBnamed\fP does when loading a zone. This
|
||||
performs the same checks as \fI\%named\fP does when loading a zone. This
|
||||
makes \fBnamed\-checkzone\fP useful for checking zone files before
|
||||
configuring them into a name server.
|
||||
.SH OPTIONS
|
||||
|
|
@ -64,14 +64,14 @@ This option prints the version of the \fBnamed\-checkzone\fP program and exits.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-j
|
||||
When loading a zone file, this option tells \fBnamed\fP to read the journal if it exists. The journal
|
||||
When loading a zone file, this option tells \fI\%named\fP to read the journal if it exists. The journal
|
||||
file name is assumed to be the zone file name with the
|
||||
string \fB\&.jnl\fP appended.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-J filename
|
||||
When loading the zone file, this option tells \fBnamed\fP to read the journal from the given file, if
|
||||
When loading the zone file, this option tells \fI\%named\fP to read the journal from the given file, if
|
||||
it exists. This implies \fI\%\-j\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
@ -122,9 +122,9 @@ the zone contents.
|
|||
.sp
|
||||
Possible formats are \fBtext\fP (the default), which is the standard
|
||||
textual representation of the zone, and \fBraw\fP and \fBraw=N\fP, which
|
||||
store the zone in a binary format for rapid loading by \fBnamed\fP\&.
|
||||
store the zone in a binary format for rapid loading by \fI\%named\fP\&.
|
||||
\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is
|
||||
0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the
|
||||
0, the raw file can be read by any version of \fI\%named\fP; if N is 1, the
|
||||
file can only be read by release 9.9.0 or higher. The default is 1.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
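Review bot: in the \-F text of this hunk, the raw=N sentence marks up the variable only once: "if \fBN\fP is 0, the raw file can be read by any version of \fI\%named\fP; if N is 1, the file can only be read by release 9.9.0 or higher". The second N should carry the same markup as the first. Fix it in the .rst source so the next regeneration picks it up.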
@ -138,7 +138,7 @@ Possible modes are \fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&.
|
|||
.B \-l ttl
|
||||
This option sets a maximum permissible TTL for the input file. Any record with a
|
||||
TTL higher than this value causes the zone to be rejected. This
|
||||
is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&.
|
||||
is similar to using the \fBmax\-zone\-ttl\fP option in \fI\%named.conf\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -199,9 +199,9 @@ This option checks whether an SRV record refers to a CNAME. Possible modes are
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-t directory
|
||||
This option tells \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
|
||||
This option tells \fI\%named\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
|
||||
configuration file are processed as if run by a similarly chrooted
|
||||
\fBnamed\fP\&.
|
||||
\fI\%named\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -213,9 +213,9 @@ modes are \fBwarn\fP (the default) and \fBignore\fP\&.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-w directory
|
||||
This option instructs \fBnamed\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
|
||||
This option instructs \fI\%named\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
|
||||
\fB$INCLUDE\fP directives work. This is similar to the directory clause in
|
||||
\fBnamed.conf\fP\&.
|
||||
\fI\%named.conf\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -246,7 +246,7 @@ This is the name of the zone file.
|
|||
and 0 otherwise.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-compilezone(8)\fP, \fI\%RFC 1035\fP, BIND 9 Administrator Reference
|
||||
\fI\%named(8)\fP, \fI\%named\-checkconf(8)\fP, \fI\%named\-compilezone(8)\fP, \fI\%RFC 1035\fP, BIND 9 Administrator Reference
|
||||
Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
|
|||
|
|
@ -38,9 +38,9 @@ named-compilezone \- zone file validity checking or converting tool
|
|||
\fBnamed\-compilezone\fP checks the syntax and integrity of a zone file,
|
||||
and dumps the zone contents to a specified file in a specified format.
|
||||
It applies strict check levels by default, since the
|
||||
dump output is used as an actual zone file loaded by \fBnamed\fP\&.
|
||||
dump output is used as an actual zone file loaded by \fI\%named\fP\&.
|
||||
When manually specified otherwise, the check levels must at least be as
|
||||
strict as those specified in the \fBnamed\fP configuration file.
|
||||
strict as those specified in the \fI\%named\fP configuration file.
|
||||
.SH OPTIONS
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -61,19 +61,19 @@ successful or failed completion.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-v
|
||||
This option prints the version of the \fBnamed\-checkzone\fP program and exits.
|
||||
This option prints the version of the \fI\%named\-checkzone\fP program and exits.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-j
|
||||
When loading a zone file, this option tells \fBnamed\fP to read the journal if it exists. The journal
|
||||
When loading a zone file, this option tells \fI\%named\fP to read the journal if it exists. The journal
|
||||
file name is assumed to be the zone file name with the
|
||||
string \fB\&.jnl\fP appended.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-J filename
|
||||
When loading the zone file, this option tells \fBnamed\fP to read the journal from the given file, if
|
||||
When loading the zone file, this option tells \fI\%named\fP to read the journal from the given file, if
|
||||
it exists. This implies \fI\%\-j\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
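Review bot: the \-v entry on this named-compilezone page now reads "This option prints the version of the \fI\%named\-checkzone\fP program and exits", so the regenerated text names and cross-references a different tool than the page it sits on. The named-compilezone source should name named-compilezone here, and the man page should be regenerated from that.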
@ -119,14 +119,14 @@ This option specifies the format of the zone file. Possible formats are
|
|||
.TP
|
||||
.B \-F format
|
||||
This option specifies the format of the output file specified. For
|
||||
\fBnamed\-checkzone\fP, this does not have any effect unless it dumps
|
||||
\fI\%named\-checkzone\fP, this does not have any effect unless it dumps
|
||||
the zone contents.
|
||||
.sp
|
||||
Possible formats are \fBtext\fP (the default), which is the standard
|
||||
textual representation of the zone, and \fBraw\fP and \fBraw=N\fP, which
|
||||
store the zone in a binary format for rapid loading by \fBnamed\fP\&.
|
||||
store the zone in a binary format for rapid loading by \fI\%named\fP\&.
|
||||
\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is
|
||||
0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the
|
||||
0, the raw file can be read by any version of \fI\%named\fP; if N is 1, the
|
||||
file can only be read by release 9.9.0 or higher. The default is 1.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
@ -140,7 +140,7 @@ Possible modes are \fBfail\fP (the default), \fBwarn\fP, and \fBignore\fP\&.
|
|||
.B \-l ttl
|
||||
This option sets a maximum permissible TTL for the input file. Any record with a
|
||||
TTL higher than this value causes the zone to be rejected. This
|
||||
is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&.
|
||||
is similar to using the \fBmax\-zone\-ttl\fP option in \fI\%named.conf\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -200,9 +200,9 @@ This option checks whether an SRV record refers to a CNAME. Possible modes are
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-t directory
|
||||
This option tells \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
|
||||
This option tells \fI\%named\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
|
||||
configuration file are processed as if run by a similarly chrooted
|
||||
\fBnamed\fP\&.
|
||||
\fI\%named\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -214,9 +214,9 @@ modes are \fBwarn\fP (the default) and \fBignore\fP\&.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-w directory
|
||||
This option instructs \fBnamed\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
|
||||
This option instructs \fI\%named\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
|
||||
\fB$INCLUDE\fP directives work. This is similar to the directory clause in
|
||||
\fBnamed.conf\fP\&.
|
||||
\fI\%named.conf\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -248,7 +248,7 @@ This is the name of the zone file.
|
|||
and 0 otherwise.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-checkzone(8)\fP, \fI:rfc:\(ga1035\fP,
|
||||
\fI\%named(8)\fP, \fI\%named\-checkconf(8)\fP, \fI\%named\-checkzone(8)\fP, \fI:rfc:\(ga1035\fP,
|
||||
BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
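Review bot: the SEE ALSO line of this hunk still carries "\fI:rfc:\(ga1035\fP" on both the old and the new side, which is an unresolved Sphinx role emitted as literal text. The named-checkzone page in this same commit renders the reference as "\fI\%RFC 1035\fP". The stray \(ga (a single backtick) suggests the role is malformed in the named-compilezone source. Correct it there and regenerate rather than committing the broken output again.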
|
|||
|
|
@ -39,8 +39,8 @@ named-journalprint \- print zone journal in human-readable form
|
|||
printing it in a human\-readable form, or, optionally, converting it
|
||||
to a different journal file format.
|
||||
.sp
|
||||
Journal files are automatically created by \fBnamed\fP when changes are
|
||||
made to dynamic zones (e.g., by \fBnsupdate\fP). They record each addition
|
||||
Journal files are automatically created by \fI\%named\fP when changes are
|
||||
made to dynamic zones (e.g., by \fI\%nsupdate\fP). They record each addition
|
||||
or deletion of a resource record, in binary format, allowing the changes
|
||||
to be re\-applied to the zone when the server is restarted after a
|
||||
shutdown or crash. By default, the name of the journal file is formed by
|
||||
|
|
@ -54,7 +54,7 @@ the resource record in master\-file format.
|
|||
.sp
|
||||
The \fB\-c\fP (compact) option provides a mechanism to reduce the size of
|
||||
a journal by removing (most/all) transactions prior to the specified
|
||||
serial number. Note: this option \fImust not\fP be used while \fBnamed\fP is
|
||||
serial number. Note: this option \fImust not\fP be used while \fI\%named\fP is
|
||||
running, and can cause data loss if the zone file has not been updated
|
||||
to contain the data being removed from the journal. Use with extreme caution.
|
||||
.sp
|
||||
|
|
@ -67,10 +67,10 @@ replaced. \fB\-d\fP writes out the journal in the format used by
|
|||
versions of BIND up to 9.16.11; \fB\-u\fP writes it out in the format used
|
||||
by versions since 9.16.13. (9.16.12 is omitted due to a journal\-formatting
|
||||
bug in that release.) Note that these options \fImust not\fP be used while
|
||||
\fBnamed\fP is running.
|
||||
\fI\%named\fP is running.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnamed(8)\fP, \fBnsupdate(1)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%named(8)\fP, \fI\%nsupdate(1)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ named-nzd2nzf \- convert an NZD database to NZF text format
|
|||
.sp
|
||||
\fBnamed\-nzd2nzf\fP converts an NZD database to NZF format and prints it
|
||||
to standard output. This can be used to review the configuration of
|
||||
zones that were added to \fBnamed\fP via \fBrndc addzone\fP\&. It can also be
|
||||
zones that were added to \fI\%named\fP via \fI\%rndc addzone\fP\&. It can also be
|
||||
used to restore the old file format when rolling back from a newer
|
||||
version of BIND to an older version.
|
||||
.SH ARGUMENTS
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ and private type mnemonics, respectively.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%RFC 1034\fP, \fI\%RFC 1035\fP, \fBnamed(8)\fP\&.
|
||||
\fI\%RFC 1034\fP, \fI\%RFC 1035\fP, \fI\%named(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -237,12 +237,12 @@ This option reports the version number and build options, and exits.
|
|||
This option acquires a lock on the specified file at runtime; this helps to
|
||||
prevent duplicate \fBnamed\fP instances from running simultaneously.
|
||||
Use of this option overrides the \fBlock\-file\fP option in
|
||||
\fBnamed.conf\fP\&. If set to \fBnone\fP, the lock file check is disabled.
|
||||
\fI\%named.conf\fP\&. If set to \fBnone\fP, the lock file check is disabled.
|
||||
.UNINDENT
|
||||
.SH SIGNALS
|
||||
.sp
|
||||
In routine operation, signals should not be used to control the
|
||||
nameserver; \fBrndc\fP should be used instead.
|
||||
nameserver; \fI\%rndc\fP should be used instead.
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B SIGHUP
|
||||
|
|
@ -274,7 +274,7 @@ The default process\-id file.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%RFC 1033\fP, \fI\%RFC 1034\fP, \fI\%RFC 1035\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-checkzone(8)\fP, \fBrndc(8)\fP, \fBnamed.conf(5)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%RFC 1033\fP, \fI\%RFC 1034\fP, \fI\%RFC 1035\fP, \fI\%named\-checkconf(8)\fP, \fI\%named\-checkzone(8)\fP, \fI\%rndc(8)\fP, \fI\%named.conf(5)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ named.conf \- configuration file for **named**
|
|||
\fBnamed.conf\fP
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBnamed.conf\fP is the configuration file for \fBnamed\fP\&.
|
||||
\fBnamed.conf\fP is the configuration file for \fI\%named\fP\&.
|
||||
Statements are enclosed in braces and terminated with a semi\-colon.
|
||||
Clauses in the statements are also semi\-colon terminated. The usual
|
||||
comment styles are supported:
|
||||
|
|
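Review bot: the hunk header shows the NAME line of this page as "named.conf \- configuration file for **named**", with the reST bold markers passed through as literal asterisks. Since the pages are being regenerated anyway, the description string for named.conf should drop the asterisks so the NAME line reads cleanly.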
@ -1312,7 +1312,7 @@ zone <string> [ <class> ] {
|
|||
\fB@sysconfdir@/named.conf\fP
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBrndc(8)\fP, \fBrndc\-confgen(8)\fP, \fBtsig\-keygen(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%named(8)\fP, \fI\%named\-checkconf(8)\fP, \fI\%rndc(8)\fP, \fI\%rndc\-confgen(8)\fP, \fI\%tsig\-keygen(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -77,9 +77,9 @@ and immediately exit.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \fBhost [server]\fP
|
||||
This command looks up information for \fBhost\fP using the current default server or
|
||||
using \fBserver\fP, if specified. If \fBhost\fP is an Internet address and the
|
||||
query type is A or PTR, the name of the host is returned. If \fBhost\fP is
|
||||
This command looks up information for \fI\%host\fP using the current default server or
|
||||
using \fBserver\fP, if specified. If \fI\%host\fP is an Internet address and the
|
||||
query type is A or PTR, the name of the host is returned. If \fI\%host\fP is
|
||||
a name and does not have a trailing period (\fB\&.\fP), the search list is used
|
||||
to qualify the name.
|
||||
.sp
|
||||
|
|
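Review bot: in the description of the "host [server]" command, all three occurrences of the host argument change from \fBhost\fP to \fI\%host\fP, the markup this commit uses everywhere else for cross-references to other programs, while \fBserver\fP in the same sentences stays bold. Here host is the command's argument, not the host(1) utility, so the source should mark it up in a way Sphinx does not resolve as a program reference.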
@ -216,7 +216,7 @@ when \fBnslookup\fP runs, or when the standard output is not a tty.
|
|||
\fB/etc/resolv.conf\fP
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBdig(1)\fP, \fBhost(1)\fP, \fBnamed(8)\fP\&.
|
||||
\fI\%dig(1)\fP, \fI\%host(1)\fP, \fI\%named(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -60,7 +60,7 @@ and the name server. For instance, suitable \fBkey\fP and \fBserver\fP
|
|||
statements are added to \fB@sysconfdir@/named.conf\fP so that the name server
|
||||
can associate the appropriate secret key and algorithm with the IP
|
||||
address of the client application that is using TSIG
|
||||
authentication. \fBddns\-confgen\fP can generate suitable
|
||||
authentication. \fI\%ddns\-confgen\fP can generate suitable
|
||||
configuration fragments. \fBnsupdate\fP uses the \fI\%\-y\fP or \fI\%\-k\fP options
|
||||
to provide the TSIG shared secret; these options are mutually exclusive.
|
||||
.sp
|
||||
|
|
@ -111,12 +111,12 @@ This option forces interactive mode, even when standard input is not a terminal.
|
|||
.TP
|
||||
.B \-k keyfile
|
||||
This option indicates the file containing the TSIG authentication key. Keyfiles may be in
|
||||
two formats: a single file containing a \fBnamed.conf\fP\-format \fBkey\fP
|
||||
statement, which may be generated automatically by \fBddns\-confgen\fP;
|
||||
two formats: a single file containing a \fI\%named.conf\fP\-format \fBkey\fP
|
||||
statement, which may be generated automatically by \fI\%ddns\-confgen\fP;
|
||||
or a pair of files whose names are of the format
|
||||
\fBK{name}.+157.+{random}.key\fP and
|
||||
\fBK{name}.+157.+{random}.private\fP, which can be generated by
|
||||
\fBdnssec\-keygen\fP\&. The \fI\%\-k\fP option can also be used to specify a SIG(0)
|
||||
\fI\%dnssec\-keygen\fP\&. The \fI\%\-k\fP option can also be used to specify a SIG(0)
|
||||
key used to authenticate Dynamic DNS update requests. In this case,
|
||||
the key specified is not an HMAC\-MD5 key.
|
||||
.UNINDENT
|
||||
|
|
@ -127,7 +127,7 @@ This option sets local\-host only mode, which sets the server address to localho
|
|||
(disabling the \fBserver\fP so that the server address cannot be
|
||||
overridden). Connections to the local server use a TSIG key
|
||||
found in \fB@runstatedir@/session.key\fP, which is automatically
|
||||
generated by \fBnamed\fP if any local \fBprimary\fP zone has set
|
||||
generated by \fI\%named\fP if any local \fBprimary\fP zone has set
|
||||
\fBupdate\-policy\fP to \fBlocal\fP\&. The location of this key file can be
|
||||
overridden with the \fI\%\-k\fP option.
|
||||
.UNINDENT
|
||||
|
|
@ -404,15 +404,15 @@ Used to identify the default name server
|
|||
Sets the default TSIG key for use in local\-only mode
|
||||
.TP
|
||||
.B \fBK{name}.+157.+{random}.key\fP
|
||||
Base\-64 encoding of the HMAC\-MD5 key created by \fBdnssec\-keygen\fP\&.
|
||||
Base\-64 encoding of the HMAC\-MD5 key created by \fI\%dnssec\-keygen\fP\&.
|
||||
.TP
|
||||
.B \fBK{name}.+157.+{random}.private\fP
|
||||
Base\-64 encoding of the HMAC\-MD5 key created by \fBdnssec\-keygen\fP\&.
|
||||
Base\-64 encoding of the HMAC\-MD5 key created by \fI\%dnssec\-keygen\fP\&.
|
||||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%RFC 2136\fP, \fI\%RFC 3007\fP, \fI\%RFC 2104\fP, \fI\%RFC 2845\fP, \fI\%RFC 1034\fP, \fI\%RFC 2535\fP, \fI\%RFC 2931\fP,
|
||||
\fBnamed(8)\fP, \fBdnssec\-keygen(8)\fP, \fBtsig\-keygen(8)\fP\&.
|
||||
\fI\%named(8)\fP, \fI\%dnssec\-keygen(8)\fP, \fI\%tsig\-keygen(8)\fP\&.
|
||||
.SH BUGS
|
||||
.sp
|
||||
The TSIG key is redundantly stored in two separate files. This is a
|
||||
|
|
|
|||
|
|
@ -35,26 +35,26 @@ rndc-confgen \- rndc key generation tool
|
|||
\fBrndc\-confgen\fP [\fB\-a\fP] [\fB\-A\fP algorithm] [\fB\-b\fP keysize] [\fB\-c\fP keyfile] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-p\fP port] [\fB\-s\fP address] [\fB\-t\fP chrootdir] [\fB\-u\fP user]
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBrndc\-confgen\fP generates configuration files for \fBrndc\fP\&. It can be
|
||||
used as a convenient alternative to writing the \fBrndc.conf\fP file and
|
||||
the corresponding \fBcontrols\fP and \fBkey\fP statements in \fBnamed.conf\fP
|
||||
\fBrndc\-confgen\fP generates configuration files for \fI\%rndc\fP\&. It can be
|
||||
used as a convenient alternative to writing the \fI\%rndc.conf\fP file and
|
||||
the corresponding \fBcontrols\fP and \fBkey\fP statements in \fI\%named.conf\fP
|
||||
by hand. Alternatively, it can be run with the \fI\%\-a\fP option to set up a
|
||||
\fBrndc.key\fP file and avoid the need for a \fBrndc.conf\fP file and a
|
||||
\fBrndc.key\fP file and avoid the need for a \fI\%rndc.conf\fP file and a
|
||||
\fBcontrols\fP statement altogether.
|
||||
.SH OPTIONS
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-a
|
||||
This option sets automatic \fBrndc\fP configuration, which creates a file
|
||||
\fB@sysconfdir@/rndc.key\fP that is read by both \fBrndc\fP and \fBnamed\fP on startup.
|
||||
This option sets automatic \fI\%rndc\fP configuration, which creates a file
|
||||
\fB@sysconfdir@/rndc.key\fP that is read by both \fI\%rndc\fP and \fI\%named\fP on startup.
|
||||
The \fBrndc.key\fP file defines a default command channel and
|
||||
authentication key allowing \fBrndc\fP to communicate with \fBnamed\fP on
|
||||
authentication key allowing \fI\%rndc\fP to communicate with \fI\%named\fP on
|
||||
the local host with no further configuration.
|
||||
.sp
|
||||
If a more elaborate configuration than that generated by
|
||||
\fI\%rndc\-confgen \-a\fP is required, for example if rndc is to be used
|
||||
remotely, run \fBrndc\-confgen\fP without the \fI\%\-a\fP option
|
||||
and set up \fBrndc.conf\fP and \fBnamed.conf\fP as directed.
|
||||
and set up \fI\%rndc.conf\fP and \fI\%named.conf\fP as directed.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
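Review bot: in the \-a description, "for example if rndc is to be used remotely" leaves rndc as plain text, while every other mention in this hunk is now \fI\%rndc\fP. Mark it up in the source the same way so the regenerated page is consistent.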
@ -84,14 +84,14 @@ This option prints a short summary of the options and arguments to
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-k keyname
|
||||
This option specifies the key name of the \fBrndc\fP authentication key. This must be a
|
||||
This option specifies the key name of the \fI\%rndc\fP authentication key. This must be a
|
||||
valid domain name. The default is \fBrndc\-key\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-p port
|
||||
This option specifies the command channel port where \fBnamed\fP listens for
|
||||
connections from \fBrndc\fP\&. The default is 953.
|
||||
This option specifies the command channel port where \fI\%named\fP listens for
|
||||
connections from \fI\%rndc\fP\&. The default is 953.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -101,17 +101,17 @@ This option prevets printing the written path in automatic configuration mode.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-s address
|
||||
This option specifies the IP address where \fBnamed\fP listens for command\-channel
|
||||
connections from \fBrndc\fP\&. The default is the loopback address
|
||||
This option specifies the IP address where \fI\%named\fP listens for command\-channel
|
||||
connections from \fI\%rndc\fP\&. The default is the loopback address
|
||||
127.0.0.1.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-t chrootdir
|
||||
This option is used with the \fI\%\-a\fP option to specify a directory where \fBnamed\fP
|
||||
This option is used with the \fI\%\-a\fP option to specify a directory where \fI\%named\fP
|
||||
runs chrooted. An additional copy of the \fBrndc.key\fP is
|
||||
written relative to this directory, so that it is found by the
|
||||
chrooted \fBnamed\fP\&.
|
||||
chrooted \fI\%named\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
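Review bot: the hunk header context reads "This option prevets printing the written path in automatic configuration mode", and "prevets" should be "prevents". The typo sits just above the changed lines. It is worth fixing in the .rst source together with this regeneration, so the man page does not have to be rebuilt a second time for it.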
@ -122,17 +122,17 @@ area has its owner changed.
|
|||
.UNINDENT
|
||||
.SH EXAMPLES
|
||||
.sp
|
||||
To allow \fBrndc\fP to be used with no manual configuration, run:
|
||||
To allow \fI\%rndc\fP to be used with no manual configuration, run:
|
||||
.sp
|
||||
\fBrndc\-confgen \-a\fP
|
||||
.sp
|
||||
To print a sample \fBrndc.conf\fP file and the corresponding \fBcontrols\fP and
|
||||
\fBkey\fP statements to be manually inserted into \fBnamed.conf\fP, run:
|
||||
To print a sample \fI\%rndc.conf\fP file and the corresponding \fBcontrols\fP and
|
||||
\fBkey\fP statements to be manually inserted into \fI\%named.conf\fP, run:
|
||||
.sp
|
||||
\fBrndc\-confgen\fP
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBrndc(8)\fP, \fBrndc.conf(5)\fP, \fBnamed(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%rndc(8)\fP, \fI\%rndc.conf(5)\fP, \fI\%named(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ arguments.
|
|||
.sp
|
||||
\fBrndc\fP communicates with the name server over a TCP connection,
|
||||
sending commands authenticated with digital signatures. In the current
|
||||
versions of \fBrndc\fP and \fBnamed\fP, the only supported authentication
|
||||
versions of \fBrndc\fP and \fI\%named\fP, the only supported authentication
|
||||
algorithms are HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224,
|
||||
HMAC\-SHA256 (default), HMAC\-SHA384, and HMAC\-SHA512. They use a shared
|
||||
secret on each end of the connection, which provides TSIG\-style
|
||||
|
|
@ -108,7 +108,7 @@ unless there is an error.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-r
|
||||
This option instructs \fBrndc\fP to print the result code returned by \fBnamed\fP
|
||||
This option instructs \fBrndc\fP to print the result code returned by \fI\%named\fP
|
||||
after executing the requested command (e.g., ISC_R_SUCCESS,
|
||||
ISC_R_FAILURE, etc.).
|
||||
.UNINDENT
|
||||
|
|
@ -121,7 +121,7 @@ This option enables verbose logging.
|
|||
.TP
|
||||
.B \-y key_id
|
||||
This option indicates use of the key \fBkey_id\fP from the configuration file. For control message validation to succeed, \fBkey_id\fP must be known
|
||||
by \fBnamed\fP with the same algorithm and secret string. If no \fBkey_id\fP is specified,
|
||||
by \fI\%named\fP with the same algorithm and secret string. If no \fBkey_id\fP is specified,
|
||||
\fBrndc\fP first looks for a key clause in the server statement of
|
||||
the server being used, or if no server statement is present for that
|
||||
host, then in the default\-key clause of the options statement. Note that
|
||||
|
|
@ -141,14 +141,14 @@ Currently supported commands are:
|
|||
This command adds a zone while the server is running. This command requires the
|
||||
\fBallow\-new\-zones\fP option to be set to \fByes\fP\&. The configuration
|
||||
string specified on the command line is the zone configuration text
|
||||
that would ordinarily be placed in \fBnamed.conf\fP\&.
|
||||
that would ordinarily be placed in \fI\%named.conf\fP\&.
|
||||
.sp
|
||||
The configuration is saved in a file called \fBviewname.nzf\fP (or, if
|
||||
\fBnamed\fP is compiled with liblmdb, an LMDB database file called
|
||||
\fI\%named\fP is compiled with liblmdb, an LMDB database file called
|
||||
\fBviewname.nzd\fP). \fBviewname\fP is the name of the view, unless the view
|
||||
name contains characters that are incompatible with use as a file
|
||||
name, in which case a cryptographic hash of the view name is used
|
||||
instead. When \fBnamed\fP is restarted, the file is loaded into
|
||||
instead. When \fI\%named\fP is restarted, the file is loaded into
|
||||
the view configuration so that zones that were added can persist
|
||||
after a restart.
|
||||
.sp
|
||||
|
|
@ -175,10 +175,10 @@ are reported in the output of the \fBrndc delzone\fP command.)
|
|||
.sp
|
||||
If the zone was originally added via \fBrndc addzone\fP, then it is
|
||||
removed permanently. However, if it was originally configured in
|
||||
\fBnamed.conf\fP, then that original configuration remains in place;
|
||||
\fI\%named.conf\fP, then that original configuration remains in place;
|
||||
when the server is restarted or reconfigured, the zone is
|
||||
recreated. To remove it permanently, it must also be removed from
|
||||
\fBnamed.conf\fP\&.
|
||||
\fI\%named.conf\fP\&.
|
||||
.sp
|
||||
See also \fI\%rndc addzone\fP and \fI\%rndc modzone\fP\&.
|
||||
.UNINDENT
|
||||
|
|
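Review bot: the delzone text in this hunk keeps "If the zone was originally added via \fBrndc addzone\fP" and "the output of the \fBrndc delzone\fP command" as plain bold, while the "See also" line two paragraphs later and the equivalent sentence under modzone use \fI\%rndc addzone\fP. The source evidently marks these up differently. Use the same role for the subcommand references in the delzone paragraph so they are rendered consistently.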
@ -194,7 +194,7 @@ zone.
|
|||
\fBrndc dnssec \-rollover\fP allows you to schedule key rollover for a
|
||||
specific key (overriding the original key lifetime).
|
||||
.sp
|
||||
\fBrndc dnssec \-checkds\fP will let \fBnamed\fP know that the DS for the given
|
||||
\fBrndc dnssec \-checkds\fP will let \fI\%named\fP know that the DS for the given
|
||||
key has been seen published into or withdrawn from the parent. This is
|
||||
required in order to complete a KSK rollover. If the \fB\-key id\fP argument
|
||||
is specified, look for the key with the given identifier, otherwise if there
|
||||
|
|
@ -207,7 +207,7 @@ withdrawn is set to now, unless otherwise specified with the argument \fB\-when
|
|||
.TP
|
||||
.B dnstap (\-reopen | \-roll [number])
|
||||
This command closes and re\-opens DNSTAP output files. \fBrndc dnstap \-reopen\fP allows
|
||||
the output file to be renamed externally, so that \fBnamed\fP can
|
||||
the output file to be renamed externally, so that \fI\%named\fP can
|
||||
truncate and re\-open it. \fBrndc dnstap \-roll\fP causes the output file
|
||||
to be rolled automatically, similar to log files. The most recent
|
||||
output file has ".0" appended to its name; the previous most recent
|
||||
|
|
@ -257,8 +257,8 @@ See also \fI\%rndc thaw\fP\&.
|
|||
This command stops the server immediately. Recent changes made through dynamic
|
||||
update or IXFR are not saved to the master files, but are rolled
|
||||
forward from the journal files when the server is restarted. If
|
||||
\fB\-p\fP is specified, \fBnamed\fP\(aqs process ID is returned. This allows
|
||||
an external process to determine when \fBnamed\fP has completed
|
||||
\fB\-p\fP is specified, \fI\%named\fP\(aqs process ID is returned. This allows
|
||||
an external process to determine when \fI\%named\fP has completed
|
||||
halting.
|
||||
.sp
|
||||
See also \fI\%rndc stop\fP\&.
|
||||
|
|
@ -306,11 +306,11 @@ This command should be used only with extreme caution.
|
|||
.sp
|
||||
Existing keys that are already trusted are not deleted from
|
||||
memory; DNSSEC validation can continue after this command is used.
|
||||
However, key maintenance operations cease until \fBnamed\fP is
|
||||
However, key maintenance operations cease until \fI\%named\fP is
|
||||
restarted or reconfigured, and all existing key maintenance states
|
||||
are deleted.
|
||||
.sp
|
||||
Running \fI\%rndc reconfig\fP or restarting \fBnamed\fP immediately
|
||||
Running \fI\%rndc reconfig\fP or restarting \fI\%named\fP immediately
|
||||
after this command causes key maintenance to be reinitialized
|
||||
from scratch, just as if the server were being started for the
|
||||
first time. This is primarily intended for testing, but it may
|
||||
|
|
@ -326,16 +326,16 @@ This command modifies the configuration of a zone while the server is running. T
|
|||
command requires the \fBallow\-new\-zones\fP option to be set to \fByes\fP\&.
|
||||
As with \fBaddzone\fP, the configuration string specified on the
|
||||
command line is the zone configuration text that would ordinarily be
|
||||
placed in \fBnamed.conf\fP\&.
|
||||
placed in \fI\%named.conf\fP\&.
|
||||
.sp
|
||||
If the zone was originally added via \fI\%rndc addzone\fP, the
|
||||
configuration changes are recorded permanently and are still
|
||||
in effect after the server is restarted or reconfigured. However, if
|
||||
it was originally configured in \fBnamed.conf\fP, then that original
|
||||
it was originally configured in \fI\%named.conf\fP, then that original
|
||||
configuration remains in place; when the server is restarted or
|
||||
reconfigured, the zone reverts to its original configuration. To
|
||||
make the changes permanent, it must also be modified in
|
||||
\fBnamed.conf\fP\&.
|
||||
\fI\%named.conf\fP\&.
|
||||
.sp
|
||||
See also \fI\%rndc addzone\fP and \fI\%rndc delzone\fP\&.
|
||||
.UNINDENT
|
||||
|
|
@ -356,18 +356,18 @@ See also \fI\%rndc trace\fP\&.
|
|||
.B nta [(\-class class | \-dump | \-force | \-remove | \-lifetime duration)] domain [view]
|
||||
This command sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fP, with a
|
||||
lifetime of \fBduration\fP\&. The default lifetime is configured in
|
||||
\fBnamed.conf\fP via the \fBnta\-lifetime\fP option, and defaults to one
|
||||
\fI\%named.conf\fP via the \fBnta\-lifetime\fP option, and defaults to one
|
||||
hour. The lifetime cannot exceed one week.
|
||||
.sp
|
||||
A negative trust anchor selectively disables DNSSEC validation for
|
||||
zones that are known to be failing because of misconfiguration rather
|
||||
than an attack. When data to be validated is at or below an active
|
||||
NTA (and above any other configured trust anchors), \fBnamed\fP
|
||||
NTA (and above any other configured trust anchors), \fI\%named\fP
|
||||
aborts the DNSSEC validation process and treats the data as insecure
|
||||
rather than bogus. This continues until the NTA\(aqs lifetime has
|
||||
elapsed.
|
||||
.sp
|
||||
NTAs persist across restarts of the \fBnamed\fP server. The NTAs for a
|
||||
NTAs persist across restarts of the \fI\%named\fP server. The NTAs for a
|
||||
view are saved in a file called \fBname.nta\fP, where \fBname\fP is the name
|
||||
of the view; if it contains characters that are incompatible with
|
||||
use as a file name, a cryptographic hash is generated from the name of
|
||||
|
|
@ -385,7 +385,7 @@ If \fB\-dump\fP is used, any other arguments are ignored and a list
|
|||
of existing NTAs is printed. Note that this may include NTAs that are
|
||||
expired but have not yet been cleaned up.
|
||||
.sp
|
||||
Normally, \fBnamed\fP periodically tests to see whether data below
|
||||
Normally, \fI\%named\fP periodically tests to see whether data below
|
||||
an NTA can now be validated (see the \fBnta\-recheck\fP option in the
|
||||
Administrator Reference Manual for details). If data can be
|
||||
validated, then the NTA is regarded as no longer necessary and is
|
||||
|
|
@ -413,8 +413,8 @@ on and off.
|
|||
.sp
|
||||
Query logging can also be enabled by explicitly directing the
|
||||
\fBqueries\fP \fBcategory\fP to a \fBchannel\fP in the \fBlogging\fP section
|
||||
of \fBnamed.conf\fP, or by specifying \fBquerylog yes;\fP in the
|
||||
\fBoptions\fP section of \fBnamed.conf\fP\&.
|
||||
of \fI\%named.conf\fP, or by specifying \fBquerylog yes;\fP in the
|
||||
\fBoptions\fP section of \fI\%named.conf\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
|
|
@ -427,7 +427,7 @@ avoids the need to examine the modification times of the zone files.
|
|||
.INDENT 0.0
|
||||
.TP
|
||||
.B recursing
|
||||
This command dumps the list of queries \fBnamed\fP is currently
|
||||
This command dumps the list of queries \fI\%named\fP is currently
|
||||
recursing on, and the list of domains to which iterative queries
|
||||
are currently being sent.
|
||||
.sp
|
||||
|
|
@ -493,7 +493,7 @@ If the first argument is \fB\-\fP, then the output is returned via the
|
|||
\fBrndc\fP response channel and printed to the standard output.
|
||||
Otherwise, it is written to the secroots dump file, which defaults to
|
||||
\fBnamed.secroots\fP, but can be overridden via the \fBsecroots\-file\fP
|
||||
option in \fBnamed.conf\fP\&.
|
||||
option in \fI\%named.conf\fP\&.
|
||||
.sp
|
||||
See also \fI\%rndc managed\-keys\fP\&.
|
||||
.UNINDENT
|
||||
|
|
@ -501,11 +501,11 @@ See also \fI\%rndc managed\-keys\fP\&.
|
|||
.TP
|
||||
.B serve\-stale (on | off | reset | status) [class [view]]
|
||||
This command enables, disables, resets, or reports the current status of
|
||||
the serving of stale answers as configured in \fBnamed.conf\fP\&.
|
||||
the serving of stale answers as configured in \fI\%named.conf\fP\&.
|
||||
.sp
|
||||
If serving of stale answers is disabled by \fBrndc\-serve\-stale off\fP, then it
|
||||
remains disabled even if \fBnamed\fP is reloaded or reconfigured. \fBrndc
|
||||
serve\-stale reset\fP restores the setting as configured in \fBnamed.conf\fP\&.
|
||||
remains disabled even if \fI\%named\fP is reloaded or reconfigured. \fBrndc
|
||||
serve\-stale reset\fP restores the setting as configured in \fI\%named.conf\fP\&.
|
||||
.sp
|
||||
\fBrndc serve\-stale status\fP reports whether caching and serving of stale
|
||||
answers is currently enabled or disabled. It also reports the values of
|
||||
|
|
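Review bot: The context line "If serving of stale answers is disabled by \fBrndc\-serve\-stale off\fP" names a command that does not exist; the hyphen between "rndc" and "serve" should be a space, matching "rndc serve\-stale reset" and "rndc serve\-stale status" a few lines later. The regeneration also left all three "rndc serve\-stale ..." mentions in bold while the neighbouring "named" and "named.conf" became cross-references, which suggests the source marks them as plain literals. Fix the typo in the reST source and decide whether these should use the same role as the other rndc subcommand references (compare "\fI\%rndc managed\-keys\fP"), then regenerate.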
@ -565,7 +565,7 @@ depending on whether the opt\-out bit in the NSEC3
|
|||
chain should be set. \fBiterations\fP defines the number of additional times to apply
|
||||
the algorithm when generating an NSEC3 hash. The \fBsalt\fP is a string
|
||||
of data expressed in hexadecimal, a hyphen (\fI\-\(aq) if no salt is to be
|
||||
used, or the keyword \(ga\(gaauto\(ga\fP, which causes \fBnamed\fP to generate a
|
||||
used, or the keyword \(ga\(gaauto\(ga\fP, which causes \fI\%named\fP to generate a
|
||||
random 64\-bit salt.
|
||||
.sp
|
||||
So, for example, to create an NSEC3 chain using the SHA\-1 hash
|
||||
|
|
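Review bot: The italic run opened at "(\fI\-\(aq)" is not closed until "\(ga\(gaauto\(ga\fP" on the following line, so the rendered page italicises ordinary prose ("if no salt is to be used, or the keyword") and prints stray quote and backquote characters around the hyphen and "auto". That points at unbalanced backquotes in the reST source for this sentence; the regeneration faithfully carries the defect over. Mark the hyphen and "auto" as two separate literals in the source and regenerate, rather than committing the broken markup again.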
@ -601,8 +601,8 @@ there is no explicit root zone configured.
|
|||
.B stop \-p
|
||||
This command stops the server, making sure any recent changes made through dynamic
|
||||
update or IXFR are first saved to the master files of the updated
|
||||
zones. If \fB\-p\fP is specified, \fBnamed\fP\(aqs process ID is returned.
|
||||
This allows an external process to determine when \fBnamed\fP has
|
||||
zones. If \fB\-p\fP is specified, \fI\%named\fP\(aqs process ID is returned.
|
||||
This allows an external process to determine when \fI\%named\fP has
|
||||
completed stopping.
|
||||
.sp
|
||||
See also \fI\%rndc halt\fP\&.
|
||||
|
|
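Review bot: The synopsis line ".B stop \-p" presents "\-p" as a required argument, but the description directly below says "If \fB\-p\fP is specified", so it is optional. Other entries in this page bracket optional arguments (for example "dnstap (\-reopen | \-roll [number])"); the source should read "stop [\-p]" so the regenerated page is consistent.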
@ -661,7 +661,7 @@ apply to statically configured TSIG keys.
|
|||
.TP
|
||||
.B tsig\-list
|
||||
This command lists the names of all TSIG keys currently configured for use by
|
||||
\fBnamed\fP in each view. The list includes both statically configured keys and
|
||||
\fI\%named\fP in each view. The list includes both statically configured keys and
|
||||
dynamic TKEY\-negotiated keys.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
|
|
@ -701,8 +701,8 @@ without using the configuration file.
|
|||
Several error messages could be clearer.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBrndc.conf(5)\fP, \fBrndc\-confgen(8)\fP,
|
||||
\fBnamed(8)\fP, \fBnamed.conf(5)\fP, BIND 9 Administrator
|
||||
\fI\%rndc.conf(5)\fP, \fI\%rndc\-confgen(8)\fP,
|
||||
\fI\%named(8)\fP, \fI\%named.conf(5)\fP, BIND 9 Administrator
|
||||
Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
|
|
|
|||
|
|
@ -35,9 +35,9 @@ rndc.conf \- rndc configuration file
|
|||
\fBrndc.conf\fP
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBrndc.conf\fP is the configuration file for \fBrndc\fP, the BIND 9 name
|
||||
\fBrndc.conf\fP is the configuration file for \fI\%rndc\fP, the BIND 9 name
|
||||
server control utility. This file has a similar structure and syntax to
|
||||
\fBnamed.conf\fP\&. Statements are enclosed in braces and terminated with a
|
||||
\fI\%named.conf\fP\&. Statements are enclosed in braces and terminated with a
|
||||
semi\-colon. Clauses in the statements are also semi\-colon terminated.
|
||||
The usual comment styles are supported:
|
||||
.sp
|
||||
|
|
@ -47,13 +47,13 @@ C++ style: // to end of line
|
|||
.sp
|
||||
Unix style: # to end of line
|
||||
.sp
|
||||
\fBrndc.conf\fP is much simpler than \fBnamed.conf\fP\&. The file uses three
|
||||
\fBrndc.conf\fP is much simpler than \fI\%named.conf\fP\&. The file uses three
|
||||
statements: an options statement, a server statement, and a key
|
||||
statement.
|
||||
.sp
|
||||
The \fBoptions\fP statement contains five clauses. The \fBdefault\-server\fP
|
||||
clause is followed by the name or address of a name server. This host
|
||||
is used when no name server is given as an argument to \fBrndc\fP\&.
|
||||
is used when no name server is given as an argument to \fI\%rndc\fP\&.
|
||||
The \fBdefault\-key\fP clause is followed by the name of a key, which is
|
||||
identified by a \fBkey\fP statement. If no \fBkeyid\fP is provided on the
|
||||
rndc command line, and no \fBkey\fP clause is found in a matching
|
||||
|
|
@ -78,14 +78,14 @@ IPv4 and IPv6 source address, respectively.
|
|||
.sp
|
||||
The \fBkey\fP statement begins with an identifying string, the name of the
|
||||
key. The statement has two clauses. \fBalgorithm\fP identifies the
|
||||
authentication algorithm for \fBrndc\fP to use; currently only HMAC\-MD5
|
||||
authentication algorithm for \fI\%rndc\fP to use; currently only HMAC\-MD5
|
||||
(for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default),
|
||||
HMAC\-SHA384, and HMAC\-SHA512 are supported. This is followed by a secret
|
||||
clause which contains the base\-64 encoding of the algorithm\(aqs
|
||||
authentication key. The base\-64 string is enclosed in double quotes.
|
||||
.sp
|
||||
There are two common ways to generate the base\-64 string for the secret.
|
||||
The BIND 9 program \fBrndc\-confgen\fP can be used to generate a random
|
||||
The BIND 9 program \fI\%rndc\-confgen\fP can be used to generate a random
|
||||
key, or the \fBmmencode\fP program, also known as \fBmimencode\fP, can be
|
||||
used to generate a base\-64 string from known input. \fBmmencode\fP does
|
||||
not ship with BIND 9 but is available on many systems. See the Example
|
||||
|
|
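Review bot: The paragraph starting "There are two common ways to generate the base\-64 string for the secret" presents \fI\%rndc\-confgen\fP and \fBmmencode\fP as equivalent, but the mmencode path only encodes "known input", so the resulting key is no more unpredictable than whatever the operator typed. Since this text is being regenerated anyway, consider adding a sentence to the source saying that the randomly generated key from rndc\-confgen is the preferred option and that input fed to mmencode must itself be random and of adequate length.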
@ -156,7 +156,7 @@ key testkey {
|
|||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
In the above example, \fBrndc\fP by default uses the server at
|
||||
In the above example, \fI\%rndc\fP by default uses the server at
|
||||
localhost (127.0.0.1) and the key called "samplekey". Commands to the
|
||||
localhost server use the "samplekey" key, which must also be defined
|
||||
in the server\(aqs configuration file with the same name and secret. The
|
||||
|
|
@ -164,16 +164,16 @@ key statement indicates that "samplekey" uses the HMAC\-SHA256 algorithm
|
|||
and its secret clause contains the base\-64 encoding of the HMAC\-SHA256
|
||||
secret enclosed in double quotes.
|
||||
.sp
|
||||
If \fBrndc \-s testserver\fP is used, then \fBrndc\fP connects to the server
|
||||
If \fI\%rndc \-s testserver\fP is used, then \fI\%rndc\fP connects to the server
|
||||
on localhost port 5353 using the key "testkey".
|
||||
.sp
|
||||
To generate a random secret with \fBrndc\-confgen\fP:
|
||||
To generate a random secret with \fI\%rndc\-confgen\fP:
|
||||
.sp
|
||||
\fBrndc\-confgen\fP
|
||||
\fI\%rndc\-confgen\fP
|
||||
.sp
|
||||
A complete \fBrndc.conf\fP file, including the randomly generated key,
|
||||
is written to the standard output. Commented\-out \fBkey\fP and
|
||||
\fBcontrols\fP statements for \fBnamed.conf\fP are also printed.
|
||||
\fBcontrols\fP statements for \fI\%named.conf\fP are also printed.
|
||||
.sp
|
||||
To generate a base\-64 secret with \fBmmencode\fP:
|
||||
.sp
|
||||
|
|
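Review bot: In this hunk the command lines the reader is told to type, "\fI\%rndc \-s testserver\fP" and the stand-alone "\fI\%rndc\-confgen\fP", now pick up the cross-reference markup, so a full command with arguments renders as an italic link instead of bold literal text. That is a side effect of the source using the program role for example invocations. Consider a literal role for text meant to be typed and keeping the program role for mentions of the tool in prose, so the example commands stay visually distinct after regeneration.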
@ -182,12 +182,12 @@ To generate a base\-64 secret with \fBmmencode\fP:
|
|||
.sp
|
||||
The name server must be configured to accept rndc connections and to
|
||||
recognize the key specified in the \fBrndc.conf\fP file, using the
|
||||
controls statement in \fBnamed.conf\fP\&. See the sections on the
|
||||
controls statement in \fI\%named.conf\fP\&. See the sections on the
|
||||
\fBcontrols\fP statement in the BIND 9 Administrator Reference Manual for
|
||||
details.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBrndc(8)\fP, \fBrndc\-confgen(8)\fP, \fBmmencode(1)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%rndc(8)\fP, \fI\%rndc\-confgen(8)\fP, \fBmmencode(1)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ tsig-keygen \- TSIG key generation tool
|
|||
.sp
|
||||
\fBtsig\-keygen\fP is an utility that generates keys for use in TSIG signing.
|
||||
The resulting keys can be used, for example, to secure dynamic DNS updates
|
||||
to a zone, or for the \fBrndc\fP command channel.
|
||||
to a zone, or for the \fI\%rndc\fP command channel.
|
||||
.sp
|
||||
A domain name can be specified on the command line to be used as the name
|
||||
of the generated key. If no name is specified, the default is \fBtsig\-key\fP\&.
|
||||
|
|
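Review bot: The context line "\fBtsig\-keygen\fP is an utility that generates keys for use in TSIG signing." should read "a utility"; the same wording appears in the ddns-confgen page. It is a source-text fix rather than a generator issue, but it is cheap to correct in the reST before regenerating so the man pages do not need another churn commit.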
@ -57,7 +57,7 @@ This option prints a short summary of options and arguments.
|
|||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fBnsupdate(1)\fP, \fBnamed.conf(5)\fP, \fBnamed(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
\fI\%nsupdate(1)\fP, \fI\%named.conf(5)\fP, \fI\%named(8)\fP, BIND 9 Administrator Reference Manual.
|
||||
.SH AUTHOR
|
||||
Internet Systems Consortium
|
||||
.SH COPYRIGHT
|
||||
|
|
|
|||