The doc file doc/dnssec-guide/validation.rst points to a resolver test
site that is now down. Remove the dead link.
(cherry picked from commit 8e78f8fc0f)
Since !6413 we discourage opt-out, so we should not be advertising it in
the examples. Even worse, it was just thrown into the command line
without even mentioning its meaning in the surrounding text.
Related: !6413
(cherry picked from commit beae857288b52ee555bdf41491c5aa2eec390c10)
The > looked like shell output redirection. It was present since we
imported DNSSEC Guide into the ARM.
(cherry picked from commit 1ab564d605450cb2c473ded28ff5e8891a4df83b)
These statements/block are ambiguos because they occur in named.conf and
rndc.conf as well. All occurences now link link to the matching
definition.
(cherry picked from commit c3fed5ce40)
It turns out that many manual edits were required:
- Heading underlines were too short because :any:`` is longer than ````
- Some statement names clashed with manually defined _link_anchors
(notify, trust-anchors etc.)
- Zone types are defined like "type primary" in the internal grammar and
that caused mayhem in the replacement script as it took "type" and
individual types ("primary", "secondary") as separate statements.
For that reason :any:`primary` had to be manually replaced with
:any:`primary <type primary>` where appropriate.
- Sometimes option name is also the same as a value name (e.g. "notify")
and then it did not make sense to do the replacement.
(cherry picked from commit 9bbcff225b)
The two procedures were essentially the same, but each instance was
missing some details from the other. They are now combined into one text
in the DNSSEC Guide and linked from DNSSEC chapter.
(cherry picked from commit 7d25027898)
Based on measurements done on BIND v9_19_2 using bank. TLD and a
synthetitc fullly signed zone, using RSASHA256 and ECDSAP256SHA256
algorithms with NSEC and NSEC3 without opt-out.
(cherry picked from commit 635885afe6)
This section was completely out of date. Current measurements on dataset
Telco EU 2022-02 and BIND 9.19.1 indicate absolutely different results
than described in the old version of the text.
(cherry picked from commit 6cf8066b9c)
Guide in this repo is tied to latest version anyway, so let's not even
mention ancient versions of BIND.
This also solves the OpenSSL question because it is now mandatory for
build, which subsequently removes the entropy problem - so let's not
mention it either.
(cherry picked from commit 6e79877759)
dnssec-keymgr is not included in the distribution since BIND 9.17 so
there is no point in keeping usage instructions around.
(cherry picked from commit 0e1306374e)
Mention in the DNSSEC guide in the "revert to unsigned" recipe that you
can publish CDS and CDNSKEY DELETE records to remove the corresponding
DS records from the parent zone.
(cherry picked from commit f088657eb1)
Use the new role :iscman: to replace all occurences or ``binary``
with :iscman:`binary`, creating a hyperlink to the manual page.
Generated using:
find bin -name *.rst | xargs fgrep --files-with-matches '.. iscman' | xargs -I{} -n1 basename {} .rst > /tmp/progs
for PROG in $(cat /tmp/progs); do find -name '*.rst' | xargs sed -i -e "s/\`\`$PROG\`\`/:iscman:\`$PROG\`/g"; done
Additional hand-edits were done mainly around filter-aaaa and
filter-a which are program names and and option names at the
same time. Couple more edits was neede to fix .rst syntax broken by
automatic replacement.
(cherry picked from commit 53a5776025)
Side-effect of hyperlinking is that typos in program and option names
are now detected by Sphinx.
Candidate -options were detected using:
find -name *.rst | xargs grep '``-[^`]'
and then modified from ``-o`` to :option:`-o` using regex
s/``\(-[^`]\+\)``/:option:`\1`/
+ manual modifications where necessary.
Non-hyphenated options were detected by looking at context around
program names:
find bin -name *.rst | xargs -I{} -n1 basename {} .rst | sort -u
and grepping for program name with trailing whitespace.
Stand-alone program names like ``named`` are not hyperlinked in this
commit.
(cherry picked from commit a85df3ff9c)
Add a note to the DNSSEC guide and to the ARM reference that A ZSK/KSK
pair used for signing your zone should have the same algorithm.
This commit also updates the 'dnssec-policy/keys' example to use the
slightly more modern 'rsasha256' algorithm.
(cherry picked from commit 7365400610)
This commit converts the license handling to adhere to the REUSE
specification. It specifically:
1. Adds used licnses to LICENSES/ directory
2. Add "isc" template for adding the copyright boilerplate
3. Changes all source files to include copyright and SPDX license
header, this includes all the C sources, documentation, zone files,
configuration files. There are notes in the doc/dev/copyrights file
on how to add correct headers to the new files.
4. Handle the rest that can't be modified via .reuse/dep5 file. The
binary (or otherwise unmodifiable) files could have license places
next to them in <foo>.license file, but this would lead to cluttered
repository and most of the files handled in the .reuse/dep5 file are
system test files.
In the "Migrating from NSEC to NSEC3" section, it says:
dnssec-policy "standard" {
nsec3param iterations optout no salt-length 16;
};
There should be an integer after "iterations". Based on the following
text, the number of iterations should be 10.
Update the ARM to mention the new built-in "insecure" policy. Update
the DNSSEC guide recipe "Revert to unsigned" to add the additional
step of reconfiguring the zone to "insecure" (instead of immediately
set it to "none").
Add a new option 'purge-keys' to 'dnssec-policy' that will purge key
files for deleted keys. The option determines how long key files
should be retained prior to removing the corresponding files from
disk.
If set to 0, the option is disabled and 'named' will not remove key
files from disk.
