# HG changeset patch
# User Stacey Marshall
# Date 1466081313 -3600
# Node ID a498cb62401486fbacec8921370d91db6d335b4f
# Parent cebcbbd803413537e381cc4b2b6d3ed8cff0eecc
PSARC/2016/261 BIND 9.10 21964863 Upgrade ISC BIND (named) to the most recent version (9.10.3) 22330192 Eradicate MD5 from Solaris: DNS server BIND 23033730 BIND Makefile has leftover 32-bit references 18398243 nslookup cores when kfcd isn't running
diff -r cebcbbd80341 -r a498cb624014 components/bind/Makefile
--- a/components/bind/Makefile Mon Jun 06 06:11:42 2016 -0700
+++ b/components/bind/Makefile Thu Jun 16 13:48:33 2016 +0100
@@ -26,30 +26,36 @@ include ../../make-rules/shared-macros.mk COMPONENT_NAME= bind -COMPONENT_VERSION= 9.6-ESV-R11 -HUMAN_VERSION= $(COMPONENT_VERSION)-P6 -IPS_COMPONENT_VERSION= 9.6.3.11.6 +COMPONENT_VERSION= 9.10.3-P4 +HUMAN_VERSION= $(COMPONENT_VERSION) +IPS_COMPONENT_VERSION= 9.10.3.0.4 COMPONENT_PROJECT_URL= http://www.isc.org/software/bind/ # hash from: sha256sum $(COMPONENT_ARCHIVE) | sed 's/\(.[^ ]*\).*/sha256:\1/' COMPONENT_ARCHIVE_HASH= \ - sha256:4f052195a62218c05a05033774452e6a9e329b865c01e594cc20a6adf11e0d0f + sha256:2ac044b5fbdf45fb45107af0df961b3b7cb5262a3bf1948ed3fe7a170dd13e3e COMPONENT_ARCHIVE_URL= \ http://ftp.isc.org/isc/bind9/$(COMPONENT_VERSION)/$(COMPONENT_ARCHIVE) +COMPONENT_SIG_URL= $(COMPONENT_ARCHIVE_URL).sha512.asc COMPONENT_BUGDB= service/dns-server - -TPNO= 25905 +TPNO= 26279 include $(WS_MAKE_RULES)/common.mk +# PYVER is important for packaging and computing requisites. +PYTHON_VERSION = 3.4 +PKG_MACROS += PYVER=$(PYTHON_VERSION) + # Specify "configure" options and features. # FYI, The configure options are displayed by 'named -V'. CONFIGURE_OPTIONS += --enable-full-report -# - Build dynamic libraries, static libraries are not shipped. +# Python: specifying version helps with packaging. +CONFIGURE_OPTIONS += --with-python=$(PYTHON.$(PYTHON_VERSION)) +# - libtool: Build dynamic libraries, static libraries are not shipped. CONFIGURE_OPTIONS += --with-libtool -# - Use openssl, but don't check version as that is also delivered dynamically. +# - openssl: use openssl, required for DNSSEC features. CONFIGURE_OPTIONS += --with-openssl -CONFIGURE_OPTIONS += --disable-openssl-version-check +# - pkcs11: Use openSSL pkcs11 engine (KMIP/KMS) CONFIGURE_OPTIONS += --with-pkcs11 # - Use xml2-config found uder /usr without checking its version. CONFIGURE_OPTIONS += --with-libxml2=$(USRDIR) 
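Review bot: In components/bind/Makefile the new `COMPONENT_SIG_URL` is derived from `COMPONENT_ARCHIVE_URL`, which still uses plain `http://ftp.isc.org`, so the archive and its detached signature arrive over the same unauthenticated channel. The signature only adds assurance if the fetch step verifies it against an ISC release key obtained out of band, and nothing in this hunk shows which key is used. The existing comment `# hash from: sha256sum $(COMPONENT_ARCHIVE)` also describes taking the pin from whatever was downloaded, which is trust-on-first-use. I would add a comment above the new line along the lines of `# .sha512.asc must verify against the ISC signing key before COMPONENT_ARCHIVE_HASH is regenerated` (adjusted to how the key is actually provisioned), and use an https URL if the mirror serves one.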
@@ -61,14 +67,12 @@ # Override / set specific pathnames: # - DNS libraries are in usr/lib/dns - Override settings from configure.mk -CONFIGURE_LIBDIR.32 = $(CONFIGURE_PREFIX)/lib/dns CONFIGURE_LIBDIR.64 = $(CONFIGURE_PREFIX)/lib/dns/$(MACH64) -# - Traditionally all BIND executables are installed in sbin not bin. -CONFIGURE_BINDIR.64 = $(CONFIGURE_SBINDIR.64) CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR) CONFIGURE_OPTIONS += --localstatedir=$(VARDIR) CONFIGURE_OPTIONS += --with-randomdev=/dev/random CONFIGURE_OPTIONS += --with-gssapi=krb5-config +CONFIGURE_OPTIONS += --with-docbook-xsl=/usr/share/sgml/docbook # Compiler and compiler options: # - configure will add "-mt" to CC which is already set in CFLAGS, so override. @@ -145,24 +149,19 @@ else \ echo '64bit version not found.'; \ fi; - @if [ -e $(PROTO_DIR)$(CONFIGURE_SBINDIR.32)/named ]; then \ - echo '32bit version:'; \ - file $(PROTO_DIR)$(CONFIGURE_SBINDIR.32)/named; \ - LD_LIBRARY_PATH=$(PROTO_DIR)$(CONFIGURE_LIBDIR.32) \ - $(PROTO_DIR)$(CONFIGURE_SBINDIR.32)/named -V; \ - else \ - echo '32bit version not found.'; \ - fi; test-clean: - $(RM) $(TEST_32_and_64) + $(RM) $(TEST_64) # Package dependencies # Created by 'gmake REQUIRED_PACKAGES', manually verified. +REQUIRED_PACKAGES += library/json-c +REQUIRED_PACKAGES += library/libedit REQUIRED_PACKAGES += library/libxml2 REQUIRED_PACKAGES += library/security/openssl REQUIRED_PACKAGES += library/security/openssl/openssl-fips-140 REQUIRED_PACKAGES += network/dns/bind +REQUIRED_PACKAGES += runtime/python-34 REQUIRED_PACKAGES += security/kerberos-5 REQUIRED_PACKAGES += service/security/kerberos-5 REQUIRED_PACKAGES += shell/ksh93 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dig.8 --- a/components/bind/Solaris/dig.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
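Review bot: In components/bind/Makefile (hunk `@@ -145,24 +149,19 @@`), `library/json-c` and `library/libedit` are added to `REQUIRED_PACKAGES`, but none of the `CONFIGURE_OPTIONS` lines this commit adds requests those features, so they appear to be picked up by configure autodetection. A build host missing either library would then presumably produce binaries without the feature while the package still declares the dependency, and the result would depend on what happens to be installed on the builder. Consider stating the intent explicitly, for example `CONFIGURE_OPTIONS += --with-libjson`, so that configure should fail rather than silently drop the feature. The option list between the hunks is not visible here, so confirm it is not already set there.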
@@ -1,784 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dig 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -dig \- DNS lookup utility -.SH SYNOPSIS -.LP -.nf -\fBdig\fR [@server] [\fB-b\fR \fIaddress\fR] [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIfilename\fR] - [\fB-k\fR \fIfilename\fR] [\fB-m\fR] [\fB-p\fR \fIport#\fR] [\fB-q\fR \fIname\fR] [\fB-t\fR \fItype\fR] [\fB-x\fR \fIaddr\fR] - [\fB-y\fR [\fIhmac\fR:]\fIname:key\fR] [\fB-4\fR] [\fB-6\fR] [\fIname\fR] [\fItype\fR] [\fIclass\fR] [\fIqueryopt\fR]... -.fi - -.LP -.nf -\fBdig\fR [\fB-h\fR] -.fi - -.LP -.nf -\fBdig\fR [\fIglobal-queryopt\fR...] [\fIquery\fR...] -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBdig\fR utility (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use \fBdig\fR to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than \fBdig\fR. 
-.sp -.LP -Although \fBdig\fR is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the \fB-h\fR option is specified. Unlike earlier versions, the BIND 9 implementation of \fBdig\fR allows multiple lookups to be issued from the command line. -.sp -.LP -Unless it is told to query a specific name server, \fBdig\fR tries each of the servers listed in \fB/etc/resolv.conf\fR. -.sp -.LP -When no command line arguments or options are given, \fBdig\fR performs an NS query for "." (the root). -.sp -.LP -It is possible to set per-user defaults for \fBdig\fR with \fB${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments. -.sp -.LP -The \fBIN\fR and \fBCH\fR class names overlap with the \fBIN\fR and \fBCH\fR top level domains names. Either use the \fB-t\fR and \fB-c\fR options to specify the type and class, or use \fB"IN."\fR and \fB"CH."\fR when looking up these top level domains. -.SS "Simple Usage" -.sp -.LP -The following is a typical invocation of \fBdig\fR: -.sp -.in +2 -.nf -dig @server name type -.fi -.in -2 -.sp - -.sp -.LP -where: -.sp -.ne 2 -.mk -.na -\fB\fIserver\fR\fR -.ad -.sp .6 -.RS 4n -The name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied \fIserver\fR argument is a hostname, \fBdig\fR resolves that name before querying that name server. If no \fIserver\fR argument is provided, \fBdig\fR consults \fB/etc/resolv.conf\fR and queries the name servers listed there. The reply from the name server that responds is displayed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIname\fR\fR -.ad -.sp .6 -.RS 4n -The name of the resource record that is to be looked up. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fItype\fR\fR -.ad -.sp .6 -.RS 4n -Indicates what type of query is required (ANY, A, MX, SIG, among others.) \fItype\fR can be any valid query type. If no \fItype\fR argument is supplied, \fBdig\fR performs a lookup for an A record. -.RE - -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-4\fR\fR -.ad -.sp .6 -.RS 4n -Use only IPv4 transport. By default both IPv4 and IPv6 transports can be used. Options \fB-4\fR and \fB-6\fR are mutually exclusive. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-6\fR\fR -.ad -.sp .6 -.RS 4n -Use only IPv6 transport. By default both IPv4 and IPv6 transports can be used. Options \fB-4\fR and \fB-6\fR are mutually exclusive. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIaddress\fR\fR -.ad -.sp .6 -.RS 4n -Set the source IP address of the query to \fIaddress\fR. This must be a valid address on one of the host's network interfaces or \fB0.0.0.0\fR or \fB::\fR. An optional port may be specified by appending: \fB#\fR\fI\fR -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -Override the default query class (IN for internet). The \fIclass\fR argument is any valid class, such as HS for Hesiod records or CH for CHAOSNET records. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -Operate in batch mode by reading a list of lookup requests to process from the file \fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to \fBdig\fR using the command-line interface. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -Print a brief summary of command-line arguments and options. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -Specify a transaction signature (TSIG) key file to sign the DNS queries sent by \fBdig\fR and their responses using TSIGs. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-m\fR\fR -.ad -.sp .6 -.RS 4n -Enable memory usage debugging. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIport#\fR\fR -.ad -.sp .6 -.RS 4n -Query a non-standard port number. The \fIport#\fR argument is the port number that \fBdig\fR sends its queries instead of the standard DNS port number 53. This option tests a name server that has been configured to listen for queries on a non-standard port number. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-q\fR \fIname\fR\fR -.ad -.sp .6 -.RS 4n -Sets the query name to \fIname\fR. This can be useful in that the query name can be easily distinguished from other arguments. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -Set the query type to \fItype\fR, which can be any valid query type supported in BIND9. The default query type "A", unless the \fB-x\fR option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, \fItype\fR is set to \fBixfr\fR=\fIN\fR. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was \fIN\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-x\fR \fIaddr\fR\fR -.ad -.sp .6 -.RS 4n -Simplify reverse lookups (mapping addresses to names ). The \fIaddr\fR argument is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the \fIname\fR, \fIclass\fR and \fItype\fR arguments. The \fBdig\fR utility automatically performs a lookup for a name like \fB11.12.13.10.in-addr.arpa\fR and sets the query type and class to PTR and IN, respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain, specify the \fB-i\fR option. Bit string labels (RFC 2874) are now experimental and are not attempted. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-y\fR [\fIhmac\fR:]\fIname\fR:\fIkey\fR\fR -.ad -.sp .6 -.RS 4n -Specify a transaction signature (TSIG) key on the command line. This is done to sign the DNS queries sent by \fBdig\fR, as well as their responses. You can also specify the TSIG key itself on the command line using the \fB-y\fR option. The optional \fIhmac\fR is the type of TSIG; the default is \fBHMAC-MD5\fR. The \fIname\fR argument is the name of the TSIG key and the \fIkey\fR argument is the actual key. The key is a base-64 encoded string, typically generated by \fBdnssec-keygen\fR(8). -.sp -Caution should be taken when using the \fB-y\fR option on multi-user systems, since the key can be visible in the output from \fBps\fR(1) or in the shell's history file. When using TSIG authentication with \fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate \fBkey\fR and \fBserver\fR statements in \fBnamed.conf\fR. -.RE - -.SH QUERY OPTIONS -.sp -.LP -The \fBdig\fR utility provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies. -.sp -.LP -Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string no to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form \fB+keyword=\fR\fIvalue\fR. The query options are: -.sp -.ne 2 -.mk -.na -\fB\fB+[no]tcp\fR\fR -.ad -.sp .6 -.RS 4n -Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]vc\fR\fR -.ad -.sp .6 -.RS 4n -Use [do not use] TCP when querying name servers. This alternate syntax to \fB+[no]tcp\fR is provided for backwards compatibility. The "vc" stands for "virtual circuit". -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]ignore\fR\fR -.ad -.sp .6 -.RS 4n -Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+domain=\fR\fIsomename\fR\fR -.ad -.sp .6 -.RS 4n -Set the search list to contain the single domain \fIsomename\fR, as if specified in a \fBdomain\fR directive in \fB/etc/resolv.conf\fR, and enable search list processing as if the \fB+search\fR option were given. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]search\fR\fR -.ad -.sp .6 -.RS 4n -Use [do not use] the search list defined by the \fBsearchlist\fR or \fBdomain\fR directive in \fBresolv.conf\fR (if any). The search list is not used by default. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]showsearch\fR\fR -.ad -.sp .6 -.RS 4n -Perform [do not perform] a search showing intermediate results. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]defname\fR\fR -.ad -.sp .6 -.RS 4n -Deprecated, treated as a synonym for \fB+[no]search\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]aaonly\fR\fR -.ad -.sp .6 -.RS 4n -Sets the \fBaa\fR flag in the query. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]aaflag\fR\fR -.ad -.sp .6 -.RS 4n -A synonym for \fB+[no]aaonly\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]adflag\fR\fR -.ad -.sp .6 -.RS 4n -Set [do not set] the AD (authentic data) bit in the query. This requests that the server return, regardless of whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. A setting of \fBAD=1\fR indicates that all records have been validated as secure and the answer is not from an \fBOPT-OUT\fR range. \fBAD=0\fR indicates that some part of the answer is insecure or not validated. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cdflag\fR\fR -.ad -.sp .6 -.RS 4n -Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cl\fR\fR -.ad -.sp .6 -.RS 4n -Display [do not display] the CLASS when printing the record. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]ttlid\fR\fR -.ad -.sp .6 -.RS 4n -Display [do not display] the TTL when printing the record. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]recurse\fR\fR -.ad -.sp .6 -.RS 4n -Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means \fBdig\fR normally sends recursive queries. Recursion is automatically disabled when the \fB+nssearch\fR or \fB+trace\fR query options are used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]nssearch\fR\fR -.ad -.sp .6 -.RS 4n -When this option is set, \fBdig\fR attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]trace\fR\fR -.ad -.sp .6 -.RS 4n -Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, \fBdig\fR makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cmd\fR\fR -.ad -.sp .6 -.RS 4n -Toggle the printing of the initial comment in the output identifying the version of \fBdig\fR and the query options that have been applied. This comment is printed by default. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]short\fR\fR -.ad -.sp .6 -.RS 4n -Provide a terse answer. The default is to print the answer in a verbose form. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]identify\fR\fR -.ad -.sp .6 -.RS 4n -Show [or do not show] the IP address and port number that supplied the answer when the +\fIshort\fR option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]comments\fR\fR -.ad -.sp .6 -.RS 4n -Toggle the display of comment lines in the output. The default is to print comments. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]stats\fR\fR -.ad -.sp .6 -.RS 4n -Toggle the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]qr\fR\fR -.ad -.sp .6 -.RS 4n -Print [do not print] the query as it is sent. By default, the query is not printed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]question\fR\fR -.ad -.sp .6 -.RS 4n -Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]answer\fR\fR -.ad -.sp .6 -.RS 4n -Display [do not display] the answer section of a reply. The default is to display it. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]authority\fR\fR -.ad -.sp .6 -.RS 4n -Display [do not display] the authority section of a reply. The default is to display it. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]additional\fR\fR -.ad -.sp .6 -.RS 4n -Display [do not display] the additional section of a reply. The default is to display it. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]all\fR\fR -.ad -.sp .6 -.RS 4n -Set or clear all display flags. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+time=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -Sets the timeout for a query to \fIT\fR seconds. The default time out is 5 seconds. An attempt to set \fIT\fR to less than 1 will result in a query timeout of 1 second being applied. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+tries=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -Sets the maximum number of UDP attempts to \fIT\fR. The default number is 3 (1 initial attempt followed by 2 retries). If T is less than or equal to zero, the number of retries is silently rounded up to 1. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+retry=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -Sets the number of UDP retries to \fIT\fR. The default is 2. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+ndots=\fR\fID\fR\fR -.ad -.sp .6 -.RS 4n -Set the number of dots that have to appear in \fIname\fR to \fID\fR for it to be considered absolute. The default value is that defined using the \fBndots\fR statement in \fB/etc/resolv.conf\fR, or 1 if no \fBndots\fR statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the \fBsearch\fR or \fBdomain\fR directive in \fB/etc/resolv.conf\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+bufsize=\fR\fIB\fR\fR -.ad -.sp .6 -.RS 4n -Set the UDP message buffer size advertised using EDNS0 to \fIB\fR bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+edns=\fR\fI#\fR\fR -.ad -.sp .6 -.RS 4n -Specify the EDNS version with which to query. Valid values are 0 to 255. Setting the EDNS version causes a EDNS query to be sent. \fB+noedns\fR clears the remembered EDNS version. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]multiline\fR\fR -.ad -.sp .6 -.RS 4n -Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the \fBdig\fR output. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]fail\fR\fR -.ad -.sp .6 -.RS 4n -Do not try the next server if you receive a \fBSERVFAIL\fR. The default is to not try the next server which is the reverse of normal stub resolver behavior. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]besteffort\fR\fR -.ad -.sp .6 -.RS 4n -Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]dnssec\fR\fR -.ad -.sp .6 -.RS 4n -Request DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]sigchase\fR\fR -.ad -.sp .6 -.RS 4n -Chase DNSSEC signature chains. Requires \fBdig\fR be compiled with \fB-DDIG_SIGCHASE\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+trusted-key=\fR####\fR -.ad -.sp .6 -.RS 4n -Specifies a file containing trusted keys to be used with \fB+sigchase\fR. Each \fBDNSKEY\fR record must be on its own line. -.sp -If not specified dig will look for \fB/etc/trusted-key.key\fR then \fBtrusted-key.key\fR in the current directory. -.sp -Requires \fBdig\fR be compiled with \fB-DDIG_SIGCHASE\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]topdown\fR\fR -.ad -.sp .6 -.RS 4n -When chasing DNSSEC signature chains, perform a top-down validation. Requires \fBdig\fR be compiled with \fB-DDIG_SIGCHASE\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]nsid\fR\fR -.ad -.sp .6 -.RS 4n -Include an EDNS name server ID request when sending a query. -.RE - -.SH MULTIPLE QUERIES -.sp -.LP -The BIND 9 implementation of \fBdig\fR supports specifying multiple queries on the command line (in addition to supporting the \fB-f\fR batch file option). Each of those queries can be supplied with its own set of flags, options and query options. -.sp -.LP -In this case, each \fIquery\fR argument represent an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type, and class and any query options that should be applied to that query. -.sp -.LP -A global set of query options, which should be applied to all queries, can also be supplied. 
These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the \fB+[no]cmd\fR option) can be overridden by a query-specific set of query options. For example: -.sp -.in +2 -.nf -dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -.fi -.in -2 -.sp - -.sp -.LP -\&...shows how \fBdig\fR could be used from the command line to make three lookups: an ANY query for \fBwww.isc.org\fR, a reverse lookup of 127.0.0.1 and a query for the NS records of \fBisc.org\fR. A global query option of \fB+qr\fR is applied, so that \fBdig\fR shows the initial query it made for each lookup. The final query has a local query option of \fB+noqr\fR which means that \fBdig\fR will not print the initial query when it looks up the NS records for \fBisc.org\fR. -.SH FILES -.sp -.ne 2 -.mk -.na -\fB\fB/etc/resolv.conf\fR\fR -.ad -.sp .6 -.RS 4n -Resolver configuration file -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB${HOME}/.digrc\fR\fR -.ad -.sp .6 -.RS 4n -User-defined configuration file -.RE - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilitynetwork/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdnssec-keygen\fR(8), \fBhost\fR(8), \fBnamed\fR(8), \fBnslookup\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 1035\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. -.SH BUGS -.sp -.LP -There are probably too many query options. -.SH NOTES -.sp -.LP -\fBnslookup\fR(8) and \fBdig\fR now report "Not Implemented" as \fBNOTIMP\fR rather than \fBNOTIMPL\fR. This will have impact on scripts that are looking for \fBNOTIMPL\fR. 
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dns-server.8s --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/bind/Solaris/dns-server.8s Thu Jun 16 13:48:33 2016 +0100 
@@ -0,0 +1,453 @@ +'\" te +.\" Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. +.TH dns-server 5 "18 Apr 2016" "SunOS 5.12" "Standards, Environments, and Macros" +.SH NAME +dns-server \- Domain Name Server service +.SH DESCRIPTION +.sp +.LP +The \fBdns-server\fR service is a service management facility, under the service identifier: +.sp +.in +2 +.nf +svc:/network/dns/server:default +.fi +.in -2 +.sp +.LP +The service starts, monitors and manages an instance of \fBnamed\fR(8) with command line +options as per service properties configured in the SMF configuration +repository. Use \fBsvcprop\fR(1) to list the properties and +\fBsvccfg\fR(8) to make changes. See EXAMPLES below. +.sp +.LP +Administrative actions on this service, such as enabling, disabling, +or requesting restart, can be performed using \fBsvcadm\fR(8). The +service's status can be queried using the \fBsvcs\fR(1) command. +.SH SERVICE +.sp +.LP +The \fBdns-server\fR SMF service supports the \fBstart\fR, +\fBstop\fR, \fBrefresh\fR and \fBrestart\fR methods. The methods are +invoked using \fBsvcadm\fR(8). +.sp +.ne 2 +.mk +.na +\fB\fBstart\fR\fR +.ad +.RS 11n +.rt +Reads SMF properties and creates relevant command line, checks for existence of configuration file, and +for rndc configuration (/etc/rndc.conf) or key (/etc/rndc.key) file (creating them if +neither exist), starts named(8) with created options and monitors process. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBstop\fR\fR +.ad +.RS 11n +.rt +stops instance. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBrefresh\fR\fR +.ad +.RS 11n +.rt +Refreshes SMF options and sends \fBnamed\fR(8) instance a \fBSIGHUP\fR +signal, causing it to reload named.conf. Note, a running instance +will not pickup any SMF option changes until a restart. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBrestart\fR\fR +.ad +.RS 11n +.rt +stops and the restarts instance. 
+.RE + +.SH SMF PROPERTIES +.sp +.LP +The following application configuration properties are available to administrators: + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIchroot_dir\fR\fR +.ad +.sp .6 +.RS 4n +This option is not recommended and may be removed in a future release! +Using \fBzones\fR(7) and Role-Based Access Control, \fBrbac\fR(7), is +recommended rather than chroot environments. +.sp +\fIchroot_dir\fR specifies the directory to be used as the root +directory after processing SMF properties and the command line +arguments but before reading the configuration file. Use this property +when using a \fBchroot\fR(2) environment. Synonymous to command line +option \fB-t\fR \fIdirectory\fR. +.sp +This option should be used in conjunction with the start/user option +(see below), as chrooting a process running as root does not enhance +security on most systems; the way chroot() is defined allows a process +with root privileges to escape a chroot jail. +.sp +When using \fBchroot\fR(2), \fBnamed\fR(8) is unable to disable itself +when receiving \fBrndc\fR(8) \fBstop\fR or \fBhalt\fR +commands. Instead, you must use the \fBsvcadm\fR(8) \fBdisable\fR +command. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIconfiguration_file\fR\fR +.ad +.sp .6 +.RS 4n +Specifies the configuration file to be used instead of the default, +\fB/etc/named.conf\fR. A directory option might be specified in the +configuration file. To ensure that reloading the configuration file +continues to work in such a situation, \fIconfiguration_file\fR should +be specified as an absolute pathname. This pathname should not include +the \fIchroot_dir\fR pathname. This property is the equivalent of the +\fB-c\fR \fIconfig-file\fR option. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIcrypto_engine\fR\fR +.ad +.sp .6 +.RS 4n +Specify an alternative crypto hardware (OpenSSL engine) for the crypto +operations. Equivalent command line option \fB-E\fR \fIengine-name\fR. 
+.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIdebug_level\fR\fR +.ad +.sp .6 +.RS 4n +Specifies the default debug level. The default is 0, which means no debugging. The higher the number the more verbose debug information becomes. Equivalent of the command line option \fB-d\fR \fIdebug_level\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIip_interfaces\fR\fR +.ad +.sp .6 +.RS 4n +Specifies over which IP transport, IPv4 or IPv6, BIND will transmit. Possible values are \fBIPv4\fR or \fBIPv6\fR. Any other setting assumes \fBall\fR, the default. This property is the equivalent of command line option \fB-4\fR or \fB-6\fR +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIlisten_on_port\fR\fR +.ad +.sp .6 +.RS 4n +Specifies the default UDP and TCP port to be used for listening to DNS requests. This property is the equivalent of the command line option \fB-p\fR \fIport\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIlistener_threads\fR\fR +.ad +.sp .6 +.RS 4n +Specifies the number of listener worker threads to listen for incoming UDP packets on each address. If not specified, \fBnamed\fR will calculate a default value based on the number of detected CPUs: 1 for 1 CPU, 2 for 2-4 CPUs, and the number of detected CPUs divided by 2 for values higher than 4. If \fB\fBoptions\fR/\fIthreads\fR\fR has been set to a higher value than the number of detected CPUs, then \fBlistener_threads\fR may be increased as high as that value, but no higher. Equivalent command line option \fB-U\fR \fI#listeners\fR'. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIserver\fR\fR +.ad +.sp .6 +.RS 4n +Specifies the server executable to be used instead of the default server, \fB/usr/sbin/named\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBoptions\fR/\fIthreads\fR\fR +.ad +.sp .6 +.RS 4n +Specifies the number of CPU worker threads to create. The default of 0 causes \fBnamed\fR to try and determine the number of CPUs present and create one thread per CPU. 
Equivalent of command line option \fB-n\fR \fI#cpus\fR. +.RE + +.sp +.LP +In the event of a configuration error originating in one of the above +SMF application options, an error message is logged which +provides information about the error and the parameters that need +correcting. \fBdns-server\fR then exits with exit code +\fBSMF_EXIT_ERR_CONFIG\fR. In the event of an error other than a +configuration error, \fBdns-server\fR exits with exit code +\fBSMF_EXIT_ERR_FATAL\fR. Both non-successful exit codes cause the start +method, \fBsmf_method\fR(7), to place the service in the maintenance +state, which can be observed with the \fBsvcs\fR(1) command \fBsvcs\fR +\fB-x\fR. +.sp +.LP +In addition to the properties listed above, the following property can +be used to invoke \fBnamed\fR as a user other than root: +.sp +.ne 2 +.mk +.na +\fB\fBstart\fR/\fIuser\fR\fR +.ad +.sp .6 +.RS 4n +Specifies the identity of the user that is invoking \fBnamed\fR. See +\fBsmf_method\fR(7). Note that the user must have +\fBsolaris.smf.manage.bind\fR authorization. Without this role the +\fBnamed\fR will be unable to manage its SMF FMRI and \fBnamed\fR will +automatically be restarted by the SMF after an \fBrndc\fR(8) +\fBstop\fR or \fBhalt\fR command. See \fBEXAMPLES\fR for a sequence of +commands that establishes the correct authorization. +.RE + +.SH EXAMPLES +.LP +\fBExample 1 \fRConfiguring \fBnamed\fR to Transmit Only over IPv4 Networks +.sp +.LP +The following command sequence configures \fBnamed\fR such that it +will transmit only over IPv4 networks. + +.sp +.in +2 +.nf +# \fBsvccfg -s svc:network/dns/server:default setprop \e\fR + +\fB> options/ip_interfaces=IPv4\fR + +# \fBsvcadm refresh svc:network/dns/server:default\fR + +# +.fi +.in -2 +.sp + +.LP +\fBExample 2 \fRListing Current Configuration File and Setting an Alternative File +.sp +.LP +The following sequence of commands lists the current \fBnamed\fR +configuration file and sets an alternative file. 
+ +.sp +.in +2 +.nf +# \fBsvcprop -p options/configuration_file dns/server:default\fR + +/etc/named.conf + +# \fBsvccfg -s dns/server:default setprop \e + +> options/configuration_file=/var/named/named.conf\fR + +# \fBsvcadm refresh dns/server:default\fR + +# \fBsvcprop -p options/configuration_file dns/server:default\fR + +/var/named/named.conf +.fi +.in -2 +.sp + +.LP +\fBExample 3 \fREstablishing Appropriate Authorization for \fBnamed\fR +.sp +.LP +To have \fBnamed\fR start with the \fBsolaris.smf.manage.bind\fR +authorization, perform the steps shown below. + +.sp +.LP +Add the user \fBdnsadmin\fR to the \fBsolaris.smf.manage.bind\fR role: + +.sp +.in +2 +.nf +# \fBusermod -A solaris.smf.manage.bind dnsadmin\fR + +\fBObserve effect of command:\fR + +# \fBtail -1 /etc/user_attr\fR + +dnsadmin::::type=normal;auths=solaris.smf.manage.bind +.fi +.in -2 +.sp + +.sp +.LP +Modify the service properties: + +.sp +.in +2 +.nf +# \fBsvccfg\fR + +svc:> \fBselect svc:/network/dns/server:default\fR + +svc:/network/dns/server:default> \fBsetprop start/user = dnsadmin\fR + +svc:/network/dns/server:default> \fBsetprop start/group = dnsadmin\fR + +svc:/network/dns/server:default> \fBexit\fR + +# \fBsvcadm refresh svc:/network/dns/server:default\fR + +# \fBsvcadm restart svc:/network/dns/server:default\fR +.fi +.in -2 +.sp + +.sp +.LP +Because only root has write access to create the default process-ID +file, \fB/var/run/named/named.pid\fR, \fBnamed\fR must be configured +to use an alternative path for the user \fBdnsadmin\fR. Here is an +example of how to accomplish this: + +.sp +.in +2 +.nf +# \fBmkdir /var/named/tmp\fR + +# \fBchown dnsadmin /var/named/tmp\fR +.fi +.in -2 +.sp + +.sp +.LP +Shown below is what you must add to \fBnamed.conf\fR to make use of +the directory created above. 
+ +.sp +.in +2 +.nf +# \fBhead /etc/named.conf\fR + +options { + +directory "/var/named"; + +pid-file "/var/named/tmp/named.pid"; + +}; +.fi +.in -2 +.sp + +.SH FILES +.sp +.ne 2 +.mk +.na +\fB\fB/etc/named.conf\fR\fR +.ad +.sp .6 +.RS 4n +default configuration file +.RE + +.sp +.ne 2 +.mk +.na +\fB\fB/etc/rndc.conf\fR\fR +.ad +.sp .6 +.RS 4n +Configuration file for \fBrndc\fR(8) +.RE + +.sp +.ne 2 +.mk +.na +\fB\fB/etc/rndc.key\fR\fR +.ad +.sp .6 +.RS 4n +default key file used by \fBrndc\fR(8) +.RE + +.sp +.ne 2 +.mk +.na +\fB\fB/var/run/named/named.pid\fR\fR +.ad +.sp .6 +.RS 4n +default process-ID file +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +Availabilityservice/network/dns/bind +_ +Interface StabilityVolatile +.TE + +.SH SEE ALSO +.sp +.LP +\fBsvcs\fR(1), \fBnamed\fR(8), \fBnamed-checkconf\fR(8), +\fBnamed-checkzone\fR(8), \fBrndc\fR(8), \fBrndc-confgen\fR(8), +\fBsvcadm\fR(8), \fBsvccfg\fR(8), \fBsvcprop\fR(1), \fBchroot\fR(2), +\fBsetuid\fR(2), \fBbind\fR(3c), \fBattributes\fR(7), +\fBsmf\fR(7), \fBsmf_method\fR(7) +.sp +.LP +See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://kb.isc.org/article/AA-01031\&. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dns-server.sh --- a/components/bind/Solaris/dns-server.sh Mon Jun 06 06:11:42 2016 -0700 +++ b/components/bind/Solaris/dns-server.sh Thu Jun 16 13:48:33 2016 +0100 @@ -19,10 +19,10 @@ # # CDDL HEADER END # -# Copyright (c) 2007, 2012, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved. # -# smf_method(5) start/stop script required for server DNS +# smf_method(7) start/stop script required for server DNS . /lib/svc/share/smf_include.sh 
@@ -47,13 +47,15 @@ rndc_cmd_opts="-a" cmdopts="" properties="debug_level ip_interfaces listen_on_port - threads chroot_dir configuration_file server" + threads chroot_dir configuration_file server + listener_threads crypto_engine" for prop in $properties do value=`/usr/bin/svcprop -p options/${prop} ${SMF_FMRI}` if [ -z "${value}" -o "${value}" = '""' ]; then - continue; + # Could not find property or it has no value. + continue fi case $prop in @@ -99,6 +101,15 @@ set -- `echo ${value} | /usr/bin/sed -e 's/\\\\//g'` server=$@ ;; + 'listener_threads') + if [ ${value} -gt 0 ]; then + cmdopts="${cmdopts} -U ${value}" + fi + ;; + 'crypto_engine') + # Use '' to specify an empty name. + cmdopts="${cmdopts} -E ${value}" + ;; esac done diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dnssec-dsfromkey.8 --- a/components/bind/Solaris/dnssec-dsfromkey.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
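Review bot: In components/bind/Solaris/dns-server.sh, the new `listener_threads` and `crypto_engine` branches (hunk `@@ -99,6 +101,15 @@`) append the raw SMF property value to `cmdopts` without validating it, and `[ ${value} -gt 0 ]` expands it unquoted. A non-numeric or multi-word `listener_threads` makes the test fail with a shell error, so the property is dropped without a configuration error. A `crypto_engine` value containing whitespace would add extra words to the named command line if `cmdopts` is later expanded unquoted (that line is outside the hunk). Anyone authorized to set these properties then influences the arguments of a daemon that starts as root by default, so I would check both values against a strict pattern and exit with `$SMF_EXIT_ERR_CONFIG`, as the manual page in this changeset promises for bad option values. The enclosing `case $prop in` and the loop start and end outside this hunk; the character set accepted for engine names and the error-reporting style below are assumptions to confirm against the rest of the script.

```shell
    'listener_threads')
	case ${value} in
	''|*[!0-9]*)
	    echo "$0: options/listener_threads is not a number: ${value}" >&2
	    exit $SMF_EXIT_ERR_CONFIG
	    ;;
	esac
	if [ "${value}" -gt 0 ]; then
	    cmdopts="${cmdopts} -U ${value}"
	fi
	;;
    'crypto_engine')
	case ${value} in
	"''")
	    # explicit empty engine name, passed through as before
	    ;;
	*[!A-Za-z0-9_.-]*)
	    echo "$0: options/crypto_engine has unexpected characters: ${value}" >&2
	    exit $SMF_EXIT_ERR_CONFIG
	    ;;
	esac
	cmdopts="${cmdopts} -E ${value}"
	;;
```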
@@ -1,169 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-dsfromkey 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -dnssec-dsfromkey \- DNSSEC DS RR generation tool -.SH SYNOPSIS -.LP -.nf -\fBdnssec-dsfromkey\fR [\fB-v\fR \fIlevel\fR] [\fB-1\fR] [\fB-2\fR] [\fB-a\fR \fIalg\fR] \fIkeyfile\fR -.fi - -.LP -.nf -\fBdnssec-dsfromkey\fR \fB-s\fR [\fB-v\fR \fIlevel\fR] [\fB-1\fR] [\fB-2\fR] [\fB-a\fR \fIalg\fR] [\fB-c\fR \fIclass\fR] - [\fB-d\fR \fIdir\fR] \fIkeyfile\fR -.fi - -.SH DESCRIPTION -.sp -.LP -\fBdnssec-dsfromkey\fR -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-1\fR\fR -.ad -.sp .6 -.RS 4n -Use \fBSHA-1\fR as the digest algorithm. The default is to use both \fBSHA-1\fR and \fBSHA-256\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-2\fR\fR -.ad -.sp .6 -.RS 4n -Use SHA-256 as the digest algorithm. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -Select the digest algorithm. The value of \fIalgorithm\fR must be one of \fBSHA-1\fR (\fBSHA1\fR) or \fBSHA-256\fR (\fBSHA256\fR). These values are case-insensitive. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -Sets the debugging level. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR\fR -.ad -.sp .6 -.RS 4n -Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. The \fB-c\fR and \fB-d\fR options have meaning only in this mode. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the DNS class (default is \fBIN\fR); useful only in the keyset mode. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -Look for keyset files in directory as the directory; ignored when not in the keyset mode. -.RE - -.SH EXAMPLES -.sp -.LP -To build the SHA-256 DS RR from the \fBKexample.com.+003+26160\fR keyfile name, use a command such as the following: -.sp -.in +2 -.nf -# \fBdnssec-dsfromkey -2 Kexample.com.+003+26160\fR -.fi -.in -2 -.sp - -.sp -.LP -This command would produce output similar to the following: -.sp -.in +2 -.nf -example.com. IN DS 26160 5 2 -3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 -C5EA0B94 -.fi -.in -2 -.sp - -.SH FILES -.sp -.LP -The keyfile can be designated by the key identification \fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR, or the full file name \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.key\fR, as generated by \fBdnssec-keygen\fR(8). -.sp -.LP -The keyset file name is built from the directory, the string \fBkeyset-\fR and the \fIdnsname\fR. -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdnssec-keygen\fR(8), \fBdnssec-signzone\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 3658\fR, \fIRFC 4509\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. 
As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. -.SH CAUTION -.sp -.LP -A keyfile error can produce a "file not found" message, even if the file exists. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dnssec-keyfromlabel.8 --- a/components/bind/Solaris/dnssec-keyfromlabel.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,194 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-keyfromlabel 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -dnssec-keyfromlabel \- DNSSEC key generation tool -.SH SYNOPSIS -.LP -.nf -\fBdnssec-keyfromlabel\fR \fB-a\fR \fIalgorithm\fR \fB-l\fR \fIlabel\fR [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIflag\fR] [\fB-k\fR] - [\fB-n\fR \fInametype\fR] [\fB-p\fR \fIprotocol\fR] [\fB-t\fR \fItype\fR] [\fB-v\fR \fIlevel\fR] \fIname\fR -.fi - -.SH DESCRIPTION -.sp -.LP -\fBdnssec-keyfromlabel\fR retrieves keys with a specified label from a crypto hardware device and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -Selects the cryptographic algorithm. The value of \fIalgorithm\fR must be one of \fBRSAMD5\fR (RSA) or \fBRSASHA1\fR, \fBDSA\fR, \fBNSEC3RSASHA1\fR, \fBNSEC3DSA\fR, or \fBDH\fR (Diffie-Hellman). These values are case-insensitive. -.sp -Note that for \fBDNSSEC\fR, \fBRSASHA1\fR is a mandatory-to-implement algorithm, and DSA is recommended. 
Note also that \fBDH\fR automatically sets the \fB-k\fR flag. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-l\fR \fIlabel\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the label of keys in the crypto hardware (PKCS#11) device. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInametype\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the owner type of the key. The value of \fInametype\fR must either be \fBZONE\fR (for a \fBDNSSEC\fR zone key (\fBKEY\fR/\fBDNSKEY\fR)), \fBHOST\fR or \fBENTITY\fR (for a key associated with a host (\fBKEY\fR)), \fBUSER\fR (for a key associated with a user (\fBKEY\fR)), or \fBOTHER\fR (\fBDNSKEY\fR). These values are case-insensitive. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -Indicates that the DNS record containing the key should have the specified class. If not specified, class \fBIN\fR is used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIflag\fR\fR -.ad -.sp .6 -.RS 4n -Set the specified flag in the flag field of the \fBKEY\fR/\fBDNSKEY\fR record. The only recognized flag is \fBKSK\fR (Key Signing Key) \fBDNSKEY\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -Displays a short summary of the options and arguments to \fBdnssec-keyfromlabel\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fI\fR\fR -.ad -.sp .6 -.RS 4n -Generate \fBKEY\fR records rather than \fBDNSKEY\fR records. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIprotocol\fR\fR -.ad -.sp .6 -.RS 4n -Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is \fB3\fR (\fBDNSSEC\fR). Other possible values for this argument are listed in RFC 2535 and its successors. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -Indicates the use of the key. \fItype\fR must be one of \fBAUTHCONF\fR, \fBNOAUTHCONF\fR, \fBNOAUTH\fR, or \fBNOCONF\fR. The default is \fBAUTHCONF\fR. \fBAUTH\fR refers to the ability to authenticate data, and \fBCONF\fR the ability to encrypt data. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -Sets the debugging level. -.RE - -.SH GENERATED KEY FILES -.sp -.LP -When \fBdnssec-keyfromlabel\fR completes successfully, it displays a string of the form \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR\fR to the standard output. This is an identification string for the key files it has generated, which translates as follows. -.RS +4 -.TP -.ie t \(bu -.el o -\fInnnn\fR is the key name. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIaaa\fR is the numeric representation of the algorithm. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIiiiii\fR is the key identifier (or footprint). -.RE -.sp -.LP -\fBdnssec-keyfromlabel\fR creates two files, with names based on the displayed string. \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.key\fR contains the public key, and \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.private\fR contains the private key. -.sp -.LP -The first file contains a \fBDNS\fR \fBKEY\fR record that can be inserted into a zone file (directly or with an \fB$INCLUDE\fR statement). -.sp -.LP -The second file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission. -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdnssec-keygen\fR(8), \fBdnssec-signzone\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 2539\fR, \fIRFC 2845\fR, \fIRFC 4033\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dnssec-keygen.8 
--- a/components/bind/Solaris/dnssec-keygen.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,300 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-keygen 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -dnssec-keygen \- DNSSEC key generation tool -.SH SYNOPSIS -.LP -.nf -\fBdnssec-keygen\fR \fB-a\fR \fIalgorithm\fR \fB-b\fR \fIkeysize\fR \fB-n\fR \fInametype\fR [\fB-ehk\fR] - [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIflag\fR] [\fB-g\fR \fIgenerator\fR] [\fB-p\fR \fIprotocol\fR] - [\fB-r\fR \fIrandomdev\fR] [\fB-s\fR \fIstrength\fR] [\fB-t\fR \fItype\fR] [\fB-v\fR \fIlevel\fR] \fIname\fR -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBdnssec-keygen\fR utility generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -Select the cryptographic algorithm. The value of algorithm must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, \fBDH\fR (Diffie-Hellman), or HMAC-MD5. These values are case insensitive. -.sp -For DNSSEC, RSASHA1 is a mandatory-to-implement algorithm and DSA is recommended. 
For TSIG, HMAC-MD5 is mandatory. -.LP -Note - -.sp -.RS 2 -HMAC-MD5 and DH automatically set the \fB-k\fR flag. -.RE -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIkeysize\fR\fR -.ad -.sp .6 -.RS 4n -Specify the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 and RSASHA1 keys must be between 512 and 2048 bits. Diffie-Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be between 1 and 512 bits. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -Indicate that the DNS record containing the key should have the specified class. If not specified, class IN is used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR\fR -.ad -.sp .6 -.RS 4n -Use a large exponent if generating an RSAMD5 or RSASHA1 key. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIflag\fR\fR -.ad -.sp .6 -.RS 4n -Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-g\fR \fIgenerator\fR\fR -.ad -.sp .6 -.RS 4n -Use this \fIgenerator\fR if generating a Diffie Hellman key. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -Print a short summary of the options and arguments to \fBdnssec-keygen\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR\fR -.ad -.sp .6 -.RS 4n -Generate KEY records rather than DNSKEY records. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInametype\fR\fR -.ad -.sp .6 -.RS 4n -Specify the owner type of the key. The value of \fInametype\fR must either be \fBZONE\fR (for a DNSSEC zone key (KEY/DNSKEY)), \fBHOST\fR or \fBENTITY\fR (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)), or \fBOTHER\fR (DNSKEY). These values are case insensitive. 
Defaults to ZONE for DNSKEY generation. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIprotocol\fR\fR -.ad -.sp .6 -.RS 4n -Set the protocol value for the generated key. The \fIprotocol\fR argument is a number between 0 and 255. The default is 3 (DNSSEC) Other possible values for this argument are listed in RFC 2535 and its successors. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.sp .6 -.RS 4n -Specify the source of randomness. If the operating system does not provide a \fB/dev/random\fR or equivalent device, the default source of randomness is keyboard input. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default. The special value "\fBkeyboard\fR" indicates that keyboard input should be used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstrength\fR\fR -.ad -.sp .6 -.RS 4n -Specify the strength value of the key. The \fIstrength\fR argument is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -Indicate the use of the key. \fBtype\fR must be one of \fBAUTHCONF\fR, \fBNOAUTHCONF\fR, \fBNOAUTH\fR, or \fBNOCONF\fR. The default is \fBAUTHCONF\fR. \fBAUTH\fR refers to the ability to authenticate data, and \fBCONF\fR the ability to encrypt data. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -Set the debugging level. -.RE - -.SH GENERATED KEYS -.sp -.LP -When \fBdnssec-keygen\fR completes successfully, it prints a string of the form \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR\fR to the standard output. This is an identification string for the key it has generated. -.RS +4 -.TP -.ie t \(bu -.el o -\fInnnn\fR is the key name. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIaaa\fR is the numeric representation of the algorithm. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIiiiii\fR is the key identifier (or footprint). 
-.RE -.sp -.LP -The \fBdnssec-keygen\fR utility creates two files, with names based on the printed string. -.RS +4 -.TP -.ie t \(bu -.el o -\fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.\fBkey\fR contains the public key. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.\fBprivate\fR contains the private key. -.RE -.sp -.LP -The \fB\&.key\fR file contains a DNS \fBKEY\fR record that can be inserted into a zone file (directly or with a \fB$INCLUDE\fR statement). -.sp -.LP -The \fB\&.private\fR file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission. -.sp -.LP -Both \fB\&.key\fR and \fB\&.private\fR files are generated for symmetric encryption algorithm such as HMAC-MD5, even though the public and private key are equivalent. -.SH EXAMPLES -.LP -\fBExample 1 \fRGenerating a 768-bit DSA Key -.sp -.LP -To generate a 768-bit DSA key for the domain \fBexample.com\fR, the following command would be issued: - -.sp -.in +2 -.nf -dnssec-keygen -a DSA -b 768 -n ZONE example.com -.fi -.in -2 -.sp - -.sp -.LP -The command would print a string of the form: - -.sp -.in +2 -.nf -Kexample.com.+003+26160 -.fi -.in -2 -.sp - -.sp -.LP -The following files would be created: - -.sp -.in +2 -.nf -Kexample.com.+003+26160.key -Kexample.com.+003+26160.private -.fi -.in -2 -.sp - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdnssec-signzone\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 2539\fR, \fIRFC 2845\fR, \fIRFC 4033\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. 
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dnssec-makekeyset.8
--- a/components/bind/Solaris/dnssec-makekeyset.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,176 +0,0 @@ -'\" te -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000, 2001, 2003 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-makekeyset 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -dnssec-makekeyset \- DNSSEC zone signing tool -.SH SYNOPSIS -.LP -.nf -\fBdnssec-makekeyset\fR [\fB-ahp\fR] [\fB-s\fR \fIstart-time\fR] [\fB-e\fR \fIend-time\fR] - [\fB-r\fR \fIrandomdev\fR] [\fB-t\fR \fIttl\fR] [\fB-v\fR \fIlevel\fR] \fIkey\fR... -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBdnssec-makekeyset\fR utility generates a key set from one or more keys created by \fBdnssec-keygen\fR(8). It creates a file containing a \fBKEY\fR record for each key, and self-signs the key set with each zone key. The output file is of the form \fIkeyset-nnnn.\fR, where \fInnnn\fR is the zone name. -.SH OPTIONS -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR\fR -.ad -.RS 17n -.rt -Verify all generated signatures. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR \fIend-time\fR\fR -.ad -.RS 17n -.rt -Specify the date and time when the generated SIG records expire. As with \fIstart-time\fR, an absolute time is indicated in \fBYYYYMMDDHHMMSS\fR notation. 
A time relative to the start time is indicated with +\fIN\fR, which is \fIN\fR seconds from the start time. A time relative to the current time is indicated with now+\fIN\fR. If no \fIend-time\fR is specified, 30 days from the start time is used as a default. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.RS 17n -.rt -Print a short summary of the options and arguments to \fBdnssec-makekeyset()\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR\fR -.ad -.RS 17n -.rt -Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.RS 17n -.rt -Specify the source of randomness. If the operating system does not provide a \fB/dev/random\fR or equivalent device, the default source of randomness is keyboard input. The \fIrandomdev\fR argument specifies the name of a character device or file containing random data to be used instead of the default. The special value \fBkeyboard\fR indicates that keyboard input should be used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstart-time\fR\fR -.ad -.RS 17n -.rt -Specify the date and time when the generated \fBSIG\fR records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in \fBYYYYMMDDHHMMSS\fR notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no \fBstart-time\fR is specified, the current time is used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fIttl\fR\fR -.ad -.RS 17n -.rt -Specify the TTL (time to live) of the \fBKEY\fR and \fBSIG\fR records. The default is 3600 seconds. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.RS 17n -.rt -Set the debugging level. 
-.RE - -.SH OPERANDS -.sp -.LP -The following operands are supported: -.sp -.ne 2 -.mk -.na -\fB\fIkey\fR\fR -.ad -.RS 7n -.rt -The list of keys to be included in the keyset file. These keys are expressed in the form \fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR as generated by \fBdnssec-keygen\fR. -.RE - -.SH EXAMPLES -.LP -\fBExample 1 \fRGenerates a keyset containing the DSA key for \fBexample.com\fR. -.sp -.LP -The following command generates a keyset containing the DSA key for \fBexample.com\fR generated in the \fBdnssec-keygen\fR(8) manual page. - -.sp -.in +2 -.nf -dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 \e -Kexample.com.+003+26160 -.fi -.in -2 -.sp - -.sp -.LP -In this example, \fBdnssec-makekeyset()\fR creates the file \fBkeyset-example.com\fR. This file contains the specified key and a self-generated signature. - -.sp -.LP -The DNS administrator for \fBexample.com\fR could send \fBkeyset-example.com.\fR to the DNS administrator for \fB\&.com\fR for signing, if the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely. - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) cw(2.75i) -lw(2.75i) lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -AvailabilitySUNWbind9 -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdnssec-keygen\fR(8), \fBdnssec-signkey\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 2535\fR -.sp -.LP -\fIBIND 9 Administrator Reference Manual\fR -.SH NOTES -.sp -.LP -Source for BIND9 is available in the SUNWbind9S package. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dnssec-signkey.8 --- a/components/bind/Solaris/dnssec-signkey.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,179 +0,0 @@ -'\" te -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000, 2001, 2003 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-signkey 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -dnssec-signkey \- DNSSEC key set signing tool -.SH SYNOPSIS -.LP -.nf -\fBdnssec-signkey\fR [\fB-ahp\fR] [\fB-c\fR \fIclass\fR] [\fB-e\fR \fIend-time\fR] - [\fB-r\fR \fIrandomdev\fR] [\fB-s\fR \fIstart-time\fR] [\fB-v\fR \fIlevel\fR] \fIkeyset\fR \fIkey\fR... -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBdnssec-signkey\fR utility signs a keyset. Typically the keyset will be for a child zone and will have been generated by \fBdnssec-makekeyset\fR(8). The child zone's keyset is signed with the zone keys for its parent zone. The output file is of the form \fBsignedkey\fR-\fInnnn.\fR, where \fInnnn\fR is the zone name. -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR\fR -.ad -.RS 17n -.rt -Verify all generated signatures. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.RS 17n -.rt -Specify the DNS class of the key sets. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR \fIend-time\fR\fR -.ad -.RS 17n -.rt -Specify the date and time when the generated SIG records expire. As with \fIstart-time\fR, an absolute time is indicated in \fBYYYYMMDDHHMMSS\fR notation. A time relative to the start time is indicated with +\fIN\fR, which is \fIN\fR seconds from the start time. A time relative to the current time is indicated with now+\fIN\fR. If no \fIend-time\fR is specified, 30 days from the start time is used as a default. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.RS 17n -.rt -Prints a short summary of the options and arguments to \fBdnssec-signkey()\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR\fR -.ad -.RS 17n -.rt -Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.RS 17n -.rt -Specify the source of randomness. If the operating system does not provide a \fB/dev/random\fR or equivalent device, the default source of randomness is keyboard input. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default. The special value \fBkeyboard\fR indicates that keyboard input should be used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstart-time\fR\fR -.ad -.RS 17n -.rt -Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in \fBYYYYMMDDHHMMSS\fR notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +\fIN\fR, which is \fIN\fR seconds from the current time. If no \fIstart-time\fR is specified, the current time is used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.RS 17n -.rt -Set the debugging level. 
-.RE - -.SH OPERANDS -.sp -.LP -The following operands are supported: -.sp -.ne 2 -.mk -.na -\fB\fIkey\fR\fR -.ad -.RS 10n -.rt -The keys used to sign the child's keyset. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIkeyset\fR\fR -.ad -.RS 10n -.rt -The file containing the child's keyset. -.RE - -.SH EXAMPLES -.LP -\fBExample 1 \fRSign the \fIkeyset\fR file for \fBexample.com\fR. -.sp -.LP -The DNS administrator for a DNSSEC-aware \fB\&.com\fR zone would use the following command to sign the \fIkeyset\fR file for \fBexample.com\fR created by \fBdnssec-makekeyset\fR with a key generated by \fBdnssec-keygen\fR: - -.sp -.in +2 -.nf -dnssec-signkey keyset-example.com. Kcom.+003+51944 -.fi -.in -2 -.sp - -.sp -.LP -In this example, \fBdnssec-signkey\fR creates the file \fBsignedkey-example.com\fR, which contains the \fBexample.com\fR keys and the signatures by the \fB\&.com\fR keys. - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) cw(2.75i) -lw(2.75i) lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -AvailabilitySUNWbind9 -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdnssec-keygen\fR(8), \fBdnssec-makekeyset\fR(8), \fBdnssec-signzone\fR(8), \fBattributes\fR(7) -.SH NOTES -.sp -.LP -Source for BIND9 is available in the SUNWbind9S package. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/dnssec-signzone.8 --- a/components/bind/Solaris/dnssec-signzone.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,431 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-signzone 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -dnssec-signzone \- DNSSEC zone signing tool -.SH SYNOPSIS -.LP -.nf -\fBdnssec-signzone\fR [\fB-Aaghptz\fR] [\fB-c\fR \fIclass\fR] [\fB-d\fR \fIdirectory\fR] - [\fB-e\fR \fIend-time\fR] [\fB-f\fR \fIoutput-file\fR] [\fB-H\fR \fIiterations\fR] [\fB-I\fR \fIinput_format\fR] - [\fB-i\fR \fIinterval\fR] [\fB-k\fR \fIkey\fR] [\fB-l\fR \fIdomain\fR] [\fB-N\fR \fIsoa-serial-format\fR] [\fB-n\fR \fIncpus\fR] - [\fB-O\fR \fIoutput_format\fR] [\fB-o\fR \fIorigin\fR] [\fB-r\fR \fIrandomdev\fR] [\fB-s\fR \fIstart-time\fR] - [\fB-v\fR \fIlevel\fR] [\fB-3\fR \fIsalt\fR] \fIzonefile\fR [\fIkey\fR]... -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBdnssec-signzone\fR utility signs a zone. It generates \fBNSEC\fR and \fBRRSIG\fR records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a \fBkeyset\fR file for each child zone. 
-.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-A\fR\fR -.ad -.sp .6 -.RS 4n -When generating an NSEC3 chain, set the \fBOPTOUT\fR flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR\fR -.ad -.sp .6 -.RS 4n -Verify all generated signatures. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -Specify the \fBDNS\fR class of the zone. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -Look for \fBkeyset\fR files in \fIdirectory\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR \fIend-time\fR\fR -.ad -.sp .6 -.RS 4n -Specify the date and time when the generated \fBRRSIG\fR records expire. As with \fBstart-time\fR, an absolute time is indicated in \fBYYYYMMDDHHMMSS\fR notation. A time relative to the start time is indicated with +\fIN\fR, which is \fIN\fR seconds from the start time. A time relative to the current time is indicated with \fBnow\fR+\fIN\fR. If no \fIend-time\fR is specified, 30 days from the start time is used as a default. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIoutput-file\fR\fR -.ad -.sp .6 -.RS 4n -The name of the output file containing the signed zone. The default is to append \fB\&.signed\fR to the input file name. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-g\fR\fR -.ad -.sp .6 -.RS 4n -Generate DS records for child zones from \fBkeyset\fR files. Existing DS records will be removed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-H\fR \fIiterations\fR\fR -.ad -.sp .6 -.RS 4n -When generating a NSEC3 chain use the number of interations specified by \fIiterations\fR. The default is 100. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -Prints a short summary of the options and arguments to \fBdnssec-signzone()\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-I\fR \fIinput-format\fR\fR -.ad -.sp .6 -.RS 4n -The format of the input zone file. 
Possible formats are \fBtext\fR (default) and \fBraw\fR. This option is primarily intended for dynamic signed zones so that the dumped zone file in a non-text format containing updates can be signed directly. The use of this option serves no purpose for non-dynamic zones. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-i\fR \fIinterval\fR\fR -.ad -.sp .6 -.RS 4n -Specify the cycle interval as an offset from the current time (in seconds). When a previously signed zone is passed as input, records could be resigned. If an \fBRRSIG\fR record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon and will be replaced. -.sp -The default cycle interval is one quarter of the difference between the signature end and start times. If neither \fIend-time\fR or \fIstart-time\fR are specified, \fBdnssec-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Any existing \fBRRSIG\fR records due to expire in less than 7.5 days would be replaced. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-j\fR \fIjitter\fR\fR -.ad -.sp .6 -.RS 4n -When signing a zone with a fixed signature lifetime, all \fBRRSIG\fR records issued at the time of signing expire simultaneously. If the zone is incrementally signed, that is, a previously-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The jitter option specifies a jitter window that will be used to randomize the signature-expire time, thus spreading incremental signature regeneration over time. -.sp -Signature lifetime jitter also benefits, to some extent, validators and servers by spreading out cache expiration. That is, if large numbers of \fBRRSIG\fRs from all caches do not expire at the same time, there will be less congestion than if all validators needed to refetch at almost the same time. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkey\fR\fR -.ad -.sp .6 -.RS 4n -Treat specified \fIkey\fR as a key-signing key, ignoring any key flags. This option can be specified multiple times. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-l\fR \fIdomain\fR\fR -.ad -.sp .6 -.RS 4n -Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-N\fR \fIsoa-serial-format\fR\fR -.ad -.sp .6 -.RS 4n -The SOA serial number format of the signed zone. Possible formats are \fBkeep\fR (default), \fBincrement\fR and \fBunixtime\fR, described as follows. -.sp -.ne 2 -.mk -.na -\fB\fBkeep\fR\fR -.ad -.sp .6 -.RS 4n -Do not modify the SOA serial number. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBincrement\fR\fR -.ad -.sp .6 -.RS 4n -Increment the SOA serial number using RFC 1982 arithmetic. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBunixtime\fR\fR -.ad -.sp .6 -.RS 4n -Set the SOA serial number to the number of seconds since epoch. -.RE - -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInthreads\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the number of threads to use. By default, one thread is started for each detected CPU. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-O\fR \fIoutput_format\fR\fR -.ad -.sp .6 -.RS 4n -The format of the output file containing the signed zone. Possible formats are \fBtext\fR (default) and \fBraw\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-o\fR \fIorigin\fR\fR -.ad -.sp .6 -.RS 4n -Specify the zone origin. If not specified, the name of the zone file is assumed to be the origin. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR\fR -.ad -.sp .6 -.RS 4n -Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the source of randomness. 
If the operating system does not provide a \fB/dev/random\fR or equivalent device, the default source of randomness is keyboard input. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default \fB/dev/random\fR. The special value \fBkeyboard\fR indicates that keyboard input should be used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstart-time\fR\fR -.ad -.sp .6 -.RS 4n -Specify the date and time when the generated \fBRRSIG\fR records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in \fIYYYYMMDDHHMMSS\fR notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +\fIN\fR, which is \fIN\fR seconds from the current time. If no \fIstart-time\fR is specified, the current time minus one hour (to allow for clock skew) is used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR\fR -.ad -.sp .6 -.RS 4n -Print statistics at completion. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -Set the debugging level. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-z\fR\fR -.ad -.sp .6 -.RS 4n -Ignore KSK flag on key when determining what to sign. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-3\fR \fIsalt\fR\fR -.ad -.sp .6 -.RS 4n -Generate a NSEC3 chain with the specified hex-encoded \fIsalt\fR. A dash (\fB-\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain. -.RE - -.SH OPERANDS -.sp -.LP -The following operands are supported: -.sp -.ne 2 -.mk -.na -\fB\fIzonefile\fR\fR -.ad -.sp .6 -.RS 4n -The file containing the zone to be signed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIkey\fR\fR -.ad -.sp .6 -.RS 4n -Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for \fBDNSKEY\fR records at the zone apex. If these are found and there are matching private keys in the current directory, these will be used for signing. 
-.RE - -.SH EXAMPLES -.LP -\fBExample 1 \fRSigning a Zone with a DSA Key -.sp -.LP -The following command signs the \fBexample.com\fR zone with the DSA key generated in the example in the \fBdnssec-keygen\fR(8) manual page (\fBKexample.com.+003+17247\fR). The zone's keys must be in the master file (\fBdb.example.com\fR). This invocation looks for keyset files in the current directory, so that DS records can be generated from them (\fB-g\fR). - -.sp -.in +2 -.nf -% \fBdnssec-signzone -g -o example.com db.example.com \e\fR -\fBKexample.com.+003+17247\fR -\fBdb.example.com.signed\fR -% -.fi -.in -2 -.sp - -.sp -.LP -In the above example, \fBdnssec-signzone\fR creates the file \fBdb.example.com.signed\fR. This file should be referenced in a zone statement in a \fBnamed.conf\fR file. - -.LP -\fBExample 2 \fRRe-signing a Previously Signed Zone -.sp -.LP -The following commands re-sign a previously signed zone with default parameters. The private keys are assumed to be in the current directory. - -.sp -.in +2 -.nf -% \fBcp db.example.com.signed db.example.com\fR -% \fBdnssec-signzone -o example.com db.example.com \e\fR -\fBdb.example.com.signed\fR -% -.fi -.in -2 -.sp - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdnssec-keygen\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 4033\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/host.8 --- a/components/bind/Solaris/host.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,266 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH host 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -host \- DNS lookup utility -.SH SYNOPSIS -.LP -.nf -\fBhost\fR [\fB-aCdilmrsTvw\fR] [\fB-c\fR \fIclass\fR] [\fB-N\fR \fIndots\fR] [\fB-R\fR \fInumber\fR] - [\fB-t\fR \fItype\fR] [\fB-W\fR \fIwait\fR] [\fB-4\fR | \fB-6\fR] \fIname\fR [\fIserver\fR] -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBhost\fR utility performs simple DNS lookups. It is normally used to convert names to IP addresses and IP addresses to names. When no arguments or options are given, \fBhost\fR prints a short summary of its command line arguments and options. -.sp -.LP -The \fIname\fR argument is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case \fBhost\fR by default performs a reverse lookup for that address. The optional \fIserver\fR argument is either the name or IP address of the name server that \fBhost\fR should query instead of the server or servers listed in \fB/etc/resolv.conf\fR. 
-.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-4\fR\fR -.ad -.sp .6 -.RS 4n -Use only IPv4 transport. By default, both IPv4 and IPv6 transports can be used. Options \fB-4\fR and \fB-6\fR are mutually exclusive. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-6\fR\fR -.ad -.sp .6 -.RS 4n -Use only IPv6 transport. By default, both IPv4 and IPv6 transports can be used. Options \fB-4\fR and \fB-6\fR are mutually exclusive. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR\fR -.ad -.sp .6 -.RS 4n -Equivalent to setting the \fB-v\fR option and asking \fBhost\fR to make a query of type \fBANY\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -Make a DNS query of class \fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet). -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-C\fR\fR -.ad -.sp .6 -.RS 4n -Attempt to display the SOA records for zone \fIname\fR from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR\fR -.ad -.sp .6 -.RS 4n -Generate verbose output. This option is equivalent to \fB-v\fR. These two options are provided for backward compatibility. In previous versions, the \fB-d\fR option switched on debugging traces and \fB-v\fR enabled verbose output. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-i\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC 1886. The default is to use RFC 3152 domain IP6.ARPA. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-l\fR\fR -.ad -.sp .6 -.RS 4n -List mode. This option makes \fBhost\fR perform a zone transfer for zone \fIname\fR, displaying the NS, PTR and address records (A/AAAA). If combined with \fB-a\fR, all records will be displayed. The argument is provided for compatibility with previous implementations. 
Options \fB-la\fR is equivalent to making a query of type \fBAXFR\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-m\fR\fR -.ad -.sp .6 -.RS 4n -Sets the memory usage debugging flags: record, usage, and trace. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-N\fR \fIndots\fR\fR -.ad -.sp .6 -.RS 4n -Set the number of dots that have to be in \fIname\fR for it to be considered absolute. The default value is that defined using the ndots statement in \fB/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the \fBsearch\fR or \fBdomain\fR directive in \fB/etc/resolv.conf\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR\fR -.ad -.sp .6 -.RS 4n -Make a non-recursive query. Setting this option clears the \fBRD\fR (recursion desired) bit in the query made by \fBhost\fR. The name server receiving the query does not attempt to resolve \fIname\fR. The \fB-r\fR option enables \fBhost\fR to mimic the behaviour of a name server by making non-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-R\fR \fInumber\fR\fR -.ad -.sp .6 -.RS 4n -Change the number of UDP retries for a lookup. The \fInumber\fR argument indicates how many times \fBhost\fR will repeat a query that does not get answered. The default number of retries is 1. If \fInumber\fR is negative or zero, the number of retries will default to 1. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that the host not send the query to the next name server if any server responds with a \fBSERVFAIL\fR response, which is the reverse of normal stub resolver behavior. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -Select the query type. The \fItype\fR argument can be any recognised query type: \fBCNAME\fR, \fBNS\fR, \fBSOA\fR, \fBSIG\fR, \fBKEY\fR, and \fBAXFR\fR, among others. 
When no query type is specified, \fBhost\fR automatically selects an appropriate query type. By default it looks for A, AAAA, and MX records, but if the \fB-C\fR option is specified, queries are made for SOA records. If \fIname\fR is a dotted-decimal IPv4 address or colon-delimited IPv6 address, \fBhost\fR queries for PTR records. -.sp -If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (for example: \fB-t\fR \fBIXFR=12345678\fR). -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-T\fR\fR -.ad -.sp .6 -.RS 4n -Use a TCP connection when querying the name server. TCP is automatically selected for queries that require it, such as zone transfer (\fBAXFR\fR) requests. By default \fBhost\fR uses UDP when making queries. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR\fR -.ad -.sp .6 -.RS 4n -Generate verbose output. This option is equivalent to \fB-d\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-w\fR\fR -.ad -.sp .6 -.RS 4n -Wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-W\fR \fIwait\fR\fR -.ad -.sp .6 -.RS 4n -Wait for \fIwait\fR seconds for a reply. If \fIwait\fR is less than one, the wait interval is set to one second. -.RE - -.SH FILES -.sp -.ne 2 -.mk -.na -\fB\fB/etc/resolv.conf\fR\fR -.ad -.sp .6 -.RS 4n -Resolver configuration file -.RE - -.SH ATTRIBUTES -.sp -.LP -See for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilitynetwork/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBdig\fR(8), \fBnamed\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 1035\fR, \fIRFC 1886\fR, \fIRFC 3152\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. 
As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&.
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/in.named.8
--- a/components/bind/Solaris/in.named.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-.so man8/named.8
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/ja/dig.8
--- a/components/bind/Solaris/ja/dig.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,784 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dig 8 "2010 年 1 月 11 日" "SunOS 5.12" "システム管理コマンド" -.SH 名前 -dig \- DNS 検索ユーティリティー -.SH 形式 -.LP -.nf -\fBdig\fR [@server] [\fB-b\fR \fIaddress\fR] [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIfilename\fR] - [\fB-k\fR \fIfilename\fR] [\fB-m\fR] [\fB-p\fR \fIport#\fR] [\fB-q\fR \fIname\fR] [\fB-t\fR \fItype\fR] [\fB-x\fR \fIaddr\fR] - [\fB-y\fR [\fIhmac\fR:]\fIname:key\fR] [\fB-4\fR] [\fB-6\fR] [\fIname\fR] [\fItype\fR] [\fIclass\fR] [\fIqueryopt\fR]... -.fi - -.LP -.nf -\fBdig\fR [\fB-h\fR] -.fi - -.LP -.nf -\fBdig\fR [\fIglobal-queryopt\fR...] [\fIquery\fR...] 
-.fi - -.SH 機能説明 -.sp -.LP -\fBdig\fR (Domain Information Groper) ユーティリティーは、DNS ネームサーバーに問い合わせるための柔軟性に優れたツールです。dig ユーティリティーは、DNS 検索を実行し、照会したネームサーバーから返された回答を表示します。\fBdig\fR ユーティリティーは、柔軟性に優れ、使いやすく、出力が明確であるため、ほとんどの DNS 管理者がこのユーティリティーを使用して DNS の問題をトラブルシューティングします。ほかの検索ツールは、多くの場合で \fBdig\fR ほど機能性に優れていません。 -.sp -.LP -通常、\fBdig\fR は、コマンド行引数とともに使用されますが、ファイルから検索要求を読み取るバッチモード操作にも対応します。\fB-h\fR オプションを指定すると、そのコマンド行引数とオプションの簡単なサマリーが出力されます。以前のバージョンとは異なり、BIND 9 における \fBdig\fR の実装では、コマンド行から複数の検索を発行できます。 -.sp -.LP -特定のネームサーバーに照会するよう指示されていないかぎり、\fBdig\fR は、\fB/etc/resolv.conf\fR に記載されている各サーバーに照会します。 -.sp -.LP -コマンド行引数またはオプションを指定しない場合、\fBdig\fR は、「.」(ルート) に対して NS クエリーを実行します。 -.sp -.LP -\fB${HOME}/.digrc\fR を使用すると、\fBdig\fR のユーザーごとのデフォルトを設定できます。コマンド行引数の前に、このファイルが読み取られ、含まれているオプションが適用されます。 -.sp -.LP -クラス名 \fBIN\fR および \fBCH\fR は、トップレベルドメイン名 \fBIN\fR および \fBCH\fR と一致します。これらのトップレベルドメインを検索するときは、\fB-t\fR オプションおよび \fB-c\fR オプションを使用してタイプとクラスを指定するか、\fB"IN."\fR および \fB "CH."\fR を使用します。 -.SS "簡単な使用法" -.sp -.LP -一般的な \fBdig\fR の呼び出しを次に示します。 -.sp -.in +2 -.nf -dig @server name type -.fi -.in -2 -.sp - -.sp -.LP -各表記の意味は次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fIserver\fR\fR -.ad -.sp .6 -.RS 4n -照会するネームサーバーの名前または IP アドレス。ドット区切り 10 進表記の IPv4 アドレスか、コロン区切り表記の IPv6 アドレスを指定できます。指定された \fIserver\fR 引数がホスト名の場合、\fBdig\fR は、その名前を解決してから、そのネームサーバーに照会します。\fIserver\fR 引数を指定しない場合、\fBdig\fR は \fB/etc/resolv.conf\fR を参照し、そのファイルに記載されているネームサーバーに照会します。応答したネームサーバーからの応答が表示されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIname\fR\fR -.ad -.sp .6 -.RS 4n -検索するリソースレコードの名前。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fItype\fR\fR -.ad -.sp .6 -.RS 4n -どのタイプのクエリーが必要かを示します (ANY、A、MX、SIG など)。\fItype\fR には、任意の有効なクエリータイプを指定できます。\fItype\fR 引数を指定しない場合、\fBdig\fR は、A レコードの検索を実行します。 -.RE - -.SH オプション -.sp -.LP -サポートしているオプションは、次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fB-4\fR\fR -.ad -.sp .6 -.RS 4n -IPv4 トランスポートのみを使用します。デフォルトでは、IPv4 トランスポートと IPv6 トランスポートの両方を使用できます。オプション \fB-4\fR とオプション \fB-6\fR は相互に排他的です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-6\fR\fR -.ad -.sp .6 
-.RS 4n -IPv6 トランスポートのみを使用します。デフォルトでは、IPv4 トランスポートと IPv6 トランスポートの両方を使用できます。オプション \fB-4\fR とオプション \fB-6\fR は相互に排他的です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIaddress\fR\fR -.ad -.sp .6 -.RS 4n -クエリーのソース IP アドレスを \fIaddress\fR に設定します。これは、ホストのいずれかのネットワークインタフェース上の有効なアドレスか、\fB0.0.0.0\fR または \fB::\fR である必要があります。\fB#\fR\fI \fR を追加して、オプションのポートを指定できます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -デフォルトのクエリークラス (インターネットを表す IN) をオーバーライドします。\fIclass\fR 引数は、HS (Hesiod レコード) や CH (CHAOSNET レコード) などの有効な任意のクラスです。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -ファイル \fIfilename\fR から、処理対象の検索要求のリストを読み取って、バッチモードで動作します。ファイルには、1 行に 1 つずつ、複数のクエリーが含まれています。ファイル内の各エントリは、コマンド行インタフェースを使用して \fBdig\fR で発行するクエリーを指定する場合と同じように構成するようにしてください。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -コマンド行引数およびオプションの簡単なサマリーを出力します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -\fBdig\fR によって送信される DNS クエリーとその応答に、トランザクション署名 (Transaction Signature、TSIG) を使用して署名するための TSIG 鍵ファイルを指定します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-m\fR\fR -.ad -.sp .6 -.RS 4n -メモリー使用量のデバッグを有効にします。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIport#\fR\fR -.ad -.sp .6 -.RS 4n -標準以外のポート番号を照会します。\fIport#\fR 引数は、\fBdig\fR が標準の DNS ポート番号 53 の代わりにクエリーを送信するポート番号です。このオプションを使用すると、標準以外のポート番号でクエリーを待機するように構成されているネームサーバーをテストできます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-q\fR \fIname\fR\fR -.ad -.sp .6 -.RS 4n -クエリー名を \fIname\fR に設定します。これは、クエリー名をほかの引数と容易に区別できるという点で便利です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -クエリータイプを \fItype\fR に設定します。これには、BIND9 でサポートされている有効なクエリータイプを指定できます。逆検索を示す \fB-x\fR オプションが指定されていないかぎり、デフォルトのクエリータイプは「A」です。タイプ AXFR を指定することによって、ゾーン転送を要求できます。増分ゾーン転送 (Incremental Zone Transfer、IXFR) が必要な場合は、\fItype\fR を \fBixfr\fR=\fIN\fR に設定します。増分ゾーン転送には、ゾーンの SOA レコードのシリアル番号が \fIN\fR であった時点以降にゾーンに加えられた変更が含まれます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-x\fR \fIaddr\fR\fR -.ad -.sp .6 -.RS 4n 
-逆検索を簡略化します (アドレスを名前にマッピングします)。\fIaddr\fR 引数は、ドット区切り 10 進表記の IPv4 アドレスか、コロン区切りの IPv6 アドレスです。このオプションを使用する場合は、\fIname\fR、\fIclass\fR、および \fItype\fR の各引数を指定する必要はありません。\fBdig\fR ユーティリティーは、自動的に \fB11.12.13.10.in-addr.arpa\fR などの名前の検索を実行し、クエリーのタイプとクラスをそれぞれ PTR と IN に設定します。デフォルトでは、IPv6 アドレスはニブル形式を使用して IP6.ARPA ドメインで検索されます。IP6.INT ドメインを使用する以前の RFC1886 方式を使用するには、\fB-i\fR オプションを指定します。ビット文字列ラベル (RFC 2874) は、実験的な段階であり、試行されません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-y\fR [\fIhmac\fR:]\fIname\fR:\fIkey\fR\fR -.ad -.sp .6 -.RS 4n -コマンド行でトランザクション署名 (TSIG) 鍵を指定します。これは、\fBdig\fR によって送信される DNS クエリーと、その応答に署名するために行います。\fB-y\fR オプションを使用すると、TSIG 鍵自体をコマンド行で指定することもできます。オプションの \fIhmac\fR は TSIG のタイプであり、デフォルトは \fBHMAC-MD5\fR です。\fIname\fR 引数は TSIG 鍵の名前であり、\fIkey\fR 引数は実際の鍵です。鍵は base-64 でエンコードされた文字列であり、通常は、\fBdnssec-keygen\fR(8) によって生成されます。 -.sp -鍵が \fBps\fR(1) の出力またはシェルの履歴ファイルに示されるため、複数ユーザーシステムで \fB-y\fR オプションを使用するときは注意するようにしてください。\fBdig\fR で TSIG 認証を使用する場合は、照会されるネームサーバーが、使用される鍵とアルゴリズムを認識できる必要があります。BIND では、\fBnamed.conf\fR で適切な \fBkey\fR 文と \fBserver\fR 文を指定します。 -.RE - -.SH クエリーオプション -.sp -.LP -\fBdig\fR ユーティリティーには、検索方法と結果の表示方法に影響を与える多数のクエリーオプションが用意されています。これらのクエリーオプションを使用すると、クエリーヘッダーのフラグビットを設定/リセットしたり、回答のどの部分を出力するかを決定したり、タイムアウト/再試行方針を決定したりできます。 -.sp -.LP -各クエリーオプションは、プラス記号 (+) とそれに続くキーワードによって識別されます。一部のキーワードは、オプションを設定またはリセットします。これらのキーワードの前に文字列 no を指定すると、そのキーワードの意味を否定できます。タイムアウトの間隔など、オプションに値を割り当てるキーワードもあります。これらは、\fB+keyword=\fR\fI value\fR の形式をとります。クエリーオプションを次に示します。 -.sp -.ne 2 -.mk -.na -\fB\fB+[no]tcp\fR\fR -.ad -.sp .6 -.RS 4n -ネームサーバーに照会するときに TCP を使用します [使用しません]。デフォルトの動作では UDP が使用されます。ただし、TCP 接続が使用される AXFR または IXFR クエリーが要求された場合を除きます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]vc\fR\fR -.ad -.sp .6 -.RS 4n -ネームサーバーに照会するときに TCP を使用します [使用しません]。\fB+[no]tcp\fR の代替構文は下位互換性を確保するために用意されています。「vc」は、「virtual circuit (仮想回路)」を表します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]ignore\fR\fR -.ad -.sp .6 -.RS 4n -TCP で再試行する代わりに、UDP 応答での切り捨てを無視します。デフォルトでは、TCP での再試行が実行されます。 -.RE - -.sp -.ne 2 -.mk -.na 
-\fB\fB+domain=\fR\fIsomename\fR\fR -.ad -.sp .6 -.RS 4n -\fB/etc/resolv.conf\fR の \fBdomain\fR 指令で指定された場合と同じように単一のドメイン \fIsomename\fR を含めるように検索リストを設定し、\fB+search\fR オプションが指定された場合と同じように検索リストが処理されるようにします。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]search\fR\fR -.ad -.sp .6 -.RS 4n -\fBsearchlist\fR、または存在する場合は \fBresolv.conf\fR の \fBdomain\fR 指令で定義されている検索リストを使用します [使用しません]。デフォルトでは、検索リストは使用されません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]showsearch\fR\fR -.ad -.sp .6 -.RS 4n -中間結果を表示して検索を実行します [実行しません]。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]defname\fR\fR -.ad -.sp .6 -.RS 4n -非推奨、\fB+[no]search\fR の同義語として処理されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]aaonly\fR\fR -.ad -.sp .6 -.RS 4n -クエリーで \fBaa\fR フラグを設定します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]aaflag\fR\fR -.ad -.sp .6 -.RS 4n -\fB+[no]aaonly\fR の同義語です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]adflag\fR\fR -.ad -.sp .6 -.RS 4n -クエリーで AD (Authentic Data、認証済みデータ) ビットを設定します [設定しません]。これは、サーバーのセキュリティーポリシーに従って、すべての回答セクションおよび権限セクションが検証されたかどうかにかかわらず、安全であると応答するようにサーバーに要求します。設定 \fBAD=1\fR は、すべてのレコードが安全であると検証されいて、回答が \fBOPT-OUT\fR の範囲からではないことを示します。\fBAD=0\fR は、回答の一部が安全ではないか、検証されていないことを示します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cdflag\fR\fR -.ad -.sp .6 -.RS 4n -クエリーで CD (Checking Disabled、チェック無効) ビットを設定します [設定しません]。これは、応答の DNSSEC 検証を実行しないようにサーバーに要求します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cl\fR\fR -.ad -.sp .6 -.RS 4n -レコードを出力するときに CLASS を表示します [表示しません]。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]ttlid\fR\fR -.ad -.sp .6 -.RS 4n -レコードを出力するときに TTL を表示します [表示しません]。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]recurse\fR\fR -.ad -.sp .6 -.RS 4n -クエリーで RD (Recursion Desired、再帰要望) ビットの設定を切り替えます。デフォルトでは、このビットは設定されています。これは、\fBdig\fR で通常は再帰クエリーが送信されることを意味します。\fB+nssearch\fR または \fB+trace\fR クエリーオプションが使用されている場合、再帰は自動的に無効になります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]nssearch\fR\fR -.ad -.sp .6 -.RS 4n -このオプションを設定すると、\fBdig\fR は、検索対象の名前が含まれるゾーンの信頼できるネームサーバーを見つけて、各ネームサーバーが持つゾーンの SOA レコードを表示しようとします。 -.RE - -.sp -.ne 2 -.mk -.na 
-\fB\fB+[no]trace\fR\fR -.ad -.sp .6 -.RS 4n -検索対象の名前の、ルートネームサーバーからの委譲パスのトレースの有効/無効を切り替えます。デフォルトでは、トレースは無効になっています。トレースを有効にすると、\fBdig\fR は、反復クエリーを実行して検索対象の名前を解決します。ルートサーバーからのリフェラルを追跡し、検索の解決に使用した各サーバーからの回答を表示します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cmd\fR\fR -.ad -.sp .6 -.RS 4n -出力の中にある、\fBdig\fR のバージョンと適用されているクエリーオプションを識別する先頭のコメントの有無を切り替えます。デフォルトでは、このコメントは出力されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]short\fR\fR -.ad -.sp .6 -.RS 4n -簡易形式の回答を表示します。デフォルトでは、詳細形式の回答が出力されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]identify\fR\fR -.ad -.sp .6 -.RS 4n -+\fIshort\fR オプションが有効になっている場合に、回答を返したサーバーの IP アドレスおよびポート番号を表示します [表示しません]。短い形式の回答を要求した場合、デフォルトでは、回答を返したサーバーの発信元アドレスおよびポート番号は表示されません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]comments\fR\fR -.ad -.sp .6 -.RS 4n -出力でのコメント行の表示の有無を切り替えます。デフォルトでは、コメントが出力されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]stats\fR\fR -.ad -.sp .6 -.RS 4n -クエリーが発行された時刻、応答のサイズなどの統計情報の出力の有無を切り替えます。デフォルトの動作では、クエリーの統計情報が出力されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]qr\fR\fR -.ad -.sp .6 -.RS 4n -クエリーが送信されたときにクエリーを出力します [出力しません]。デフォルトでは、クエリーは出力されません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]question\fR\fR -.ad -.sp .6 -.RS 4n -回答が返されたときに、クエリーの質問セクションを出力します [出力しません]。デフォルトでは、質問セクションがコメントとして出力されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]answer\fR\fR -.ad -.sp .6 -.RS 4n -応答の回答セクションを表示します [表示しません]。デフォルトでは表示されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]authority\fR\fR -.ad -.sp .6 -.RS 4n -応答の権限セクションを表示します [表示しません]。デフォルトでは表示されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]additional\fR\fR -.ad -.sp .6 -.RS 4n -応答の追加セクションを表示します [表示しません]。デフォルトでは表示されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]all\fR\fR -.ad -.sp .6 -.RS 4n -すべての表示フラグを設定またはクリアします。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+time=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -クエリーのタイムアウトを \fIT\fR 秒に設定します。デフォルトのタイムアウトは 5 秒です。\fIT\fR を 1 未満に設定しようとした場合、1 秒が適用されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+tries=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -UDP での最大試行回数を \fIT\fR に設定します。デフォルトの数値は 3 (最初の試行が 1 回と、その後の再試行が 2 
回) です。T が 0 以下の場合、再試行回数は自動的に 1 に切り上げられます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+retry=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -UDP での再試行回数を \fIT\fR に設定します。デフォルトは 2 です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+ndots=\fR\fID\fR\fR -.ad -.sp .6 -.RS 4n -\fIname\fR に示すドットの数を \fID\fR に設定します。この数のドットが含まれる名前は絶対名と見なされます。デフォルト値は、\fB/etc/resolv.conf\fR で \fBndots\fR 文を使用して定義されている値です。\fBndots\fR 文が存在しない場合は 1 です。ドットがこの値よりも少ない名前は、相対名と解釈され、\fB/etc/resolv.conf\fR の \fBsearch\fR 指令または \fBdomain\fR 指令に示されているドメイン内で検索されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+bufsize=\fR\fIB\fR\fR -.ad -.sp .6 -.RS 4n -EDNS0 を使用して通知される UDP メッセージバッファーサイズを \fIB\fR バイトに設定します。このバッファーの最大および最小サイズはそれぞれ 65535 と 0 です。この範囲外の値は、適切に切り上げられるか、切り下げられます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+edns=\fR\fI#\fR\fR -.ad -.sp .6 -.RS 4n -クエリーで使用される EDNS バージョンを指定します。有効な値の範囲は 0 - 255 です。EDNS バージョンを設定すると、EDNS クエリーが送信されます。\fB+noedns\fR により、記憶されている EDNS バージョンはクリアされます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]multiline\fR\fR -.ad -.sp .6 -.RS 4n -SOA レコードなどのレコードを、詳細な複数行形式で、人間が読める形式のコメントとともに出力します。デフォルトでは、\fBdig\fR 出力をマシンで容易に解析できるようにするため、各レコードが 1 行に 1 つずつ出力されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]fail\fR\fR -.ad -.sp .6 -.RS 4n -\fBSERVFAIL\fR を受け取った場合に、次のサーバーを試行しません。デフォルトでは次のサーバーを試行しません。これは、通常のスタブリゾルバとは逆の動作です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]besteffort\fR\fR -.ad -.sp .6 -.RS 4n -不正な形式のメッセージの内容を表示しようとします。デフォルトでは、不正な形式の回答は表示されません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]dnssec\fR\fR -.ad -.sp .6 -.RS 4n -クエリーの追加セクションの OPT レコードで DNSSEC OK (DO) ビットを設定し、DNSSEC レコードが送信されるよう要求します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]sigchase\fR\fR -.ad -.sp .6 -.RS 4n -DNSSEC 署名チェーンを追跡します。\fB-DDIG_SIGCHASE\fR を使用して \fBdig\fR をコンパイルする必要があります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+trusted-key=\fR####\fR -.ad -.sp .6 -.RS 4n -\fB+sigchase\fR で使用される信頼できる鍵が含まれるファイルを指定します。\fBDNSKEY\fR レコードは、1 行に 1 つずつ記述する必要があります。 -.sp -ファイルを指定しない場合、dig は、\fB/etc/trusted-key.key\fR、現在のディレクトリの \fBtrusted-key.key\fR の順に検索します。 -.sp -\fB-DDIG_SIGCHASE\fR を使用して \fBdig\fR 
をコンパイルする必要があります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]topdown\fR\fR -.ad -.sp .6 -.RS 4n -DNSSEC 署名チェーンを追跡するときに、トップダウン検証を実行します。\fB-DDIG_SIGCHASE\fR を使用して \fBdig\fR をコンパイルする必要があります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]nsid\fR\fR -.ad -.sp .6 -.RS 4n -クエリーを送信するときに、EDNS ネームサーバーの ID 要求を含めます。 -.RE - -.SH 複数のクエリー -.sp -.LP -BIND 9 における \fBdig\fR の実装では、(\fB-f\fR バッチファイルオプションのサポートに加えて) コマンド行での複数のクエリーの指定がサポートされます。これらの各クエリーは、それぞれ一連のフラグ、オプション、およびクエリーオプションを設定して発行できます。 -.sp -.LP -この場合、各 \fIquery\fR 引数は、前述のコマンド行構文での個々のクエリーを表します。各クエリーは、標準のオプションとフラグ、検索対象の名前、クエリータイプ (省略可能)、クラス、およびそのクエリーに適用するクエリーオプションで構成されます。 -.sp -.LP -すべてのクエリーに適用するクエリーオプションのグローバルセットを設定することもできます。これらのグローバルなクエリーオプションは、コマンド行で、名前、クラス、タイプ、オプション、フラグ、およびクエリーオプションの最初の組の前に指定する必要があります。グローバルなクエリーオプション (\fB+[no]cmd\fR オプションを除く) は、クエリーごとの一連のクエリーオプションで上書きできます。例: -.sp -.in +2 -.nf -dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -.fi -.in -2 -.sp - -.sp -.LP -この例は、コマンド行から \fBdig\fR を使用して、3 つの検索 (\fBwww.isc.org\fR の ANY クエリー、127.0.0.1 の逆検索、および \fBisc.org\fR の NS レコードのクエリー) を実行する方法を示しています。グローバルなクエリーオプション \fB+qr\fR が適用されているため、\fBdig\fR によって、発行された最初のクエリーが各検索で表示されます。最後のクエリーには、ローカルなクエリーオプション \fB+noqr\fR が指定されています。これは、\fBdig\fR によって、\fBisc.org\fR の NS レコードを検索したときに、最初のクエリーが出力されないことを意味しています。 -.SH ファイル -.sp -.ne 2 -.mk -.na -\fB\fB/etc/resolv.conf\fR\fR -.ad -.sp .6 -.RS 4n -リゾルバ構成ファイル -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB${HOME}/.digrc\fR\fR -.ad -.sp .6 -.RS 4n -ユーザー定義構成ファイル -.RE - -.SH 属性 -.sp -.LP -属性についての詳細は、マニュアルページの \fBattributes\fR(5) を参照してください。 -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. 
-属性タイプ属性値 -_ -使用条件network/dns/bind -_ -インタフェースの安定性流動的 -.TE - -.SH 関連項目 -.sp -.LP -\fBdnssec-keygen\fR(8), \fBhost\fR(8), \fBnamed\fR(8), \fBnslookup\fR(8), \fBattributes\fR(5) -.sp -.LP -\fIRFC 1035\fR -.sp -.LP -『BIND 9 \fIAdministrator's Reference Manual\fR』を参照してください。このマニュアルページの発行日付時点で、このドキュメントは https://www.isc.org/software/bind/documentation から利用できます。 -.SH 使用上の留意点 -.sp -.LP -クエリーオプションが多すぎる可能性があります。 -.SH 注意事項 -.sp -.LP -\fBnslookup\fR(8) および \fBdig\fR で、「Not Implemented」が \fBNOTIMPL\fR ではなく \fBNOTIMP\fR と報告されるようになりました。これは、\fBNOTIMPL\fR を検索するスクリプトに影響します。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/ja/dnssec-dsfromkey.8 --- a/components/bind/Solaris/ja/dnssec-dsfromkey.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,169 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-dsfromkey 8 "2010 年 1 月 11 日" "SunOS 5.12" "システム管理コマンド" -.SH 名前 -dnssec-dsfromkey \- DNSSEC DS RR 生成ツール -.SH 形式 -.LP -.nf -\fBdnssec-dsfromkey\fR [\fB-v\fR \fIlevel\fR] [\fB-1\fR] [\fB-2\fR] [\fB-a\fR \fIalg\fR] \fIkeyfile\fR -.fi - -.LP -.nf -\fBdnssec-dsfromkey\fR \fB-s\fR [\fB-v\fR \fIlevel\fR] [\fB-1\fR] [\fB-2\fR] [\fB-a\fR \fIalg\fR] [\fB-c\fR \fIclass\fR] - [\fB-d\fR \fIdir\fR] \fIkeyfile\fR -.fi - -.SH 機能説明 -.sp -.LP -\fBdnssec-dsfromkey\fR -.SH オプション -.sp -.LP -サポートしているオプションは、次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fB-1\fR\fR -.ad -.sp .6 -.RS 4n -ダイジェストアルゴリズムとして \fBSHA-1\fR を使用します。デフォルトでは、\fBSHA-1\fR と \fBSHA-256\fR の両方を使用します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-2\fR\fR -.ad -.sp .6 -.RS 4n -ダイジェストアルゴリズムとして SHA-256 を使用します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -ダイジェストアルゴリズムを選択します。\fIalgorithm\fR の値は、\fBSHA-1\fR (\fBSHA1\fR) または \fBSHA-256\fR (\fBSHA256\fR) のいずれかにする必要があります。これらの値は大文字と小文字が区別されません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -デバッグのレベルを設定します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR\fR -.ad -.sp .6 -.RS 4n -鍵セットモード: 
鍵ファイル名の代わりに、鍵セットファイルの DNS ドメイン名が引数になります。\fB-c\fR オプションと \fB-d\fR オプションは、このモードでのみ有効です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -DNS クラスを指定します (デフォルトは \fBIN\fR)。これは鍵セットモードでのみ有効です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -directory ディレクトリ内の鍵セットファイルを検索します。鍵セットモードでないときは無視されます。 -.RE - -.SH 使用例 -.sp -.LP -\fBKexample.com.+003+26160\fR の鍵ファイル名から SHA-256 DS RR を作成するには、次のようなコマンドを使用します。 -.sp -.in +2 -.nf -# \fBdnssec-dsfromkey -2 Kexample.com.+003+26160\fR -.fi -.in -2 -.sp - -.sp -.LP -このコマンドによって、次のような出力が生成されます。 -.sp -.in +2 -.nf -example.com. IN DS 26160 5 2 -3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 -C5EA0B94 -.fi -.in -2 -.sp - -.SH ファイル -.sp -.LP -鍵ファイルは、鍵 ID \fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR、または完全なファイル名 \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.key\fR によって指定できます。これらの鍵は、\fBdnssec-keygen\fR(8) によって生成されます。 -.sp -.LP -鍵セットファイル名は、ディレクトリ、文字列 \fBkeyset-\fR、および \fIdnsname\fR から作成されます。 -.SH 属性 -.sp -.LP -属性についての詳細は、マニュアルページの \fBattributes\fR(5) を参照してください。 -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性タイプ属性値 -_ -使用条件service/network/dns/bind -_ -インタフェースの安定性流動的 -.TE - -.SH 関連項目 -.sp -.LP -\fBdnssec-keygen\fR(8), \fBdnssec-signzone\fR(8), \fBattributes\fR(5) -.sp -.LP -\fIRFC 3658\fR、\fIRFC 4509\fR -.sp -.LP -『BIND 9 \fIAdministrator's Reference Manual\fR』を参照してください。このマニュアルページの発行日付時点で、このドキュメントは https://www.isc.org/software/bind/documentation から利用できます。 -.SH 注意 -.sp -.LP -鍵ファイルのエラーにより、ファイルが存在する場合でも「ファイルが見つかりません」というメッセージが生成されることがあります。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/ja/dnssec-keyfromlabel.8 --- a/components/bind/Solaris/ja/dnssec-keyfromlabel.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,194 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-keyfromlabel 8 "2010 年 1 月 11 日" "SunOS 5.12" "システム管理コマンド" -.SH 名前 -dnssec-keyfromlabel \- DNSSEC 鍵生成ツール -.SH 形式 -.LP -.nf -\fBdnssec-keyfromlabel\fR \fB-a\fR \fIalgorithm\fR \fB-l\fR \fIlabel\fR [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIflag\fR] [\fB-k\fR] - [\fB-n\fR \fInametype\fR] [\fB-p\fR \fIprotocol\fR] [\fB-t\fR \fItype\fR] [\fB-v\fR \fIlevel\fR] \fIname\fR -.fi - -.SH 機能説明 -.sp -.LP -\fBdnssec-keyfromlabel\fR は、指定されたラベルを含む鍵を暗号化ハードウェアデバイスから取得し、RFC 2535 および RFC 4034 で定義されている DNSSEC (Secure DNS) の鍵ファイルを作成します。 -.SH オプション -.sp -.LP -サポートしているオプションは、次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -暗号化アルゴリズムを選択します。\fIalgorithm\fR の値は、\fBRSAMD5\fR (RSA) または \fBRSASHA1\fR、\fBDSA\fR、\fBNSEC3RSASHA1\fR、\fBNSEC3DSA\fR、\fBDH\fR (Diffie-Hellman) のいずれかにする必要があります。これらの値は大文字と小文字が区別されません。 -.sp -\fBDNSSEC\fR の場合、\fBRSASHA1\fR は実装が必須のアルゴリズムであるため、DSA が推奨されることに注意してください。また、\fBDH\fR では \fB-k\fR フラグが自動的に設定されることにも注意してください。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-l\fR \fIlabel\fR \fR -.ad -.sp .6 -.RS 4n -暗号化ハードウェア (PKCS#11) デバイス内の鍵のラベルを指定します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInametype\fR\fR 
-.ad -.sp .6 -.RS 4n -鍵の所有者型を指定します。\fInametype\fR の値は、\fBZONE\fR (\fBDNSSEC\fR ゾーン鍵 (\fBKEY\fR/\fBDNSKEY\fR) の場合)、\fBHOST\fR または \fBENTITY\fR (ホストに関連付けられた鍵 (\fBKEY\fR) の場合)、\fBUSER\fR (ユーザーに関連付けられた鍵 (\fBKEY\fR) の場合)、\fBOTHER\fR (\fBDNSKEY\fR) のいずれかにする必要があります。これらの値は大文字と小文字が区別されません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -鍵を含む DNS レコードに、指定されたクラスが存在するべきであることを示します。指定されていない場合は、クラス \fBIN\fR が使用されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIflag\fR\fR -.ad -.sp .6 -.RS 4n -指定されたフラグを \fBKEY\fR/\fBDNSKEY\fR レコードのフラグフィールドに設定します。認識されるフラグは \fBKSK\fR (Key Signing Key) \fBDNSKEY\fR のみです。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -\fBdnssec-keyfromlabel\fR のオプションと引数の簡単なサマリーを表示します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fI\fR\fR -.ad -.sp .6 -.RS 4n -\fBDNSKEY\fR レコードではなく \fBKEY\fR レコードを生成します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIprotocol\fR\fR -.ad -.sp .6 -.RS 4n -生成された鍵のプロトコル値を設定します。プロトコルは 0 - 255 の数値です。デフォルトは \fB3\fR (\fBDNSSEC\fR) です。この引数に指定可能なほかの値は、RFC 2535 およびそれ以降のバージョンに記載されています。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -鍵の使用を示します。\fItype\fR は、\fBAUTHCONF\fR、\fBNOAUTHCONF\fR、\fBNOAUTH\fR、\fBNOCONF\fR のいずれかにする必要があります。デフォルトは \fBAUTHCONF\fR です。\fBAUTH\fR はデータを認証する機能を、\fBCONF\fR はデータを暗号化する機能を示します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -デバッグのレベルを設定します。 -.RE - -.SH 生成される鍵ファイル -.sp -.LP -\fBdnssec-keyfromlabel\fR が正常に完了すると、\fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR\fR の形式の文字列が標準出力に表示されます。これは生成された鍵ファイルの識別文字列で、次の内容を示します。 -.RS +4 -.TP -.ie t \(bu -.el o -\fInnnn\fR は鍵名です。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIaaa\fR はアルゴリズムの数値表現です。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIiiiii\fR は鍵識別子 (またはフットプリント) です。 -.RE -.sp -.LP -\fBdnssec-keyfromlabel\fR は、表示された文字列に基づいた名前を持つ 2 つのファイルを作成します。\fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.key\fR には公開鍵が、\fBK\fInnnn\fR.+\fI aaa\fR+\fIiiiii\fR.private\fR には秘密鍵が含まれます。 -.sp -.LP -最初のファイルには、ゾーンファイルに (直接、または 
\fB$INCLUDE\fR 文を使用して) 挿入できる \fBDNS\fR \fBKEY\fR レコードが含まれます。 -.sp -.LP -2 番目のファイルには、アルゴリズムに固有のフィールドが含まれます。セキュリティー上の理由から、このファイルには一般的な読み取り権はありません。 -.SH 属性 -.sp -.LP -属性についての詳細は、マニュアルページの \fBattributes\fR(5) を参照してください。 -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性タイプ属性値 -_ -使用条件service/network/dns/bind -_ -インタフェースの安定性流動的 -.TE - -.SH 関連項目 -.sp -.LP -\fBdnssec-keygen\fR(8), \fBdnssec-signzone\fR(8), \fBattributes\fR(5) -.sp -.LP -\fIRFC 2539\fR、\fIRFC 2845\fR、\fIRFC 4033\fR -.sp -.LP -『BIND 9 \fIAdministrator's Reference Manual\fR』を参照してください。このマニュアルページの発行日付時点で、このドキュメントは https://www.isc.org/software/bind/documentation から利用できます。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/ja/dnssec-keygen.8 --- a/components/bind/Solaris/ja/dnssec-keygen.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,300 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-keygen 8 "2010 年 1 月 11 日" "SunOS 5.12" "システム管理コマンド" -.SH 名前 -dnssec-keygen \- DNSSEC 鍵生成ツール -.SH 形式 -.LP -.nf -\fBdnssec-keygen\fR \fB-a\fR \fIalgorithm\fR \fB-b\fR \fIkeysize\fR \fB-n\fR \fInametype\fR [\fB-ehk\fR] - [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIflag\fR] [\fB-g\fR \fIgenerator\fR] [\fB-p\fR \fIprotocol\fR] - [\fB-r\fR \fIrandomdev\fR] [\fB-s\fR \fIstrength\fR] [\fB-t\fR \fItype\fR] [\fB-v\fR \fIlevel\fR] \fIname\fR -.fi - -.SH 機能説明 -.sp -.LP -\fBdnssec-keygen\fR ユーティリティーは、RFC 2535 および RFC 4034 で定義されている DNSSEC (Secure DNS) の鍵を生成します。また、RFC 2845 で定義されている TSIG (Transaction Signatures) で使用する鍵も生成します。 -.SH オプション -.sp -.LP -サポートしているオプションは、次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -暗号化アルゴリズムを選択します。algorithm の値は、RSAMD5 (RSA) または RSASHA1、DSA、NSEC3RSASHA1、NSEC3DSA、\fBDH\fR (Diffie-Hellman)、HMAC-MD5 のいずれかにする必要があります。これらの値は大文字と小文字が区別されません。 -.sp -DNSSEC の場合、RSASHA1 は実装が必須のアルゴリズムであるため、DSA が推奨されます。TSIG の場合は、HMAC-MD5 が必須です。 -.LP -注 - -.sp -.RS 2 -HMAC-MD5 と DH では、\fB-k\fR フラグが自動的に設定されます。 -.RE -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIkeysize\fR\fR -.ad -.sp .6 -.RS 4n 
-鍵のビット数を指定します。鍵サイズの選択は、使用されるアルゴリズムによって異なります。RSAMD5 鍵と RSASHA1 鍵は、512 - 2048 ビットの間にする必要があります。Diffie-Hellman 鍵は、128 - 4096 ビットの間にする必要があります。DSA 鍵は、512 - 1024 ビットの間で、ちょうど 64 の倍数になる値にする必要があります。HMAC-MD5 鍵は、1 - 512 ビットの間にする必要があります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -鍵を含む DNS レコードに、指定されたクラスが存在するべきであることを示します。指定されていない場合は、クラス IN が使用されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR\fR -.ad -.sp .6 -.RS 4n -RSAMD5 鍵または RSASHA1 鍵を生成する場合は、大きな指数を使用します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIflag\fR\fR -.ad -.sp .6 -.RS 4n -指定されたフラグを KEY/DNSKEY レコードのフラグフィールドに設定します。認識されるフラグは KSK (Key Signing Key) DNSKEY のみです。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-g\fR \fIgenerator\fR\fR -.ad -.sp .6 -.RS 4n -Diffie Hellman 鍵を生成する場合は、この \fIgenerator\fR を使用します。指定可能な値は 2 と 5 です。ジェネレータが指定されていない場合は、可能であれば RFC 2539 からの既知の素数が使用されます。それ以外の場合、デフォルトは 2 です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -\fBdnssec-keygen\fR のオプションと引数の簡単なサマリーを出力します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR\fR -.ad -.sp .6 -.RS 4n -DNSKEY レコードではなく KEY レコードを生成します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInametype\fR\fR -.ad -.sp .6 -.RS 4n -鍵の所有者型を指定します。\fInametype\fR の値は、\fBZONE\fR (DNSSEC ゾーン鍵 (KEY/DNSKEY) の場合)、\fBHOST\fR または \fBENTITY\fR (ホストに関連付けられた鍵 (KEY) の場合)、USER (ユーザーに関連付けられた鍵 (KEY) の場合)、\fBOTHER\fR (DNSKEY) のいずれかにする必要があります。これらの値は大文字と小文字が区別されません。デフォルトは、DNSKEY 生成用の ZONE です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIprotocol\fR\fR -.ad -.sp .6 -.RS 4n -生成された鍵のプロトコル値を設定します。\fIprotocol\fR 引数は 0 - 255 の数値です。デフォルトは 3 (DNSSEC) です。この引数に指定可能なのほか値は、RFC 2535 およびそれ以降のバージョンに記載されています。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.sp .6 -.RS 4n -乱数発生元を指定します。オペレーティングシステムによって \fB/dev/random\fR または同等のデバイスが提供されていない場合、デフォルトの乱数発生元はキーボード入力です。\fIrandomdev\fR は、このデフォルトの代わりに使用される、ランダムデータを含む文字デバイスまたはファイルの名前を指定します。特殊な値「\fBkeyboard\fR」は、キーボード入力を使用する必要があることを示します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstrength\fR\fR -.ad -.sp .6 -.RS 4n 
-鍵の強さの値を指定します。\fIstrength\fR 引数は 0 - 15 の数値で、現時点では DNSSEC でその用途は定義されていません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -鍵の使用を示します。\fBtype\fR は、\fBAUTHCONF\fR、\fBNOAUTHCONF\fR、\fBNOAUTH\fR、\fBNOCONF\fR のいずれかにする必要があります。デフォルトは \fBAUTHCONF\fR です。\fBAUTH\fR はデータを認証する機能を、\fBCONF\fR はデータを暗号化する機能を示します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -デバッグのレベルを設定します。 -.RE - -.SH 生成される鍵 -.sp -.LP -\fBdnssec-keygen\fR が正常に完了すると、\fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR\fR の形式の文字列が標準出力に表示されます。これは、生成された鍵の識別文字列です。 -.RS +4 -.TP -.ie t \(bu -.el o -\fInnnn\fR は鍵名です。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIaaa\fR はアルゴリズムの数値表現です。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIiiiii\fR は鍵識別子 (またはフットプリント) です。 -.RE -.sp -.LP -\fBdnssec-keygen\fR ユーティリティーは、出力された文字列に基づいた名前を持つ 2 つのファイルを作成します。 -.RS +4 -.TP -.ie t \(bu -.el o -\fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.\fBkey\fR には公開鍵が含まれます。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.\fBprivate\fR には秘密鍵が含まれます。 -.RE -.sp -.LP -\fB\&.key\fR ファイルには、ゾーンファイルに (直接、または \fB$INCLUDE\fR 文を使用して) 挿入できる DNS \fBKEY\fR レコードが含まれます。 -.sp -.LP -\fB\&.private\fR ファイルには、アルゴリズムに固有のフィールドが含まれます。セキュリティー上の理由から、このファイルには一般的な読み取り権はありません。 -.sp -.LP -公開鍵と秘密鍵が同じである場合でも、HMAC-MD5 などの対称暗号化アルゴリズム用に \fB\&.key\fR ファイルと \fB\&.private\fR ファイルの両方が生成されます。 -.SH 使用例 -.LP -\fB例 1 \fR768 ビットの DSA 鍵の生成 -.sp -.LP -ドメイン \fBexample.com\fR 用に 768 ビットの DSA 鍵を生成するには、次のコマンドを発行します。 - -.sp -.in +2 -.nf -dnssec-keygen -a DSA -b 768 -n ZONE example.com -.fi -.in -2 -.sp - -.sp -.LP -このコマンドは、次の形式の文字列を出力します。 - -.sp -.in +2 -.nf -Kexample.com.+003+26160 -.fi -.in -2 -.sp - -.sp -.LP -次のファイルが作成されます。 - -.sp -.in +2 -.nf -Kexample.com.+003+26160.key -Kexample.com.+003+26160.private -.fi -.in -2 -.sp - -.SH 属性 -.sp -.LP -属性についての詳細は、マニュアルページの \fBattributes\fR(5) を参照してください。 -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. 
-属性タイプ属性値 -_ -使用条件service/network/dns/bind -_ -インタフェースの安定性流動的 -.TE - -.SH 関連項目 -.sp -.LP -\fBdnssec-signzone\fR(8), \fBattributes\fR(5) -.sp -.LP -\fIRFC 2539\fR、\fIRFC 2845\fR、\fIRFC 4033\fR -.sp -.LP -『BIND 9 \fIAdministrator's Reference Manual\fR』を参照してください。このマニュアルページの発行日付時点で、このドキュメントは https://www.isc.org/software/bind/documentation から利用できます。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/ja/dnssec-signzone.8 --- a/components/bind/Solaris/ja/dnssec-signzone.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,431 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-signzone 8 "2010 年 1 月 11 日" "SunOS 5.12" "システム管理コマンド" -.SH 名前 -dnssec-signzone \- DNSSEC ゾーン署名ツール -.SH 形式 -.LP -.nf -\fBdnssec-signzone\fR [\fB-Aaghptz\fR] [\fB-c\fR \fIclass\fR] [\fB-d\fR \fIdirectory\fR] - [\fB-e\fR \fIend-time\fR] [\fB-f\fR \fIoutput-file\fR] [\fB-H\fR \fIiterations\fR] [\fB-I\fR \fIinput_format\fR] - [\fB-i\fR \fIinterval\fR] [\fB-k\fR \fIkey\fR] [\fB-l\fR \fIdomain\fR] [\fB-N\fR \fIsoa-serial-format\fR] [\fB-n\fR \fIncpus\fR] - [\fB-O\fR \fIoutput_format\fR] [\fB-o\fR \fIorigin\fR] [\fB-r\fR \fIrandomdev\fR] [\fB-s\fR \fIstart-time\fR] - [\fB-v\fR \fIlevel\fR] [\fB-3\fR \fIsalt\fR] \fIzonefile\fR [\fIkey\fR]... 
-.fi - -.SH 機能説明 -.sp -.LP -\fBdnssec-signzone\fR ユーティリティーはゾーンに署名します。このユーティリティーは \fBNSEC\fR レコードと \fBRRSIG\fR レコードを生成し、ゾーンの署名されたバージョンを生成します。署名されたゾーンからの委譲のセキュリティーステータス (つまり、子ゾーンがセキュリティー保護されているかどうか) は、子ゾーンごとに \fBkeyset\fR ファイルが存在するかどうかによって決まります。 -.SH オプション -.sp -.LP -サポートしているオプションは、次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fB-A\fR\fR -.ad -.sp .6 -.RS 4n -NSEC3 チェーンを生成するときに、すべての NSEC3 レコードに \fBOPTOUT\fR フラグを設定し、安全でない委譲に対しては NSEC3 レコードを生成しません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR\fR -.ad -.sp .6 -.RS 4n -生成されたすべての署名を確認します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -ゾーンの \fBDNS\fR クラスを指定します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -\fIdirectory\fR 内の \fBkeyset\fR ファイルを検索します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR \fIend-time\fR\fR -.ad -.sp .6 -.RS 4n -生成された \fBRRSIG\fR レコードの有効期限が切れる日時を指定します。\fBstart-time\fR と同様に、\fBYYYYMMDDHHMMSS\fR の表記で絶対時間が示されます。開始時間からの相対時間は +\fIN\fR で示されます。これは、開始時間から \fIN\fR 秒後であることを示します。現在の時間からの相対時間は \fBnow\fR+\fIN\fR で示されます。\fIend-time\fR が指定されていない場合、開始時間から 30 日後の日時がデフォルトとして使用されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIoutput-file\fR\fR -.ad -.sp .6 -.RS 4n -署名されたゾーンを含む出力ファイルの名前。デフォルトでは、入力ファイル名に \fB\&.signed\fR が付加されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-g\fR\fR -.ad -.sp .6 -.RS 4n -\fBkeyset\fR ファイルから子ゾーンの DS レコードを生成します。既存の DS レコードは削除されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-H\fR \fIiterations\fR\fR -.ad -.sp .6 -.RS 4n -NSEC3 チェーンを生成するときに、\fIiterations\fR で指定された繰り返しの数を使用します。デフォルトは 100 です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -\fBdnssec-signzone()\fR のオプションと引数の簡単なサマリーを出力します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-I\fR \fIinput-format\fR\fR -.ad -.sp .6 -.RS 4n -入力ゾーンファイルの形式。指定可能な形式は \fBtext\fR (デフォルト) と \fBraw\fR です。このオプションは、動的に署名されたゾーンを主に想定したもので、更新を含む非テキスト形式のダンプされたゾーンファイルに直接署名できるようにします。動的でないゾーンに対してこのオプションを使用しても、意味がありません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-i\fR \fIinterval\fR\fR -.ad -.sp .6 -.RS 4n -サイクル間隔 (秒単位) 
を現在の時間からのオフセットとして指定します。以前に署名されたゾーンが入力として渡された場合は、レコードに再度署名できます。サイクル間隔のあとで \fBRRSIG\fR レコードの有効期限が切れた場合、そのレコードは保持されます。それ以外の場合は、有効期限が間もなく切れるとみなされ、レコードは置き換えられます。 -.sp -デフォルトのサイクル間隔は、署名の終了時間と開始時間の差の 4 分の 1 です。\fIend-time\fR と \fIstart-time\fR のどちらも指定されていない場合、\fBdnssec-signzone\fR は、有効期間が 30 日でサイクル間隔が 7.5 日の署名を生成します。7.5 日よりも短い期間で有効期限が切れる既存の \fBRRSIG\fR レコードは、すべて置き換えられます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-j\fR \fIjitter\fR\fR -.ad -.sp .6 -.RS 4n -固定された署名有効期間でゾーンに署名すると、署名した時点で発行されたすべての \fBRRSIG\fR レコードが同時に有効期限切れになります。ゾーンが増分的に署名される、つまり、以前に署名されたゾーンが署名者に入力として渡される場合は、期限切れとなるすべての署名をほぼ同じ時間に再生成する必要があります。jitter オプションは、署名の期限切れ時間をランダム化するために使用されるジッター時間を指定することにより、増分的な署名の再生成を徐々に分散させます。 -.sp -署名の有効期間のジッターは、キャッシュの有効期限を分散させるため、バリデータとサーバーにもある程度のメリットをもたらします。つまり、すべてのキャッシュにある多数の \fBRRSIG\fR が同時に有効期限切れにならなければ、すべてのバリデータでほぼ同じ時間に再取得が必要になる場合に比べて輻輳は少なくなります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkey\fR\fR -.ad -.sp .6 -.RS 4n -指定された \fIkey\fR を鍵署名鍵として扱い、鍵フラグをすべて無視します。このオプションは複数回指定できます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-l\fR \fIdomain\fR\fR -.ad -.sp .6 -.RS 4n -鍵 (DNSKEY) と DS セットに加えて DLV セットを生成します。ドメインがレコードの名前に付加されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-N\fR \fIsoa-serial-format\fR\fR -.ad -.sp .6 -.RS 4n -署名されたゾーンの SOA シリアル番号形式。指定可能な形式は、次に説明するように \fBkeep\fR (デフォルト)、\fBincrement\fR、および \fBunixtime\fR です。 -.sp -.ne 2 -.mk -.na -\fB\fBkeep\fR\fR -.ad -.sp .6 -.RS 4n -SOA シリアル番号を変更しません。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBincrement\fR \fR -.ad -.sp .6 -.RS 4n -RFC 1982 の算術式を使用して SOA シリアル番号を増分します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBunixtime\fR\fR -.ad -.sp .6 -.RS 4n -SOA シリアル番号を epoch からの経過秒数に設定します。 -.RE - -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInthreads\fR\fR -.ad -.sp .6 -.RS 4n -使用するスレッドの数を指定します。デフォルトでは、検出された CPU ごとに 1 つのスレッドが開始されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-O\fR \fIoutput_format\fR\fR -.ad -.sp .6 -.RS 4n -署名されたゾーンを含む出力ファイルの形式。指定可能な形式は \fBtext\fR (デフォルト) と \fBraw\fR です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-o\fR \fIorigin\fR\fR -.ad -.sp .6 -.RS 4n 
-ゾーンの起点を指定します。指定されていない場合、ゾーンファイルの名前が起点とみなされます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR\fR -.ad -.sp .6 -.RS 4n -ゾーンに署名するときに疑似乱数データを使用します。この方法は実際のランダムデータを使用する場合に比べて高速ですが、安全性は低下します。このオプションは、大規模なゾーンに署名する場合や、エントロピソースが制限されている場合に役立つことがあります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.sp .6 -.RS 4n -乱数発生元を指定します。オペレーティングシステムによって \fB/dev/random\fR または同等のデバイスが提供されていない場合、デフォルトの乱数発生元はキーボード入力です。\fIrandomdev\fR は、このデフォルトの \fB/dev/random\fR の代わりに使用される、ランダムデータを含む文字デバイスまたはファイルの名前を指定します。特殊な値 \fBkeyboard\fR は、キーボード入力を使用する必要があることを示します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstart-time\fR\fR -.ad -.sp .6 -.RS 4n -生成された \fBRRSIG\fR レコードが有効になる日時を指定します。これは絶対時間または相対時間のどちらでもかまいません。絶対開始時間は、\fIYYYYMMDDHHMMSS\fR という表記の数値で示されます。20000530144500 は、2000 年 5 月 30 日の 14:45:00 UTC のことです。相対開始時間は +\fIN\fR で示されます。これは、現在の時間から \fIN\fR 秒後であることを示します。\fIstart-time\fR が指定されていない場合は、(クロックスキューを考慮して) 現在の時間から 1 時間前の時間が使用されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR\fR -.ad -.sp .6 -.RS 4n -完了時に統計情報を出力します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -デバッグのレベルを設定します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-z\fR\fR -.ad -.sp .6 -.RS 4n -署名する対象を決定するときに、鍵の KSK フラグを無視します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-3\fR \fIsalt\fR\fR -.ad -.sp .6 -.RS 4n -指定された 16 進数でエンコードされた \fIsalt\fR を持つ NSEC3 チェーンを生成します。ダッシュ (\fB-\fR) を使用すると、NSEC3 チェーンを生成するときにソルトが使用されないことを示すことができます。 -.RE - -.SH オペランド -.sp -.LP -次のオペランドがサポートされています。 -.sp -.ne 2 -.mk -.na -\fB\fIzonefile\fR\fR -.ad -.sp .6 -.RS 4n -署名されるゾーンを含むファイル。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIkey\fR\fR -.ad -.sp .6 -.RS 4n -ゾーンに署名するためにどの鍵を使用するべきかを指定します。鍵が指定されていない場合は、ゾーンの頂点に \fBDNSKEY\fR レコードがないかどうかが検証されます。レコードが見つかり、かつ一致する秘密鍵が現在のディレクトリ内に存在する場合は、これらの秘密鍵が署名に使用されます。 -.RE - -.SH 使用例 -.LP -\fB例 1 \fRDSA 鍵によるゾーンへの署名 -.sp -.LP -次のコマンドは、\fBdnssec-keygen\fR(8) のマニュアルページにある例で生成された DSA 鍵を使用して \fBexample.com\fR ゾーンに署名します (\fBKexample.com.+003+17247\fR)。ゾーンの鍵がマスターファイル (\fBdb.example.com\fR) 
に存在する必要があります。この呼び出しでは、現在のディレクトリ内で鍵セットファイルを検索することにより、それらのファイルから DS レコードを生成できるようにしています (\fB-g\fR)。 - -.sp -.in +2 -.nf -% \fBdnssec-signzone -g -o example.com db.example.com \e\fR -\fBKexample.com.+003+17247\fR -\fBdb.example.com.signed\fR -% -.fi -.in -2 -.sp - -.sp -.LP -上の例では、\fBdnssec-signzone\fR はファイル \fBdb.example.com.signed\fR を作成します。このファイルは、\fBnamed.conf\fR ファイル内の zone 文で参照される必要があります。 - -.LP -\fB例 2 \fR以前に署名されたゾーンへの再署名 -.sp -.LP -次のコマンドは、デフォルトのパラメータを使用して、以前に署名されたゾーンに再署名します。秘密鍵が現在のディレクトリに存在しているものとします。 - -.sp -.in +2 -.nf -% \fBcp db.example.com.signed db.example.com\fR -% \fBdnssec-signzone -o example.com db.example.com \e\fR -\fBdb.example.com.signed\fR -% -.fi -.in -2 -.sp - -.SH 属性 -.sp -.LP -属性についての詳細は、マニュアルページの \fBattributes\fR(5) を参照してください。 -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性タイプ属性値 -_ -使用条件service/network/dns/bind -_ -インタフェースの安定性流動的 -.TE - -.SH 関連項目 -.sp -.LP -\fBdnssec-keygen\fR(8), \fBattributes\fR(5) -.sp -.LP -\fIRFC 4033\fR -.sp -.LP -『BIND 9 \fIAdministrator's Reference Manual\fR』を参照してください。このマニュアルページの発行日付時点で、このドキュメントは https://www.isc.org/software/bind/documentation から利用できます。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/ja/nsupdate.8 --- a/components/bind/Solaris/ja/nsupdate.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,397 +0,0 @@ -'\" te -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000, 2001, 2003 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved. -.TH nsupdate 8 "2008 年 12 月 24 日" "SunOS 5.12" "システム管理コマンド" -.SH 名前 -nsupdate \- 動的 DNS 更新ユーティリティー -.SH 形式 -.LP -.nf -\fBnsupdate\fR [\fB-dv\fR] [\fB-y\fR \fIkeyname:secret\fR | \fB-k\fR \fIkeyfile\fR] [\fB-t\fR \fItimeout\fR] - [\fB-u\fR \fIudptimeout\fR] [\fB-r\fR \fIudpretries\fR] [\fIfilename\fR] -.fi - -.SH 機能説明 -.sp -.LP -\fBnsupdate\fR ユーティリティーは、RFC 2136 に定義されている動的 DNS 更新要求を、ネームサーバーに送信します。このユーティリティーを使用することで、ゾーンファイルを手動で編集しなくても、リソースレコードをゾーンに追加したりゾーンから削除したりできます。1 つの更新要求に、複数のリソースレコードの追加要求や削除要求を含めることができます。 -.sp -.LP -\fBnsupdate\fR または DHCP サーバーにより動的に制御されているゾーンは、手動で編集しないようにしてください。手動で編集すると、動的更新との競合が発生して、データが失われる可能性があります。 -.sp -.LP -\fBnsupdate\fR を使って動的に追加または削除されたリソースレコードは、同じゾーン内に存在する必要があります。要求は、ゾーンの SOA レコードの \fBMNAME\fR フィールドで識別されるゾーンのマスターサーバーに送信されます。 -.sp -.LP -RFC 2845 に記述されている TSIG リソースレコードタイプを使用した動的 DNS 更新の認証には、トランザクション署名を利用できます。この署名が依存している共有シークレットを知るのは、\fBnsupdate\fR とネームサーバーだけです。現在のところ、TSIG でサポートされる暗号化アルゴリズムは、RFC 2104 で定義されている HMAC-MD5 だけです。その他のアルゴリズムが TSIG 用に定義される場合は、アプリケーションで相互の認証時に適切なアルゴリズムと鍵が選択されるようにする必要があります。たとえば、ネームサーバーが適切な秘密鍵とアルゴリズムを TSIG 
認証を使用するクライアントアプリケーションの IP アドレスに関連付けることができるように、適切な \fBkey\fR および \fBserver\fR 文が \fB/etc/named.conf\fR に追加されます。\fBnsupdate\fR ユーティリティーは、\fB/etc/named.conf\fR を読み取りません。 -.sp -.LP -\fBnsupdate\fR ユーティリティーとともに \fB-y\fR または \fB-k\fR オプションを使用して、TSIG レコードの生成に必要な共有シークレットを提供し、動的 DNS 更新要求を認証します。これらのオプションは相互に排他的です。詳しくは「オプション」の項を参照してください。 -.SH オプション -.sp -.LP -サポートしているオプションは、次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR\fR -.ad -.RS 21n -.rt -デバッグモードで操作します。これにより、作成された更新要求およびネームサーバーから受信した応答に関するトレース情報が提供されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkeyfile\fR\fR -.ad -.RS 21n -.rt -\fIkeyfile\fR ファイルから共有シークレットを読み取ります。名前の書式は次のとおりです。\fBK{\fIname\fR}.+157.+{\fIrandom\fR}.private\fR。歴史的な理由で、ファイル \fBK{\fIname\fR}.+157.+{\fI random\fR}.key\fR も存在する必要があります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIudpretries\fR\fR -.ad -.RS 21n -.rt -UDP での再試行回数を設定します。デフォルトの再試行回数は 3 です。\fIudpretries\fR がゼロに設定されている場合、更新要求が 1 つだけ作成されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR\fItimeout\fR\fR -.ad -.RS 21n -.rt -更新が中止されるまでのタイムアウト間隔 (秒) を設定します。\fI\fRデフォルトは 300 秒です。ゼロに設定すると、タイムアウトが無効になります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-u\fR \fIudptimeout\fR\fR -.ad -.RS 21n -.rt -UDP での再試行までの間隔 (秒) を設定します。デフォルトは 3 秒です。ゼロに設定すると、間隔がタイムアウト (\fB-t\fR) と UDP での再試行回数 (\fB-r\fR) に基づいて計算されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR\fR -.ad -.RS 21n -.rt -TCP 接続を使用します。更新要求のバッチを作成する場合は、TCP 接続の使用をお勧めします。デフォルトでは、\fBnsupdate\fR は UDP を使用して更新要求をネームサーバーに送信します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-y\fR \fIkeyname\fR:\fIsecret\fR\fR -.ad -.RS 21n -.rt -\fIkeyname\fR:\fIsecret\fR から署名を生成します。ここで、\fIkeyname\fR は鍵の名前、\fIsecret\fR は Base 64 でエンコードされた共有シークレットです。 -.sp -\fB-y\fR オプションの使用は推奨されていません。これは、共有シークレットが平文のコマンド行引数として指定されるため、\fBps\fR(1) の出力や、ユーザーのシェルで管理される履歴ファイルへの表示が可能であるためです。 -.RE - -.SH 入力形式 -.sp -.LP -\fBnsupdate\fR ユーティリティーは、\fIfilename\fR や標準入力から入力を読み取ります。各コマンドは、入力内に 1 行で指定されます。一部のコマンドは管理用です。その他のコマンドは、更新指示であるか、ゾーンの内容の前提条件チェックです。これらのチェックにより、名前またはリソースレコードのセット (RRset) 
がゾーンに存在するかどうかの条件が設定されます。更新要求全体を成功させるには、これらの条件を満たしている必要があります。前提条件のテストに失敗すると、更新は拒否されます。 -.sp -.LP -すべての更新要求は、ゼロ以上の前提条件およびゼロ以上の更新で構成されます。この条件のために、指定されたリソースレコードがゾーンに存在または欠落している場合に、適切に認証された更新要求を処理することが可能になります。空白の入力行 (または \fBsend\fR コマンド) が存在すると、累積されたコマンドが 1 つの動的 DNS 更新要求としてネームサーバーに送信されます。 -.sp -.LP -このコマンドの書式とその意味は次のとおりです。 -.sp -.ne 2 -.mk -.na -\fB\fBserver\fR \fIservername\fR [ \fIport\fR ]\fR -.ad -.sp .6 -.RS 4n -すべての動的更新要求をネームサーバー \fIservername\fR に送信します。\fBserver\fR 文が指定されていない場合、\fBnsupdate\fR は更新を適切なゾーンのマスターサーバーに送信します。ゾーンの SOA レコードの \fBMNAME\fR フィールドにより、そのゾーンのマスターサーバーが特定されます。\fIport\fR 引数は、動的更新要求が送信される \fIservername\fR のポート番号です。ポート番号が指定されていない場合は、デフォルト DNS ポート番号 53 が使用されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBlocal\fR \fIaddress\fR [ \fIport\fR ]\fR -.ad -.sp .6 -.RS 4n -ローカルアドレスを使用して、すべての動的更新要求を送信します。\fI\fR\fBlocal\fR 文が指定されていない場合、\fBnsupdate\fR はシステムが選択したアドレスとポートを使って更新を送信します。\fIport\fR 引数を使って、特定のポートからの要求を作成することもできます。ポート番号が指定されていない場合は、システムによりポート番号が割り当てられます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBzone\fR \fIzonename\fR\fR -.ad -.sp .6 -.RS 4n -すべての更新の対象をゾーン \fIzonename\fR に指定します。\fBzone\fR 文が指定されていない場合、\fBnsupdate\fR は残りの入力に基づいて適切な更新対象ゾーンの特定を試みます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBclass\fR \fIclassname\fR\fR -.ad -.sp .6 -.RS 4n -デフォルトクラスを指定します。クラスが指定されていない場合、デフォルトクラスは IN になります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBkey\fR \fIname\fR \fIsecret\fR\fR -.ad -.sp .6 -.RS 4n -すべての更新を \fIname\fR \fIsecret\fR ペアを使用して TSIG で署名します。\fBkey\fR コマンドは、\fB-y\fR や \fB-k\fR を使ってコマンド行で指定されたどの鍵よりも優先されます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq nxdomain\fR \fIdomain-name\fR\fR -.ad -.sp .6 -.RS 4n -\fIdomain-name\fR という名前のリソースレコードが、どのタイプにも存在しないことを要求します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxdomain\fR \fIdomain-name\fR\fR -.ad -.sp .6 -.RS 4n -\fIdomain-name\fR が存在することを要求します。domain-name には、いずれかのタイプのリソースレコードが 1 つ以上含まれている必要があります。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq nxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR\fR -.ad -.sp .6 -.RS 4n -指定された 
\fItype\fR、\fIclass\fR、および \fIdomain-name\fR のリソースレコードが存在しないことを要求します。\fIclass\fR を省略すると、IN (インターネット) とみなされます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR\fR -.ad -.sp .6 -.RS 4n -指定された \fItype\fR、\fIclass\fR、および \fIdomain-name\fR のリソースレコードが存在することを要求します。\fIclass\fR を省略すると、IN (インターネット) とみなされます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR \fIdata\fR...\fR -.ad -.sp .6 -.RS 4n -共通の \fItype\fR、\fIclass\fR、および \fIdomain-name\fR を共有する、この書式の前提条件の各セットから取得された \fIdata\fR は、結合されて RR セットになります。この RR セットは、ゾーン内に存在する \fItype\fR、\fIclass\fR、\fIdomain-name\fR で設定された既存の RR セットと正確に一致している必要があります。\fIdata\fR は、リソースレコードの RDATA の標準テキスト表現で書き込まれます。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBupdate delete\fR \fIdomain-name\fR [ \fIttl\fR ] [ \fIclass\fR ] [ \fItype\fR [ \fIdata\fR... ] ]\fR -.ad -.sp .6 -.RS 4n -\fIdomain-name\fR という名前のリソースレコードをすべて削除します。\fItype\fR および \fIdata\fR が指定されている場合は、一致するリソースレコードだけが削除されます。\fIclass\fR が指定されていない場合は、インターネットクラスとみなされます。\fIttl\fR は無視されます。これは、互換性を維持するためにのみ用意されています。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBupdate add\fR \fIdomain-name\fR \fIttl\fR [ \fIclass\fR ] \fItype\fR \fIdata\fR...\fR -.ad -.sp .6 -.RS 4n -指定された \fIttl\fR、\fIclass\fR、および \fIdata\fR の新規リソースレコードを追加します。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBshow\fR\fR -.ad -.sp .6 -.RS 4n -現在のメッセージを表示します。前回の送信時以降に指定されたすべての前提条件と更新が含まれています。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBsend\fR\fR -.ad -.sp .6 -.RS 4n -現在のメッセージを送信します。これは、空白行を挿入することと同等です。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBanswer\fR\fR -.ad -.sp .6 -.RS 4n -答えを表示します。 -.RE - -.sp -.LP -先頭がセミコロンの行はコメントであり、無視されます。 -.SH 使用例 -.LP -\fB例 1 \fRゾーンに対してリソースレコードの挿入や削除を行う -.sp -.LP -この例では、\fBnsupdate\fR を使用して、\fBexample.com\fR ゾーンに対してリソースレコードの挿入と削除を行う方法を示します。各例では、入力の末尾に空行が含まれることに注目してください。これは、コマンドのグループを 1 つの動的更新要求として \fBexample.com\fR のマスターネームサーバーに送信するためです。 - -.sp -.in +2 -.nf -# nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 
172.16.1.1 -> send -.fi -.in -2 -.sp - -.sp -.LP -\fBoldhost.example.com\fR のすべての A レコードが削除されます。IP アドレス 172.16.1.1 の \fBnewhost.example.com\fR の A レコードが追加されます。新たに追加されたレコードの TTL は 1 日 (86400 秒) です。 - -.LP -\fB例 2 \fRレコードが存在しない場合にのみ CNAME を追加する -.sp -.LP -次のコマンドは、レコードが存在しない場合にのみ CNAME を追加します。 - -.sp -.in +2 -.nf -# nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send -.fi -.in -2 -.sp - -.sp -.LP -ネームサーバーは、前提条件に従って、どのタイプのリソースレコードも \fBnickname.example.com\fR に存在しないことを確認します。リソースレコードが存在する場合、更新要求は失敗します。この名前が存在しない場合は、\fBCNAME\fR が追加されます。この動作により、\fBCNAME\fR の追加時に、従来の RFC 1034 の規則 (名前が \fBCNAME\fR として存在する場合は、どのレコードタイプであれ、その名前がほかに存在してはならない) と矛盾することはありません。(この規則は RFC 4035 で DNSSEC 向けに更新され、\fBCNAME\fR が \fB RSIG\fR、\fBDNSKEY\fR、および \fBNSEC\fR レコードを保持することが可能になりました。) - -.SH ファイル -.sp -.ne 2 -.mk -.na -\fB\fB/etc/resolv.conf\fR\fR -.ad -.sp .6 -.RS 4n -デフォルトネームサーバーの識別に使用。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBK{\fIname\fR}.+157.+{\fIrandom\fR}.key\fR\fR -.ad -.sp .6 -.RS 4n -\fBdnssec-keygen\fR(8) により作成された HMAC-MD5 鍵の Base 64 エンコーディング -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBK{\fIname\fR}.+157.+{\fIrandom\fR}.private\fR\fR -.ad -.sp .6 -.RS 4n -\fBdnssec-keygen\fR(8) により作成された HMAC-MD5 鍵の Base 64 エンコーディング -.RE - -.SH 使用上の留意点 -.sp -.LP -TSIG 鍵は 2 つの別個のファイルに重複して格納されます。これは、\fBnsupdate\fR で暗号化操作に DST ライブラリを使用したためで、将来のリリースでは変更される可能性があります。 -.SH 属性 -.sp -.LP -属性についての詳細は、マニュアルページの \fBattributes\fR(5) を参照してください。 -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性タイプ属性値 -_ -使用条件service/network/dns/bind -_ -インタフェースの安定性流動的 -.TE - -.SH 関連項目 -.sp -.LP -\fBnamed\fR(8), \fBdnssec-keygen\fR(8), \fBattributes\fR(5) -.sp -.LP -\fIRFC 2136\fR、\fIRFC 3007\fR、\fIRFC 2104\fR、\fIRFC 2845\fR、\fIRFC 1034\fR、\fIRFC 2535\fR、\fIRFC 2931\fR、\fIRFC 4035\fR diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/named-checkconf.8 
--- a/components/bind/Solaris/named-checkconf.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,140 +0,0 @@
-'\" te
-.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
-.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved.
-.TH named-checkconf 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands"
-.SH NAME
-named-checkconf \- named configuration file syntax checking tool
-.SH SYNOPSIS
-.LP
-.nf
-\fBnamed-checkconf\fR [\fB-hjvz\fR] [\fB-t\fR \fIdirectory\fR] \fIfilename\fR
-.fi
-
-.SH DESCRIPTION
-.sp
-.LP
-The \fBnamed-checkconf\fR utility checks the syntax, but not the semantics, of a specified configuration file.
-.SH OPTIONS
-.sp
-.LP
-The following options are supported:
-.sp
-.ne 2
-.mk
-.na
-\fB\fB-h\fR\fR
-.ad
-.sp .6
-.RS 4n
-Display the usage summary and exit.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fB-j\fR\fR
-.ad
-.sp .6
-.RS 4n
-When loading a zonefile, read the journal if it exists.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fB-t\fR \fIdirectory\fR\fR
-.ad
-.sp .6
-.RS 4n
-Change the root directory to \fIdirectory\fR so that include directives in the configuration file are processed as if run by a named configuration whose root directory has been similarly changed.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fB-v\fR\fR
-.ad
-.sp .6
-.RS 4n
-Print the version of the \fBnamed-checkconf\fR program and exit.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fB-z\fR\fR
-.ad
-.sp .6
-.RS 4n
-Perform a test load of the master zones found in \fBnamed.conf\fR.
-.RE
-
-.SH OPERANDS
-.sp
-.LP
-The following operands are supported:
-.sp
-.ne 2
-.mk
-.na
-\fB\fIfilename\fR\fR
-.ad
-.sp .6
-.RS 4n
-The name of the configuration file to be checked. If not specified, it defaults to \fB/etc/named.conf\fR.
-.RE
-
-.SH EXIT STATUS
-.sp
-.ne 2
-.mk
-.na
-\fB\fB0\fR\fR
-.ad
-.sp .6
-.RS 4n
-No errors were detected.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fB1\fR\fR
-.ad
-.sp .6
-.RS 4n
-An error was detected.
-.RE
-
-.SH ATTRIBUTES
-.sp
-.LP
-See \fBattributes\fR(7) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-tab() box;
-cw(2.75i) |cw(2.75i)
-lw(2.75i) |lw(2.75i)
-.
-ATTRIBUTE TYPEATTRIBUTE VALUE
-_
-Availabilityservice/network/dns/bind
-_
-Interface StabilityVolatile
-.TE
-
-.SH SEE ALSO
-.sp
-.LP
-\fBnamed\fR(8), \fBnamed-checkzone\fR(8), \fBattributes\fR(7)
-.sp
-.LP
-See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&.
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/named-checkzone.8
--- a/components/bind/Solaris/named-checkzone.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,343 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH named-checkzone 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -named-checkzone, named-compilezone \- zone file validity checking or converting tool -.SH SYNOPSIS -.LP -.nf -\fBnamed-checkzone\fR [\fB-Ddhjqv\fR] [\fB-c\fR \fIclass\fR] [\fB-F\fR \fIformat\fR] [\fB-f\fR \fIformat\fR] - [\fB-i\fR \fImode\fR] [\fB-k\fR \fImode\fR] [\fB-M\fR \fImode\fR] [\fB-m\fR \fImode\fR] [\fB-n\fR \fImode\fR] - [\fB-o\fR \fIfilename\fR] [\fB-S\fR \fImode\fR] [\fB-s\fR \fIstyle\fR] [\fB-t\fR \fIdirectory\fR] - [\fB-W\fR \fImode\fR] [\fB-w\fR \fIdirectory\fR] \fIzonename\fR \fIfilename\fR -.fi - -.LP -.nf -\fBnamed-compilezone\fR [\fB-Ddjqv\fR] [\fB-C\fR \fImode\fR] [\fB-c\fR \fIclass\fR] [\fB-F\fR \fIformat\fR] - [\fB-f\fR \fIformat\fR] [\fB-i\fR \fImode\fR] [\fB-k\fR \fImode\fR] [\fB-m\fR \fImode\fR] [\fB-n\fR \fImode\fR] - [\fB-o\fR \fIfilename\fR] [\fB-s\fR \fIstyle\fR] [\fB-t\fR \fIdirectory\fR] - [\fB-W\fR \fImode\fR] [\fB-w\fR \fIdirectory\fR] \fIzonename\fR \fIfilename\fR -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBnamed-checkzone\fR utility checks the syntax and integrity of a zone file. 
It performs the same checks as \fBnamed\fR(8) does when loading a zone. The \fBnamed-checkzone\fR utility is useful for checking zone files before configuring them into a name server. -.sp -.LP -\fBnamed-compilezone\fR is similar to \fBnamed-checkzone\fR, differing in that it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by \fBnamed\fR(8). Unless manually specified otherwise, the check levels must be at least as strict as those specified in the \fBnamed\fR configuration file. -.SH OPTIONS -.sp -.LP -For either or both utilities, the following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -Specify the class of the zone. If not specified, "IN" is assumed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-D\fR\fR -.ad -.sp .6 -.RS 4n -Dump zone file in canonical format. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR\fR -.ad -.sp .6 -.RS 4n -Enable debugging. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-F\fR \fIformat\fR\fR -.ad -.sp .6 -.RS 4n -Specify the format of the output file specified. Possible formats are \fBtext\fR (default) and \fBraw\fR. For \fBnamed-checkzone\fR, this does not cause any effects unless it dumps the zone contents. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIformat\fR\fR -.ad -.sp .6 -.RS 4n -Specify the format of the zone file. Possible formats are \fBtext\fR (default) and \fBraw\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -Display usage message for \fBnamed-checkzone\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-i\fR \fImode\fR\fR -.ad -.sp .6 -.RS 4n -Perform post-load zone integrity checks. Possible modes are \fBfull\fR (default), \fBfull-sibling\fR, \fBlocal\fR, \fBlocal-sibling\fR, and \fBnone\fR. -.sp -Mode \fBfull\fR checks that MX records refer to the A or AAAA record (both in-zone and out-of-zone hostnames). 
Mode \fBlocal\fR checks only MX records that refer to in-zone hostnames. -.sp -Mode \fBfull\fR checks that SRV records refer to the A or AAAA record (both in-zone and out-of-zone hostnames). Mode \fBlocal\fR checks only SRV records that refer to in-zone hostnames. -.sp -Mode \fBfull\fR checks that delegation NS records refer to A or AAAA record (both in-zone and out-of-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode \fBlocal\fR checks only NS records that refer to in-zone hostnames or check that some required glue exists, that is, when the nameserver is in a child zone. -.sp -Mode \fBfull-sibling\fR and \fBlocal-sibling\fR disable sibling glue checks, but are otherwise the same as \fBfull\fR and \fBlocal\fR, respectively. -.sp -Mode \fBnone\fR disables the checks. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fImode\fR\fR -.ad -.sp .6 -.RS 4n -Perform "check-name" checks with the specified failure mode. Possible modes are \fBfail\fR (default for \fBnamed-compilezone\fR), \fBwarn\fR (default for \fBnamed-checkzone\fR) and \fBignore\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-j\fR\fR -.ad -.sp .6 -.RS 4n -Read the journal, if it exists, when loading the zone file. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-M\fR \fImode\fR\fR -.ad -.sp .6 -.RS 4n -Check if an MX record refers to a \fBCNAME\fR. Possible modes are \fBfail\fR, \fBwarn\fR (default) and \fBignore\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-m\fR \fImode\fR\fR -.ad -.sp .6 -.RS 4n -Specify whether MX records should be checked to see if they are addresses. Possible modes are \fBfail\fR, \fBwarn\fR (default) and \fBignore\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fImode\fR\fR -.ad -.sp .6 -.RS 4n -Specify whether NS records should be checked to see if they are addresses. Possible modes are \fBfail\fR (default for \fBnamed-compilezone\fR), \fBwarn\fR (default for \fBnamed-checkzone\fR) and \fBignore\fR. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-o\fR \fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -Write zone output to \fIfilename\fR. If filename is \fB-\fR (a hyphen), then write to standard out. The hyphen mandatory for \fBnamed-compilezone\fR -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-q\fR\fR -.ad -.sp .6 -.RS 4n -Run in quiet mode, reporting only the exit status. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-S\fR \fImode\fR\fR -.ad -.sp .6 -.RS 4n -Check if a SRV record refers to a \fBCNAME\fR. Possible modes are \fBfail\fR, \fBwarn\fR (default) and \fBignore\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstyle\fR\fR -.ad -.sp .6 -.RS 4n -Specify the style of the dumped zone file. Possible styles are \fBfull\fR (default) and \fBrelative\fR. The \fBfull\fR format is most suitable for processing automatically by a separate script. The \fBrelative\fR format is more human-readable and is thus suitable for editing by hand. For \fBnamed-checkzone\fR this option does not cause any effects unless it dumps the zone contents. It also has no effect if the output format is not text. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -\fBchroot\fR to directory so that include directives in the configuration file are processed as if run by a similarly \fBchroot\fRed \fBnamed\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR\fR -.ad -.sp .6 -.RS 4n -Print the version of the \fBnamed-checkzone\fR program and exit. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-W\fR \fImode\fR\fR -.ad -.sp .6 -.RS 4n -Specify whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are \fBwarn\fR (default) and \fBignore\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-w\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -\fBchdir\fR to \fIdirectory\fR so that relative filenames in master file \fB$INCLUDE\fR directives work. This is similar to the directory clause in \fBnamed.conf\fR. 
-.RE - -.SH OPERANDS -.sp -.LP -The following operands are supported: -.sp -.ne 2 -.mk -.na -\fB\fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -The name of the zone file. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIzonename\fR\fR -.ad -.sp .6 -.RS 4n -The domain name of the zone being checked. -.RE - -.SH EXIT STATUS -.sp -.ne 2 -.mk -.na -\fB\fB0\fR\fR -.ad -.sp .6 -.RS 4n -No errors were detected. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB1\fR\fR -.ad -.sp .6 -.RS 4n -An error was detected. -.RE - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBnamed\fR(8), \fBnamed-checkconf\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 1035\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/named-compilezone.8 --- a/components/bind/Solaris/named-compilezone.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +0,0 @@ -.so man8/named-checkzone.8 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/named.8 --- a/components/bind/Solaris/named.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,517 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH named 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -named, in.named \- Internet domain name server -.SH SYNOPSIS -.LP -.nf -\fBnamed\fR [\fB-fgsVv\fR] [\fB-c\fR \fIconfig-file\fR] [\fB-d\fR \fIdebug-level\fR] [\fB-m\fR \fIflag\fR] - [\fB-n\fR \fI#cpus\fR] [\fB-p\fR \fIport\fR] [\fB-S\fR \fI#max-socks\fR] [\fB-t\fR \fIdirectory\fR] - [\fB-u\fR \fIuser\fR] [\fB-x\fR \fIcache-file\fR] [\fB-4\fR | \fB-6\fR] -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBnamed\fR utility is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035. -.sp -.LP -When invoked without arguments, \fBnamed\fR reads the default configuration file \fB/etc/named.conf\fR, reads any initial data, and listens for queries. -.sp -.LP -\fBin.named\fR is a link to \fBnamed\fR. -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-4\fR\fR -.ad -.sp .6 -.RS 4n -Use only IPv4 transport. By default, both IPv4 and IPv6 transports can be used. Options \fB-4\fR and \fB-6\fR are mutually exclusive. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-6\fR\fR -.ad -.sp .6 -.RS 4n -Use only IPv6 transport. By default, both IPv4 and IPv6 transports can be used. Options \fB-4\fR and \fB-6\fR are mutually exclusive. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIconfig-file\fR\fR -.ad -.sp .6 -.RS 4n -Use \fIconfig-file\fR as the configuration file instead of the default \fB/etc/named.conf\fR. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible \fIdirectory\fR option in the configuration file, \fIconfig-file\fR should be an absolute pathname. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR \fIdebug-level\fR\fR -.ad -.sp .6 -.RS 4n -Set the daemon's debug level to \fIdebug-level\fR. Debugging traces from \fBnamed\fR become more verbose as the debug level increases. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR\fR -.ad -.sp .6 -.RS 4n -Run the server in the foreground (that is, do not run as a daemon). -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-g\fR\fR -.ad -.sp .6 -.RS 4n -Run the server in the foreground and force all logging to \fBstderr\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-m\fR \fIflag\fR\fR -.ad -.sp .6 -.RS 4n -Turn on memory usage debugging flags. Possible flags are \fBusage\fR, \fBtrace\fR, and \fBrecord\fR, \fBsize\fR, and \fBmctx\fR. These correspond to the \fBISC_MEM_DEBUG\fR\fIXXXX\fR flags described in \fB\fR\&. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fI#cpus\fR\fR -.ad -.sp .6 -.RS 4n -Create \fI#cpus\fR worker threads to take advantage of multiple CPUs. If not specified, \fBnamed\fR will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIport\fR\fR -.ad -.sp .6 -.RS 4n -Listen for queries on port \fIport\fR. If not specified, the default is port 53. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-S\fR \fI#max-socks\fR\fR -.ad -.sp .6 -.RS 4n -Allow \fBnamed\fR to use up to \fI#max-socks\fR sockets. -.sp -This option should be unnecessary for the vast majority of users. The use of this option could even be harmful, because the specified value might exceed the limitation of the underlying system API. It therefore should be set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets. Note also that the actual maximum number is normally a little smaller than the specified value because \fBnamed\fR reserves some file descriptors for its internal use. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR\fR -.ad -.sp .6 -.RS 4n -Write memory usage statistics to \fIstdout\fR on exit. -.sp -This option is mainly of interest to BIND 9 developers and might be removed or changed in a future release. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -Change the root directory using \fBchroot\fR(2) to \fIdirectory\fR after processing the command line arguments, but before reading the configuration file. -.sp -This option should be used in conjunction with the \fB-u\fR option, as chrooting a process running as root does not enhance security on most systems; the way \fBchroot()\fR is defined allows a process with root privileges to escape a \fBchroot\fR jail. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-u\fR \fIuser\fR\fR -.ad -.sp .6 -.RS 4n -Set the real user ID using \fBsetuid\fR(2) to \fIuser\fR after completing privileged operations, such as creating sockets that listen on privileged ports. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-V\fR\fR -.ad -.sp .6 -.RS 4n -Report the version number and build options, and exit. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR\fR -.ad -.sp .6 -.RS 4n -Report the version number and exit. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-x\fR \fIcache-file\fR\fR -.ad -.sp .6 -.RS 4n -Load data from \fIcache-file\fR into the cache of the default view. -.sp -Do not use this option. It is of interest only to BIND 9 developers and might be removed or changed in a future release. -.RE - -.SH EXTENDED DESCRIPTION -.sp -.LP -This section describes additional attributes of \fBnamed\fR. -.SS "SMF Properties" -.sp -.LP -When starting named from the service management facility, \fBsmf\fR(7), \fBnamed\fR configuration is read from the service configuration repository. Use \fBsvcprop\fR(1) to list the properties and \fBsvccfg\fR(8) to make changes. -.sp -.LP -The following application configuration properties are available to administrators: -.sp -.ne 2 -.mk -.na -\fB\fBoptions\fR/\fIserver\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the server executable to be used instead of the default server, \fB/usr/sbin/named\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBoptions\fR/\fIconfiguration_file\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the configuration file to be used instead of the default, \fB/etc/named.conf\fR. A directory option might be specified in the configuration file. To ensure that reloading the configuration file continues to work in such a situation, \fIconfiguration_file\fR should be specified as an absolute pathname. This pathname should not include the \fIchroot_dir\fR pathname. This property is the equivalent of the \fB-c\fR option. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBoptions\fR/\fIip_interfaces\fR\fR -.ad -.sp .6 -.RS 4n -Specifies over which IP transport, IPv4 or IPv6, BIND will transmit. Possible values are \fBIPv4\fR or \fBIPv6\fR. Any other setting assumes \fBall\fR, the default. This property is the equivalent of command line option \fB-4\fR or \fB-6\fR -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBoptions\fR/\fIlisten_on_port\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the default UDP and TCP port to be used for listening to DNS requests. 
This property is the equivalent of the command line option \fB-p\fR \fIport\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBoptions\fR/\fIdebug_level\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the default debug level. The default is 0, which means no debugging. The higher the number the more verbose debug information becomes. Equivalent of the command line option \fB-d\fR \fIdebug_level\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBoptions\fR/\fIthreads\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the number of CPU worker threads to create. The default of 0 causes \fBnamed\fR to try and determine the number of CPUs present and create one thread per CPU. Equivalent of command line option \fB-n\fR \fI#cpus\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBoptions\fR/\fIchroot_dir\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the directory to be used as the root directory after processing SMF properties and the command line arguments but before reading the configuration file. Use this property when using a \fBchroot\fR(2) environment. Synonymous to command line option \fB-t\fR \fIpathname\fR. -.sp -When using \fBchroot\fR(2), \fBnamed\fR is unable to disable itself when receiving \fBrndc\fR(8) \fBstop\fR or \fBhalt\fR commands. Instead, you must use the \fBsvcadm\fR(8) \fBdisable\fR command. -.RE - -.sp -.LP -In the event of a configuration error originating in one of the above SMF application options, \fBnamed\fR displays a message providing information about the error and the parameters that need correcting. The process then exits with exit code \fBSMF_EXIT_ERR_CONFIG\fR. -.sp -.LP -At startup, in the event of an error other than a configuration error, \fBnamed\fR exits with exit code \fBSMF_EXIT_ERR_FATAL\fR. Both of this code and \fBSMF_EXIT_ERR_CONFIG\fR cause the start method, \fBsmf_method\fR(7), to place the service in the maintenance state, which can be observed with the \fBsvcs\fR(1) command \fBsvcs\fR \fB-x\fR. 
-.sp -.LP -In addition to the properties listed above, the following property can be used to invoke \fBnamed\fR as a user other than root: -.sp -.ne 2 -.mk -.na -\fB\fBstart\fR/\fIuser\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the identity of the user that is invoking \fBnamed\fR. See \fBsmf_method\fR(7) and \fBchroot\fR(2). Note that the user must have \fBsolaris.smf.manage.bind\fR authorization. Without this role the \fBnamed\fR will be unable to manage its SMF FMRI and \fBnamed\fR will automatically be restarted by the SMF after an \fBrndc\fR(8) \fBstop\fR or \fBhalt\fR command. See \fBEXAMPLES\fR for a sequence of commands that establishes the correct authorization. -.RE - -.SS "SIGNALS" -.sp -.LP -In routine operation, signals should not be used to control the nameserver; \fBrndc\fR(8) should be used instead. -.sp -.ne 2 -.mk -.na -\fB\fBSIGHUP\fR\fR -.ad -.sp .6 -.RS 4n -Force a reload of the server. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBSIGINT\fR, \fBSIGTERM\fR\fR -.ad -.sp .6 -.RS 4n -Shut down the server. -.RE - -.sp -.LP -The result of sending any other signals to the server is undefined. -.SS "Configuration" -.sp -.LP -The \fBnamed\fR configuration file is too complex to describe in detail here. A list of configuration options is provided in the \fBnamed.conf\fR man page shipped with the BIND 9 distribution. A complete description is provided in the \fIBIND 9 Administrator Reference Manual\fR. -.SH EXAMPLES -.LP -\fBExample 1 \fRConfiguring \fBnamed\fR to Transmit Only over IPv4 Networks -.sp -.LP -The following command sequence configures \fBnamed\fR such that it will transmit only over IPv4 networks. 
- -.sp -.in +2 -.nf -# \fBsvccfg -s svc:network/dns/server:default setprop \e\fR -\fB> options/ip_interfaces=IPv4\fR -# \fBsvcadm refresh svc:network/dns/server:default\fR -# -.fi -.in -2 -.sp - -.LP -\fBExample 2 \fRListing Current Configuration File and Setting an Alternative File -.sp -.LP -The following sequence of commands lists the current \fBnamed\fR configuration file and sets an alternative file. - -.sp -.in +2 -.nf -# \fBsvcprop -p options/configuration_file dns/server:default\fR -/etc/named.conf -# \fBsvccfg -s dns/server:default setprop \e -> options/configuration_file=/var/named/named.conf\fR -# \fBsvcadm refresh dns/server:default\fR -# \fBsvcprop -p options/configuration_file dns/server:default\fR -/var/named/named.conf -.fi -.in -2 -.sp - -.LP -\fBExample 3 \fREstablishing Appropriate Authorization for \fBnamed\fR -.sp -.LP -To have \fBnamed\fR start with the \fBsolaris.smf.manage.bind\fR authorization, perform the steps shown below. - -.sp -.LP -Add the user \fBdnsadmin\fR to the \fBsolaris.smf.manage.bind\fR role: - -.sp -.in +2 -.nf -# \fBusermod -A solaris.smf.manage.bind dnsadmin\fR -\fBObserve effect of command:\fR -# \fBtail -1 /etc/user_attr\fR -dnsadmin::::type=normal;auths=solaris.smf.manage.bind -.fi -.in -2 -.sp - -.sp -.LP -Modify the service properties: - -.sp -.in +2 -.nf -# \fBsvccfg\fR -svc:> \fBselect svc:/network/dns/server:default\fR -svc:/network/dns/server:default> \fBsetprop start/user = dnsadmin\fR -svc:/network/dns/server:default> \fBsetprop start/group = dnsadmin\fR -svc:/network/dns/server:default> \fBexit\fR -# \fBsvcadm refresh svc:/network/dns/server:default\fR -# \fBsvcadm restart svc:/network/dns/server:default\fR -.fi -.in -2 -.sp - -.sp -.LP -Because only root has write access to create the default process-ID file, \fB/var/run/named/named.pid\fR, \fBnamed\fR must be configured to use an alternative path for the user \fBdnsadmin\fR. 
Here is an example of how to accomplish this: - -.sp -.in +2 -.nf -# \fBmkdir /var/named/tmp\fR -# \fBchown dnsadmin /var/named/tmp\fR -.fi -.in -2 -.sp - -.sp -.LP -Shown below is what you must add to \fBnamed.conf\fR to make use of the directory created above. - -.sp -.in +2 -.nf -# \fBhead /etc/named.conf\fR -options { -directory "/var/named"; -pid-file "/var/named/tmp/named.pid"; -}; -.fi -.in -2 -.sp - -.SH FILES -.sp -.ne 2 -.mk -.na -\fB\fB/etc/named.conf\fR\fR -.ad -.sp .6 -.RS 4n -default configuration file -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB/var/run/named/named.pid\fR\fR -.ad -.sp .6 -.RS 4n -default process-ID file -.RE - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBsvcs\fR(1), \fBnamed-checkconf\fR(8), \fBnamed-checkzone\fR(8), \fBrndc\fR(8), \fBrndc-confgen\fR(8), \fBsvcadm\fR(8), \fBsvccfg\fR(8), \fBsvcprop\fR(1), \fBchroot\fR(2), \fBsetuid\fR(2), \fBbind\fR(3C), \fBattributes\fR(7), \fBsmf\fR(7), \fBsmf_method\fR(7) -.sp -.LP -\fIRFC 1033\fR, \fIRFC 1034\fR, \fIRFC 1035\fR -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. -.sp -.LP -The \fBnamed.conf\fR man page shipped with the BIND 9 distribution diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/named.conf.5 --- a/components/bind/Solaris/named.conf.5 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,587 +0,0 @@
-'\" te
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
-.TH named.conf 5 "19 Oct 2015" "SunOS 5.12" "File Formats"
-.SH NAME
-named.conf \- configuration file for named
-.SH SYNOPSIS
-.LP
-.nf
-named.conf
-.fi
-
-.SH DESCRIPTION
-.sp
-.LP
-\fBnamed.conf\fR is the configuration file for \fBnamed\fR(8). Statements are enclosed in braces and terminated with a semicolon. Clauses in the statements are also terminated with a semicolon. The usual comment styles are supported:
-.sp
-.ne 2
-.mk
-.na
-\fBC style\fR
-.ad
-.RS 14n
-.rt
-/* */
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fBC++ style\fR
-.ad
-.RS 14n
-.rt
-// to end of line
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fBUnix style\fR
-.ad
-.RS 14n
-.rt
-# to end of line
-.RE
-
-.SS "ACL"
-.sp
-.in +2
-.nf
-acl \fIstring\fR { \fIaddress_match_element\fR; ... };
-.fi
-.in -2
-
-.SS "Key"
-.sp
-.in +2
-.nf
-key \fIdomain_name\fR {
- algorithm \fIstring\fR;
- secret \fIstring\fR;
-};
-.fi
-.in -2
-
-.SS "Masters"
-.sp
-.in +2
-.nf
-masters \fIstring\fR [ port \fIinteger\fR ] {
- ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
- \fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ...
-};
-.fi
-.in -2
-
-.SS "Server"
-.sp
-.in +2
-.nf
-server ( \fIipv4_address\fR[/\fIprefixlen\fR] | \fIipv6_address\fR[/\fIprefixlen\fR] ) {
- bogus \fIboolean\fR;
- edns \fIboolean\fR;
- edns-udp-size \fIinteger\fR;
- max-udp-size \fIinteger\fR;
- provide-ixfr \fIboolean\fR;
- request-ixfr \fIboolean\fR;
- keys \fIserver_key\fR;
- transfers \fIinteger\fR;
- transfer-format ( many-answers | one-answer );
- transfer-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- transfer-source-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- support-ixfr \fIboolean\fR; // obsolete
-}.
-.fi
-.in -2
-
-.SS "Trusted-Keys"
-.sp
-.in +2
-.nf
-trusted-keys {
- \fIdomain_name flags protocol algorithm key\fR; ...
-};
-.fi
-.in -2
-
-.SS "Controls"
-.sp
-.in +2
-.nf
-controls {
- inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ]
- allow { \fIaddress_match_element\fR; ... }
- [ keys { \fIstring\fR; ... } ];
- unix \fIunsupported\fR; // not implemented
-}
-.fi
-.in -2
-
-.SS "Logging"
-.sp
-.in +2
-.nf
-logging {
- channel string {
- file \fIlog_file\fR;
- syslog \fIoptional_facility\fR;
- null;
- stderr;
- severity \fIlog_severity\fR;
- print-time \fIboolean\fR;
- print-severity \fIboolean\fR;
- print-category \fIboolean\fR;
- };
- category \fIstring\fR { \fIstring\fR; ... };
-};
-.fi
-.in -2
-
-.SS "LWRES"
-.sp
-.in +2
-.nf
-lwres {
- listen-on [ port \fIinteger\fR ] {
- ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
- };
- view \fI\fR
-\fIstring optional_class\fR;
- search { \fIstring\fR; ... };
- ndots \fIinteger\fR;
-};
-.fi
-.in -2
-
-.SS "Options"
-.sp
-.in +2
-.nf
-options {
- avoid-v4-udp-ports { \fIport\fR; ... };
- avoid-v6-udp-ports { \fIport\fR; ... };
- blackhole { \fIaddress_match_element\fR; ... };
- coresize \fIsize\fR;
- datasize \fIsize\fR;
- directory \fIquoted_string\fR;
- dump-file \fIquoted_string\fR;
- files \fIsize\fR;
- heartbeat-interval \fIinteger\fR;
- host-statistics \fIboolean\fR; // not implemented
- host-statistics-max \fInumber\fR; // not implemented
- hostname ( \fIquoted_string\fR | none );
- interface-interval \fIinteger\fR;
- listen-on [ port \fIinteger\fR ] \e
- { \fIaddress_match_element\fR; ... };
- listen-on-v6 [ port \fIinteger\fR ] \e
- { \fIaddress_match_element\fR; ... };
- match-mapped-addresses \fIboolean\fR;
- memstatistics-file \fIquoted_string\fR;
- pid-file ( \fIquoted_string\fR | none );
- port \fIinteger\fR;
- querylog \fIboolean\fR;
- recursing-file \fIquoted_string\fR;
- reserved-sockets \fIinteger\fR;
- random-device \fIquoted_string\fR;
- recursive-clients \fIinteger\fR;
- serial-query-rate \fIinteger\fR;
- server-id ( \fIquoted_string\fR | none |;
- stacksize \fIsize\fR;
- statistics-file \fIquoted_string\fR;
- statistics-interval \fIinteger\fR; \e
- // not yet implemented
- tcp-clients \fIinteger\fR;
- tcp-listen-queue \fIinteger\fR;
- tkey-dhkey \fIquoted_string integer\fR;
- tkey-gssapi-credential \fIquoted_string\fR;
- tkey-domain \fIquoted_string\fR;
- transfers-per-ns \fIinteger\fR;
- transfers-in \fIinteger\fR;
- transfers-out \fIinteger\fR;
- use-ixfr \fIboolean\fR;
- version ( \fIquoted_string\fR | none );
- allow-recursion { \fIaddress_match_element\fR; ... };
- allow-recursion-on { \fIaddress_match_element\fR; ... };
- sortlist { \fIaddress_match_element\fR; ... };
- topology { \fIaddress_match_element\fR; ... }; \e
- // not implemented
- auth-nxdomain \fIboolean\fR; // default changed
- minimal-responses \fIboolean\fR;
- recursion \fIboolean\fR;
- rrset-order {
- [ class \fIstring\fR ] [ type \fIstring\fR ]
- [ name \fIquoted_string\fR ] \fIstring string\fR; ...
- };
- provide-ixfr \fIboolean\fR;
- request-ixfr \fIboolean\fR;
- rfc2308-type1 \fIboolean\fR; // not yet implemented
- additional-from-auth \fIboolean\fR;
- additional-from-cache \fIboolean\fR;
- query-source ( ( \fIipv4_address\fR | * ) | \e
- [ address ( \fIipv4_address\fR | * ) ] ) \e
- [ port ( \fIinteger\fR | * ) ];
- query-source-v6 ( ( \fIipv6_address\fR | * ) | \e
- [ address ( \fIipv6_address\fR | * ) ] ) \e
- [ port ( \fIinteger\fR | * ) ];
- use-queryport-pool \fIboolean\fR;
- queryport-pool-ports \fIinteger\fR;
- queryport-pool-updateinterval \fIinteger\fR;
- cleaning-interval \fIinteger\fR;
- min-roots \fIinteger\fR; // not implemented
- lame-ttl \fIinteger\fR;
- max-ncache-ttl \fIinteger\fR;
- max-cache-ttl \fIinteger\fR;
- transfer-format ( many-answers | one-answer );
- max-cache-size \fIsize\fR;
- max-acache-size \fIsize\fR;
- clients-per-query \fInumber\fR;
- max-clients-per-query \fInumber\fR;
- check-names ( master | slave | response )\e
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity \fIboolean\fR;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file \fIquoted_string\fR; // test option
- suppress-initial-notify \fIboolean\fR; \e
- // not yet implemented
- preferred-glue \fIstring\fR;
- dual-stack-servers [ port \fIinteger\fR ] {
- ( \fIquoted_string\fR [port \fIinteger\fR] |
- ipv4_address [port \fIinteger\fR] |
- ipv6_address [port \fIinteger\fR] ); ...
- };
- edns-udp-size \fIinteger\fR;
- max-udp-size \fIinteger\fR;
- root-delegation-only [ exclude
- { \fIquoted_string\fR; ... } ];
- disable-algorithms \fIstring\fR { \fIstring\fR; ... };
- dnssec-enable \fIboolean\fR;
- dnssec-validation \fIboolean\fR;
- dnssec-lookaside string trust-anchor \fIstring\fR;
- dnssec-must-be-secure \fIstring boolean\fR;
- dnssec-accept-expired \fIboolean\fR;
- empty-server \fIstring\fR;
- empty-contact \fIstring\fR;
- empty-zones-enable \fIboolean\fR;
- disable-empty-zone \fIstring\fR;
- dialup \fIdialuptype\fR;
- ixfr-from-differences ixfrdiff;
- allow-query { \fIaddress_match_element\fR; \e
- ... };
- allow-query-on { \fIaddress_match_element\fR; \e
- ... };
- allow-query-cache { \fIaddress_match_element\fR; \e
- ... };
- allow-query-cache-on { \fIaddress_match_element\fR; \e
- ... };
- allow-transfer { \fIaddress_match_element\fR; \e
- ... };
- allow-update { \fIaddress_match_element\fR; \e
- ... };
- allow-update-forwarding { \fIaddress_match_element\fR; \e
- ... };
- update-check-ksk \fIboolean\fR;
- masterfile-format ( text | raw );
- notify \fInotifytype\fR;
- notify-source ( \fIipv4_address\fR | * ) \e
- [ port ( \fIinteger\fR | * ) ];
- notify-source-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- notify-delay \fIseconds\fR;
- notify-to-soa \fIboolean\fR;
- also-notify [ port \fIinteger\fR ] \e
- { ( \fIipv4_address\fR | \fIipv6_address\fR \e)
- [port integer ]; ... };
- allow-notify { \fIaddress_match_element\fR; ... };
- forward ( first | only );
- forwarders [ port \fIinteger\fR ] {
- ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
- };
- max-journal-size \fIsize_no_default\fR;
- max-transfer-time-in \fIinteger\fR;
- max-transfer-time-out \fIinteger\fR;
- max-transfer-idle-in \fIinteger\fR;
- max-transfer-idle-out \fIinteger\fR;
- max-retry-time \fIinteger\fR;
- min-retry-time \fIinteger\fR;
- max-refresh-time \fIinteger\fR;
- min-refresh-time \fIinteger\fR;
- multi-master \fIboolean\fR;
- sig-validity-interval \fIinteger\fR;
- sig-re-signing-interval \fIinteger\fR;
- sig-signing-nodes \fIinteger\fR;
- sig-signing-signatures \fIinteger\fR;
- sig-signing-type \fIinteger\fR;
- transfer-source ( \fIipv4_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- transfer-source-v6 ( \fIipv6_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- alt-transfer-source ( \fIipv4_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- alt-transfer-source-v6 ( \fIipv6_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- use-alt-transfer-source \fIboolean\fR;
- zone-statistics \fIboolean\fR;
- key-directory \fIquoted_string\fR;
- try-tcp-refresh \fIboolean\fR;
- zero-no-soa-ttl \fIboolean\fR;
- zero-no-soa-ttl-cache \fIboolean\fR;
- nsec3-test-zone \fIboolean\fR; // testing only
- allow-v6-synthesis { \fIaddress_match_element\fR; ... }; \e
- // obsolete
- deallocate-on-exit \fIboolean\fR; // obsolete
- fake-iquery \fIboolean\fR; // obsolete
- fetch-glue \fIboolean\fR; // obsolete
- has-old-clients \fIboolean\fR; // obsolete
- maintain-ixfr-base \fIboolean\fR; // obsolete
- max-ixfr-log-size \fIsize\fR; // obsolete
- multiple-cnames \fIboolean\fR; // obsolete
- named-xfer \fIquoted_string\fR; // obsolete
- serial-queries \fIinteger\fR; // obsolete
- treat-cr-as-space \fIboolean\fR; // obsolete
- use-id-pool \fIboolean\fR; // obsolete
-};
-.fi
-.in -2
-
-.SS "View"
-.sp
-.in +2
-.nf
-view \fIstring optional_class\fR {
- match-clients { \fIaddress_match_element\fR; ... };
- match-destinations { \fIaddress_match_element\fR; ... };
- match-recursive-only \fIboolean\fR;
- key \fIstring\fR {
- algorithm \fIstring\fR;
- secret \fIstring\fR;
- };
- zone \fIstring optional_class\fR {
- ...
- };
- server ( \fIipv4_address\fR[/\fIprefixlen\fR] | \fIipv6_address\fR[/\fIprefixlen\fR]) {
- ...
- };
- trusted-keys {
- \fIstring integer integer integer quoted_string\fR; ...
- };
- allow-recursion { \fIaddress_match_element\fR; ... };
- allow-recursion-on { \fIaddress_match_element\fR; ... };
- sortlist { \fIaddress_match_element\fR; ... };
- topology { \fIaddress_match_element\fR; ... }; // not implemented
- auth-nxdomain \fIboolean\fR; // default changed
- minimal-responses \fIboolean\fR;
- recursion \fIboolean\fR;
- rrset-order {
- [ class \fIstring\fR ] [ type \fIstring\fR ]
- [ name \fIquoted_string\fR ] string \fIstring\fR; ...
- };
- provide-ixfr \fIboolean\fR;
- request-ixfr \fIboolean\fR;
- rfc2308-type1 \fIboolean\fR; // not yet implemented
- additional-from-auth \fIboolean\fR;
- additional-from-cache \fIboolean\fR;
- query-source ( ( \fIipv4_address\fR | * ) | [ address \e
- ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
- query-source-v6 ( ( \fIipv6_address\fR | * ) | [ address \e
- ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
- use-queryport-pool \fIboolean\fR;
- queryport-pool-ports \fIinteger\fR;
- queryport-pool-updateinterval \fIinteger\fR;
- cleaning-interval \fIinteger\fR;
- min-roots \fIinteger\fR; // not implemented
- lame-ttl \fIinteger\fR;
- max-ncache-ttl \fIinteger\fR;
- max-cache-ttl \fIinteger\fR;
- transfer-format ( many-answers | one-answer );
- max-cache-size \fIsize\fR;
- max-acache-size \fIsize\fR;
- clients-per-query \fInumber\fR;
- max-clients-per-query \fInumber\fR;
- check-names ( master | slave | response )\e
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity \fIboolean\fR;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file \fIquoted_string\fR; // test option
- suppress-initial-notify \fIboolean\fR; // not yet implemented
- preferred-glue \fIstring\fR;
- dual-stack-servers [ port \fIinteger\fR ] {
- ( \fIquoted_string\fR [port \fIinteger\fR] |
- \fIipv4_address\fR [port \fIinteger\fR] |
- \fIipv6_address\fR [port \fIinteger\fR] ); ...
- };
- edns-udp-size \fIinteger\fR;
- max-udp-size \fIinteger\fR;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms \fIstring\fR { \fIstring\fR; ... };
- dnssec-enable \fIboolean\fR;
- dnssec-validation \fIboolean\fR;
- dnssec-lookaside \fIstring\fR trust-anchor \fIstring\fR;
- dnssec-must-be-secure \fIstring boolean\fR;
- dnssec-accept-expired \fIboolean\fR;
- empty-server \fIstring\fR;
- empty-contact \fIstring\fR;
- empty-zones-enable \fIboolean\fR;
- disable-empty-zone \fIstring\fR;
- dialup \fIdialuptype\fR;
- ixfr-from-differences \fIixfrdiff\fR;
- allow-query { \fIaddress_match_element\fR; ... };
- allow-query-on { \fIaddress_match_element\fR; ... };
- allow-query-cache { \fI\fR
-\fIaddress_match_element\fR; ... };
- allow-query-cache-on { address_match_element; ... };
- allow-transfer { \fIaddress_match_element\fR; ... };
- allow-update { \fIaddress_match_element\fR; ... };
- allow-update-forwarding { \fIaddress_match_element\fR; ... };
- update-check-ksk \fIboolean\fR;
- masterfile-format ( text | raw );
- notify notifytype;
- notify-source ( \fIipv4_address\fR | * ) \e
- [ port ( \fIinteger\fR | * ) ];
- notify-source-v6 ( \fIipv6_address\fR | * ) \e
- [ port ( \fIinteger\fR | * ) ];
- notify-delay \fIseconds\fR;
- notify-to-soa \fIboolean\fR;
- also-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \e
- \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... };
- allow-notify { \fIaddress_match_element\fR; ... };
- forward ( first | only );
- forwarders [ port \fIinteger\fR ] \e{
- ( \fIipv4_address\fR | \fIipv6_address\fR ) \e
- [ port \fIinteger\fR ]; ...
- };
- max-journal-size \fIsize_no_default\fR;
- max-transfer-time-in \fIinteger\fR;
- max-transfer-time-out \fIinteger\fR;
- max-transfer-idle-in \fIinteger\fR;
- max-transfer-idle-out \fIinteger\fR;
- max-retry-time \fIinteger\fR;
- min-retry-time \fIinteger\fR;
- max-refresh-time \fIinteger\fR;
- min-refresh-time \fIinteger\fR;
- multi-master \fIboolean\fR;
- sig-validity-interval \fIinteger\fR;
- transfer-source ( \fIipv4_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- transfer-source-v6 ( \fIipv6_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- alt-transfer-source ( \fIipv4_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- alt-transfer-source-v6 ( \fIipv6_address\fR | * )\e
- [ port ( \fIinteger\fR | * ) ];
- use-alt-transfer-source \fIboolean\fR;
- zone-statistics \fIboolean\fR;
- try-tcp-refresh \fIboolean\fR;
- key-directory \fIquoted_string\fR;
- zero-no-soa-ttl \fIboolean\fR;
- zero-no-soa-ttl-cache \fIboolean\fR;
- allow-v6-synthesis { \fIaddress_match_element\fR; ... };\e
- // obsolete
- fetch-glue \fIboolean\fR; // obsolete
- maintain-ixfr-base \fIboolean\fR; // obsolete
- max-ixfr-log-size \fIsize\fR; // obsolete
-};
-.fi
-.in -2
-
-.SS "Zone"
-.sp
-.in +2
-.nf
-zone\fIstring optional_class\fR {
- type ( master | slave | stub | hint |
- forward | delegation-only );
- file \fIquoted_string\fR;
- masters [ port \fIinteger\fR ] \e{
- ( \fImasters\fR |
- \fIipv4_address\fR [port \fIinteger\fR] |
- \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; ...
- };
- database \fIstring\fR;
- delegation-only \fIboolean\fR;
- check-names ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity \fIboolean\fR;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- dialup \fIdialuptype\fR;
- ixfr-from-differences \fIboolean\fR;
- journal \fIquoted_string\fR;
- zero-no-soa-ttl \fIboolean\fR;
- allow-query { \fIaddress_match_element\fR; ... };
- allow-query-on { \fIaddress_match_element\fR; ... };
- allow-transfer { \fIaddress_match_element\fR; ... };
- allow-update { \fIaddress_match_element\fR; ... };
- allow-update-forwarding { \fIaddress_match_element\fR; ... };
- update-policy {
- ( grant | deny ) \fIstring\fR
- ( name | subdomain | wildcard | self | selfsub |
- selfwild |krb5-self | ms-self | krb5-subdomain |
- ms-subdomain | tcp-self | 6to4-self ) \fIstring\fR
- rrtypelist; ...
- };
- update-check-ksk \fIboolean\fR;
- masterfile-format ( text | raw );
- notify \fInotifytype\fR;
- notify-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- notify-source-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- notify-delay \fIseconds\fR;
- notify-to-soa \fIboolean\fR;
- also-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | ipv6_address )
- [ port integer ]; ... };
- allow-notify { \fIaddress_match_element\fR; ... };
- forward ( first | only );
- forwarders [ port \fIinteger\fR ] {
- ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
- };
- max-journal-size \fIsize_no_default\fR;
- max-transfer-time-in \fIinteger\fR;
- max-transfer-time-out \fIinteger\fR;
- max-transfer-idle-in \fIinteger\fR;
- max-transfer-idle-out \fIinteger\fR;
- max-retry-time \fIinteger\fR;
- min-retry-time \fIinteger\fR;
- max-refresh-time \fIinteger\fR;
- min-refresh-time \fIinteger\fR;
- multi-master \fIboolean\fR;
- sig-validity-interval \fIinteger\fR;
- transfer-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- transfer-source-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt-transfer-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt-transfer-source-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- use-alt-transfer-source \fIboolean\fR;
- zone-statistics \fIboolean\fR;
- try-tcp-refresh \fIboolean\fR;
- key-directory \fIquoted_string\fR;
- nsec3-test-zone \fIboolean\fR; // testing only
- ixfr-base \fIquoted_string\fR; // obsolete
- ixfr-tmp-file \fIquoted_string\fR; // obsolete
- maintain-ixfr-base \fIboolean\fR; // obsolete
- max-ixfr-log-size \fIsize\fR; // obsolete
- pubkey \fIinteger integer integer quoted_string\fR; // obsolete
- };
-.fi
-.in -2
-
-.SH SEE ALSO
-.sp
-.LP
-\fBnamed\fR(8), \fBnamed-checkconf\fR(8), \fBrndc\fR(8)
-.sp
-.LP
-\fIBIND 9 Administrator Reference Manual\fR
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/nslookup.8
--- a/components/bind/Solaris/nslookup.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,413 +0,0 @@
-'\" te
-.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
-.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved.
-.TH nslookup 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands"
-.SH NAME
-nslookup \- query Internet name servers interactively
-.SH SYNOPSIS
-.LP
-.nf
-\fBnslookup\fR [\fB-\fIoption\fR\fR] [\fIname\fR | \fB-\fR] [\fIserver\fR]
-.fi
-
-.SH DESCRIPTION
-.sp
-.LP
-The \fBnslookup\fR utility is a program to query Internet domain name servers. It has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain.
-.SH PARAMETERS
-.sp
-.LP
-Interactive mode is entered in the following cases:
-.RS +4
-.TP
-1.
-No arguments are given (the default name server is used).
-.RE
-.RS +4
-.TP
-2.
-The first argument is a hyphen (-) and the second argument is the host name or Internet address of a name server.
-.RE
-.sp
-.LP
-Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
-.sp
-.LP
-Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.sp
-.in +2
-.nf
-nslookup -query=hinfo -timeout=10
-.fi
-.in -2
-.sp
-
-.SH INTERACTIVE COMMANDS
-.sp
-.ne 2
-.mk
-.na
-\fB\fBhost\fR [\fIserver\fR]\fR
-.ad
-.sp .6
-.RS 4n
-Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name. To look up a host not in the current domain, append a period to the name.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBserver\fR \fIdomain\fR\fR
-.ad
-.br
-.na
-\fB\fBlserver\fR \fIdomain\fR\fR
-.ad
-.sp .6
-.RS 4n
-Change the default server to \fIdomain\fR; \fBlserver\fR uses the initial server to look up information about \fIdomain\fR, while \fBserver\fR uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBroot\fR\fR
-.ad
-.sp .6
-.RS 4n
-Not implemented.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBfinger\fR\fR
-.ad
-.sp .6
-.RS 4n
-Not implemented.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBls\fR\fR
-.ad
-.sp .6
-.RS 4n
-Not implemented.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBview\fR\fR
-.ad
-.sp .6
-.RS 4n
-Not implemented.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBhelp\fR\fR
-.ad
-.sp .6
-.RS 4n
-Not implemented.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fB?\fR\fR
-.ad
-.sp .6
-.RS 4n
-Not implemented.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBexit\fR\fR
-.ad
-.sp .6
-.RS 4n
-Exits the program.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBset\fR \fIkeyword\fR[=\fIvalue\fR]\fR
-.ad
-.sp .6
-.RS 4n
-This command is used to change state information that affects the lookups. Valid keywords are:
-.sp
-.ne 2
-.mk
-.na
-\fB\fBall\fR\fR
-.ad
-.sp .6
-.RS 4n
-Prints the current values of the frequently used options to \fBset\fR. Information about the current default server and host is also printed.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBclass=\fR\fIvalue\fR\fR
-.ad
-.sp .6
-.RS 4n
-Change the query class to one of:
-.sp
-.ne 2
-.mk
-.na
-\fB\fBIN\fR\fR
-.ad
-.sp .6
-.RS 4n
-the Internet class
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBCH\fR\fR
-.ad
-.sp .6
-.RS 4n
-the Chaos class
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBHS\fR\fR
-.ad
-.sp .6
-.RS 4n
-the Hesiod class
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBANY\fR\fR
-.ad
-.sp .6
-.RS 4n
-wildcard
-.RE
-
-The class specifies the protocol group of the information.
-.sp
-(Default = \fBIN\fR; abbreviation = \fBcl\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB[\fBno\fR]\fBdebug\fR\fR
-.ad
-.sp .6
-.RS 4n
-Turn on or off the display of the full response packet and any intermediate response packets when searching.
-.sp
-(Default = \fBnodebug\fR; abbreviation = [\fBno\fR]\fBdeb\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB[\fBno\fR]\fBd2\fR\fR
-.ad
-.sp .6
-.RS 4n
-Turn debugging mode on or off. This displays more about what \fBnslookup\fR is doing.
-.sp
-(Default = \fBnod2\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBdomain=\fR\fIname\fR\fR
-.ad
-.sp .6
-.RS 4n
-Sets the search list to \fIname\fR.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB[\fBno\fR]\fBsearch\fR\fR
-.ad
-.sp .6
-.RS 4n
-If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
-.sp
-(Default = \fBsearch\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBport=\fR\fIvalue\fR\fR
-.ad
-.sp .6
-.RS 4n
-Change the default TCP/UDP name server port to \fIvalue\fR.
-.sp
-(Default = \fB53\fR; abbreviation = \fBpo\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBquerytype=\fR\fIvalue\fR\fR
-.ad
-.br
-.na
-\fB\fBtype=\fR\fIvalue\fR\fR
-.ad
-.sp .6
-.RS 4n
-Change the top of the information query.
-.sp
-(Default = \fBA\fR; abbreviations = \fBq\fR, \fBty\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB[\fBno\fR]\fBrecurse\fR\fR
-.ad
-.sp .6
-.RS 4n
-Tell the name server to query other servers if it does not have the information. (Default = \fBrecurse\fR; abbreviation = [\fBno\fR]\fBrec\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBretry=\fR\fInumber\fR\fR
-.ad
-.sp .6
-.RS 4n
-Set the number of retries to number.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB\fBtimeout=\fR\fInumber\fR\fR
-.ad
-.sp .6
-.RS 4n
-Change the initial timeout interval for waiting for a reply to number seconds.
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB[\fBno\fR]\fBvc\fR\fR
-.ad
-.sp .6
-.RS 4n
-Always use a virtual circuit when sending requests to the server.
-.sp
-(Default = \fBnovc\fR)
-.RE
-
-.sp
-.ne 2
-.mk
-.na
-\fB[\fBno\fR]\fBfail\fR\fR
-.ad
-.sp .6
-.RS 4n
-Try the next nameserver if a nameserver responds with \fBSERVFAIL\fR or a referral (\fBnofail\fR) or terminate query (\fBfail\fR) on such a response.
-.sp
-(Default = \fBnofail\fR)
-.RE
-
-.RE
-
-.SH FILES
-.sp
-.ne 2
-.mk
-.na
-\fB\fB/etc/resolv.conf\fR\fR
-.ad
-.sp .6
-.RS 4n
-resolver configuration file
-.RE
-
-.SH ATTRIBUTES
-.sp
-.LP
-See \fBattributes\fR(7) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-tab() box;
-cw(2.75i) |cw(2.75i)
-lw(2.75i) |lw(2.75i)
-.
-ATTRIBUTE TYPEATTRIBUTE VALUE
-_
-Availabilitynetwork/dns/bind
-_
-Interface StabilityVolatile
-.TE
-
-.SH SEE ALSO
-.sp
-.LP
-\fBdig\fR(8), \fBhost\fR(8), \fBnamed\fR(8), \fBattributes\fR(7)
-.sp
-.LP
-See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&.
-.SH NOTES
-.sp
-.LP
-BIND 9 \fBnslookup\fR is deprecated and not as full featured as its BIND 8 version. For more features and functionality refer to \fBdig\fR(8).
-.sp
-.LP
-\fBnslookup\fR and \fBdig\fR(8) now report "Not Implemented" as \fBNOTIMP\fR rather than \fBNOTIMPL\fR. This will have impact on scripts that are looking for \fBNOTIMPL\fR.
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/nsupdate.8
--- a/components/bind/Solaris/nsupdate.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,397 +0,0 @@ -'\" te -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000, 2001, 2003 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved. -.TH nsupdate 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -nsupdate \- Dynamic DNS update utility -.SH SYNOPSIS -.LP -.nf -\fBnsupdate\fR [\fB-dv\fR] [\fB-y\fR \fIkeyname:secret\fR | \fB-k\fR \fIkeyfile\fR] [\fB-t\fR \fItimeout\fR] - [\fB-u\fR \fIudptimeout\fR] [\fB-r\fR \fIudpretries\fR] [\fIfilename\fR] -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBnsupdate\fR utility submits Dynamic DNS Update requests as defined in RFC 2136 to a name server. This utility allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record. -.sp -.LP -Zones that are under dynamic control with \fBnsupdate\fR or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost. -.sp -.LP -The resource records that are dynamically added or removed with \fBnsupdate\fR must be in the same zone. 
Requests are sent to the zone's master servers identified by the \fBMNAME\fR field of the zone's SOA record. -.sp -.LP -Transaction signatures can be used to authenticate the Dynamic DNS updates using the TSIG resource record type described in RFC 2845. The signatures rely on a shared secret that should only be known to \fBnsupdate\fR and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure that they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable \fBkey\fR and \fBserver\fR statements would be added to \fB/etc/named.conf\fR so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. The \fBnsupdate\fR utility does not read \fB/etc/named.conf\fR. -.sp -.LP -The \fBnsupdate\fR utility uses the \fB-y\fR or \fB-k\fR option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. See OPTIONS. -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR\fR -.ad -.RS 21n -.rt -Operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkeyfile\fR\fR -.ad -.RS 21n -.rt -Read the shared secret from the file \fIkeyfile\fR, whose name is of the form \fBK{\fIname\fR}.+157.+{\fIrandom\fR}.private\fR. For historical reasons, the file \fBK{\fIname\fR}.+157.+{\fIrandom\fR}.key\fR must also be present. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIudpretries\fR\fR -.ad -.RS 21n -.rt -Set the number of UDP retries. The default is 3 retries. If \fIudpretries\fR is set to zero, only one update request is made. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItimeout\fR\fR -.ad -.RS 21n -.rt -Set \fItimeout\fR interval in seconds before update is aborted. The default is 300 seconds. A setting of zero disables the timeout. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-u\fR \fIudptimeout\fR\fR -.ad -.RS 21n -.rt -Set interval in seconds between UDP retires, the default is 3 seconds. A setting of zero causes the interval to be calculated based on the timeout (\fB-t\fR) and the number of UDP retries (\fB-r\fR). -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR\fR -.ad -.RS 21n -.rt -Use a TCP connection. Using a TCP connection could be preferable when a batch of update requests is made. By default, \fBnsupdate\fR uses UDP to send update requests to the name server. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-y\fR \fIkeyname\fR:\fIsecret\fR\fR -.ad -.RS 21n -.rt -Generate a signature from \fIkeyname\fR:\fIsecret\fR, where\fIkeyname\fR is the name of the key and \fIsecret\fR is the base64 encoded shared secret. -.sp -Use of the \fB-y\fR option is discouraged because the shared secret is supplied as a command line argument in clear text and could be visible in the output from \fBps\fR(1) or in a history file maintained by the user's shell. -.RE - -.SH INPUT FORMAT -.sp -.LP -The \fBnsupdate\fR utility reads input from \fIfilename\fR or the standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail. -.sp -.LP -Every update request consists of zero or more prerequisites and zero or more updates. 
This condition allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the \fBsend\fR command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server. -.sp -.LP -The command formats and their meaning are as follows: -.sp -.ne 2 -.mk -.na -\fB\fBserver\fR \fIservername\fR [ \fIport\fR ]\fR -.ad -.sp .6 -.RS 4n -Send all dynamic update requests to the name server \fIservername\fR. When no \fBserver\fR statement is provided, \fBnsupdate\fR sends updates to the master server of the correct zone. The \fBMNAME\fR field of that zone's SOA record identifies the master server for that zone. The \fIport\fR argument is the port number on \fIservername\fR where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBlocal\fR \fIaddress\fR [ \fIport\fR ]\fR -.ad -.sp .6 -.RS 4n -Send all dynamic update requests using the local \fIaddress\fR. When no \fBlocal\fR statement is provided, \fBnsupdate\fR sends updates using an address and port chosen by the system. The \fIport\fR argument can also be used to make requests come from a specific port. If no port number is specified, the system assigns one. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBzone\fR \fIzonename\fR\fR -.ad -.sp .6 -.RS 4n -Specify that all updates are to be made to the zone \fIzonename\fR. If no \fBzone\fR statement is provided, \fBnsupdate\fR attempts to determine the correct zone to update based on the rest of the input. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBclass\fR \fIclassname\fR\fR -.ad -.sp .6 -.RS 4n -Specify the default class. If no class is specified the default class is IN. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBkey\fR \fIname\fR \fIsecret\fR\fR -.ad -.sp .6 -.RS 4n -Specify that all updates are to be TSIG signed using the \fIname\fR \fIsecret\fR pair. 
The \fBkey\fR command overrides any key specified on the command line with \fB-y\fR or \fB-k\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq nxdomain\fR \fIdomain-name\fR\fR -.ad -.sp .6 -.RS 4n -Require that no resource record of any type exists withthe name \fIdomain-name\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxdomain\fR \fIdomain-name\fR\fR -.ad -.sp .6 -.RS 4n -Require that \fIdomain-name\fR exists (has as at least one resource record, of any type). -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq nxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR\fR -.ad -.sp .6 -.RS 4n -Require that no resource record exists of the specified \fItype\fR, \fIclass\fR and \fIdomain-name\fR. If \fIclass\fR is omitted, IN (internet) is assumed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR\fR -.ad -.sp .6 -.RS 4n -Require that a resource record of the specified \fItype\fR, \fIclass\fR and \fIdomain-name\fR must exist. If \fIclass\fR is omitted, IN (internet) is assumed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR \fIdata\fR...\fR -.ad -.sp .6 -.RS 4n -The \fIdata\fR from each set of prerequisites of this form sharing a common \fItype\fR, \fIclass\fR, and \fIdomain-name\fR are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given \fItype\fR, \fIclass\fR, and \fIdomain-name\fR. The \fIdata\fR are written in the standard text representation of the resource record's RDATA. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBupdate delete\fR \fIdomain-name\fR [ \fIttl\fR ] [ \fIclass\fR ] [ \fItype\fR [ \fIdata\fR... ] ]\fR -.ad -.sp .6 -.RS 4n -Delete any resource records named \fIdomain-name\fR. If \fItype\fR and \fIdata\fR are provided, only matching resource records are removed. The internet class is assumed if \fIclass\fR is not supplied. The \fIttl\fR is ignored, and is only provided for compatibility. 
-.RE - -.sp -.ne 2 -.mk -.na -\fB\fBupdate add\fR \fIdomain-name\fR \fIttl\fR [ \fIclass\fR ] \fItype\fR \fIdata\fR...\fR -.ad -.sp .6 -.RS 4n -Add a new resource record with the specified \fIttl\fR, \fIclass\fR and \fIdata\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBshow\fR\fR -.ad -.sp .6 -.RS 4n -Display the current message, containing all of the prerequisites and updates specified since the last send. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBsend\fR\fR -.ad -.sp .6 -.RS 4n -Sends the current message. This is equivalent to entering a blank line. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBanswer\fR\fR -.ad -.sp .6 -.RS 4n -Displays the answer. -.RE - -.sp -.LP -Lines beginning with a semicolon are comments and are ignored. -.SH EXAMPLES -.LP -\fBExample 1 \fRInserting and Deleting Resource Records from the Zone -.sp -.LP -The examples below show how \fBnsupdate\fR could be used to insert and delete resource records from the \fBexample.com\fR zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for \fBexample.com\fR. - -.sp -.in +2 -.nf -# nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 172.16.1.1 -> send -.fi -.in -2 -.sp - -.sp -.LP -Any A records for \fBoldhost.example.com\fR are deleted. An A record for \fBnewhost.example.com\fR with IP address 172.16.1.1 is added. The newly-added record has a 1 day TTL (86400 seconds). - -.LP -\fBExample 2 \fRAdding CNAME Only If No Records Exist -.sp -.LP -The following command adds a CNAME only if no records already exist for it. - -.sp -.in +2 -.nf -# nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send -.fi -.in -2 -.sp - -.sp -.LP -The prerequisite condition gets the name server to check that there are no resource records of any type for \fBnickname.example.com\fR. If there are, the update request fails. 
If this name does not exist, a \fBCNAME\fR for it is added. This action ensures that when the \fBCNAME\fR is added, it cannot conflict with the long-standing rule in RFC 1034 that a name must not exist as any other record type if it exists as a \fBCNAME\fR. (The rule has been updated for DNSSEC in RFC 4035 to allow \fBCNAME\fRs to have \fBRSIG\fR, \fBDNSKEY\fR, and \fBNSEC\fR records.) - -.SH FILES -.sp -.ne 2 -.mk -.na -\fB\fB/etc/resolv.conf\fR\fR -.ad -.sp .6 -.RS 4n -used to identify default name server -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBK{\fIname\fR}.+157.+{\fIrandom\fR}.key\fR\fR -.ad -.sp .6 -.RS 4n -base-64 encoding of HMAC-MD5 key created by \fBdnssec-keygen\fR(8). -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBK{\fIname\fR}.+157.+{\fIrandom\fR}.private\fR\fR -.ad -.sp .6 -.RS 4n -base-64 encoding of HMAC-MD5 key created by \fBdnssec-keygen\fR(8) -.RE - -.SH BUGS -.sp -.LP -The TSIG key is redundantly stored in two separate files. This is a consequence of \fBnsupdate\fR using the DST library for its cryptographic operations and could change in future releases. -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBnamed\fR(8), \fBdnssec-keygen\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIRFC 2136\fR, \fIRFC 3007\fR, \fIRFC 2104\fR, \fIRFC 2845\fR, \fIRFC 1034\fR, \fIRFC 2535\fR, \fIRFC 2931\fR, \fIRFC 4035\fR diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/rndc-confgen.8 --- a/components/bind/Solaris/rndc-confgen.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,192 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH rndc-confgen 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -rndc-confgen \- rndc key generation tool -.SH SYNOPSIS -.LP -.nf -\fBrndc-confgen\fR [\fB-ah\fR] [\fB-b\fR \fIkeysize\fR] [\fB-c\fR \fIkeyfile\fR] [\fB-k\fR \fIkeyname\fR] - [\fB-p\fR \fIport\fR] [\fB-r\fR \fIrandomfile\fR] [\fB-s\fR \fIaddress\fR] [\fB-t\fR \fIchrootdir\fR] - [\fB-u\fR \fIuser\fR] -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBrndc-confgen\fR utility generates configuration files for \fBrndc\fR(8). This utility can be used as a convenient alternative to writing by hand the \fBrndc.conf\fR(5) file and the corresponding \fBcontrols\fR and \fBkey\fR statements in \fBnamed.conf\fR. It can also be run with the \fB-a\fR option to set up a \fBrndc.key\fR file and avoid altogether the need for a \fBrndc.conf\fR file and a \fBcontrols\fR statement. -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR\fR -.ad -.sp .6 -.RS 4n -Perform automatic \fBrndc\fR configuration. 
This option creates a file \fBrndc.key\fR in \fB/etc\fR (or however \fIsysconfdir\fR was specified when BIND was built) that is read by both \fBrndc\fR and \fBnamed\fR(8) on startup. The \fBrndc.key\fR file defines a default command channel and authentication key allowing \fBrndc\fR to communicate with \fBnamed\fR with no further configuration. -.sp -Running \fBrndc-confgen\fR with \fB-a\fR specified allows BIND 9 and \fBrndc\fR to be used as drop-in replacements for BIND 8 and \fBndc\fR, with no changes to the existing BIND 8 \fBnamed.conf\fR file. -.sp -If a more elaborate configuration than that generated by \fBrndc-confgen\fR \fB-a\fR is required, for example if \fBrndc\fR is to be used remotely, you should run \fBrndc-confgen\fR without the \fB-a\fR option and set up \fBrndc.conf\fR and \fBnamed.conf\fR files, as directed. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIkeysize\fR\fR -.ad -.sp .6 -.RS 4n -Specify the size of the authentication key in bits. The \fIkeysize\fR argument must be between 1 and 512 bits; the default is 128. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIkeyfile\fR\fR -.ad -.sp .6 -.RS 4n -Used with the \fB-a\fR option to specify an alternate location for \fBrndc.key\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -Print a short summary of the options and arguments to \fBrndc-confgen\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkeyname\fR\fR -.ad -.sp .6 -.RS 4n -Specify the key name of the \fBrndc\fR authentication key. The \fIkeyname\fR argument must be a valid domain name. The default is \fBrndc-key\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIport\fR\fR -.ad -.sp .6 -.RS 4n -Specify the command channel port where \fBnamed\fR listens for connections from \fBrndc\fR. The default is 953. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomfile\fR\fR -.ad -.sp .6 -.RS 4n -Specify a source of random data for generating the authorization. By default, \fB/dev/random\fR is used. 
The \fIrandomdev\fR argument specifies the name of a character device or file containing random data to be used instead of the default. The special value \fBkeyboard\fR indicates that keyboard input should be used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIaddress\fR\fR -.ad -.sp .6 -.RS 4n -Specify the IP address where \fBnamed\fR listens for command channel connections from \fBrndc\fR. The default is the loopback address 127.0.0.1. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fIchrootdir\fR\fR -.ad -.sp .6 -.RS 4n -Used with the \fB-a\fR option to specify a directory where \fBnamed\fR will run after the root directory is changed with \fBchroot\fR(2). An additional copy of the \fBrndc.key\fR will be written relative to this directory so that it will be found by the \fBnamed\fR in the new directory. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-u\fR \fIuser\fR\fR -.ad -.sp .6 -.RS 4n -Used with the \fB-a\fR option to set the owner of the \fBrndc.key\fR file generated. If \fB-t\fR is also specified only the file in the chroot area has its owner changed. -.RE - -.SH EXAMPLES -.LP -\fBExample 1 \fRCreate Automatic \fBrndc\fR Configuration -.sp -.LP -The following command creates an automatic \fBrndc\fR configuration, so that \fBrndc\fR can be used immediately. - -.sp -.in +2 -.nf -# rndc-confgen -a -.fi -.in -2 -.sp - -.LP -\fBExample 2 \fRPrint a Sample \fBrndc.conf\fR File -.sp -.LP -The following command prints a sample \fBrndc.conf\fR file with corresponding \fBcontrols\fR and \fBkey\fR statements. These statements can subsequently be manually inserted in the file \fBnamed.conf\fR. - -.sp -.in +2 -.nf -# rndc-confgen -.fi -.in -2 -.sp - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. 
-ATTRIBUTE TYPEATTRIBUTE VALUE
-_
-Availabilitynetwork/dns/bind
-_
-Interface StabilityVolatile
-.TE
-
-.SH SEE ALSO
-.sp
-.LP
-\fBchroot\fR(2), \fBnamed\fR(8), \fBrndc\fR(8), \fBrndc.conf\fR(5), \fBattributes\fR(7)
-.sp
-.LP
-See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&.
diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/rndc.8
--- a/components/bind/Solaris/rndc.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,144 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH rndc 8 "19 Oct 2015" "SunOS 5.12" "System Administration Commands" -.SH NAME -rndc \- name server control utility -.SH SYNOPSIS -.LP -.nf -\fBrndc\fR [\fB-V\fR] [\fB-b\fR \fIsrc-addr\fR] [\fB-c\fR \fIconfig-file\fR] [\fB-k\fR \fIkey-file\fR] [\fB-s\fR \fIserver\fR] - [\fB-p\fR \fIport\fR] [\fB-y\fR \fIkey_id\fR] \fIcommand\fR -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBrndc\fR utility controls the operation of a name server. It supersedes the \fBndc\fR utility that was provided in previous BIND releases. If \fBrndc\fR is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. -.sp -.LP -The \fBrndc\fR utility communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. The only supported authentication algorithm in the current versions of \fBrndc\fR and \fBnamed\fR(8) is HMAC-MD5, which uses a shared secret on each end of the connection. This algorithm provides TSIG-style authentication for the command request and the name server's response. 
All commands sent over the channel must be signed by a \fIkey_id\fR known to the server. -.sp -.LP -The \fBrndc\fR utility reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use. -.SH OPTIONS -.sp -.LP -The following options are supported: -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIsource-address\fR\fR -.ad -.sp .6 -.RS 4n -Use \fIsource-address\fR as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIconfig-file\fR\fR -.ad -.sp .6 -.RS 4n -Use \fIconfig-file\fR as the configuration file instead of the default \fB/etc/rndc.conf\fR. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkey-file\fR\fR -.ad -.sp .6 -.RS 4n -Use \fIkey-file\fR as the key file instead of the default, \fB/etc/rndc.key\fR. The key in \fB/etc/rndc.key\fR is used to authenticate commands sent to the server if the \fIconfig-file\fR does not exist. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIserver\fR\fR -.ad -.sp .6 -.RS 4n -The \fIserver\fR argument is the name or address of the server that matches a server statement in the configuration file for \fBrndc\fR. If no server is supplied on the command line, the host named by the default-server clause in the options statement of the \fBrndc\fR configuration file is used. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIport\fR\fR -.ad -.sp .6 -.RS 4n -Send commands to TCP port \fIport\fR instead of BIND 9's default control channel port, 953. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-V\fR\fR -.ad -.sp .6 -.RS 4n -Enable verbose logging. -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-y\fR \fIkey_id\fR\fR -.ad -.sp .6 -.RS 4n -Use the key \fIkey_id\fR from the configuration file. The \fIkey_id\fR argument must be known by \fBnamed\fR with the same algorithm and secret string for control message validation to succeed. 
If no \fIkey_id\fR is specified, \fBrndc\fR will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the \fBdefault-key\fR clause of the options statement. The configuration file contains shared secrets that are used to send authenticated control commands to name servers. It should therefore not have general read or write access. -.RE - -.sp -.LP -For the complete set of commands supported by \fBrndc\fR, see the \fIBIND 9 Administrator Reference Manual\fR or run \fBrndc\fR without arguments to see its help message. -.SH LIMITATIONS -.sp -.LP -The \fBrndc\fR utility does not support all the commands of the BIND 8 \fBndc\fR utility. -.sp -.LP -There is no way to provide the shared secret for a \fIkey_id\fR without using the configuration file. -.sp -.LP -Several error messages tend toward the cryptic. -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilitynetwork/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBnamed\fR(8), \fBrndc-confgen\fR(8), \fBnamed.conf\fR(5), \fBrndc.conf\fR(5), \fBattributes\fR(7) -.sp -.LP -See the BIND 9 \fIAdministrator's Reference Manual\fR. As of the date of publication of this man page, this document is available at https://www.isc.org/software/bind/documentation\&. diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/rndc.conf.5 --- a/components/bind/Solaris/rndc.conf.5 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,157 +0,0 @@ -'\" te -.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. -.TH rndc.conf 5 "19 Oct 2015" "SunOS 5.12" "File Formats" -.SH NAME -rndc.conf \- rndc configuration file -.SH SYNOPSIS -.LP -.nf -rndc.conf -.fi - -.SH DESCRIPTION -.sp -.LP -\fBrndc.conf\fR is the configuration file for \fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to \fBnamed.conf\fR. Statements are enclosed in braces and terminated with a semicolon. Clauses in the statements are also semicolon terminated. The usual comment styles are supported: -.sp -.ne 2 -.mk -.na -\fBC style\fR -.ad -.RS 14n -.rt -/* */ -.RE - -.sp -.ne 2 -.mk -.na -\fBC++ style\fR -.ad -.RS 14n -.rt -// to end of line -.RE - -.sp -.ne 2 -.mk -.na -\fBUnix style\fR -.ad -.RS 14n -.rt -# to end of line -.RE - -.sp -.LP -\fBrndc.conf\fR is much simpler than \fBnamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement. -.sp -.LP -The \fBoptions\fR statement contains five clauses. The \fBdefault-server\fR clause is followed by the name or address of a name server. This host is used when no name server is provided as an argument to \fBrndc\fR. 
The \fBdefault-key\fR clause is followed by the name of a key which is identified by a \fBkey\fR statement. If no \fBkeyid\fR is provided on the \fBrndc\fR command line, and no \fBkey\fR clause is found in a matching \fBserver\fR statement, this default key will be used to authenticate the server's commands and responses. The \fBdefault-port\fR clause is followed by the port to connect to on the remote name server. If no \fBport\fR option is provided on the \fBrndc\fR command line, and no \fBport\fR clause is found in a matching \fBserver\fR statement, this default port will be used to connect. The \fBdefault-source-address\fR and \fBdefault-source-address-v6\fR clauses which can be used to set the IPv4 and IPv6 source addresses respectively. -.sp -.LP -After the \fBserver\fR keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: \fBkey\fR, \fBport\fR, and \fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an addresses clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If a \fBsource-address\fR or \fBsource-address-v6\fR is supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively. -.sp -.LP -The \fBkey\fR statement begins with an identifying string, the name of the key. The statement has two clauses. \fBalgorithm\fR identifies the encryption algorithm for \fBrndc\fR to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the \fBbase-64\fR encoding of the algorithm's encryption key. The \fBbase-64\fR string is enclosed in double quotes. -.sp -.LP -There are two common ways to generate the \fBbase-64\fR string for the secret. 
The BIND 9 program \fBrndc-confgen\fR(8) can be used to generate a random key, or the \fBmmencode\fR program, also known as \fBmimencode\fR, can be used to generate a \fBbase-64\fR string from known input. \fBmmencode\fR does not ship with BIND 9 but is available on many systems. See the \fBEXAMPLES\fR section for sample command lines for each. -.SH EXAMPLES -.sp -.in +2 -.nf -options { - default-server localhost; - default-key samplekey; -}; - -server localhost { - key samplekey; -}; - -server testserver { - key testkey; - addresses { localhost port 5353; }; -}; - -key samplekey { - algorithm hmac-md5; - secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; -}; - -key testkey { - algorithm hmac-md5; - secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; -}; -.fi -.in -2 -.sp - -.sp -.LP -In the above example, \fBrndc\fR by default uses the server at \fBlocalhost\fR (127.0.0.1) and the key called \fBsamplekey\fR. Commands to the \fBlocalhost\fR server will use the \fBsamplekey\fR key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that \fBsamplekey\fR uses the HMAC-MD5 algorithm and its secret clause contains the \fBbase-64\fR encoding of the HMAC-MD5 secret enclosed in double quotes. -.sp -.LP -If \fBrndc -s testserver\fR is used then \fBrndc\fR connects to server on \fBlocalhost\fR port 5353 using the key \fBtestkey\fR. -.sp -.LP -To generate a random secret with \fBrndc-confgen\fR: -.sp -.in +2 -.nf -rndc-confgen -.fi -.in -2 -.sp - -.sp -.LP -A complete \fBrndc.conf\fR file, including the randomly generated key, will be written to the standard output. Commented out \fBkey\fR and \fBcontrols\fR statements for \fBnamed.conf\fR are also printed. 
-.sp -.LP -To generate a \fBbase-64\fR secret with \fBmmencode\fR: -.sp -.in +2 -.nf -echo "known plaintext for a secret" | mmencode -.fi -.in -2 -.sp - -.SH NAME SERVER CONFIGURATION -.sp -.LP -The name server must be configured to accept \fBrndc\fR connections and to recognize the key specified in the \fBrndc.conf\fR file, using the controls statement in \fBnamed.conf\fR. See the sections on the \fBcontrols\fR statement in the \fIBIND 9 Administrator Reference Manual\fR for details. -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(7) for descriptions of the following attributes: -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE -_ -Availabilityservice/network/dns/bind -_ -Interface StabilityVolatile -.TE - -.SH SEE ALSO -.sp -.LP -\fBrndc\fR(8), \fBrndc-confgen\fR(8), \fBattributes\fR(7) -.sp -.LP -\fIBIND 9 Administrator Reference Manual\fR diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/server.xml --- a/components/bind/Solaris/server.xml Mon Jun 06 06:11:42 2016 -0700 +++ b/components/bind/Solaris/server.xml Thu Jun 16 13:48:33 2016 +0100 @@ -22,7 +22,7 @@ --> @@ -172,6 +172,27 @@ --> + + + + + + @@ -185,8 +206,8 @@ - + diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/zh/dig.8 --- a/components/bind/Solaris/zh/dig.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,784 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dig 8 "2010 年 1 月 11 日" "SunOS 5.12" "系统管理命令" -.SH 名称 -dig \- DNS 查找实用程序 -.SH 用法概要 -.LP -.nf -\fBdig\fR [@server] [\fB-b\fR \fIaddress\fR] [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIfilename\fR] - [\fB-k\fR \fIfilename\fR] [\fB-m\fR] [\fB-p\fR \fIport#\fR] [\fB-q\fR \fIname\fR] [\fB-t\fR \fItype\fR] [\fB-x\fR \fIaddr\fR] - [\fB-y\fR [\fIhmac\fR:]\fIname:key\fR] [\fB-4\fR] [\fB-6\fR] [\fIname\fR] [\fItype\fR] [\fIclass\fR] [\fIqueryopt\fR]... -.fi - -.LP -.nf -\fBdig\fR [\fB-h\fR] -.fi - -.LP -.nf -\fBdig\fR [\fIglobal-queryopt\fR...] [\fIquery\fR...] 
-.fi - -.SH 描述 -.sp -.LP -\fBdig\fR 实用程序(域信息探测器)是一种灵活的工具,用于查询 DNS 名称服务器。它可以执行 DNS 查找,并显示从查询的名称服务器返回的答案。由于该实用程序灵活、易用并且输出明确,因此大多数 DNS 管理员都使用 \fBdig\fR 来解决 DNS 问题。其他查找工具的功能通常比 \fBdig\fR 少。 -.sp -.LP -虽然 \fBdig\fR 通常与命令行参数一起使用,但它还具有从文件中读取查找请求的批处理操作模式。如果指定了 \fB-h\fR 选项,将输出该实用程序的命令行参数以及选项的概述。与早期版本不同,\fBdig\fR 的 BIND 9 实现允许从命令行发出多个查找。 -.sp -.LP -除非收到查询特定名称服务器的指令,否则 \fBdig\fR 会尝试查询 \fB/etc/resolv.conf\fR 中列出的每个服务器。 -.sp -.LP -如果未指定任何命令行参数或选项,\fBdig\fR 会执行“.”(根)的 NS 查询。 -.sp -.LP -可以使用 \fB${HOME}/.digrc\fR 为 \fBdig\fR 设置每用户缺省值。系统会读取此文件,且在命令行参数之前应用其中的任何选项。 -.sp -.LP -\fBIN\fR 和 \fBCH\fR 类名与 \fBIN\fR 和 \fBCH\fR 顶级域名重叠。因此,可 \fB-t\fR 和 \fB-c\fR 选项来指定类型和类,或使用 \fB"IN."\fR 和 \fB "CH."\fR查找这些顶级域。 -.SS "简单用法" -.sp -.LP -下面是 \fBdig\fR 的典型调用: -.sp -.in +2 -.nf -dig @server name type -.fi -.in -2 -.sp - -.sp -.LP -其中: -.sp -.ne 2 -.mk -.na -\fB\fIserver\fR\fR -.ad -.sp .6 -.RS 4n -要查询的名称服务器的名称或 IP 地址。可以是采用点分十进制记法的 IPv4 地址或采用冒号分隔记法的 IPv6 地址。如果提供的 \fIserver\fR 参数为主机名,\fBdig\fR 会在查询该名称服务器之前解析该名称。如果未提供 \fIserver\fR 参数,\fBdig\fR 会查找 \fB/etc/resolv.conf\fR 并查询其中列出的名称服务器。将会显示来自做出响应的名称服务器的回复。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIname\fR\fR -.ad -.sp .6 -.RS 4n -要查找的资源记录的名称。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fItype\fR\fR -.ad -.sp .6 -.RS 4n -指示所需的查询类型(ANY、A、MX、SIG 等)。\fItype\fR 可以是任何有效的查询类型。如果未提供 \fItype\fR 参数,\fBdig\fR 会执行 A 记录查找。 -.RE - -.SH 选项 -.sp -.LP -支持以下选项: -.sp -.ne 2 -.mk -.na -\fB\fB-4\fR\fR -.ad -.sp .6 -.RS 4n -仅使用 IPv4 传输。缺省情况下,IPv4 和 IPv6 传输均可使用。选项 \fB-4\fR 和 \fB-6\fR 互斥。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-6\fR\fR -.ad -.sp .6 -.RS 4n -仅使用 IPv6 传输。缺省情况下,IPv4 和 IPv6 传输均可使用。选项 \fB-4\fR 和 \fB-6\fR 互斥。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIaddress\fR\fR -.ad -.sp .6 -.RS 4n -将查询的源 IP 地址设置为 \fIaddress\fR。该地址必须是主机的网络接口之一上的有效地址、\fB0.0.0.0\fR 或 \fB::\fR。通过附加 \fB#\fR\fI\fR 可以指定可选端口。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -覆盖缺省的查询类(IN 表示 Internet)。\fIclass\fR 参数可以是任何有效类,例如,HS 表示 Hesiod 记录,CH 表示 CHAOSNET 记录。 -.RE - -.sp -.ne 2 -.mk -.na 
-\fB\fB-f\fR \fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -通过从文件 \fIfilename\fR 中读取要处理的查找请求列表,以批处理模式运行。此文件包含多个查询(每行一个)。文件中每个项的组织方式应与使用命令行界面查询 \fBdig\fR 时显示的方式相同。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -输出命令行参数与选项的概述。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIfilename\fR\fR -.ad -.sp .6 -.RS 4n -指定事务签名 (TSIG) 密钥文件以使用 TSIG 签署由 \fBdig\fR 发送的 DNS 查询及其响应。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-m\fR\fR -.ad -.sp .6 -.RS 4n -启用内存使用情况调试。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIport#\fR\fR -.ad -.sp .6 -.RS 4n -查询非标准端口号。\fIport#\fR 参数是 \fBdig\fR 发送其查询所用的端口号,而不是标准 DNS 端口号 53。此选项会测试配置为侦听非标准端口号上的查询的名称服务器。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-q\fR \fIname\fR\fR -.ad -.sp .6 -.RS 4n -将查询名称设置为 \fIname\fR。这样可以轻松将查询名称与其他参数区分开来。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -将查询类型设置为 \fItype\fR,可以是 BIND9 中支持的任意有效查询类型。缺省的查询类型为“A”,除非提供了 \fB-x\fR 选项以指示反向查找。通过指定 AXFR 类型可请求区域传输。需要进行增量区域传输 (IXFR) 时,将 \fItype\fR 设置为 \fBixfr\fR=\fIN\fR。由于区域的 SOA 记录中的序列号为 \fIN\fR,增量区域传输将包含对该区域所做的更改。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-x\fR \fIaddr\fR\fR -.ad -.sp .6 -.RS 4n -简化反向查找(将地址映射至名称)。\fIaddr\fR 参数是采用点分十进制记法的 IPv4 地址或采用冒号分隔记法的 IPv6 地址。如果使用此选项,则无需提供 \fIname\fR、\fIclass\fR 和 \fItype\fR 参数。\fBdig\fR 实用程序会自动执行名称查找,例如 \fB11.12.13.10.in-addr.arpa\fR,并将查询类型和类分别设置为 PTR 和 IN。缺省情况下,在 IP6.ARPA 域下使用半字节格式查找 IPv6 地址。要使用采用 IP6.INT 域的早期 RFC1886 方法,请指定 \fB-i\fR 选项。位字符串标签 (RFC 2874) 目前处于试验阶段,不会尝试使用。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-y\fR [\fIhmac\fR:]\fIname\fR:\fIkey\fR\fR -.ad -.sp .6 -.RS 4n -在命令行上指定一个事务签名 (TSIG) 密钥。这样可以签署 \fBdig\fR 发送的 DNS 查询及其响应。您还可以在命令行上使用 \fB-y\fR 选项指定 TSIG 密钥本身。可选的 \fIhmac\fR 是 TSIG 的类型;缺省值为 \fBHMAC-MD5\fR。\fIname\fR 参数是 TSIG 密钥的名称,\fIkey\fR 参数是实际密钥。此密钥为 base-64 编码字符串,通常由 \fBdnssec-keygen\fR(8) 生成。 -.sp -在多用户系统上使用 \fB-y\fR 选项时应谨慎,因为该密钥会显示在来自 \fBps\fR(1) 的输出中或 shell 的历史文件中。将 TSIG 验证与 \fBdig\fR 结合使用时,所查询的名称服务器需要知道正在使用的密钥和算法。在 BIND 中,这一点可通过在 \fBnamed.conf\fR 中提供适当的 \fBkey\fR 和 \fBserver\fR 语句实现。 -.RE - -.SH 查询选项 -.sp -.LP -\fBdig\fR 
实用程序提供了一些会影响查找实施以及显示结果的方式的查询选项。其中的一些选项用于设置或复位查询标头中的标志位,一些选项用于确定输出答案的哪些部分,其他选项用于确定超时和重试策略。 -.sp -.LP -每个查询选项都通过一个带加号 (+) 前缀的关键字标识。一些关键字可设置或复位选项。这些关键字可能会具有 no 字符串前缀,以否定该关键字的含义。其他关键字用于分配选项的值,例如超时时间间隔。这些关键字的格式为 \fB+keyword=\fR\fIvalue\fR。查询选项包括: -.sp -.ne 2 -.mk -.na -\fB\fB+[no]tcp\fR\fR -.ad -.sp .6 -.RS 4n -查询名称服务器时使用 [不使用] TCP。缺省的行为是使用 UDP,除非请求了 AXFR 或 IXFR 查询,在这种情况下将使用 TCP 连接。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]vc\fR\fR -.ad -.sp .6 -.RS 4n -查询名称服务器时使用 [不使用] TCP。这是 \fB+[no]tcp\fR 的另一种等效语法,之所以提供此语法是为了实现向后兼容性。“vc”表示 virtual circuit(虚拟线路)。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]ignore\fR\fR -.ad -.sp .6 -.RS 4n -忽略 UDP 响应中的截断,而不是使用 TCP 重试。缺省情况下,执行 TCP 重试。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+domain=\fR\fIsomename\fR\fR -.ad -.sp .6 -.RS 4n -设置搜索列表,使其包含单个域 \fIsomename\fR,如同在 \fB/etc/resolv.conf\fR 的 \fBdomain\fR 指令中指定一样,并且启用搜索列表处理,如同指定了 \fB+search\fR 选项一样。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]search\fR\fR -.ad -.sp .6 -.RS 4n -使用 [不使用] \fBresolv.conf\fR(如果有)中的 \fBsearchlist\fR 或 \fBdomain\fR 指令定义的搜索列表。缺省情况下,不使用此搜索列表。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]showsearch\fR\fR -.ad -.sp .6 -.RS 4n -执行 [不执行] 显示中间结果的搜索。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]defname\fR\fR -.ad -.sp .6 -.RS 4n -已过时,视为 \fB+[no]search\fR 的同义语法。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]aaonly\fR\fR -.ad -.sp .6 -.RS 4n -设置查询中的 \fBaa\fR 标志。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]aaflag\fR\fR -.ad -.sp .6 -.RS 4n -\fB+[no]aaonly\fR 的同义语法。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]adflag\fR\fR -.ad -.sp .6 -.RS 4n -设置 [不设置] 查询中的 AD(authentic data,可信数据)位。这要求服务器返回值,无论是否根据服务器的安全策略将所有答案和授权部分均验证为安全。设置为 \fBAD=1\fR 指示所有记录都已验证为安全,而且答案不是来自 \fBOPT-OUT\fR 范围。\fBAD=0\fR 指示答案的某些部分不安全或未经验证。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cdflag\fR\fR -.ad -.sp .6 -.RS 4n -设置 [不设置] 查询中的 CD(checking disabled,禁用检查)位。这要求服务器不对响应执行 DNSSEC 验证。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cl\fR\fR -.ad -.sp .6 -.RS 4n -输出记录时显示 [不显示] 类。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]ttlid\fR\fR -.ad -.sp .6 -.RS 4n 
-输出记录时显示 [不显示] TTL。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]recurse\fR\fR -.ad -.sp .6 -.RS 4n -切换查询中 RD(recursion desired,需要递归)位的设置。缺省情况下会设置此位,这意味着 \fBdig\fR 通常会发送递归查询。使用 \fB+nssearch\fR 或 \fB+trace\fR 查询选项时,会自动禁用递归。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]nssearch\fR\fR -.ad -.sp .6 -.RS 4n -设置此选项时,\fBdig\fR 会尝试查找区域的包含待查找名称的权威名称服务器,并显示每台名称服务器中对应于该区域的 SOA 记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]trace\fR\fR -.ad -.sp .6 -.RS 4n -对要查找的名称,从根名称服务器切换委托路径跟踪。缺省情况下,禁用跟踪。启用跟踪时,\fBdig\fR 会执行迭代查询以解析要查找的名称。将按照来自根服务器的引用,显示来自每个服务器的用于解析查找的答案。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]cmd\fR\fR -.ad -.sp .6 -.RS 4n -切换是否在输出中显示标识 \fBdig\fR 的版本以及所应用的查询选项的初始注释。缺省情况下,输出此注释。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]short\fR\fR -.ad -.sp .6 -.RS 4n -提供扼要答案。缺省情况下,以详细模式输出答案。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]identify\fR\fR -.ad -.sp .6 -.RS 4n -启用 +\fIshort\fR 选项时,显示 [或不显示] 提供答案的 IP 地址和端口号。如果要求提供简洁格式的答案,缺省情况下,不显示提供答案的服务器的源地址和端口号。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]comments\fR\fR -.ad -.sp .6 -.RS 4n -切换输出中注释行的显示。缺省情况下显示注释。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]stats\fR\fR -.ad -.sp .6 -.RS 4n -切换统计信息的输出:执行查询的时间、回复大小等。缺省行为是输出查询统计信息。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]qr\fR\fR -.ad -.sp .6 -.RS 4n -发送时输出 [不输出] 查询。缺省情况下不输出查询。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]question\fR\fR -.ad -.sp .6 -.RS 4n -返回答案时输出 [不输出] 查询的问题部分。缺省情况下,以注释形式输出问题部分。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]answer\fR\fR -.ad -.sp .6 -.RS 4n -显示 [不显示] 回复的答案部分。缺省情况下显示该部分。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]authority\fR\fR -.ad -.sp .6 -.RS 4n -显示 [不显示] 回复的授权部分。缺省情况下显示该部分。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]additional\fR\fR -.ad -.sp .6 -.RS 4n -显示 [不显示] 回复的附加部分。缺省情况下显示该部分。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]all\fR\fR -.ad -.sp .6 -.RS 4n -设置或清除所有显示标志。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+time=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -将查询的超时时间设置为 \fIT\fR 秒。缺省超时时间为 5 秒。尝试将 \fIT\fR 设置为小于 1 的值将会应用 1 秒的查询超时。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+tries=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 
4n -将 UDP 尝试的最大次数设置为 \fIT\fR。缺省值为 3(1 次初始尝试以及随后 2 次重试)。如果 T 小于等于 0,会将重试次数向上舍入为 1 次而不显示相关提示。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+retry=\fR\fIT\fR\fR -.ad -.sp .6 -.RS 4n -将 UDP 重试次数设置为 \fIT\fR。缺省 为 2。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+ndots=\fR\fID\fR\fR -.ad -.sp .6 -.RS 4n -将需要显示在 \fIname\fR 中的点数设置为 \fID\fR,以便将其视为绝对名。缺省值是使用 \fB/etc/resolv.conf\fR 中的 \fBndots\fR 语句定义的值,如果 \fBndots\fR 语句不存在,则缺省值为 1。点数较少的名称将解释为相对名称,并在 \fB/etc/resolv.conf\fR 中的 \fBsearch\fR 或 \fBdomain\fR 指令中列出的域中进行搜索。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+bufsize=\fR\fIB\fR\fR -.ad -.sp .6 -.RS 4n -将使用 EDNS0 通告的 UDP 消息缓冲区大小设置为 \fIB\fR 字节。此缓冲区的最大和最小大小分别为 65535 和 0 字节。超出此范围的值将相应地进行向上或向下舍入。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+edns=\fR\fI#\fR\fR -.ad -.sp .6 -.RS 4n -指定用于查询的 EDNS 版本。有效值为 0 至 255。设置 EDNS 版本会导致发送一条 EDNS 查询。\fB+noedns\fR 将清除记住的 EDNS 版本。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]multiline\fR\fR -.ad -.sp .6 -.RS 4n -以详细的多行格式输出包含用户可读注释的记录,例如 SOA 记录。缺省情况下,每行输出一条记录,以便于计算机解析 \fBdig\fR 输出。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]fail\fR\fR -.ad -.sp .6 -.RS 4n -如果收到 \fBSERVFAIL\fR,请勿尝试下一个服务器。缺省情况下,不会尝试下一个服务器,这与常规的桩模块解析器行为相反。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]besteffort\fR\fR -.ad -.sp .6 -.RS 4n -尝试显示格式错误的消息的内容。缺省情况下,不显示格式错误的答案。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]dnssec\fR\fR -.ad -.sp .6 -.RS 4n -通过在查询的附加部分的 OPT 记录中设置 DNSSEC OK 位 (DO),请求发送 DNSSEC 记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]sigchase\fR\fR -.ad -.sp .6 -.RS 4n -追踪 DNSSEC 签名链。需要使用 \fB-DDIG_SIGCHASE\fR 来编译 \fBdig\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+trusted-key=\fR####\fR -.ad -.sp .6 -.RS 4n -指定包含与 \fB+sigchase\fR 结合使用的可信密钥的文件。每条 \fBDNSKEY\fR 记录必须占据一行。 -.sp -如果未指定,dig 会查找 \fB/etc/trusted-key.key\fR,然后在当前目录中查找 \fBtrusted-key.key\fR。 -.sp -需要使用 \fB-DDIG_SIGCHASE\fR 来编译 \fBdig\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]topdown\fR\fR -.ad -.sp .6 -.RS 4n -追踪 DNSSEC 签名链时,执行自上而下的验证。需要使用 \fB-DDIG_SIGCHASE\fR 来编译 \fBdig\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB+[no]nsid\fR\fR -.ad -.sp .6 -.RS 4n -发送查询时,包括 EDNS 名称服务器 
ID 请求。 -.RE - -.SH 多个查询 -.sp -.LP -除了支持 \fB-f\fR 批处理文件选项以外,\fBdig\fR 的 BIND 9 实现还支持在命令行上指定多个查询。对于每条查询,可提供其自己的标志、选项以及查询选项集。 -.sp -.LP -这种情况下,在上述命令行语法中,每个 \fIquery\fR 参数表示一条查询。每条查询由任一标准选项和标志、要查找的名称、可选的查询类型、类以及应当应用于该查询的任意查询选项组成。 -.sp -.LP -还可以提供应当应用于所有查询的全局查询选项集。这些全局查询选项必须居于命令行上提供的第一组名称、类、类型、选项、标志和查询选项之前。任何全局查询选项(\fB+[no]cmd\fR 选项除外)均可由查询特定的查询选项集覆盖。例如: -.sp -.in +2 -.nf -dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -.fi -.in -2 -.sp - -.sp -.LP -以上语法显示如何在命令行中使用 \fBdig\fR 来执行三个查找:针对 \fBwww.isc.org\fR 的 ANY 查询、反向查找 127.0.0.1 以及查询 \fBisc.org\fR 的 NS 记录。应用全局查询选项 \fB+qr\fR,因此 \fBdig\fR 可以显示针对每次查找所做的初始查询。最后的查询具有本地查询选项 \fB+noqr\fR,表示 \fBdig\fR 在查找 \fBisc.org\fR 的 NS 记录时不会输出初始查询。 -.SH 文件 -.sp -.ne 2 -.mk -.na -\fB\fB/etc/resolv.conf\fR\fR -.ad -.sp .6 -.RS 4n -解析器配置文件 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB${HOME}/.digrc\fR\fR -.ad -.sp .6 -.RS 4n -用户定义的配置文件 -.RE - -.SH 属性 -.sp -.LP -有关下列属性的说明,请参见 \fBattributes\fR(5): -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性类型属性值 -_ -可用性network/dns/bind -_ -接口稳定性Volatile(可变) -.TE - -.SH 另请参见 -.sp -.LP -\fBdnssec-keygen\fR(8)、\fBhost\fR(8)、\fBnamed\fR(8)、\fBnslookup\fR(8)、\fBattributes\fR(5) -.sp -.LP -\fIRFC1035\fR -.sp -.LP -请参见《\fIBIND 9 管理员参考手册\fR》。从本手册页发布之日起,将在 https://www.isc.org/software/bind/documentation 上提供该文档。 -.SH 已知问题 -.sp -.LP -查询选项可能过多。 -.SH 附注 -.sp -.LP -\fBnslookup\fR(8) 和 \fBdig\fR 目前将“Not Implemented”(未实施)报告为 \fBNOTIMP\fR 而不是 \fBNOTIMPL\fR。这会影响查找 \fBNOTIMPL\fR 的脚本。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/zh/dnssec-dsfromkey.8 --- a/components/bind/Solaris/zh/dnssec-dsfromkey.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,169 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-dsfromkey 8 "2010 年 1 月 11 日" "SunOS 5.12" "系统管理命令" -.SH 名称 -dnssec-dsfromkey \- DNSSEC DS RR 生成工具 -.SH 用法概要 -.LP -.nf -\fBdnssec-dsfromkey\fR [\fB-v\fR \fIlevel\fR] [\fB-1\fR] [\fB-2\fR] [\fB-a\fR \fIalg\fR] \fIkeyfile\fR -.fi - -.LP -.nf -\fBdnssec-dsfromkey\fR \fB-s\fR [\fB-v\fR \fIlevel\fR] [\fB-1\fR] [\fB-2\fR] [\fB-a\fR \fIalg\fR] [\fB-c\fR \fIclass\fR] - [\fB-d\fR \fIdir\fR] \fIkeyfile\fR -.fi - -.SH 描述 -.sp -.LP -\fBdnssec-dsfromkey\fR -.SH 选项 -.sp -.LP -支持以下选项: -.sp -.ne 2 -.mk -.na -\fB\fB-1\fR\fR -.ad -.sp .6 -.RS 4n -将 \fBSHA-1\fR 用作摘要算法。缺省情况下,同时使用 \fBSHA-1\fR 和 \fBSHA-256\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-2\fR\fR -.ad -.sp .6 -.RS 4n -将 SHA-256 用作摘要算法。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -选择摘要算法。\fIalgorithm\fR 的值必须是 \fBSHA-1\fR (\fBSHA1\fR) 或 \fBSHA-256\fR (\fBSHA256\fR) 之一。这些值不区分大小写。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -设置调试级别。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR\fR -.ad -.sp .6 -.RS 4n -密钥集模式:代替密钥文件名称,该参数是密钥集文件的 DNS 域名。\fB-c\fR 和 \fB-d\fR 选项仅在该模式下才有意义。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR 
\fIclass\fR\fR -.ad -.sp .6 -.RS 4n -指定 DNS 类(缺省类是 \fBIN\fR);仅在密钥集模式下才有用。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -在作为目录的 directory 中查找密钥集文件;不处于密钥集模式下时忽略。 -.RE - -.SH 示例 -.sp -.LP -要从 \fBKexample.com.+003+26160\fR 密钥文件名称构建 SHA-256 DS RR,请使用以下命令: -.sp -.in +2 -.nf -# \fBdnssec-dsfromkey -2 Kexample.com.+003+26160\fR -.fi -.in -2 -.sp - -.sp -.LP -此命令将生成与下面类似的输出: -.sp -.in +2 -.nf -example.com. IN DS 26160 5 2 -3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 -C5EA0B94 -.fi -.in -2 -.sp - -.SH 文件 -.sp -.LP -该密钥文件可以通过密钥标识 \fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR 或完整文件名 \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.key \fR 指定,与由 \fBdnssec-keygen\fR(8) 生成的一样。 -.sp -.LP -密钥集文件名基于目录、字符串 \fBkeyset-\fR 和 \fIdnsname\fR 构建而成。 -.SH 属性 -.sp -.LP -有关下列属性的说明,请参见 \fBattributes\fR(5): -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性类型属性值 -_ -可用性service/network/dns/bind -_ -接口稳定性Volatile(可变) -.TE - -.SH 另请参见 -.sp -.LP -\fBdnssec-keygen\fR(8)、\fBdnssec-signzone\fR(8)、\fBattributes\fR(5) -.sp -.LP -\fIRFC 3658\fR、\fIRFC 4509\fR -.sp -.LP -请参见《\fIBIND 9 管理员参考手册\fR》。从本手册页发布之日起,将在 https://www.isc.org/software/bind/documentation 上提供该文档。 -.SH 注意 -.sp -.LP -密钥文件错误可以生成“未找到文件”消息,即使该文件存在也是如此。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/zh/dnssec-keyfromlabel.8 --- a/components/bind/Solaris/zh/dnssec-keyfromlabel.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,194 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-keyfromlabel 8 "2010 年 1 月 11 日" "SunOS 5.12" "系统管理命令" -.SH 名称 -dnssec-keyfromlabel \- DNSSEC 密钥生成工具 -.SH 用法概要 -.LP -.nf -\fBdnssec-keyfromlabel\fR \fB-a\fR \fIalgorithm\fR \fB-l\fR \fIlabel\fR [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIflag\fR] [\fB-k\fR] - [\fB-n\fR \fInametype\fR] [\fB-p\fR \fIprotocol\fR] [\fB-t\fR \fItype\fR] [\fB-v\fR \fIlevel\fR] \fIname\fR -.fi - -.SH 描述 -.sp -.LP -\fBdnssec-keyfromlabel\fR 从加密硬件设备使用指定的标签检索密钥,并为 DNSSEC(安全 DNS)生成密钥文件,如 RFC 2535 和 RFC 4034 中所定义的那样。 -.SH 选项 -.sp -.LP -支持以下选项: -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -选择加密算法。\fIalgorithm\fR 的值必须是 \fBRSAMD5\fR (RSA) 或 \fBRSASHA1\fR、\fBDSA\fR、\fBNSEC3RSASHA1\fR、\fBNSEC3DSA\fR 或 \fBDH\fR (Diffie-Hellman) 之一。这些值不区分大小写。 -.sp -请注意,对于 \fBDNSSEC\fR,\fBRSASHA1\fR 是强制实现的算法;DSA 是建议的算法。另请注意,\fBDH\fR 自动设置 \fB-k\fR 标志。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-L\fR \fIlabel\fR\fR -.ad -.sp .6 -.RS 4n -指定加密硬件 (PKCS#11) 设备中的密钥标签。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInametype\fR\fR -.ad -.sp .6 -.RS 4n -指定密钥的所有者类型。\fInametype\fR 的值必须是 \fBZONE\fR(对于 \fBDNSSEC\fR 区域密钥 (\fBKEY\fR/\fBDNSKEY\fR))、\fBHOST\fR 或 
\fBENTITY\fR(对于与主机相关的密钥 (\fBKEY\fR))、\fBUSER\fR(对于与用户相关的密钥 (\fBKEY\fR))或 \fBOTHER\fR (\fBDNSKEY\fR)。这些值不区分大小写。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -表明包含密钥的 DNS 记录应该具有指定类。如果没有指定,将使用类 \fBIN\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIflag\fR\fR -.ad -.sp .6 -.RS 4n -在 \fBKEY\fR/\fBDNSKEY\fR 记录的标志字段中设置指定的标志。唯一识别的标志是 \fBKSK\fR(Key Signing Key,密钥签名密钥)\fBDNSKEY\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -显示 \fBdnssec-keyfromlabel\fR 的选项和参数的简短摘要。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fI\fR\fR -.ad -.sp .6 -.RS 4n -生成 \fBKEY\fR 记录,而不是 \fBDNSKEY\fR 记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIprotocol\fR\fR -.ad -.sp .6 -.RS 4n -为生成的密钥设置协议值。协议是 0 到 255 之间的数字。缺省值是 \fB3\fR (\fBDNSSEC\fR)。在 RFC 2535 及其后续 RFC 中列出了此参数的其他可能值。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -表明密钥的用途。\fItype\fR 必须是 \fBAUTHCONF\fR、\fBNOAUTHCONF\fR、\fBNOAUTH\fR 或 \fBNOCONF\fR 之一。缺省值是 \fBAUTHCONF\fR。\fBAUTH\fR 指的是验证数据的能力,\fBCONF\fR 指的是加密数据的能力。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -设置调试级别。 -.RE - -.SH 生成的密钥文件 -.sp -.LP -当 \fBdnssec-keyfromlabel\fR 成功完成时,会向标准输出中显示 \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR\fR 格式的字符串。这是其生成的密钥文件的标识字符串,其意义如下。 -.RS +4 -.TP -.ie t \(bu -.el o -\fInnnn\fR 是密钥名称。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIaaa\fR 是算法的数字表示。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIiiiii\fR 是密钥标识符(或足迹)。 -.RE -.sp -.LP -\fBdnssec-keyfromlabel\fR 创建两个文件,并根据显示的字符串命名这两个文件。\fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.key\fR 包含公钥,\fBK\fInnnn\fR.+\fI aaa\fR+\fIiiiii\fR.private\fR 包含私钥。 -.sp -.LP -第一个文件包含 \fBDNS\fR \fBKEY\fR 记录,该记录可以直接插入到区域文件,也可以使用 \fB$INCLUDE\fR 语句插入。 -.sp -.LP -第二个文件包含算法特定的字段。出于安全原因,此文件不具有一般读取权限。 -.SH 属性 -.sp -.LP -有关下列属性的说明,请参见 \fBattributes\fR(5): -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. 
-属性类型属性值 -_ -可用性service/network/dns/bind -_ -接口稳定性Volatile(可变) -.TE - -.SH 另请参见 -.sp -.LP -\fBdnssec-keygen\fR(8)、\fBdnssec-signzone\fR(8)、\fBattributes\fR(5) -.sp -.LP -\fIRFC 2539\fR、\fIRFC 2845\fR、\fIRFC 4033\fR -.sp -.LP -请参见《\fIBIND 9 管理员参考手册\fR》。从本手册页发布之日起,将在 https://www.isc.org/software/bind/documentation 上提供该文档。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/zh/dnssec-keygen.8 --- a/components/bind/Solaris/zh/dnssec-keygen.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,300 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-keygen 8 "2010 年 1 月 11 日" "SunOS 5.12" "系统管理命令" -.SH 名称 -dnssec-keygen \- DNSSEC 密钥生成工具 -.SH 用法概要 -.LP -.nf -\fBdnssec-keygen\fR \fB-a\fR \fIalgorithm\fR \fB-b\fR \fIkeysize\fR \fB-n\fR \fInametype\fR [\fB-ehk\fR] - [\fB-c\fR \fIclass\fR] [\fB-f\fR \fIflag\fR] [\fB-g\fR \fIgenerator\fR] [\fB-p\fR \fIprotocol\fR] - [\fB-r\fR \fIrandomdev\fR] [\fB-s\fR \fIstrength\fR] [\fB-t\fR \fItype\fR] [\fB-v\fR \fIlevel\fR] \fIname\fR -.fi - -.SH 描述 -.sp -.LP -\fBdnssec-keygen\fR 实用程序为 DNSSEC(安全 DNS)生成密钥,如 RFC 2535 和 RFC 4034 中定义的那样。它还可以生成与 TSIG(Transaction Signature,事务签名)一起使用的密钥,如 RFC 2845 中定义的那样。 -.SH 选项 -.sp -.LP -支持以下选项: -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR \fIalgorithm\fR\fR -.ad -.sp .6 -.RS 4n -选择加密算法。algorithm 的值必须是 RSAMD5 (RSA) 或 RSASHA1 之一、DSA、NSEC3RSASHA1、NSEC3DSA、\fBDH\fR (Diffie-Hellman) 或 HMAC-MD5。这些值不区分大小写。 -.sp -对于 DNSSEC,RSASHA1 是强制实现的算法;DSA 是建议的算法。对于 TSIG,HMAC-MD5 是强制算法。 -.LP -注 - -.sp -.RS 2 -HMAC-MD5 和 DH 自动设置 \fB-k\fR 标志。 -.RE -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-b\fR \fIkeysize\fR\fR -.ad -.sp .6 -.RS 4n -指定密钥中的位数。密钥大小的选择取决于使用的算法。RSAMD5 和 RSASHA1 密钥必须在 512 和 2048 位之间。Diffie-Hellman 密钥必须在 128 和 4096 位之间。DSA 
密钥必须在 512 和 1024 位之间,并且必须是 64 的整数倍。HMAC-MD5 密钥必须在 1 位和 512 位之间。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -表明包含密钥的 DNS 记录应该具有指定类。如果没有指定,将使用类 IN。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR\fR -.ad -.sp .6 -.RS 4n -如果生成 RSAMD5 或 RSASHA1 密钥,则使用大指数。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIflag\fR\fR -.ad -.sp .6 -.RS 4n -在 KEY/DNSKEY 记录的标志字段中设置指定的标志。唯一识别的标志是 KSK(Key Signing Key,密钥签名密钥)DNSKEY。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-g\fR \fIgenerator\fR\fR -.ad -.sp .6 -.RS 4n -如果生成 Diffie Hellman 密钥,则使用此 \fIgenerator\fR。允许的值是 2 和 5。如果没有指定 generator,则将使用 RFC 2539 中的已知索数(如果可能);否则,缺省值是 2。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -列出 \fBdnssec-keygen\fR 的选项和参数的简短摘要。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR\fR -.ad -.sp .6 -.RS 4n -生成 KEY 记录,而不是 DNSKEY 记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInametype\fR\fR -.ad -.sp .6 -.RS 4n -指定密钥的所有者类型。\fInametype\fR 的值必须是 \fBZONE\fR(对于 DNSSEC 区域密钥 (KEY/DNSKEY))、\fBHOST\fR 或 \fBENTITY\fR(对于与主机相关的密钥 (KEY))、USER(对于与用户相关的密钥 (KEY))或 \fBOTHER\fR (DNSKEY)。这些值不区分大小写。缺省值是 ZONE(用于生成 DNSKEY)。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR \fIprotocol\fR\fR -.ad -.sp .6 -.RS 4n -为生成的密钥设置协议值。\fIprotocol\fR 参数是 0 到 255 之间的数字。缺省值是 3 (DNSSEC)。在 RFC 2535 及其后续版本中列出了此参数的其他可能值。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.sp .6 -.RS 4n -指定随机源。如果操作系统不提供 \fB/dev/random\fR 或等效设备,则缺省的随机源是键盘输入。\fIrandomdev\fR 指定字符设备的名称或包含要使用的随机数据的文件(而非缺省文件)。特殊值 "\fBkeyboard\fR" 表示应该使用键盘输入。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstrength\fR\fR -.ad -.sp .6 -.RS 4n -指定密钥的强度值。\fIstrength\fR 参数是 0 到 15 之间的数字,且当前尚未在 DNSSEC 中定义其用途。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.sp .6 -.RS 4n -表明密钥的用途。\fBtype\fR 必须是 \fBAUTHCONF\fR、\fBNOAUTHCONF\fR、\fBNOAUTH\fR 或 \fBNOCONF\fR 之一。缺省值是 \fBAUTHCONF\fR。\fBAUTH\fR 指的是验证数据的能力,\fBCONF\fR 指的是加密数据的能力。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -设置调试级别。 -.RE - -.SH 生成的密钥 -.sp -.LP -当 
\fBdnssec-keygen\fR 成功完成时,会向标准输出中输出 \fBK\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR\fR 格式的字符串。这是其生成的密钥的标识字符串。 -.RS +4 -.TP -.ie t \(bu -.el o -\fInnnn\fR 是密钥名称。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIaaa\fR 是算法的数字表示。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fIiiiii\fR 是密钥标识符(或足迹)。 -.RE -.sp -.LP -\fBdnssec-keygen\fR 实用程序创建两个文件,并根据列出的字符串命名这两个文件。 -.RS +4 -.TP -.ie t \(bu -.el o -\fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.\fBkey\fR 包含公钥。 -.RE -.RS +4 -.TP -.ie t \(bu -.el o -\fBK\fR\fInnnn\fR.+\fIaaa\fR+\fIiiiii\fR.\fBprivate\fR 包含私钥。 -.RE -.sp -.LP -\fB\&.key\fR 文件包含 DNS \fBKEY\fR 记录,该记录可以直接插入到区域文件,也可以使用 \fB$INCLUDE\fR 语句插入。 -.sp -.LP -\fB\&.private\fR 文件包含算法特定的字段。出于安全原因,此文件不具有一般读取权限。 -.sp -.LP -对于对称加密算法(如 HMAC-MD5),将生成 \fB\&.key\fR 和 \fB\&.private\fR 文件,即使公钥和私钥等效也如此。 -.SH 示例 -.LP -\fB示例 1 \fR生成 768 位 DSA 密钥 -.sp -.LP -要为域 \fBexample.com\fR 生成 768 位 DSA 密钥,则将发出以下命令: - -.sp -.in +2 -.nf -dnssec-keygen -a DSA -b 768 -n ZONE example.com -.fi -.in -2 -.sp - -.sp -.LP -该命令将列出以下格式的字符串: - -.sp -.in +2 -.nf -Kexample.com.+003+26160 -.fi -.in -2 -.sp - -.sp -.LP -将创建以下文件: - -.sp -.in +2 -.nf -Kexample.com.+003+26160.key -Kexample.com.+003+26160.private -.fi -.in -2 -.sp - -.SH 属性 -.sp -.LP -有关下列属性的说明,请参见 \fBattributes\fR(5): -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性类型属性值 -_ -可用性service/network/dns/bind -_ -接口稳定性Volatile(可变) -.TE - -.SH 另请参见 -.sp -.LP -\fBdnssec-signzone\fR(8)、\fBattributes\fR(5) -.sp -.LP -\fIRFC 2539\fR、\fIRFC 2845\fR、\fIRFC 4033\fR -.sp -.LP -请参见《\fIBIND 9 管理员参考手册\fR》。从本手册页发布之日起,将在 https://www.isc.org/software/bind/documentation 上提供该文档。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/zh/dnssec-signzone.8 --- a/components/bind/Solaris/zh/dnssec-signzone.8 Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,431 +0,0 @@ -'\" te -.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") -.\" Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2010, Sun Microsystems, Inc. All Rights Reserved. -.TH dnssec-signzone 8 "2010 年 1 月 11 日" "SunOS 5.12" "系统管理命令" -.SH 名称 -dnssec-signzone \- DNSSEC 区域签名工具 -.SH 用法概要 -.LP -.nf -\fBdnssec-signzone\fR [\fB-Aaghptz\fR] [\fB-c\fR \fIclass\fR] [\fB-d\fR \fIdirectory\fR] - [\fB-e\fR \fIend-time\fR] [\fB-f\fR \fIoutput-file\fR] [\fB-H\fR \fIiterations\fR] [\fB-I\fR \fIinput_format\fR] - [\fB-i\fR \fIinterval\fR] [\fB-k\fR \fIkey\fR] [\fB-l\fR \fIdomain\fR] [\fB-N\fR \fIsoa-serial-format\fR] [\fB-n\fR \fIncpus\fR] - [\fB-O\fR \fIoutput_format\fR] [\fB-o\fR \fIorigin\fR] [\fB-r\fR \fIrandomdev\fR] [\fB-s\fR \fIstart-time\fR] - [\fB-v\fR \fIlevel\fR] [\fB-3\fR \fIsalt\fR] \fIzonefile\fR [\fIkey\fR]... 
-.fi - -.SH 描述 -.sp -.LP -\fBdnssec-signzone\fR 实用程序可以对区域签名。它生成 \fBNSEC\fR 和 \fBRRSIG\fR 记录并生成已签名版本的区域。已签名区域中委托的安全状态(即子区域是否安全)取决于每个子区域是否存在 \fBkeyset\fR 文件。 -.SH 选项 -.sp -.LP -支持以下选项: -.sp -.ne 2 -.mk -.na -\fB\fB-A\fR\fR -.ad -.sp .6 -.RS 4n -生成 NSEC3 链时,在所有 NSEC3 记录上设置 \fBOPTOUT\fR 标志且不会为不安全的委托生成 NSEC3 记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-a\fR\fR -.ad -.sp .6 -.RS 4n -验证所有生成的签名。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-c\fR \fIclass\fR\fR -.ad -.sp .6 -.RS 4n -指定区域的 \fBDNS\fR 类。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR \fIdirectory\fR\fR -.ad -.sp .6 -.RS 4n -在 \fIdirectory\fR 中查找 \fBkeyset\fR 文件。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-e\fR \fIend-time\fR\fR -.ad -.sp .6 -.RS 4n -指定生成的 \fBRRSIG\fR 记录过期的日期和时间。与 \fBstart-time\fR 一样,绝对时间采用 \fBYYYYMMDDHHMMSS\fR 表示法表示。相对于开始时间的时间用 +\fIN\fR 表示,即开始时间后的 \fIN\fR 秒。相对于当前时间的时间用 \fBnow\fR+\fIN\fR 表示。如果没有指定 \fIend-time\fR,则缺省值是开始时间后的第 30 天。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-f\fR \fIoutput-file\fR\fR -.ad -.sp .6 -.RS 4n -包含已签名区域的输出文件的名称。缺省情况是将 \fB\&.signed\fR 附加到输入文件名称后。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-g\fR\fR -.ad -.sp .6 -.RS 4n -为 \fBkeyset\fR 文件中的子区域生成 DS 记录。将删除现有 DS 记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-H\fR \fIiterations\fR\fR -.ad -.sp .6 -.RS 4n -生成 NSEC3 链时,使用 \fIiterations\fR 指定的迭代次数。缺省 为 100。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-h\fR\fR -.ad -.sp .6 -.RS 4n -列出 \fBdnssec-signzone()\fR 的选项和参数的简短摘要。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-I\fR \fIinput-format\fR\fR -.ad -.sp .6 -.RS 4n -输入区域文件的格式。可能的格式是 \fBtext\fR(缺省)和 \fBraw\fR。此选项主要用于动态的已签名区域,以便可以直接对包含更新的非文本格式的转储区域文件签名。使用此选项对非动态区域毫无作用。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-i\fR \fIinterval\fR\fR -.ad -.sp .6 -.RS 4n -将循环间隔指定为当前时间的偏移(以秒为单位)。之前已签名的区域作为输入进行传递时,可以重新对记录签名。如果 \fBRRSIG\fR 记录在循环间隔后过期,则保留该记录。否则,该记录被视为很快将过期并将被替换。 -.sp -缺省循环间隔是签名结束时间和开始时间之差的四分之一。如果没有指定 \fIend-time\fR 和 \fIstart-time\fR,则 \fBdnssec-signzone\fR 将生成有效期为 30 天、循环间隔为 7.5 天的签名。由于任何现有 \fBRRSIG\fR 记录在 7.5 天之内过期,因此会将其替换。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-j\fR \fIjitter\fR\fR -.ad -.sp .6 -.RS 4n 
-使用固定签名生命周期对区域签名时,签名时发出的所有 \fBRRSIG\fR 记录均同时到期。如果以增量方式对区域签名(即之前签名的区域作为输入传递给签名者),需要大约同时重新生成所有过期的签名。jitter 选项指定用于随机指定签名过期时间的 jitter 窗口,从而随时间以一定增量分散重新生成签名的时间。 -.sp -在某种程度上,签名生命周期 jitter 也通过分散高速缓存失效时间使验证器和服务器受益。也就是说,如果所有高速缓存的大量 \fBRRSIG\fR 不同时到期,则相对于所有验证器需要几乎同时重取来说,前者出现拥塞的可能性更小。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkey\fR\fR -.ad -.sp .6 -.RS 4n -将指定的 \fIkey\fR 视作密钥签名密钥,忽略任何密钥标志。可以多次指定此选项。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-l\fR \fIdomain\fR\fR -.ad -.sp .6 -.RS 4n -除密钥 (DNSKEY) 和 DS 集以外,还生成 DLV 集。域附加到记录名称。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-N\fR \fIsoa-serial-format\fR\fR -.ad -.sp .6 -.RS 4n -已签名区域的 SOA 序列号格式。可能的格式是 \fBkeep\fR(缺省)、\fBincrement\fR 和 \fBunixtime\fR,如下所述。 -.sp -.ne 2 -.mk -.na -\fB\fBkeep\fR\fR -.ad -.sp .6 -.RS 4n -不修改 SOA 序列号。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBincrement\fR\fR -.ad -.sp .6 -.RS 4n -使用 RFC 1982 运算递增 SOA 序列号。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBunixtime\fR\fR -.ad -.sp .6 -.RS 4n -将 SOA 序列号设置为自 Unix 时间戳起过去的秒数。 -.RE - -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-n\fR \fInthreads\fR\fR -.ad -.sp .6 -.RS 4n -指定要使用的线程数。缺省情况下,为每个检测出的 CPU 启动一个线程。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-O\fR \fIoutput_format\fR\fR -.ad -.sp .6 -.RS 4n -包含已签名区域的输出文件的格式。可能的格式是 \fBtext\fR(缺省)和 \fBraw\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-o\fR \fIorigin\fR\fR -.ad -.sp .6 -.RS 4n -指定区域源。如果没有指定,则将区域文件的名称假定为源。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-p\fR\fR -.ad -.sp .6 -.RS 4n -签名区域时使用伪随机数据。这比使用实际随机数据更快,但更不安全。签名大型区域或熵源有限时,此选项可能会有用。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIrandomdev\fR\fR -.ad -.sp .6 -.RS 4n -指定随机源。如果操作系统不提供 \fB/dev/random\fR 或等效设备,则缺省的随机源是键盘输入。\fIrandomdev\fR 指定字符设备的名称或包含要使用的随机数据的文件(而非缺省的 \fB/dev/random\fR)。特殊值 \fBkeyboard\fR 表示应该使用键盘输入。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-s\fR \fIstart-time\fR\fR -.ad -.sp .6 -.RS 4n -指定生成的 \fBRRSIG\fR 记录开始有效的日期和时间。此时间可以是绝对时间,也可以是相对时间。绝对开始时间由采用 \fIYYYYMMDDHHMMSS\fR 表示法的数字表示;20000530144500 表示 2000 年 5 月 30 日 14:45:00 (UTC)。相对开始时间由 +\fIN\fR 表示,即当前时间后的 \fIN\fR 秒。如果没有指定 
\fIstart-time\fR,则使用当前时间减去一小时(以允许时钟相位差)后的时间。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR\fR -.ad -.sp .6 -.RS 4n -完成时列出统计信息。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR \fIlevel\fR\fR -.ad -.sp .6 -.RS 4n -设置调试级别。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-z\fR\fR -.ad -.sp .6 -.RS 4n -确定签名内容时,忽略密钥上的 KSK 标志。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-3\fR \fIsalt\fR\fR -.ad -.sp .6 -.RS 4n -使用指定的十六进制编码 \fIsalt\fR 生成 NSEC3 链。破折号(\fB-\fR)可以用于表示生成 NSEC3 链时没有使用 salt。 -.RE - -.SH 操作数 -.sp -.LP -支持下列操作数: -.sp -.ne 2 -.mk -.na -\fB\fIzonefile\fR\fR -.ad -.sp .6 -.RS 4n -包含要签名的区域的文件。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fIkey\fR\fR -.ad -.sp .6 -.RS 4n -指定应在对区域签名时使用的密钥。如果没有指定密钥,则检查该区域以获得区域顶点的 \fBDNSKEY\fR 记录。如果找到这些记录且当前目录中有匹配的私钥,则这些记录将用于进行域名。 -.RE - -.SH 示例 -.LP -\fB示例 1 \fR使用 DSA 密钥对区域签名 -.sp -.LP -以下命令使用 \fBdnssec-keygen\fR(8) 手册页中的示例中生成的 DSA 密钥对 \fBexample.com\fR 区域签名(该示例为 \fBKexample.com.+003+17247\fR)。区域的密钥必须在主文件 (\fBdb.example.com\fR) 中。该调用在当前目录中查找密钥集文件,以便从这些文件生成 DS 记录 (\fB-g\fR)。 - -.sp -.in +2 -.nf -% \fBdnssec-signzone -g -o example.com db.example.com \e\fR -\fBKexample.com.+003+17247\fR -\fBdb.example.com.signed\fR -% -.fi -.in -2 -.sp - -.sp -.LP -在上述示例中,\fBdnssec-signzone\fR 创建文件 \fBdb.example.com.signed\fR。应该在 \fBnamed.conf\fR 文件的区域语句中引用此文件。 - -.LP -\fB示例 2 \fR重新签名之前已签名的区域 -.sp -.LP -以下命令使用缺省参数对以前已签名的区域重新签名。假定私钥位于当前目录中。 - -.sp -.in +2 -.nf -% \fBcp db.example.com.signed db.example.com\fR -% \fBdnssec-signzone -o example.com db.example.com \e\fR -\fBdb.example.com.signed\fR -% -.fi -.in -2 -.sp - -.SH 属性 -.sp -.LP -有关下列属性的说明,请参见 \fBattributes\fR(5): -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性类型属性值 -_ -可用性service/network/dns/bind -_ -接口稳定性Volatile(可变) -.TE - -.SH 另请参见 -.sp -.LP -\fBdnssec-keygen\fR(8)、\fBattributes\fR(5) -.sp -.LP -\fIRFC4033\fR -.sp -.LP -请参见《\fIBIND 9 管理员参考手册\fR》。从本手册页发布之日起,将在 https://www.isc.org/software/bind/documentation 上提供该文档。 diff -r cebcbbd80341 -r a498cb624014 components/bind/Solaris/zh/nsupdate.8 
--- a/components/bind/Solaris/zh/nsupdate.8 Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,397 +0,0 @@ -'\" te -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000, 2001, 2003 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" Portions Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved. -.TH nsupdate 8 "2008 年 12 月 24 日" "SunOS 5.12" "系统管理命令" -.SH 名称 -nsupdate \- 动态 DNS 更新实用程序 -.SH 用法概要 -.LP -.nf -\fBnsupdate\fR [\fB-dv\fR] [\fB-y\fR \fIkeyname:secret\fR | \fB-k\fR \fIkeyfile\fR] [\fB-t\fR \fItimeout\fR] - [\fB-u\fR \fIudptimeout\fR] [\fB-r\fR \fIudpretries\fR] [\fIfilename\fR] -.fi - -.SH 描述 -.sp -.LP -\fBnsupdate\fR 实用程序向名称服务器提交动态 DNS 更新请求(如 RFC 2136 中定义)。该实用程序允许从区域添加或删除资源记录,无需手动编辑区域文件。单一更新请求可以包含添加或删除多个资源记录的请求。 -.sp -.LP -\fBnsupdate\fR 或 DHCP 服务器动态控制下的区域不应手动编辑。手动编辑会与动态更新冲突,从而导致数据丢失。 -.sp -.LP -通过 \fBnsupdate\fR 动态添加或删除的资源记录必须在相同区域中。请求将发送到区域 SOA 记录的 \fBMNAME\fR 字段标识的区域主服务器。 -.sp -.LP -事务签名可用于对使用 RFC 2845 中描述的 TSIG 资源记录类型的动态 DNS 更新进行验证。签名依赖于应仅由 \fBnsupdate\fR 和名称服务器知道的共享秘密。当前,TSIG 唯一支持的加密算法是 HMAC-MD5,该算法在 RFC 2104 中定义。一旦为 TSIG 定义其他算法,应用程序在彼此验证时将需要确保它们选择了适当的算法和密钥。例如,适用的 \fBkey\fR 和 \fBserver\fR 语句将会添加到 \fB/etc/named.conf\fR,这样,名称服务器可以将适当的密钥和算法与将要使用 TSIG 验证的客户机应用程序的 IP 地址关联。\fBnsupdate\fR 实用程序不会读取 \fB/etc/named.conf\fR。 -.sp -.LP -\fBnsupdate\fR 实用程序使用 \fB-y\fR 或 \fB-k\fR 选项提供共享秘密,生成用于验证动态 DNS 更新请求的 TSIG 记录时需要该秘密。这些选项是互斥的。请参见“选项”部分。 -.SH 选项 -.sp -.LP 
-支持以下选项: -.sp -.ne 2 -.mk -.na -\fB\fB-d\fR\fR -.ad -.RS 21n -.rt -在调试模式下操作。这可以提供有关提出的更新请求以及从名称服务器接收到的回复的跟踪信息。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-k\fR \fIkeyfile\fR\fR -.ad -.RS 21n -.rt -从文件 \fIkeyfile\fR 读取共享秘密,其名称格式为 \fBK{\fIname\fR}.+157.+{\fIrandom\fR}.private\fR。由于历史原因,还必须存在文件 \fBK{\fIname\fR}.+157.+{\fI random\fR}.key\fR。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-r\fR \fIudpretries\fR\fR -.ad -.RS 21n -.rt -设置 UDP 重试次数。缺省为重试 3 次。如果将 \fIudpretries\fR 设置为零,仅进行一次更新请求。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-t\fR \fItimeout\fR\fR -.ad -.RS 21n -.rt -设置中止更新前的 \fItimeout\fR 间隔(以秒为单位)。缺省值是 300 秒。设置为零会禁用超时。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-u\fR \fIudptimeout\fR\fR -.ad -.RS 21n -.rt -以秒为单位设置 UDP 重试之间的间隔,缺省设置是 3 秒。如果设置为零,会根据超时 (\fB-t\fR) 和 UDP 重试次数 (\fB-r\fR) 计算间隔时间。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-v\fR\fR -.ad -.RS 21n -.rt -使用 TCP 连接。进行批量更新请求时,使用 TCP 连接更合适。缺省情况下,\fBnsupdate\fR 使用 UDP 向名称服务器发送更新请求。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fB-y\fR \fIkeyname\fR:\fIsecret\fR\fR -.ad -.RS 21n -.rt -从 \fIkeyname\fR:\fIsecret\fR 生成签名,其中 \fIkeyname\fR 是密钥名称,\fIsecret\fR 是 base64 编码的共享秘密。 -.sp -不建议使用 \fB-y\fR 选项,因为共享秘密作为命令行参数以明文形式提供,可以在 \fBps\fR(1)的输出中或用户 shell 维护的历史文件中看到。 -.RE - -.SH 输入格式 -.sp -.LP -\fBnsupdate\fR 实用程序从 \fIfilename\fR 读取输入或读取标准输入。每个命令都以单行输入提供。有些命令用于管理目的。其他则是对区域内容的更新说明或先决条件检查。这些检查设置某些名称或资源记录集合 (RRset) 在区域中存在或不存在的条件。要成功执行整个更新请求,必须满足这些条件。如果对先决条件的测试失败,更新将被拒绝。 -.sp -.LP -每个更新请求都包含零或多个先决条件以及零或多个更新。如果某些指定资源记录在区域中存在或缺失,该条件允许适当验证的更新请求继续执行。空白输入行(或 \fBsend\fR 命令)将累积的命令作为一个动态 DNS 更新请求发送到名称服务器。 -.sp -.LP -命令格式及其意义如下: -.sp -.ne 2 -.mk -.na -\fB\fBserver\fR \fIservername\fR [ \fIport\fR ]\fR -.ad -.sp .6 -.RS 4n -将全部动态更新请求发送到名称服务器 \fIservername\fR。未提供 \fBserver\fR 语句时,\fBnsupdate\fR 将更新发送至正确区域的主服务器。该区域 SOA 记录的 \fBMNAME\fR 字段标识该区域的主服务器。\fIport\fR 参数是动态更新请求发送到的 \fIservername\fR 上的端口号。如果未指定端口号,会使用缺省 DNS 端口号 53。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBlocal\fR \fIaddress\fR [ \fIport\fR ]\fR -.ad -.sp .6 -.RS 4n -使用本地 \fIaddress\fR 发送所有动态更新请求。未提供 \fBlocal\fR 语句时,\fBnsupdate\fR 
使用系统选择的地址和端口发送更新。\fIport\fR 参数也可用于从特定端口提出请求。如果没有指定端口号,系统会分配一个。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBzone\fR \fIzonename\fR\fR -.ad -.sp .6 -.RS 4n -指定要对区域 \fIzonename\fR 做出所有更新。如果未提供 \fBzone\fR 语句,\fBnsupdate\fR 会根据输入的剩余部分尝试确定要更新的正确区域。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBclass\fR \fIclassname\fR\fR -.ad -.sp .6 -.RS 4n -指定缺省类。如果未指定类,缺省类为 IN。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBkey\fR \fIname\fR \fIsecret\fR\fR -.ad -.sp .6 -.RS 4n -指定所有更新将使用 \fIname\fR \fIsecret\fR 对进行 TSIG 签名。\fBkey\fR 命令覆盖通过 \fB-y\fR 或 \fB-k\fR 选项在命令行上指定的所有密钥。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq nxdomain\fR \fIdomain-name\fR\fR -.ad -.sp .6 -.RS 4n -要求不能存在名称为 \fIdomain-name\fR 的任何类型的资源记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxdomain\fR \fIdomain-name\fR\fR -.ad -.sp .6 -.RS 4n -要求存在 \fIdomain-name\fR(至少有一个资源记录,无论类型如何)。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq nxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR\fR -.ad -.sp .6 -.RS 4n -要求不能存在指定 \fItype\fR、\fIclass\fR 和 \fIdomain-name\fR 的资源记录。如果省略 \fIclass\fR,则假定是 IN (internet)。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR\fR -.ad -.sp .6 -.RS 4n -要求必须存在指定 \fItype\fR、\fIclass\fR 和 \fIdomain-name\fR 的资源记录。如果省略 \fIclass\fR,则假定是 IN (internet)。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBprereq yxrrset\fR \fIdomain-name\fR [ \fIclass\fR ] \fItype\fR \fIdata\fR...\fR -.ad -.sp .6 -.RS 4n -来自共享相同 \fItype\fR、\fIclass\fR 和 \fIdomain-name\fR 的格式的每一组先决条件的 \fIdata\fR 将组合构成一个 RR 集合。该 RR 集合必须与区域中给定 \fItype\fR、\fIclass\fR 和 \fIdomain-name\fR 的现有 RR 集合完全匹配。\fIdata\fR 以资源记录的 RDATA 的标准文本表示来书写。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBupdate delete\fR \fIdomain-name\fR [ \fIttl\fR ] [ \fIclass\fR ] [ \fItype\fR [ \fIdata\fR... 
] ]\fR -.ad -.sp .6 -.RS 4n -删除名为 \fIdomain-name\fR 的任何资源记录。如果提供了 \fItype\fR 和 \fIdata\fR,只会删除匹配的资源记录。如果未提供 \fIclass\fR,则假定为 internet 类。将忽略 \fIttl\fR,其仅为兼容性而提供。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBupdate add\fR \fIdomain-name\fR \fIttl\fR [ \fIclass\fR ] \fItype\fR \fIdata\fR...\fR -.ad -.sp .6 -.RS 4n -添加具有指定 \fIttl\fR、\fIclass\fR 和 \fIdata\fR 的新资源记录。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBshow\fR\fR -.ad -.sp .6 -.RS 4n -显示当前消息,包含上次发送以来指定的所有先决条件和更新。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBsend\fR\fR -.ad -.sp .6 -.RS 4n -发送当前消息。这等效于输入空白行。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBanswer\fR\fR -.ad -.sp .6 -.RS 4n -显示回答。 -.RE - -.sp -.LP -以分号开始的行是注释,将被忽略。 -.SH 示例 -.LP -\fB示例 1 \fR在区域中插入和删除资源记录 -.sp -.LP -以下示例显示如何使用 \fBnsupdate\fR 在 \fBexample.com\fR 区域插入和删除资源记录。请注意,每个示例中的输入包括一个结尾空白行,这样,一组命令会作为一个动态更新请求发送到 \fBexample.com\fR 主名称服务器。 - -.sp -.in +2 -.nf -# nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 172.16.1.1 -> send -.fi -.in -2 -.sp - -.sp -.LP -\fBoldhost.example.com\fR 的所有 A 记录都会删除。会为 IP 地址为 172.16.1.1 的 \fBnewhost.example.com\fR 添加 A 记录。新添加的记录有 1 天的 TTL(86400 秒)。 - -.LP -\fB示例 2 \fR仅当无记录存在时添加 CNAME -.sp -.LP -以下命令仅在其不存在记录时添加 CNAME。 - -.sp -.in +2 -.nf -# nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send -.fi -.in -2 -.sp - -.sp -.LP -先决条件使名称服务器检查 \fBnickname.example.com\fR 是否有任何类型的资源记录。如果有,更新请求失败。如果该名称不存在,会为其添加 \fBCNAME\fR。该操作确保添加 \fBCNAME\fR 时,它不会与 RFC 1034 中的以下长期存在的规则冲突:如果一个名称作为 \fBCNAME\fR 存在,就不能作为任何其他的记录类型存在。(该规则已经为 RFC 4035 中的 DNSSEC 进行了更新,以允许 \fBCNAME\fR 具有\fB RSIG\fR、\fBDNSKEY\fR 和 \fBNSEC\fR 记录。) - -.SH 文件 -.sp -.ne 2 -.mk -.na -\fB\fB/etc/resolv.conf\fR\fR -.ad -.sp .6 -.RS 4n -用于标识缺省名称服务器 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBK{\fIname\fR}.+157.+{\fIrandom\fR}.key\fR\fR -.ad -.sp .6 -.RS 4n -\fBdnssec-keygen\fR(8) 创建的 HMAC-MD5 密钥的 base-64 编码。 -.RE - -.sp -.ne 2 -.mk -.na -\fB\fBK{\fIname\fR}.+157.+{\fIrandom\fR}.private\fR\fR -.ad -.sp .6 -.RS 4n 
-\fBdnssec-keygen\fR(8) 创建的 HMAC-MD5 密钥的 base-64 编码 -.RE - -.SH 已知问题 -.sp -.LP -TSIG 密钥分别存储在两个单独文件中。这是为加密操作使用 DST 库的 \fBnsupdate\fR 结果,在未来的发行版中可能会有所变化。 -.SH 属性 -.sp -.LP -有关下列属性的说明,请参见 \fBattributes\fR(5): -.sp - -.sp -.TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -属性类型属性值 -_ -可用性service/network/dns/bind -_ -接口稳定性Volatile(可变) -.TE - -.SH 另请参见 -.sp -.LP -\fBnamed\fR(8)、\fBdnssec-keygen\fR(8)、\fBattributes\fR(5) -.sp -.LP -\fIRFC 2136\fR、\fIRFC 3007\fR、\fIRFC 2104\fR、\fIRFC 2845\fR、\fIRFC 1034\fR、\fIRFC 2535\fR、\fIRFC 2931\fR、\fIRFC 4035\fR diff -r cebcbbd80341 -r a498cb624014 components/bind/bind.license --- a/components/bind/bind.license Mon Jun 06 06:11:42 2016 -0700 +++ b/components/bind/bind.license Thu Jun 16 13:48:33 2016 +0100 @@ -1,4 +1,4 @@ -Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. Permission to use, copy, modify, and/or distribute this software for any diff -r cebcbbd80341 -r a498cb624014 components/bind/bind.p5m --- a/components/bind/bind.p5m Mon Jun 06 06:11:42 2016 -0700 +++ b/components/bind/bind.p5m Thu Jun 16 13:48:33 2016 +0100 @@ -18,18 +18,14 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. # -# Put the various bind man pages in the right directories. - set action.hash Solaris/%<1> > - set action.hash Solaris/ja/%<1> > - set action.hash Solaris/zh/%<1> > + default mangler.man.stability uncommitted> +# HTML documents are obtained directly from source. \ set action.hash doc/arm/%<1> > -# Bypass the mangler for these files because they are pre-Solarified. - add mangler.bypass true > set name=pkg.fmri \ value=pkg:/service/network/dns/bind@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="BIND DNS name server and configuration tools." 
@@ -48,22 +44,41 @@ set name=org.opensolaris.arc-caseid value=PSARC/2009/308 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) - # Solaris additions file Solaris/server.xml path=lib/svc/manifest/network/dns/server.xml file Solaris/dns-server.sh path=lib/svc/method/dns-server mode=0555 # Tools +file path=usr/sbin/ddns-confgen +file path=usr/sbin/dnssec-checkds pkg.depend.bypass-generate=.*/win32api.* \ + pkg.depend.bypass-generate=.*/win32con.* +file path=usr/sbin/dnssec-coverage pkg.depend.bypass-generate=.*/win32api.* \ + pkg.depend.bypass-generate=.*/win32con.* file path=usr/sbin/dnssec-dsfromkey +file path=usr/sbin/dnssec-importkey file path=usr/sbin/dnssec-keyfromlabel file path=usr/sbin/dnssec-keygen +file path=usr/sbin/dnssec-revoke +file path=usr/sbin/dnssec-settime file path=usr/sbin/dnssec-signzone +file path=usr/sbin/dnssec-verify +file path=usr/sbin/genrandom +file path=usr/sbin/isc-hmac-fixup file path=usr/sbin/named file path=usr/sbin/named-checkconf file path=usr/sbin/named-checkzone link path=usr/sbin/named-compilezone target=named-checkzone +file path=usr/sbin/named-journalprint +file path=usr/sbin/named-rrchecker +file path=usr/sbin/nsec3hash +file path=usr/sbin/pkcs11-destroy +file path=usr/sbin/pkcs11-keygen +file path=usr/sbin/pkcs11-list +file path=usr/sbin/pkcs11-tokens +file path=usr/sbin/rndc-confgen +link path=usr/sbin/tsig-keygen target=ddns-confgen -# Documentation +# Standard Documentation file doc/arm/Bv9ARM.pdf path=usr/share/doc/bind/Bv9ARM.pdf file path=usr/share/doc/bind/html/Bv9ARM.ch01.html file path=usr/share/doc/bind/html/Bv9ARM.ch02.html 
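Review bot: In components/bind/bind.p5m the `pkg.depend.bypass-generate=.*/win32api.*` and `.*/win32con.*` attributes on `usr/sbin/dnssec-checkds` and `usr/sbin/dnssec-coverage` have no comment explaining why those dependencies are suppressed. Presumably the scripts import these modules only on Windows, so dependency generation would otherwise report a requirement that can never resolve on Solaris. If so, say that above the two entries, e.g. `# win32api/win32con are imported only on Windows; bypass dependency generation for them.` An unexplained bypass is easy to copy onto other entries, where it could hide a dependency that really is missing.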
@@ -75,41 +90,69 @@ file path=usr/share/doc/bind/html/Bv9ARM.ch08.html file path=usr/share/doc/bind/html/Bv9ARM.ch09.html file path=usr/share/doc/bind/html/Bv9ARM.ch10.html +file path=usr/share/doc/bind/html/Bv9ARM.ch11.html +file path=usr/share/doc/bind/html/Bv9ARM.ch12.html +file path=usr/share/doc/bind/html/Bv9ARM.ch13.html file path=usr/share/doc/bind/html/Bv9ARM.html +file path=usr/share/doc/bind/html/man.arpaname.html +file path=usr/share/doc/bind/html/man.ddns-confgen.html +file path=usr/share/doc/bind/html/man.delv.html file path=usr/share/doc/bind/html/man.dig.html +file path=usr/share/doc/bind/html/man.dnssec-checkds.html +file path=usr/share/doc/bind/html/man.dnssec-coverage.html file path=usr/share/doc/bind/html/man.dnssec-dsfromkey.html +file path=usr/share/doc/bind/html/man.dnssec-importkey.html file path=usr/share/doc/bind/html/man.dnssec-keyfromlabel.html file path=usr/share/doc/bind/html/man.dnssec-keygen.html +file path=usr/share/doc/bind/html/man.dnssec-revoke.html +file path=usr/share/doc/bind/html/man.dnssec-settime.html file path=usr/share/doc/bind/html/man.dnssec-signzone.html +file path=usr/share/doc/bind/html/man.dnssec-verify.html +file path=usr/share/doc/bind/html/man.genrandom.html file path=usr/share/doc/bind/html/man.host.html +file path=usr/share/doc/bind/html/man.isc-hmac-fixup.html file path=usr/share/doc/bind/html/man.named-checkconf.html file path=usr/share/doc/bind/html/man.named-checkzone.html +file path=usr/share/doc/bind/html/man.named-journalprint.html +file path=usr/share/doc/bind/html/man.named-rrchecker.html file path=usr/share/doc/bind/html/man.named.html +file path=usr/share/doc/bind/html/man.nsec3hash.html file path=usr/share/doc/bind/html/man.nsupdate.html file path=usr/share/doc/bind/html/man.rndc-confgen.html file path=usr/share/doc/bind/html/man.rndc.conf.html file path=usr/share/doc/bind/html/man.rndc.html -file path=usr/share/man/ja_JP.UTF-8/man8/dnssec-dsfromkey.8 -file 
path=usr/share/man/ja_JP.UTF-8/man8/dnssec-keyfromlabel.8 -file path=usr/share/man/ja_JP.UTF-8/man8/dnssec-keygen.8 -file path=usr/share/man/ja_JP.UTF-8/man8/dnssec-signzone.8 -file Solaris/named.conf.5 path=usr/share/man/man5/named.conf.5 +file path=usr/share/doc/bind/html/notes.html +file path=usr/share/man/man1/named-rrchecker.1 +file path=usr/share/man/man5/named.conf.5 +file path=usr/share/man/man8/ddns-confgen.8 +file path=usr/share/man/man8/dnssec-checkds.8 +file path=usr/share/man/man8/dnssec-coverage.8 file path=usr/share/man/man8/dnssec-dsfromkey.8 +file path=usr/share/man/man8/dnssec-importkey.8 file path=usr/share/man/man8/dnssec-keyfromlabel.8 file path=usr/share/man/man8/dnssec-keygen.8 -file path=usr/share/man/man8/dnssec-makekeyset.8 -file path=usr/share/man/man8/dnssec-signkey.8 +file path=usr/share/man/man8/dnssec-revoke.8 +file path=usr/share/man/man8/dnssec-settime.8 file path=usr/share/man/man8/dnssec-signzone.8 -file path=usr/share/man/man8/in.named.8 +file path=usr/share/man/man8/dnssec-verify.8 +file path=usr/share/man/man8/genrandom.8 +file path=usr/share/man/man8/isc-hmac-fixup.8 file path=usr/share/man/man8/named-checkconf.8 -file path=usr/share/man/man8/named-checkzone.8 +link path=usr/share/man/man8/named-checkzone.8 target=named-compilezone.8 file path=usr/share/man/man8/named-compilezone.8 +file path=usr/share/man/man8/named-journalprint.8 file path=usr/share/man/man8/named.8 -file path=usr/share/man/zh_CN.UTF-8/man8/dnssec-dsfromkey.8 -file path=usr/share/man/zh_CN.UTF-8/man8/dnssec-keyfromlabel.8 -file path=usr/share/man/zh_CN.UTF-8/man8/dnssec-keygen.8 -file path=usr/share/man/zh_CN.UTF-8/man8/dnssec-signzone.8 +file path=usr/share/man/man8/nsec3hash.8 +file path=usr/share/man/man8/pkcs11-destroy.8 +file path=usr/share/man/man8/pkcs11-keygen.8 +file path=usr/share/man/man8/pkcs11-list.8 +file path=usr/share/man/man8/pkcs11-tokens.8 +file path=usr/share/man/man8/rndc-confgen.8 +link path=usr/share/man/man8/tsig-keygen.8 
target=ddns-confgen.8 +file Solaris/dns-server.8s path=usr/share/man/man8s/dns-server.8s \ + mangler.bypass=true legacy pkg=SUNWbind desc="BIND DNS Name server" name="BIND DNS Name server" legacy pkg=SUNWbindr desc="BIND Name server Manifest" \ name="BIND Name server Manifest" license bind.license license="ISC license" + diff -r cebcbbd80341 -r a498cb624014 components/bind/bindc.p5m --- a/components/bind/bindc.p5m Mon Jun 06 06:11:42 2016 -0700 +++ b/components/bind/bindc.p5m Thu Jun 16 13:48:33 2016 +0100 @@ -21,13 +21,7 @@ # Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. # -# Put the various bind man pages in the right directories. - set action.hash Solaris/%<1> > - set action.hash Solaris/ja/%<1> > - set action.hash Solaris/zh/%<1> > - -# Bypass the mangler for these files because they are pre-Solarified. - add mangler.bypass true > + default mangler.man.stability uncommitted> set name=pkg.fmri \ value=pkg:/network/dns/bind@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="BIND DNS tools" 
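Review bot: In the man page hunk of components/bind/bind.p5m, `link path=usr/share/man/man8/named-checkzone.8 target=named-compilezone.8` points the opposite way to the binaries, where the earlier hunk keeps `link path=usr/sbin/named-compilezone target=named-checkzone`. Unless the build really installs named-compilezone.8 as the regular file, it would be more consistent as `file path=usr/share/man/man8/named-checkzone.8` plus `link path=usr/share/man/man8/named-compilezone.8 target=named-checkzone.8`. If the inversion is deliberate, a one-line comment above the entry should say so.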
@@ -44,39 +38,43 @@
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
 set name=org.opensolaris.arc-caseid value=PSARC/2009/308
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-link path=usr/lib/dns/$(MACH64)/libbind9.so target=libbind9.so.50.0.11
-link path=usr/lib/dns/$(MACH64)/libbind9.so.50 target=libbind9.so.50.0.11
-file path=usr/lib/dns/$(MACH64)/libbind9.so.50.0.11
-link path=usr/lib/dns/$(MACH64)/libdns.so target=libdns.so.113.1.2
-link path=usr/lib/dns/$(MACH64)/libdns.so.113 target=libdns.so.113.1.2
-file path=usr/lib/dns/$(MACH64)/libdns.so.113.1.2
-link path=usr/lib/dns/$(MACH64)/libisc.so target=libisc.so.110.0.2
-link path=usr/lib/dns/$(MACH64)/libisc.so.110 target=libisc.so.110.0.2
-file path=usr/lib/dns/$(MACH64)/libisc.so.110.0.2
-link path=usr/lib/dns/$(MACH64)/libisccc.so target=libisccc.so.50.0.6
-link path=usr/lib/dns/$(MACH64)/libisccc.so.50 target=libisccc.so.50.0.6
-file path=usr/lib/dns/$(MACH64)/libisccc.so.50.0.6
-link path=usr/lib/dns/$(MACH64)/libisccfg.so target=libisccfg.so.50.0.10
-link path=usr/lib/dns/$(MACH64)/libisccfg.so.50 target=libisccfg.so.50.0.10
-file path=usr/lib/dns/$(MACH64)/libisccfg.so.50.0.10
-link path=usr/lib/dns/$(MACH64)/liblwres.so target=liblwres.so.50.0.11
-link path=usr/lib/dns/$(MACH64)/liblwres.so.50 target=liblwres.so.50.0.11
-file path=usr/lib/dns/$(MACH64)/liblwres.so.50.0.11
-file path=usr/sbin/dig
-file path=usr/sbin/host
-file path=usr/sbin/nslookup
-file path=usr/sbin/nsupdate
+file path=usr/bin/delv
+file path=usr/bin/dig
+file path=usr/bin/host
+file path=usr/bin/nslookup
+file path=usr/bin/nsupdate
+link path=usr/lib/dns/$(MACH64)/libbind9.so target=libbind9.so.140.0.10
+link path=usr/lib/dns/$(MACH64)/libbind9.so.140 target=libbind9.so.140.0.10
+file path=usr/lib/dns/$(MACH64)/libbind9.so.140.0.10
+link path=usr/lib/dns/$(MACH64)/libdns.so target=libdns.so.162.1.3
+link path=usr/lib/dns/$(MACH64)/libdns.so.162 target=libdns.so.162.1.3
+file path=usr/lib/dns/$(MACH64)/libdns.so.162.1.3
+link path=usr/lib/dns/$(MACH64)/libirs.so target=libirs.so.141.0.4
+link path=usr/lib/dns/$(MACH64)/libirs.so.141 target=libirs.so.141.0.4
+file path=usr/lib/dns/$(MACH64)/libirs.so.141.0.4
+link path=usr/lib/dns/$(MACH64)/libisc.so target=libisc.so.160.0.0
+link path=usr/lib/dns/$(MACH64)/libisc.so.160 target=libisc.so.160.0.0
+file path=usr/lib/dns/$(MACH64)/libisc.so.160.0.0
+link path=usr/lib/dns/$(MACH64)/libisccc.so target=libisccc.so.140.0.4
+link path=usr/lib/dns/$(MACH64)/libisccc.so.140 target=libisccc.so.140.0.4
+file path=usr/lib/dns/$(MACH64)/libisccc.so.140.0.4
+link path=usr/lib/dns/$(MACH64)/libisccfg.so target=libisccfg.so.140.3.0
+link path=usr/lib/dns/$(MACH64)/libisccfg.so.140 target=libisccfg.so.140.3.0
+file path=usr/lib/dns/$(MACH64)/libisccfg.so.140.3.0
+link path=usr/lib/dns/$(MACH64)/liblwres.so target=liblwres.so.141.0.3
+link path=usr/lib/dns/$(MACH64)/liblwres.so.141 target=liblwres.so.141.0.3
+file path=usr/lib/dns/$(MACH64)/liblwres.so.141.0.3
+file path=usr/sbin/arpaname
+link path=usr/sbin/dig target=../bin/dig
+link path=usr/sbin/host target=../bin/host
+link path=usr/sbin/nslookup target=../bin/nslookup
+link path=usr/sbin/nsupdate target=../bin/nsupdate
 file path=usr/sbin/rndc
-file path=usr/sbin/rndc-confgen
-file path=usr/share/man/ja_JP.UTF-8/man8/dig.8
-file path=usr/share/man/ja_JP.UTF-8/man8/nsupdate.8
-file Solaris/rndc.conf.5 path=usr/share/man/man5/rndc.conf.5
-file path=usr/share/man/man8/dig.8
-file path=usr/share/man/man8/host.8
-file path=usr/share/man/man8/nslookup.8
-file path=usr/share/man/man8/nsupdate.8
-file path=usr/share/man/man8/rndc-confgen.8
+file path=usr/share/man/man1/arpaname.1
+file path=usr/share/man/man1/delv.1
+file path=usr/share/man/man1/dig.1
+file path=usr/share/man/man1/host.1
+file path=usr/share/man/man1/nslookup.1
+file path=usr/share/man/man1/nsupdate.1
 file path=usr/share/man/man8/rndc.8
-file path=usr/share/man/zh_CN.UTF-8/man8/dig.8
-file path=usr/share/man/zh_CN.UTF-8/man8/nsupdate.8
 license bind.license license="ISC license"
diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/001-manpage.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/001-manpage.patch Thu Jun 16 13:48:33 2016 +0100
@@ -0,0 +1,31 @@
+This patch is created by Oracle to:
+
+ 1. Remove reference in named(8) to lwresd(8) which is not, and has
+ never been, provide with Solaris distribution.
+
+ 2. Add reference to dns-server(8s), SMF manual page.
+
+diff -r 752254461f9c bin/named/named.8
+--- a/bin/named/named.8 Mon Apr 18 11:28:30 2016 +0100
++++ b/bin/named/named.8 Thu Apr 21 10:15:34 2016 +0100
+@@ -288,7 +288,7 @@
+ \fBnamed\-checkconf\fR(8),
+ \fBnamed\-checkzone\fR(8),
+ \fBrndc\fR(8),
+-\fBlwresd\fR(8),
++\fBdns-server\fR(8s),
+ \fBnamed.conf\fR(5),
+ BIND 9 Administrator Reference Manual.
+ .SH "AUTHOR"
+diff -r 752254461f9c doc/arm/man.named.html
+--- a/doc/arm/man.named.html Mon Apr 18 11:28:30 2016 +0100
++++ b/doc/arm/man.named.html Thu Apr 21 10:59:57 2016 +0100
+@@ -342,7 +342,7 @@
+ named-checkconf(8),
+ named-checkzone(8),
+ rndc(8),
+- lwresd(8),
++ dns-server(8s),
+ named.conf(5),
+ BIND 9 Administrator Reference Manual.
+
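Review bot: In components/bind/bindc.p5m the entry `file Solaris/rndc.conf.5 path=usr/share/man/man5/rndc.conf.5` is removed and nothing on the new side delivers rndc.conf.5, although `usr/sbin/rndc` and `usr/share/man/man8/rndc.8` stay in this package. The bind.p5m hunks in this diff add `usr/share/man/man5/named.conf.5` but no rndc.conf.5 either, so the page describing the rndc key and server configuration appears to be dropped. If the 9.10.3 build installs it, add `file path=usr/share/man/man5/rndc.conf.5` next to the rndc.8 entry. If another manifest delivers it, that is outside what this diff shows.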

diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/001-reclimit-v96.patch
--- a/components/bind/patches/001-reclimit-v96.patch Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1064 +0,0 @@ -This patch was obtained from ISC for 9.6-ESV-R11-P1. The patch can -only be obtained from security-officer@isc.org on an as needed -basis. - -diff --git a/CHANGES b/CHANGES -index 178f73d..8ace4fb 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,17 @@ -+ --- 9.6-ESV-R11-P1 released --- -+ -+4006. [security] A flaw in delegation handling could be exploited -+ to put named into an infinite loop. This has -+ been addressed by placing limits on the number -+ of levels of recursion named will allow (default 7), -+ and the number of iterative queries that it will -+ send (default 50) before terminating a recursive -+ query (CVE-2014-8500). -+ -+ The recursion depth limit is configured via the -+ "max-recursion-depth" option, and the query limit -+ via the "max-recursion-queries" option. [RT #37580] -+ - --- 9.6-ESV-R11 released --- - - --- 9.6-ESV-R11rc2 released --- -diff --git a/bin/named/config.c b/bin/named/config.c -index d85afa7..823d101 100644 ---- a/bin/named/config.c -+++ b/bin/named/config.c -@@ -15,8 +15,6 @@ - * PERFORMANCE OF THIS SOFTWARE. - */ - --/* $Id$ */ -- - /*! \file */ - - #include -@@ -145,6 +143,8 @@ options {\n\ - dnssec-accept-expired no;\n\ - clients-per-query 10;\n\ - max-clients-per-query 100;\n\ -+ max-recursion-depth 7;\n\ -+ max-recursion-queries 50;\n\ - zero-no-soa-ttl-cache no;\n\ - nsec3-test-zone no;\n\ - " -diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h -index 20aff40..771345e 100644 ---- a/bin/named/include/named/query.h -+++ b/bin/named/include/named/query.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2004, 2005, 2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") -+ * Copyright (C) 2004, 2005, 2007, 2010, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -15,8 +15,6 @@ - * PERFORMANCE OF THIS SOFTWARE. 
- */ - --/* $Id$ */ -- - #ifndef NAMED_QUERY_H - #define NAMED_QUERY_H 1 - -diff --git a/bin/named/query.c b/bin/named/query.c -index 10a7d9a..48e4822 100644 ---- a/bin/named/query.c -+++ b/bin/named/query.c -@@ -3343,13 +3343,12 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, - peeraddr = &client->peeraddr; - else - peeraddr = NULL; -- result = dns_resolver_createfetch2(client->view->resolver, -+ result = dns_resolver_createfetch3(client->view->resolver, - client->query.qname, - qtype, qdomain, nameservers, - NULL, peeraddr, client->message->id, -- client->query.fetchoptions, -- client->task, -- query_resume, client, -+ client->query.fetchoptions, 0, NULL, -+ client->task, query_resume, client, - rdataset, sigrdataset, - &client->query.fetch); - -diff --git a/bin/named/server.c b/bin/named/server.c -index af53b48..4d48074 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -15,8 +15,6 @@ - * PERFORMANCE OF THIS SOFTWARE. - */ - --/* $Id$ */ -- - /*! 
\file */ - - #include -@@ -2048,6 +2046,16 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, - max_clients_per_query); - - obj = NULL; -+ result = ns_config_get(maps, "max-recursion-depth", &obj); -+ INSIST(result == ISC_R_SUCCESS); -+ dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj)); -+ -+ obj = NULL; -+ result = ns_config_get(maps, "max-recursion-queries", &obj); -+ INSIST(result == ISC_R_SUCCESS); -+ dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj)); -+ -+ obj = NULL; - result = ns_config_get(maps, "dnssec-enable", &obj); - INSIST(result == ISC_R_SUCCESS); - view->enablednssec = cfg_obj_asboolean(obj); -diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index f894aab..b823dc4 100644 ---- a/doc/arm/Bv9ARM-book.xml -+++ b/doc/arm/Bv9ARM-book.xml -@@ -4652,6 +4652,8 @@ category notify { null; }; - max-acache-size size_spec ; - clients-per-query number ; - max-clients-per-query number ; -+ max-recursion-depth number ; -+ max-recursion-queries number ; - masterfile-format (text|raw) ; - empty-server name ; - empty-contact name ; -@@ -4729,6 +4731,35 @@ category notify { null; }; - - - -+ -+ max-recursion-depth -+ -+ -+ Sets the maximum number of levels of recursion -+ that are permitted at any one time while servicing -+ a recursive query. Resolving a name may require -+ looking up a name server address, which in turn -+ requires resolving another name, etc; if the number -+ of indirections exceeds this value, the recursive -+ query is terminated and returns SERVFAIL. The -+ default is 7. -+ -+ -+ -+ -+ -+ max-recursion-queries -+ -+ -+ Sets the maximum number of iterative queries that -+ may be sent while servicing a recursive query. -+ If more queries are sent, the recursive query -+ is terminated and returns SERVFAIL. The default -+ is 50. 
-+ -+ -+ -+ - - tkey-gssapi-credential - -diff --git a/lib/dns/adb.c b/lib/dns/adb.c -index 2d7b904..422e59c 100644 ---- a/lib/dns/adb.c -+++ b/lib/dns/adb.c -@@ -200,6 +200,7 @@ struct dns_adbfetch { - unsigned int magic; - dns_fetch_t *fetch; - dns_rdataset_t rdataset; -+ unsigned int depth; - }; - - /*% -@@ -298,8 +299,7 @@ static inline isc_boolean_t dec_entry_refcnt(dns_adb_t *, isc_boolean_t, - static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *); - static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *); - static void clean_target(dns_adb_t *, dns_name_t *); --static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, -- unsigned int); -+static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, unsigned int); - static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t); - static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **, - isc_stdtime_t); -@@ -307,6 +307,7 @@ static void cancel_fetches_at_name(dns_adbname_t *); - static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t, - dns_rdatatype_t); - static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t, -+ unsigned int, isc_counter_t *qc, - dns_rdatatype_t); - static inline void check_exit(dns_adb_t *); - static void destroy(dns_adb_t *); -@@ -2282,6 +2283,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - isc_stdtime_t now, dns_name_t *target, - in_port_t port, dns_adbfind_t **findp) - { -+ return (dns_adb_createfind2(adb, task, action, arg, name, -+ qname, qtype, options, now, -+ target, port, 0, NULL, findp)); -+} -+ -+isc_result_t -+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, -+ void *arg, dns_name_t *name, dns_name_t *qname, -+ dns_rdatatype_t qtype, unsigned int options, -+ isc_stdtime_t now, dns_name_t *target, -+ in_port_t port, unsigned int depth, isc_counter_t *qc, -+ dns_adbfind_t **findp) -+{ - dns_adbfind_t *find; - 
dns_adbname_t *adbname; - int bucket; -@@ -2512,7 +2526,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - * Start V4. - */ - if (WANT_INET(wanted_fetches) && -- fetch_name(adbname, start_at_zone, -+ fetch_name(adbname, start_at_zone, depth, qc, - dns_rdatatype_a) == ISC_R_SUCCESS) { - DP(DEF_LEVEL, - "dns_adb_createfind: started A fetch for name %p", -@@ -2523,7 +2537,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - * Start V6. - */ - if (WANT_INET6(wanted_fetches) && -- fetch_name(adbname, start_at_zone, -+ fetch_name(adbname, start_at_zone, depth, qc, - dns_rdatatype_aaaa) == ISC_R_SUCCESS) { - DP(DEF_LEVEL, - "dns_adb_createfind: " -@@ -3256,6 +3270,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { - DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s", - buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA", - dns_result_totext(dev->result)); -+ /* -+ * Don't record a failure unless this is the initial -+ * fetch of a chain. -+ */ -+ if (fetch->depth > 1) -+ goto out; - /* XXXMLG Don't pound on bad servers. 
*/ - if (address_type == DNS_ADBFIND_INET) { - name->expire_v4 = ISC_MIN(name->expire_v4, now + 300); -@@ -3293,9 +3313,8 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { - } - - static isc_result_t --fetch_name(dns_adbname_t *adbname, -- isc_boolean_t start_at_zone, -- dns_rdatatype_t type) -+fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone, -+ unsigned int depth, isc_counter_t *qc, dns_rdatatype_t type) - { - isc_result_t result; - dns_adbfetch_t *fetch = NULL; -@@ -3340,12 +3359,14 @@ fetch_name(dns_adbname_t *adbname, - result = ISC_R_NOMEMORY; - goto cleanup; - } -+ fetch->depth = depth; - -- result = dns_resolver_createfetch(adb->view->resolver, &adbname->name, -- type, name, nameservers, NULL, -- options, adb->task, fetch_callback, -- adbname, &fetch->rdataset, NULL, -- &fetch->fetch); -+ result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name, -+ type, name, nameservers, NULL, -+ NULL, 0, options, depth, qc, -+ adb->task, fetch_callback, adbname, -+ &fetch->rdataset, NULL, -+ &fetch->fetch); - if (result != ISC_R_SUCCESS) - goto cleanup; - -diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h -index d4d1b05..556fcc2 100644 ---- a/lib/dns/include/dns/adb.h -+++ b/lib/dns/include/dns/adb.h -@@ -334,6 +334,13 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - dns_rdatatype_t qtype, unsigned int options, - isc_stdtime_t now, dns_name_t *target, - in_port_t port, dns_adbfind_t **find); -+isc_result_t -+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, -+ void *arg, dns_name_t *name, dns_name_t *qname, -+ dns_rdatatype_t qtype, unsigned int options, -+ isc_stdtime_t now, dns_name_t *target, in_port_t port, -+ unsigned int depth, isc_counter_t *qc, -+ dns_adbfind_t **find); - /*%< - * Main interface for clients. 
The adb will look up the name given in - * "name" and will build up a list of found addresses, and perhaps start -diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h -index d293daa..10c3a3a 100644 ---- a/lib/dns/include/dns/resolver.h -+++ b/lib/dns/include/dns/resolver.h -@@ -270,6 +270,18 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, - dns_rdataset_t *rdataset, - dns_rdataset_t *sigrdataset, - dns_fetch_t **fetchp); -+isc_result_t -+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, -+ dns_rdatatype_t type, -+ dns_name_t *domain, dns_rdataset_t *nameservers, -+ dns_forwarders_t *forwarders, -+ isc_sockaddr_t *client, isc_uint16_t id, -+ unsigned int options, unsigned int depth, -+ isc_counter_t *qc, isc_task_t *task, -+ isc_taskaction_t action, void *arg, -+ dns_rdataset_t *rdataset, -+ dns_rdataset_t *sigrdataset, -+ dns_fetch_t **fetchp); - /*%< - * Recurse to answer a question. - * -@@ -550,6 +562,30 @@ dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp); - * \li resolver to be valid. - */ - -+void -+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth); -+unsigned int -+dns_resolver_getmaxdepth(dns_resolver_t *resolver); -+/*% -+ * Get and set how many NS indirections will be followed when looking for -+ * nameserver addresses. -+ * -+ * Requires: -+ * \li resolver to be valid. -+ */ -+ -+void -+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries); -+unsigned int -+dns_resolver_getmaxqueries(dns_resolver_t *resolver); -+/*% -+ * Get and set how many iterative queries will be allowed before -+ * terminating a recursive query. -+ * -+ * Requires: -+ * \li resolver to be valid. 
-+ */ -+ - ISC_LANG_ENDDECLS - - #endif /* DNS_RESOLVER_H */ -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 7dcea6d..bd3d9fd 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -21,6 +21,7 @@ - - #include - -+#include - #include - #include - #include -@@ -109,6 +110,16 @@ - #define QTRACE(m) - #endif - -+/* The default maximum number of recursions to follow before giving up. */ -+#ifndef DEFAULT_RECURSION_DEPTH -+#define DEFAULT_RECURSION_DEPTH 7 -+#endif -+ -+/* The default maximum number of iterative queries to allow before giving up. */ -+#ifndef DEFAULT_MAX_QUERIES -+#define DEFAULT_MAX_QUERIES 50 -+#endif -+ - /*% - * Maximum EDNS0 input packet size. - */ -@@ -211,12 +222,13 @@ struct fetchctx { - isc_sockaddrlist_t edns; - isc_sockaddrlist_t edns512; - isc_sockaddrlist_t bad_edns; -- dns_validator_t *validator; -+ dns_validator_t * validator; - ISC_LIST(dns_validator_t) validators; - dns_db_t * cache; - dns_adb_t * adb; - isc_boolean_t ns_ttl_ok; - isc_uint32_t ns_ttl; -+ isc_counter_t * qc; - - /*% - * The number of events we're waiting for. -@@ -283,6 +295,7 @@ struct fetchctx { - unsigned int valfail; - isc_boolean_t timeout; - dns_adbaddrinfo_t *addrinfo; -+ unsigned int depth; - }; - - #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!') -@@ -394,6 +407,8 @@ struct dns_resolver { - unsigned int spillatmin; - isc_timer_t * spillattimer; - isc_boolean_t zero_no_soa_ttl; -+ unsigned int maxdepth; -+ unsigned int maxqueries; - - /* Locked by lock. 
*/ - unsigned int references; -@@ -1495,6 +1510,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, - if (result != ISC_R_SUCCESS) - goto cleanup_dispatch; - } -+ - fctx->querysent++; - - ISC_LIST_APPEND(fctx->queries, query, link); -@@ -2146,9 +2162,9 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) { - */ - INSIST(!SHUTTINGDOWN(fctx)); - fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; -- if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) -+ if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) { - want_try = ISC_TRUE; -- else { -+ } else { - fctx->findfail++; - if (fctx->pending == 0) { - /* -@@ -2177,7 +2193,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) { - else if (want_done) - fctx_done(fctx, ISC_R_FAILURE, __LINE__); - else if (destroy) { -- fctx_destroy(fctx); -+ fctx_destroy(fctx); - if (bucket_empty) - empty_bucket(res); - } -@@ -2499,12 +2515,13 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, - * See what we know about this address. - */ - find = NULL; -- result = dns_adb_createfind(fctx->adb, -- res->buckets[fctx->bucketnum].task, -- fctx_finddone, fctx, name, -- &fctx->name, fctx->type, -- options, now, NULL, -- res->view->dstport, &find); -+ result = dns_adb_createfind2(fctx->adb, -+ res->buckets[fctx->bucketnum].task, -+ fctx_finddone, fctx, name, -+ &fctx->name, fctx->type, -+ options, now, NULL, -+ res->view->dstport, -+ fctx->depth + 1, fctx->qc, &find); - if (result != ISC_R_SUCCESS) { - if (result == DNS_R_ALIAS) { - /* -@@ -2612,6 +2629,14 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { - - res = fctx->res; - -+ if (fctx->depth > res->maxdepth) { -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), -+ "too much NS indirection resolving '%s'", -+ fctx->info); -+ return (DNS_R_SERVFAIL); -+ } -+ - /* - * Forwarders. 
- */ -@@ -3087,6 +3112,16 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) { - } - } - -+ result = isc_counter_increment(fctx->qc); -+ if (result != ISC_R_SUCCESS) { -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), -+ "exceeded max queries resolving '%s'", -+ fctx->info); -+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); -+ return; -+ } -+ - result = fctx_query(fctx, addrinfo, fctx->options); - if (result != ISC_R_SUCCESS) - fctx_done(fctx, result, __LINE__); -@@ -3185,6 +3220,7 @@ fctx_destroy(fetchctx_t *fctx) { - isc_mem_put(fctx->mctx, sa, sizeof(*sa)); - } - -+ isc_counter_detach(&fctx->qc); - isc_timer_detach(&fctx->timer); - dns_message_destroy(&fctx->rmessage); - dns_message_destroy(&fctx->qmessage); -@@ -3512,7 +3548,8 @@ log_ns_ttl(fetchctx_t *fctx, const char *where) { - static isc_result_t - fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - dns_name_t *domain, dns_rdataset_t *nameservers, -- unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp) -+ unsigned int options, unsigned int bucketnum, unsigned int depth, -+ isc_counter_t *qc, fetchctx_t **fctxp) - { - fetchctx_t *fctx; - isc_result_t result; -@@ -3534,6 +3571,21 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - fctx = isc_mem_get(mctx, sizeof(*fctx)); - if (fctx == NULL) - return (ISC_R_NOMEMORY); -+ -+ fctx->qc = NULL; -+ if (qc != NULL) { -+ isc_counter_attach(qc, &fctx->qc); -+ } else { -+ result = isc_counter_create(res->mctx, -+ res->maxqueries, &fctx->qc); -+ if (result != ISC_R_SUCCESS) -+ goto cleanup_fetch; -+ } -+ -+ /* -+ * Make fctx->info point to a copy of a formatted string -+ * "name/type". 
-+ */ - dns_name_format(name, buf, sizeof(buf)); - dns_rdatatype_format(type, typebuf, sizeof(typebuf)); - strcat(buf, "/"); /* checked */ -@@ -3541,7 +3593,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - fctx->info = isc_mem_strdup(mctx, buf); - if (fctx->info == NULL) { - result = ISC_R_NOMEMORY; -- goto cleanup_fetch; -+ goto cleanup_counter; - } - FCTXTRACE("create"); - dns_name_init(&fctx->name, NULL); -@@ -3564,6 +3616,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - fctx->state = fetchstate_init; - fctx->want_shutdown = ISC_FALSE; - fctx->cloned = ISC_FALSE; -+ fctx->depth = depth; - ISC_LIST_INIT(fctx->queries); - ISC_LIST_INIT(fctx->finds); - ISC_LIST_INIT(fctx->altfinds); -@@ -3768,6 +3821,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - cleanup_info: - isc_mem_free(mctx, fctx->info); - -+ cleanup_counter: -+ isc_counter_detach(&fctx->qc); -+ - cleanup_fetch: - isc_mem_put(mctx, fctx, sizeof(*fctx)); - -@@ -7339,6 +7395,8 @@ dns_resolver_create(dns_view_t *view, - res->zero_no_soa_ttl = ISC_FALSE; - res->ndisps = 0; - res->nextdisp = 0; /* meaningless at this point, but init it */ -+ res->maxdepth = DEFAULT_RECURSION_DEPTH; -+ res->maxqueries = DEFAULT_MAX_QUERIES; - res->nbuckets = ntasks; - res->activebuckets = ntasks; - res->buckets = isc_mem_get(view->mctx, -@@ -7778,9 +7836,9 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name, - dns_rdataset_t *sigrdataset, - dns_fetch_t **fetchp) - { -- return (dns_resolver_createfetch2(res, name, type, domain, -+ return (dns_resolver_createfetch3(res, name, type, domain, - nameservers, forwarders, NULL, 0, -- options, task, action, arg, -+ options, 0, NULL, task, action, arg, - rdataset, sigrdataset, fetchp)); - } - -@@ -7796,6 +7854,25 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, - dns_rdataset_t *sigrdataset, - dns_fetch_t **fetchp) - { -+ return (dns_resolver_createfetch3(res, name, 
type, domain, -+ nameservers, forwarders, client, id, -+ options, 0, NULL, task, action, arg, -+ rdataset, sigrdataset, fetchp)); -+} -+ -+isc_result_t -+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, -+ dns_rdatatype_t type, -+ dns_name_t *domain, dns_rdataset_t *nameservers, -+ dns_forwarders_t *forwarders, -+ isc_sockaddr_t *client, dns_messageid_t id, -+ unsigned int options, unsigned int depth, -+ isc_counter_t *qc, isc_task_t *task, -+ isc_taskaction_t action, void *arg, -+ dns_rdataset_t *rdataset, -+ dns_rdataset_t *sigrdataset, -+ dns_fetch_t **fetchp) -+{ - dns_fetch_t *fetch; - fetchctx_t *fctx = NULL; - isc_result_t result = ISC_R_SUCCESS; -@@ -7882,11 +7959,12 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, - - if (fctx == NULL) { - result = fctx_create(res, name, type, domain, nameservers, -- options, bucketnum, &fctx); -+ options, bucketnum, depth, qc, &fctx); - if (result != ISC_R_SUCCESS) - goto unlock; - new_fctx = ISC_TRUE; -- } -+ } else if (fctx->depth > depth) -+ fctx->depth = depth; - - result = fctx_join(fctx, task, client, id, action, arg, - rdataset, sigrdataset, fetch); -@@ -8637,3 +8715,27 @@ dns_resolver_getoptions(dns_resolver_t *resolver) { - - return (resolver->options); - } -+ -+void -+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) { -+ REQUIRE(VALID_RESOLVER(resolver)); -+ resolver->maxdepth = maxdepth; -+} -+ -+unsigned int -+dns_resolver_getmaxdepth(dns_resolver_t *resolver) { -+ REQUIRE(VALID_RESOLVER(resolver)); -+ return (resolver->maxdepth); -+} -+ -+void -+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries) { -+ REQUIRE(VALID_RESOLVER(resolver)); -+ resolver->maxqueries = queries; -+} -+ -+unsigned int -+dns_resolver_getmaxqueries(dns_resolver_t *resolver) { -+ REQUIRE(VALID_RESOLVER(resolver)); -+ return (resolver->maxqueries); -+} -diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index 0b4020b..afc19ee 100644 ---- 
a/lib/isc/Makefile.in -+++ b/lib/isc/Makefile.in -@@ -13,8 +13,6 @@ - # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - # PERFORMANCE OF THIS SOFTWARE. - --# $Id$ -- - srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ -@@ -53,7 +51,7 @@ WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \ - # Alphabetically - OBJS = @ISC_EXTRA_OBJS@ \ - assertions.@O@ base32.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \ -- bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \ -+ bufferlist.@O@ commandline.@O@ counter.@O@ error.@O@ event.@O@ \ - hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \ - httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \ - lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \ -@@ -68,7 +66,7 @@ OBJS = @ISC_EXTRA_OBJS@ \ - # Alphabetically - SRCS = @ISC_EXTRA_SRCS@ \ - assertions.c base32.c base64.c bitstring.c buffer.c \ -- bufferlist.c commandline.c error.c event.c \ -+ bufferlist.c commandline.c counter.c error.c event.c \ - heap.c hex.c hmacmd5.c hmacsha.c \ - httpd.c inet_aton.c iterated_hash.c \ - lex.c lfsr.c lib.c log.c \ -diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in -index 9adca3e..1cfbbd1 100644 ---- a/lib/isc/include/isc/Makefile.in -+++ b/lib/isc/include/isc/Makefile.in -@@ -13,8 +13,6 @@ - # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - # PERFORMANCE OF THIS SOFTWARE. - --# $Id$ -- - srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ -@@ -27,7 +25,7 @@ top_srcdir = @top_srcdir@ - # install target below. 
- # - HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \ -- bufferlist.h commandline.h entropy.h error.h event.h \ -+ bufferlist.h commandline.h counter.h entropy.h error.h event.h \ - eventclass.h file.h formatcheck.h fsaccess.h \ - hash.h heap.h hex.h hmacmd5.h hmacsha.h \ - httpd.h \ -diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index 8e8b08f..a646b8b 100644 ---- a/lib/isc/include/isc/types.h -+++ b/lib/isc/include/isc/types.h -@@ -45,6 +45,7 @@ typedef struct isc_buffer isc_buffer_t; /*%< Buffer */ - typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t; /*%< Buffer List */ - typedef struct isc_constregion isc_constregion_t; /*%< Const region */ - typedef struct isc_consttextregion isc_consttextregion_t; /*%< Const Text Region */ -+typedef struct isc_counter isc_counter_t; /*%< Counter */ - typedef struct isc_entropy isc_entropy_t; /*%< Entropy */ - typedef struct isc_entropysource isc_entropysource_t; /*%< Entropy Source */ - typedef struct isc_event isc_event_t; /*%< Event */ -diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index fac2633..3023dcc 100644 ---- a/lib/isccfg/namedconf.c -+++ b/lib/isccfg/namedconf.c -@@ -15,8 +15,6 @@ - * PERFORMANCE OF THIS SOFTWARE. - */ - --/* $Id$ */ -- - /*! 
\file */ - - #include -@@ -830,6 +828,8 @@ view_clauses[] = { - { "max-cache-ttl", &cfg_type_uint32, 0 }, - { "max-clients-per-query", &cfg_type_uint32, 0 }, - { "max-ncache-ttl", &cfg_type_uint32, 0 }, -+ { "max-recursion-depth", &cfg_type_uint32, 0 }, -+ { "max-recursion-queries", &cfg_type_uint32, 0 }, - { "max-udp-size", &cfg_type_uint32, 0 }, - { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP }, - { "minimal-responses", &cfg_type_boolean, 0 }, -diff --git a/version b/version -index 1be3c16..2058444 100644 ---- a/version -+++ b/version -@@ -10,4 +10,4 @@ MINORVER=6 - PATCHVER= - RELEASETYPE=-ESV - RELEASEVER=-R11 --EXTENSIONS= -+EXTENSIONS=-P1 -diff --git a/lib/isc/counter.c b/lib/isc/counter.c -new file mode 100644 -index 0000000..d7d187b ---- /dev/null -+++ b/lib/isc/counter.c -@@ -0,0 +1,138 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/*! 
\file */ -+ -+#include -+ -+#include -+ -+#include -+#include -+#include -+#include -+ -+#define COUNTER_MAGIC ISC_MAGIC('C', 'n', 't', 'r') -+#define VALID_COUNTER(r) ISC_MAGIC_VALID(r, COUNTER_MAGIC) -+ -+struct isc_counter { -+ unsigned int magic; -+ isc_mem_t *mctx; -+ isc_mutex_t lock; -+ unsigned int references; -+ unsigned int limit; -+ unsigned int used; -+}; -+ -+isc_result_t -+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp) { -+ isc_result_t result; -+ isc_counter_t *counter; -+ -+ REQUIRE(counterp != NULL && *counterp == NULL); -+ -+ counter = isc_mem_get(mctx, sizeof(*counter)); -+ if (counter == NULL) -+ return (ISC_R_NOMEMORY); -+ -+ result = isc_mutex_init(&counter->lock); -+ if (result != ISC_R_SUCCESS) { -+ isc_mem_put(mctx, counter, sizeof(*counter)); -+ return (result); -+ } -+ -+ counter->mctx = NULL; -+ isc_mem_attach(mctx, &counter->mctx); -+ -+ counter->references = 1; -+ counter->limit = limit; -+ counter->used = 0; -+ -+ counter->magic = COUNTER_MAGIC; -+ *counterp = counter; -+ return (ISC_R_SUCCESS); -+} -+ -+isc_result_t -+isc_counter_increment(isc_counter_t *counter) { -+ isc_result_t result = ISC_R_SUCCESS; -+ -+ LOCK(&counter->lock); -+ counter->used++; -+ if (counter->limit != 0 && counter->used >= counter->limit) -+ result = ISC_R_QUOTA; -+ UNLOCK(&counter->lock); -+ -+ return (result); -+} -+ -+unsigned int -+isc_counter_used(isc_counter_t *counter) { -+ REQUIRE(VALID_COUNTER(counter)); -+ -+ return (counter->used); -+} -+ -+void -+isc_counter_setlimit(isc_counter_t *counter, int limit) { -+ REQUIRE(VALID_COUNTER(counter)); -+ -+ LOCK(&counter->lock); -+ counter->limit = limit; -+ UNLOCK(&counter->lock); -+} -+ -+void -+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp) { -+ REQUIRE(VALID_COUNTER(source)); -+ REQUIRE(targetp != NULL && *targetp == NULL); -+ -+ LOCK(&source->lock); -+ source->references++; -+ INSIST(source->references > 0); -+ UNLOCK(&source->lock); -+ -+ *targetp = source; 
-+} -+ -+static void -+destroy(isc_counter_t *counter) { -+ counter->magic = 0; -+ isc_mutex_destroy(&counter->lock); -+ isc_mem_putanddetach(&counter->mctx, counter, sizeof(*counter)); -+} -+ -+void -+isc_counter_detach(isc_counter_t **counterp) { -+ isc_counter_t *counter; -+ isc_boolean_t want_destroy = ISC_FALSE; -+ -+ REQUIRE(counterp != NULL && *counterp != NULL); -+ counter = *counterp; -+ REQUIRE(VALID_COUNTER(counter)); -+ -+ *counterp = NULL; -+ -+ LOCK(&counter->lock); -+ INSIST(counter->references > 0); -+ counter->references--; -+ if (counter->references == 0) -+ want_destroy = ISC_TRUE; -+ UNLOCK(&counter->lock); -+ -+ if (want_destroy) -+ destroy(counter); -+} -diff --git a/lib/isc/include/isc/counter.h b/lib/isc/include/isc/counter.h -new file mode 100644 -index 0000000..e7ebd25 ---- /dev/null -+++ b/lib/isc/include/isc/counter.h -@@ -0,0 +1,90 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#ifndef ISC_COUNTER_H -+#define ISC_COUNTER_H 1 -+ -+/***** -+ ***** Module Info -+ *****/ -+ -+/*! 
\file isc/counter.h -+ * -+ * \brief The isc_counter_t object is a simplified version of the -+ * isc_quota_t object; it tracks the consumption of limited -+ * resources, returning an error condition when the quota is -+ * exceeded. However, unlike isc_quota_t, attaching and detaching -+ * from a counter object does not increment or decrement the counter. -+ */ -+ -+/*** -+ *** Imports. -+ ***/ -+ -+#include -+#include -+#include -+ -+/***** -+ ***** Types. -+ *****/ -+ -+ISC_LANG_BEGINDECLS -+ -+isc_result_t -+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp); -+/*%< -+ * Allocate and initialize a counter object. -+ */ -+ -+isc_result_t -+isc_counter_increment(isc_counter_t *counter); -+/*%< -+ * Increment the counter. -+ * -+ * If the counter limit is nonzero and has been reached, then -+ * return ISC_R_QUOTA, otherwise ISC_R_SUCCESS. (The counter is -+ * incremented regardless of return value.) -+ */ -+ -+unsigned int -+isc_counter_used(isc_counter_t *counter); -+/*%< -+ * Return the current counter value. -+ */ -+ -+void -+isc_counter_setlimit(isc_counter_t *counter, int limit); -+/*%< -+ * Set the counter limit. -+ */ -+ -+void -+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp); -+/*%< -+ * Attach to a counter object, increasing its reference counter. -+ */ -+ -+void -+isc_counter_detach(isc_counter_t **counterp); -+/*%< -+ * Detach (and destroy if reference counter has dropped to zero) -+ * a counter object. -+ */ -+ -+ISC_LANG_ENDDECLS -+ -+#endif /* ISC_COUNTER_H */ -diff --git a/lib/isc/tests/counter_test.c b/lib/isc/tests/counter_test.c -new file mode 100644 -index 0000000..a7a1997 ---- /dev/null -+++ b/lib/isc/tests/counter_test.c -@@ -0,0 +1,69 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. 
("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#include -+#include -+ -+#include -+ -+#include -+#include -+ -+#include "isctest.h" -+ -+ATF_TC(isc_counter); -+ATF_TC_HEAD(isc_counter, tc) { -+ atf_tc_set_md_var(tc, "descr", "isc counter object"); -+} -+ATF_TC_BODY(isc_counter, tc) { -+ isc_result_t result; -+ isc_counter_t *counter = NULL; -+ int i; -+ -+ result = isc_test_begin(NULL, ISC_TRUE); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ -+ result = isc_counter_create(mctx, 0, &counter); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ -+ for (i = 0; i < 10; i++) { -+ result = isc_counter_increment(counter); -+ ATF_CHECK_EQ(result, ISC_R_SUCCESS); -+ } -+ -+ ATF_CHECK_EQ(isc_counter_used(counter), 10); -+ -+ isc_counter_setlimit(counter, 15); -+ for (i = 0; i < 10; i++) { -+ result = isc_counter_increment(counter); -+ if (result != ISC_R_SUCCESS) -+ break; -+ } -+ -+ ATF_CHECK_EQ(isc_counter_used(counter), 15); -+ -+ isc_counter_detach(&counter); -+ isc_test_end(); -+} -+ -+/* -+ * Main -+ */ -+ATF_TP_ADD_TCS(tp) { -+ ATF_TP_ADD_TC(tp, isc_counter); -+ return (atf_no_error()); -+} -+ diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/002-RT40046.patch 
--- a/components/bind/patches/002-RT40046.patch Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,38 +0,0 @@
-This patch was obtained from ISC for 9.6-ESV-R11-P2. The patch can
-only be obtained from security-officer@isc.org on an as needed
-basis.
-
---- a/CHANGES Thu Jul 23 10:45:58 2015
-+++ b/CHANGES Thu Jul 23 10:45:58 2015
-@@ -1,3 +1,9 @@
-+ --- 9.6-ESV-R11-P2 released ---
-+
-+4165. [security] A failure to reset a value to NULL in tkey.c could
-+ result in an assertion failure. (CVE-2015-5477)
-+ [RT #40046]
-+
- --- 9.6-ESV-R11-P1 released ---
-
- 4006. [security] A flaw in delegation handling could be exploited
-diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
-index 66210d5..34ad90b 100644
---- a/lib/dns/tkey.c
-+++ b/lib/dns/tkey.c
-@@ -654,6 +654,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
- * Try the answer section, since that's where Win2000
- * puts it.
- */
-+ name = NULL;
- if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
- dns_rdatatype_tkey, 0, &name,
- &tkeyset) != ISC_R_SUCCESS) {
-diff --git version version
-index 1be3c16..2058444 100644
---- a/version
-+++ b/version
-@@ -10,4 +10,4 @@ MINORVER=6
- PATCHVER=
- RELEASETYPE=-ESV
- RELEASEVER=-R11
--EXTENSIONS=-P1
-+EXTENSIONS=-P2
diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/002-configure.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/002-configure.patch Thu Jun 16 13:48:33 2016 +0100
@@ -0,0 +1,233 @@ +Patch file created at Oracle to use krb5-config to discover libraries +and include paths for linking with gssapi. + +Intention is to share patch with ISC for their inclusion in future +releases of BIND. + +--- a/configure.in Thu Jun 2 11:28:43 2016 ++++ b/configure.in Thu Jun 2 11:43:34 2016 +@@ -799,6 +799,49 @@ + [ --with-gssapi=PATH Specify path for system-supplied GSSAPI [[default=yes]]], + use_gssapi="$withval", use_gssapi="yes") + ++# first try using krb5-config, if that does not work then fall back to "yes" method. ++if test "$use_gssapi" = "krb5-config" ++then ++ AC_MSG_RESULT(trying krb5_config) ++ AC_PATH_PROG(KRB5_CONFIG, krb5-config) ++ gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` ++ gssapi_libs=`$KRB5_CONFIG --libs gssapi` ++ saved_cppflags="$CPPFLAGS" ++ CPPFLAGS="$gssapi_cflags $CPPFLAGS" ++ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h, ++ [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"]) ++ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then ++ AC_MSG_RESULT([krb5-config: gssapi.h not found]) ++ CPPFLAGS="$saved_cppflags" ++ use_gssapi="yes" ++ else ++ AC_CHECK_HEADERS(krb5/krb5.h krb5.h, ++ [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"]) ++ if test "$ISC_PLATFORM_KRB5HEADER" = ""; then ++ AC_MSG_RESULT([krb5-config: krb5.h not found]) ++ CPPFLAGS="$saved_cppflags" ++ use_gssapi="yes" ++ else ++ CPPFLAGS="$saved_cppflags" ++ saved_libs="$LIBS" ++ LIBS=$gssapi_libs ++ AC_MSG_CHECKING([krb5-config linking as $LIBS]) ++ AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()], ++ gssapi_linked=yes, gssapi_linked=no) ++ case $gssapi_linked in ++ yes) AC_MSG_RESULT([krb5-config: linked]);; ++ no) AC_MSG_RESULT([krb5-config: could not determine proper GSSAPI linkage]) ++ use_gssapi="yes" ++ ;; ++ esac ++ LIBS=$saved_libs ++ fi ++ fi ++ if test "$use_gssapi" = "yes"; then ++ AC_MSG_CHECKING([for GSSAPI library, non krb5-config method]) ++ fi ++fi ++ + # gssapi is just the framework, we really 
require kerberos v5, so + # look for those headers (the gssapi headers must be there, too) + # The problem with this implementation is that it doesn't allow +@@ -842,6 +885,11 @@ + yes) + AC_MSG_ERROR([--with-gssapi must specify a path]) + ;; ++ krb5-config) ++ USE_GSSAPI='-DGSSAPI' ++ DST_GSSAPI_INC="$gssapi_cflags" ++ DNS_GSSAPI_LIBS="$gssapi_libs" ++ ;; + *) + AC_MSG_RESULT(looking in $use_gssapi/lib) + USE_GSSAPI='-DGSSAPI' +--- a/configure Sun Feb 28 16:29:06 2016 ++++ b/configure Thu Jun 2 03:56:59 2016 +@@ -1,5 +1,5 @@ + #! /bin/sh +-# Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") ++# Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") + # Copyright (C) 1996-2003 Internet Software Consortium. + # + # Permission to use, copy, modify, and/or distribute this software for any +@@ -851,6 +851,7 @@ + ISC_PLATFORM_GSSAPI_KRB5_HEADER + ISC_PLATFORM_GSSAPIHEADER + ISC_PLATFORM_HAVEGSSAPI ++KRB5_CONFIG + GEOIPLINKOBJS + GEOIPLINKSRCS + LWRES_PLATFORM_NEEDSYSSELECTH +@@ -13975,6 +13976,133 @@ + fi + + ++# first try using krb5-config, if that does not work then fall back to "yes" method. ++if test "$use_gssapi" = "krb5-config" ++then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: trying krb5_config" >&5 ++$as_echo "trying krb5_config" >&6; } ++ # Extract the first word of "krb5-config", so it can be a program name with args. ++set dummy krb5-config; ac_word=$2 ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 ++$as_echo_n "checking for $ac_word... " >&6; } ++if ${ac_cv_path_KRB5_CONFIG+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ case $KRB5_CONFIG in ++ [\\/]* | ?:[\\/]*) ++ ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path. ++ ;; ++ *) ++ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++for as_dir in $PATH ++do ++ IFS=$as_save_IFS ++ test -z "$as_dir" && as_dir=. 
++ for ac_exec_ext in '' $ac_executable_extensions; do ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ++ ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext" ++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 ++ break 2 ++ fi ++done ++ done ++IFS=$as_save_IFS ++ ++ ;; ++esac ++fi ++KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG ++if test -n "$KRB5_CONFIG"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5 ++$as_echo "$KRB5_CONFIG" >&6; } ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++fi ++ ++ ++ gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` ++ gssapi_libs=`$KRB5_CONFIG --libs gssapi` ++ saved_cppflags="$CPPFLAGS" ++ CPPFLAGS="$gssapi_cflags $CPPFLAGS" ++ for ac_header in gssapi.h gssapi/gssapi.h ++do : ++ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ++ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ++if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : ++ cat >>confdefs.h <<_ACEOF ++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 ++_ACEOF ++ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" ++fi ++ ++done ++ ++ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: gssapi.h not found" >&5 ++$as_echo "krb5-config: gssapi.h not found" >&6; } ++ CPPFLAGS="$saved_cppflags" ++ use_gssapi="yes" ++ else ++ for ac_header in krb5/krb5.h krb5.h ++do : ++ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ++ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ++if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : ++ cat >>confdefs.h <<_ACEOF ++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 ++_ACEOF ++ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" ++fi ++ ++done ++ ++ if test "$ISC_PLATFORM_KRB5HEADER" = ""; then ++ { $as_echo 
"$as_me:${as_lineno-$LINENO}: result: krb5-config: krb5.h not found" >&5 ++$as_echo "krb5-config: krb5.h not found" >&6; } ++ CPPFLAGS="$saved_cppflags" ++ use_gssapi="yes" ++ else ++ CPPFLAGS="$saved_cppflags" ++ saved_libs="$LIBS" ++ LIBS=$gssapi_libs ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config linking as $LIBS" >&5 ++$as_echo_n "checking krb5-config linking as $LIBS... " >&6; } ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++int ++main () ++{ ++gss_acquire_cred();krb5_init_context() ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO"; then : ++ gssapi_linked=yes ++else ++ gssapi_linked=no ++fi ++rm -f core conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++ case $gssapi_linked in ++ yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: linked" >&5 ++$as_echo "krb5-config: linked" >&6; };; ++ no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: could not determine proper GSSAPI linkage" >&5 ++$as_echo "krb5-config: could not determine proper GSSAPI linkage" >&6; } ++ use_gssapi="yes" ++ ;; ++ esac ++ LIBS=$saved_libs ++ fi ++ fi ++ if test "$use_gssapi" = "yes"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library, non krb5-config method" >&5 ++$as_echo_n "checking for GSSAPI library, non krb5-config method... " >&6; } ++ fi ++fi ++ + # gssapi is just the framework, we really require kerberos v5, so + # look for those headers (the gssapi headers must be there, too) + # The problem with this implementation is that it doesn't allow +@@ -14019,6 +14147,11 @@ + yes) + as_fn_error $? 
"--with-gssapi must specify a path" "$LINENO" 5 + ;; ++ krb5-config) ++ USE_GSSAPI='-DGSSAPI' ++ DST_GSSAPI_INC="$gssapi_cflags" ++ DNS_GSSAPI_LIBS="$gssapi_libs" ++ ;; + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5 + $as_echo "looking in $use_gssapi/lib" >&6; } diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/003-RT40212.patch --- a/components/bind/patches/003-RT40212.patch Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,947 +0,0 @@ -This patch was obtained from ISC for 9.6-ESV-R11-P3. - ---- old/CHANGES Mon Aug 24 00:18:22 2015 -+++ new/CHANGES Mon Aug 24 00:18:22 2015 -@@ -1,3 +1,10 @@ -+ --- 9.6-ESV-R11-P3 released --- -+ -+4168. [security] A buffer accounting error could trigger an -+ assertion failure when parsing certain malformed -+ DNSSEC keys. (CVE-2015-5722) -+ [RT #40212] -+ - --- 9.6-ESV-R11-P2 released --- - - 4165. [security] A failure to reset a value to NULL in tkey.c could ---- old/lib/dns/api Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/api Mon Aug 24 00:18:23 2015 -@@ -5,5 +5,5 @@ - # 9.9: 90-109 - # 9.9-sub: 130-139 - LIBINTERFACE = 114 --LIBREVISION = 1 -+LIBREVISION = 2 - LIBAGE = 1 ---- old/lib/dns/hmac_link.c Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/hmac_link.c Mon Aug 24 00:18:23 2015 -@@ -1,5 +1,5 @@ - /* -- * Portions Copyright (C) 2004-2008, 2012-2014 Internet Systems Consortium, Inc. ("ISC") -+ * Portions Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 1999-2002 Internet Software Consortium. 
- * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -51,14 +51,10 @@ - #include "dst_internal.h" - #include "dst_parse.h" - --#define HMAC_LEN 64 --#define HMAC_IPAD 0x36 --#define HMAC_OPAD 0x5c -- - static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data); - - struct dst_hmacmd5_key { -- unsigned char key[HMAC_LEN]; -+ unsigned char key[ISC_MD5_BLOCK_LENGTH]; - }; - - static isc_result_t -@@ -80,7 +76,7 @@ - hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); - if (hmacmd5ctx == NULL) - return (ISC_R_NOMEMORY); -- isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN); -+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH); - dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; - return (ISC_R_SUCCESS); - } -@@ -143,7 +139,7 @@ - else if (hkey1 == NULL || hkey2 == NULL) - return (ISC_FALSE); - -- if (isc_safe_memcmp(hkey1->key, hkey2->key, HMAC_LEN)) -+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) - return (ISC_TRUE); - else - return (ISC_FALSE); -@@ -153,16 +149,16 @@ - hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) { - isc_buffer_t b; - isc_result_t ret; -- int bytes; -- unsigned char data[HMAC_LEN]; -+ unsigned int bytes; -+ unsigned char data[ISC_MD5_BLOCK_LENGTH]; - - bytes = (key->key_size + 7) / 8; -- if (bytes > HMAC_LEN) { -- bytes = HMAC_LEN; -- key->key_size = HMAC_LEN * 8; -+ if (bytes > ISC_MD5_BLOCK_LENGTH) { -+ bytes = ISC_MD5_BLOCK_LENGTH; -+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8; - } - -- memset(data, 0, HMAC_LEN); -+ memset(data, 0, ISC_MD5_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) -@@ -171,7 +167,7 @@ - isc_buffer_init(&b, data, bytes); - isc_buffer_add(&b, bytes); - ret = hmacmd5_fromdns(key, &b); -- memset(data, 0, HMAC_LEN); -+ memset(data, 0, ISC_MD5_BLOCK_LENGTH); - - return (ret); - } -@@ -185,6 +181,7 @@ - static void - hmacmd5_destroy(dst_key_t *key) { - dst_hmacmd5_key_t *hkey = 
key->keydata.hmacmd5; -+ - memset(hkey, 0, sizeof(dst_hmacmd5_key_t)); - isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t)); - key->keydata.hmacmd5 = NULL; -@@ -224,7 +221,7 @@ - - memset(hkey->key, 0, sizeof(hkey->key)); - -- if (r.length > HMAC_LEN) { -+ if (r.length > ISC_MD5_BLOCK_LENGTH) { - isc_md5_init(&md5ctx); - isc_md5_update(&md5ctx, r.base, r.length); - isc_md5_final(&md5ctx, hkey->key); -@@ -237,6 +234,8 @@ - key->key_size = keylen * 8; - key->keydata.hmacmd5 = hkey; - -+ isc_buffer_forward(data, r.length); -+ - return (ISC_R_SUCCESS); - } - -@@ -276,7 +275,8 @@ - unsigned int i; - - /* read private key file */ -- result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv); -+ result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, -+ &priv); - if (result != ISC_R_SUCCESS) - return (result); - -@@ -337,7 +337,7 @@ - static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data); - - struct dst_hmacsha1_key { -- unsigned char key[ISC_SHA1_DIGESTLENGTH]; -+ unsigned char key[ISC_SHA1_BLOCK_LENGTH]; - }; - - static isc_result_t -@@ -348,7 +348,7 @@ - hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t)); - if (hmacsha1ctx == NULL) - return (ISC_R_NOMEMORY); -- isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH); -+ isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); - dctx->ctxdata.hmacsha1ctx = hmacsha1ctx; - return (ISC_R_SUCCESS); - } -@@ -411,7 +411,7 @@ - else if (hkey1 == NULL || hkey2 == NULL) - return (ISC_FALSE); - -- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH)) -+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) - return (ISC_TRUE); - else - return (ISC_FALSE); -@@ -421,16 +421,16 @@ - hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) { - isc_buffer_t b; - isc_result_t ret; -- int bytes; -- unsigned char data[HMAC_LEN]; -+ unsigned int bytes; -+ unsigned char data[ISC_SHA1_BLOCK_LENGTH]; - - bytes = (key->key_size + 7) / 8; -- 
if (bytes > HMAC_LEN) { -- bytes = HMAC_LEN; -- key->key_size = HMAC_LEN * 8; -+ if (bytes > ISC_SHA1_BLOCK_LENGTH) { -+ bytes = ISC_SHA1_BLOCK_LENGTH; -+ key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; - } - -- memset(data, 0, HMAC_LEN); -+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) -@@ -439,7 +439,7 @@ - isc_buffer_init(&b, data, bytes); - isc_buffer_add(&b, bytes); - ret = hmacsha1_fromdns(key, &b); -- memset(data, 0, ISC_SHA1_DIGESTLENGTH); -+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH); - - return (ret); - } -@@ -453,6 +453,7 @@ - static void - hmacsha1_destroy(dst_key_t *key) { - dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1; -+ - memset(hkey, 0, sizeof(dst_hmacsha1_key_t)); - isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t)); - key->keydata.hmacsha1 = NULL; -@@ -492,7 +493,7 @@ - - memset(hkey->key, 0, sizeof(hkey->key)); - -- if (r.length > ISC_SHA1_DIGESTLENGTH) { -+ if (r.length > ISC_SHA1_BLOCK_LENGTH) { - isc_sha1_init(&sha1ctx); - isc_sha1_update(&sha1ctx, r.base, r.length); - isc_sha1_final(&sha1ctx, hkey->key); -@@ -505,6 +506,8 @@ - key->key_size = keylen * 8; - key->keydata.hmacsha1 = hkey; - -+ isc_buffer_forward(data, r.length); -+ - return (ISC_R_SUCCESS); - } - -@@ -606,7 +609,7 @@ - static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data); - - struct dst_hmacsha224_key { -- unsigned char key[ISC_SHA224_DIGESTLENGTH]; -+ unsigned char key[ISC_SHA224_BLOCK_LENGTH]; - }; - - static isc_result_t -@@ -617,7 +620,7 @@ - hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t)); - if (hmacsha224ctx == NULL) - return (ISC_R_NOMEMORY); -- isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH); -+ isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH); - dctx->ctxdata.hmacsha224ctx = hmacsha224ctx; - return (ISC_R_SUCCESS); - } -@@ -680,7 +683,7 @@ - else if (hkey1 == NULL || hkey2 == NULL) - 
return (ISC_FALSE); - -- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH)) -+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH)) - return (ISC_TRUE); - else - return (ISC_FALSE); -@@ -690,16 +693,16 @@ - hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) { - isc_buffer_t b; - isc_result_t ret; -- int bytes; -- unsigned char data[HMAC_LEN]; -+ unsigned int bytes; -+ unsigned char data[ISC_SHA224_BLOCK_LENGTH]; - - bytes = (key->key_size + 7) / 8; -- if (bytes > HMAC_LEN) { -- bytes = HMAC_LEN; -- key->key_size = HMAC_LEN * 8; -+ if (bytes > ISC_SHA224_BLOCK_LENGTH) { -+ bytes = ISC_SHA224_BLOCK_LENGTH; -+ key->key_size = ISC_SHA224_BLOCK_LENGTH * 8; - } - -- memset(data, 0, HMAC_LEN); -+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) -@@ -708,7 +711,7 @@ - isc_buffer_init(&b, data, bytes); - isc_buffer_add(&b, bytes); - ret = hmacsha224_fromdns(key, &b); -- memset(data, 0, ISC_SHA224_DIGESTLENGTH); -+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH); - - return (ret); - } -@@ -722,6 +725,7 @@ - static void - hmacsha224_destroy(dst_key_t *key) { - dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224; -+ - memset(hkey, 0, sizeof(dst_hmacsha224_key_t)); - isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t)); - key->keydata.hmacsha224 = NULL; -@@ -761,7 +765,7 @@ - - memset(hkey->key, 0, sizeof(hkey->key)); - -- if (r.length > ISC_SHA224_DIGESTLENGTH) { -+ if (r.length > ISC_SHA224_BLOCK_LENGTH) { - isc_sha224_init(&sha224ctx); - isc_sha224_update(&sha224ctx, r.base, r.length); - isc_sha224_final(hkey->key, &sha224ctx); -@@ -774,6 +778,8 @@ - key->key_size = keylen * 8; - key->keydata.hmacsha224 = hkey; - -+ isc_buffer_forward(data, r.length); -+ - return (ISC_R_SUCCESS); - } - -@@ -875,7 +881,7 @@ - static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data); - - struct dst_hmacsha256_key { -- unsigned char 
key[ISC_SHA256_DIGESTLENGTH]; -+ unsigned char key[ISC_SHA256_BLOCK_LENGTH]; - }; - - static isc_result_t -@@ -886,7 +892,7 @@ - hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t)); - if (hmacsha256ctx == NULL) - return (ISC_R_NOMEMORY); -- isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH); -+ isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH); - dctx->ctxdata.hmacsha256ctx = hmacsha256ctx; - return (ISC_R_SUCCESS); - } -@@ -949,7 +955,7 @@ - else if (hkey1 == NULL || hkey2 == NULL) - return (ISC_FALSE); - -- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH)) -+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH)) - return (ISC_TRUE); - else - return (ISC_FALSE); -@@ -959,16 +965,16 @@ - hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) { - isc_buffer_t b; - isc_result_t ret; -- int bytes; -- unsigned char data[HMAC_LEN]; -+ unsigned int bytes; -+ unsigned char data[ISC_SHA256_BLOCK_LENGTH]; - - bytes = (key->key_size + 7) / 8; -- if (bytes > HMAC_LEN) { -- bytes = HMAC_LEN; -- key->key_size = HMAC_LEN * 8; -+ if (bytes > ISC_SHA256_BLOCK_LENGTH) { -+ bytes = ISC_SHA256_BLOCK_LENGTH; -+ key->key_size = ISC_SHA256_BLOCK_LENGTH * 8; - } - -- memset(data, 0, HMAC_LEN); -+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) -@@ -977,7 +983,7 @@ - isc_buffer_init(&b, data, bytes); - isc_buffer_add(&b, bytes); - ret = hmacsha256_fromdns(key, &b); -- memset(data, 0, ISC_SHA256_DIGESTLENGTH); -+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH); - - return (ret); - } -@@ -991,6 +997,7 @@ - static void - hmacsha256_destroy(dst_key_t *key) { - dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256; -+ - memset(hkey, 0, sizeof(dst_hmacsha256_key_t)); - isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t)); - key->keydata.hmacsha256 = NULL; -@@ -1030,7 +1037,7 @@ - - memset(hkey->key, 0, 
sizeof(hkey->key)); - -- if (r.length > ISC_SHA256_DIGESTLENGTH) { -+ if (r.length > ISC_SHA256_BLOCK_LENGTH) { - isc_sha256_init(&sha256ctx); - isc_sha256_update(&sha256ctx, r.base, r.length); - isc_sha256_final(hkey->key, &sha256ctx); -@@ -1043,6 +1050,8 @@ - key->key_size = keylen * 8; - key->keydata.hmacsha256 = hkey; - -+ isc_buffer_forward(data, r.length); -+ - return (ISC_R_SUCCESS); - } - -@@ -1144,7 +1153,7 @@ - static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data); - - struct dst_hmacsha384_key { -- unsigned char key[ISC_SHA384_DIGESTLENGTH]; -+ unsigned char key[ISC_SHA384_BLOCK_LENGTH]; - }; - - static isc_result_t -@@ -1155,7 +1164,7 @@ - hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t)); - if (hmacsha384ctx == NULL) - return (ISC_R_NOMEMORY); -- isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH); -+ isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH); - dctx->ctxdata.hmacsha384ctx = hmacsha384ctx; - return (ISC_R_SUCCESS); - } -@@ -1218,7 +1227,7 @@ - else if (hkey1 == NULL || hkey2 == NULL) - return (ISC_FALSE); - -- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH)) -+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH)) - return (ISC_TRUE); - else - return (ISC_FALSE); -@@ -1228,16 +1237,16 @@ - hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) { - isc_buffer_t b; - isc_result_t ret; -- int bytes; -- unsigned char data[HMAC_LEN]; -+ unsigned int bytes; -+ unsigned char data[ISC_SHA384_BLOCK_LENGTH]; - - bytes = (key->key_size + 7) / 8; -- if (bytes > HMAC_LEN) { -- bytes = HMAC_LEN; -- key->key_size = HMAC_LEN * 8; -+ if (bytes > ISC_SHA384_BLOCK_LENGTH) { -+ bytes = ISC_SHA384_BLOCK_LENGTH; -+ key->key_size = ISC_SHA384_BLOCK_LENGTH * 8; - } - -- memset(data, 0, HMAC_LEN); -+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) -@@ -1246,7 
+1255,7 @@ - isc_buffer_init(&b, data, bytes); - isc_buffer_add(&b, bytes); - ret = hmacsha384_fromdns(key, &b); -- memset(data, 0, ISC_SHA384_DIGESTLENGTH); -+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH); - - return (ret); - } -@@ -1260,6 +1269,7 @@ - static void - hmacsha384_destroy(dst_key_t *key) { - dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384; -+ - memset(hkey, 0, sizeof(dst_hmacsha384_key_t)); - isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t)); - key->keydata.hmacsha384 = NULL; -@@ -1299,7 +1309,7 @@ - - memset(hkey->key, 0, sizeof(hkey->key)); - -- if (r.length > ISC_SHA384_DIGESTLENGTH) { -+ if (r.length > ISC_SHA384_BLOCK_LENGTH) { - isc_sha384_init(&sha384ctx); - isc_sha384_update(&sha384ctx, r.base, r.length); - isc_sha384_final(hkey->key, &sha384ctx); -@@ -1312,6 +1322,8 @@ - key->key_size = keylen * 8; - key->keydata.hmacsha384 = hkey; - -+ isc_buffer_forward(data, r.length); -+ - return (ISC_R_SUCCESS); - } - -@@ -1413,7 +1425,7 @@ - static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data); - - struct dst_hmacsha512_key { -- unsigned char key[ISC_SHA512_DIGESTLENGTH]; -+ unsigned char key[ISC_SHA512_BLOCK_LENGTH]; - }; - - static isc_result_t -@@ -1424,7 +1436,7 @@ - hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t)); - if (hmacsha512ctx == NULL) - return (ISC_R_NOMEMORY); -- isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH); -+ isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH); - dctx->ctxdata.hmacsha512ctx = hmacsha512ctx; - return (ISC_R_SUCCESS); - } -@@ -1487,7 +1499,7 @@ - else if (hkey1 == NULL || hkey2 == NULL) - return (ISC_FALSE); - -- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH)) -+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH)) - return (ISC_TRUE); - else - return (ISC_FALSE); -@@ -1497,16 +1509,16 @@ - hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) { - isc_buffer_t b; - isc_result_t ret; -- 
int bytes; -- unsigned char data[HMAC_LEN]; -+ unsigned int bytes; -+ unsigned char data[ISC_SHA512_BLOCK_LENGTH]; - - bytes = (key->key_size + 7) / 8; -- if (bytes > HMAC_LEN) { -- bytes = HMAC_LEN; -- key->key_size = HMAC_LEN * 8; -+ if (bytes > ISC_SHA512_BLOCK_LENGTH) { -+ bytes = ISC_SHA512_BLOCK_LENGTH; -+ key->key_size = ISC_SHA512_BLOCK_LENGTH * 8; - } - -- memset(data, 0, HMAC_LEN); -+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) -@@ -1515,7 +1527,7 @@ - isc_buffer_init(&b, data, bytes); - isc_buffer_add(&b, bytes); - ret = hmacsha512_fromdns(key, &b); -- memset(data, 0, ISC_SHA512_DIGESTLENGTH); -+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH); - - return (ret); - } -@@ -1529,6 +1541,7 @@ - static void - hmacsha512_destroy(dst_key_t *key) { - dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512; -+ - memset(hkey, 0, sizeof(dst_hmacsha512_key_t)); - isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t)); - key->keydata.hmacsha512 = NULL; -@@ -1568,7 +1581,7 @@ - - memset(hkey->key, 0, sizeof(hkey->key)); - -- if (r.length > ISC_SHA512_DIGESTLENGTH) { -+ if (r.length > ISC_SHA512_BLOCK_LENGTH) { - isc_sha512_init(&sha512ctx); - isc_sha512_update(&sha512ctx, r.base, r.length); - isc_sha512_final(hkey->key, &sha512ctx); -@@ -1581,6 +1594,8 @@ - key->key_size = keylen * 8; - key->keydata.hmacsha512 = hkey; - -+ isc_buffer_forward(data, r.length); -+ - return (ISC_R_SUCCESS); - } - ---- old/lib/dns/include/dst/dst.h Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/include/dst/dst.h Mon Aug 24 00:18:23 2015 -@@ -65,6 +65,7 @@ - #define DST_ALG_HMACSHA256 163 /* XXXMPA */ - #define DST_ALG_HMACSHA384 164 /* XXXMPA */ - #define DST_ALG_HMACSHA512 165 /* XXXMPA */ -+#define DST_ALG_INDIRECT 252 - #define DST_ALG_PRIVATE 254 - #define DST_ALG_EXPAND 255 - #define DST_MAX_ALGS 255 ---- old/lib/dns/ncache.c Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/ncache.c Mon Aug 24 00:18:23 
2015 -@@ -35,7 +35,7 @@ - #define DNS_NCACHE_RDATA 20U - - /* -- * The format of an ncache rdata is a sequence of one or more records of -+ * The format of an ncache rdata is a sequence of zero or more records of - * the following format: - * - * owner name -@@ -665,13 +665,11 @@ - dns_name_fromregion(&tname, &remaining); - INSIST(remaining.length >= tname.length); - isc_buffer_forward(&source, tname.length); -- remaining.length -= tname.length; -- remaining.base += tname.length; -+ isc_region_consume(&remaining, tname.length); - - INSIST(remaining.length >= 2); - type = isc_buffer_getuint16(&source); -- remaining.length -= 2; -- remaining.base += 2; -+ isc_region_consume(&remaining, 2); - - if (type != dns_rdatatype_rrsig || - !dns_name_equal(&tname, name)) { -@@ -683,8 +681,7 @@ - INSIST(remaining.length >= 1); - trust = isc_buffer_getuint8(&source); - INSIST(trust <= dns_trust_ultimate); -- remaining.length -= 1; -- remaining.base += 1; -+ isc_region_consume(&remaining, 1); - - raw = remaining.base; - count = raw[0] * 256 + raw[1]; ---- old/lib/dns/openssldh_link.c Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/openssldh_link.c Mon Aug 24 00:18:23 2015 -@@ -1,5 +1,5 @@ - /* -- * Portions Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC") -+ * Portions Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 1999-2002 Internet Software Consortium. 
- * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -93,7 +93,7 @@ - if (r.length < len) - return (ISC_R_NOSPACE); - ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv); -- if (ret == 0) -+ if (ret <= 0) - return (dst__openssl_toresult2("DH_compute_key", - DST_R_COMPUTESECRETFAILURE)); - isc_buffer_add(secret, len); -@@ -236,8 +236,10 @@ - - static void - uint16_toregion(isc_uint16_t val, isc_region_t *region) { -- *region->base++ = (val & 0xff00) >> 8; -- *region->base++ = (val & 0x00ff); -+ *region->base = (val & 0xff00) >> 8; -+ isc_region_consume(region, 1); -+ *region->base = (val & 0x00ff); -+ isc_region_consume(region, 1); - } - - static isc_uint16_t -@@ -248,7 +250,8 @@ - val = ((unsigned int)(cp[0])) << 8; - val |= ((unsigned int)(cp[1])); - -- region->base += 2; -+ isc_region_consume(region, 2); -+ - return (val); - } - -@@ -289,16 +292,16 @@ - } - else - BN_bn2bin(dh->p, r.base); -- r.base += plen; -+ isc_region_consume(&r, plen); - - uint16_toregion(glen, &r); - if (glen > 0) - BN_bn2bin(dh->g, r.base); -- r.base += glen; -+ isc_region_consume(&r, glen); - - uint16_toregion(publen, &r); - BN_bn2bin(dh->pub_key, r.base); -- r.base += publen; -+ isc_region_consume(&r, publen); - - isc_buffer_add(data, dnslen); - -@@ -339,10 +342,12 @@ - return (DST_R_INVALIDPUBLICKEY); - } - if (plen == 1 || plen == 2) { -- if (plen == 1) -- special = *r.base++; -- else -+ if (plen == 1) { -+ special = *r.base; -+ isc_region_consume(&r, 1); -+ } else { - special = uint16_fromregion(&r); -+ } - switch (special) { - case 1: - dh->p = &bn768; -@@ -357,10 +362,9 @@ - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } -- } -- else { -+ } else { - dh->p = BN_bin2bn(r.base, plen, NULL); -- r.base += plen; -+ isc_region_consume(&r, plen); - } - - /* -@@ -391,8 +395,7 @@ - return (DST_R_INVALIDPUBLICKEY); - } - } -- } -- else { -+ } else { - if (glen == 0) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); -@@ -399,7 +402,7 @@ - } - dh->g = 
BN_bin2bn(r.base, glen, NULL); - } -- r.base += glen; -+ isc_region_consume(&r, glen); - - if (r.length < 2) { - DH_free(dh); -@@ -411,7 +414,7 @@ - return (DST_R_INVALIDPUBLICKEY); - } - dh->pub_key = BN_bin2bn(r.base, publen, NULL); -- r.base += publen; -+ isc_region_consume(&r, publen); - - key->key_size = BN_num_bits(dh->p); - -@@ -577,11 +580,11 @@ - - s = strchr(hexdigits, tolower((unsigned char)str[i])); - RUNTIME_CHECK(s != NULL); -- high = s - hexdigits; -+ high = (unsigned int)(s - hexdigits); - - s = strchr(hexdigits, tolower((unsigned char)str[i + 1])); - RUNTIME_CHECK(s != NULL); -- low = s - hexdigits; -+ low = (unsigned int)(s - hexdigits); - - data[i/2] = (unsigned char)((high << 4) + low); - } ---- old/lib/dns/openssldsa_link.c Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/openssldsa_link.c Mon Aug 24 00:18:23 2015 -@@ -1,5 +1,5 @@ - /* -- * Portions Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") -+ * Portions Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 1999-2002 Internet Software Consortium. 
- * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -137,6 +137,7 @@ - DSA *dsa = key->keydata.dsa; - isc_region_t r; - DSA_SIG *dsasig; -+ unsigned int klen; - #if USE_EVP - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey; -@@ -209,11 +210,17 @@ - "DSA_do_sign", - DST_R_SIGNFAILURE)); - #endif -- *r.base++ = (key->key_size - 512)/64; -+ -+ klen = (key->key_size - 512)/64; -+ if (klen > 255) -+ return (ISC_R_FAILURE); -+ *r.base = klen; -+ isc_region_consume(&r, 1); -+ - BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); -- r.base += ISC_SHA1_DIGESTLENGTH; -+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); -- r.base += ISC_SHA1_DIGESTLENGTH; -+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - DSA_SIG_free(dsasig); - isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); - -@@ -416,15 +423,16 @@ - if (r.length < (unsigned int) dnslen) - return (ISC_R_NOSPACE); - -- *r.base++ = t; -+ *r.base = t; -+ isc_region_consume(&r, 1); - BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); -- r.base += ISC_SHA1_DIGESTLENGTH; -+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); -- r.base += p_bytes; -+ isc_region_consume(&r, p_bytes); - BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); -- r.base += p_bytes; -+ isc_region_consume(&r, p_bytes); - BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); -- r.base += p_bytes; -+ isc_region_consume(&r, p_bytes); - - isc_buffer_add(data, dnslen); - -@@ -449,7 +457,8 @@ - return (ISC_R_NOMEMORY); - dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; - -- t = (unsigned int) *r.base++; -+ t = (unsigned int) *r.base; -+ isc_region_consume(&r, 1); - if (t > 8) { - DSA_free(dsa); - return (DST_R_INVALIDPUBLICKEY); -@@ -456,22 +465,22 @@ - } - p_bytes = 64 + 8 * t; - -- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { -+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { - 
DSA_free(dsa); - return (DST_R_INVALIDPUBLICKEY); - } - - dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); -- r.base += ISC_SHA1_DIGESTLENGTH; -+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - - dsa->p = BN_bin2bn(r.base, p_bytes, NULL); -- r.base += p_bytes; -+ isc_region_consume(&r, p_bytes); - - dsa->g = BN_bin2bn(r.base, p_bytes, NULL); -- r.base += p_bytes; -+ isc_region_consume(&r, p_bytes); - - dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); -- r.base += p_bytes; -+ isc_region_consume(&r, p_bytes); - - key->key_size = p_bytes * 8; - ---- old/lib/dns/opensslrsa_link.c Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/opensslrsa_link.c Mon Aug 24 00:18:23 2015 -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC") -+ * Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -908,6 +908,7 @@ - RSA *rsa; - isc_region_t r; - unsigned int e_bytes; -+ unsigned int length; - #if USE_EVP - EVP_PKEY *pkey; - #endif -@@ -915,6 +916,7 @@ - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); -+ length = r.length; - - rsa = RSA_new(); - if (rsa == NULL) -@@ -925,8 +927,8 @@ - RSA_free(rsa); - return (DST_R_INVALIDPUBLICKEY); - } -- e_bytes = *r.base++; -- r.length--; -+ e_bytes = *r.base; -+ isc_region_consume(&r, 1); - - if (e_bytes == 0) { - if (r.length < 2) { -@@ -933,9 +935,10 @@ - RSA_free(rsa); - return (DST_R_INVALIDPUBLICKEY); - } -- e_bytes = ((*r.base++) << 8); -- e_bytes += *r.base++; -- r.length -= 2; -+ e_bytes = (*r.base) << 8; -+ isc_region_consume(&r, 1); -+ e_bytes += *r.base; -+ isc_region_consume(&r, 1); - } - - if (r.length < e_bytes) { -@@ -943,14 +946,13 @@ - return (DST_R_INVALIDPUBLICKEY); - } - rsa->e = BN_bin2bn(r.base, e_bytes, NULL); -- r.base += e_bytes; -- r.length -= e_bytes; -+ isc_region_consume(&r, 
e_bytes); - - rsa->n = BN_bin2bn(r.base, r.length, NULL); - - key->key_size = BN_num_bits(rsa->n); - -- isc_buffer_forward(data, r.length); -+ isc_buffer_forward(data, length); - - #if USE_EVP - pkey = EVP_PKEY_new(); ---- old/lib/dns/resolver.c Mon Aug 24 00:18:24 2015 -+++ new/lib/dns/resolver.c Mon Aug 24 00:18:23 2015 -@@ -8572,6 +8572,12 @@ - - REQUIRE(VALID_RESOLVER(resolver)); - -+ /* -+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1. -+ */ -+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) -+ return (ISC_FALSE); -+ - #if USE_ALGLOCK - RWLOCK(&resolver->alglock, isc_rwlocktype_read); - #endif -@@ -8591,6 +8597,7 @@ - #endif - if (found) - return (ISC_FALSE); -+ - return (dst_algorithm_supported(alg)); - } - ---- old/lib/isc/include/isc/md5.h Mon Aug 24 00:18:24 2015 -+++ new/lib/isc/include/isc/md5.h Mon Aug 24 00:18:23 2015 -@@ -46,7 +46,8 @@ - #include - #include - --#define ISC_MD5_DIGESTLENGTH 16U -+#define ISC_MD5_DIGESTLENGTH 16U -+#define ISC_MD5_BLOCK_LENGTH 64U - - typedef struct { - isc_uint32_t buf[4]; ---- old/version Mon Aug 24 00:18:24 2015 -+++ new/version Mon Aug 24 00:18:23 2015 -@@ -10,4 +10,4 @@ - PATCHVER= - RELEASETYPE=-ESV - RELEASEVER=-R11 --EXTENSIONS=-P2 -+EXTENSIONS=-P3 diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/004-RT9171.patch --- a/components/bind/patches/004-RT9171.patch Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,209 +0,0 @@
-This patch was derived from ISC source differences between bind-9.9.8
-and bind-9.9.8-P1.
-
-diff -u -r bind-9.6-ESV-R11/CHANGES security_fix/CHANGES
---- bind-9.6-ESV-R11/CHANGES 2015-11-25 10:51:09.302761399 +0000
-+++ security_fix/CHANGES 2015-11-25 11:09:12.099398001 +0000
-@@ -1,3 +1,10 @@
-+ --- 9.6-ESV-R11-P4 released ---
-+
-+4260. [security] Insufficient testing when parsing a message allowed
-+ records with an incorrect class to be be accepted,
-+ triggering a REQUIRE failure when those records
-+ were subsequently cached. (CVE-2015-8000) [RT #40987]
-+
- --- 9.6-ESV-R11-P3 released ---
-
- 4168. [security] A buffer accounting error could trigger an
-diff -u -r bind-9.6-ESV-R11/lib/dns/include/dns/message.h security_fix/lib/dns/include/dns/message.h
---- bind-9.6-ESV-R11/lib/dns/include/dns/message.h 2014-01-27 19:00:45.000000000 +0000
-+++ security_fix/lib/dns/include/dns/message.h 2015-11-25 10:36:05.092923013 +0000
-@@ -15,8 +15,6 @@
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
--/* $Id$ */
--
- #ifndef DNS_MESSAGE_H
- #define DNS_MESSAGE_H 1
-
-@@ -207,6 +205,8 @@
- unsigned int verify_attempted : 1;
- unsigned int free_query : 1;
- unsigned int free_saved : 1;
-+ unsigned int tkey : 1;
-+ unsigned int rdclass_set : 1;
-
- unsigned int opt_reserved;
- unsigned int sig_reserved;
-@@ -1363,6 +1363,15 @@
- * \li other.
- */
-
-+void
-+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
-+/*%<
-+ * Set the expected class of records in the response.
-+ *
-+ * Requires:
-+ * \li msg be a valid message with parsing intent.
-+ */
-+
- ISC_LANG_ENDDECLS
-
- #endif /* DNS_MESSAGE_H */
-diff -u -r bind-9.6-ESV-R11/lib/dns/message.c security_fix/lib/dns/message.c
---- bind-9.6-ESV-R11/lib/dns/message.c 2014-01-27 19:00:45.000000000 +0000
-+++ security_fix/lib/dns/message.c 2015-11-25 10:36:05.089305076 +0000
-@@ -436,6 +436,8 @@
- m->saved.base = NULL;
- m->saved.length = 0;
- m->free_saved = 0;
-+ m->tkey = 0;
-+ m->rdclass_set = 0;
- m->querytsig = NULL;
- }
-
-@@ -1084,13 +1086,19 @@
- * If this class is different than the one we already read,
- * this is an error.
- */
-- if (msg->state == DNS_SECTION_ANY) {
-- msg->state = DNS_SECTION_QUESTION;
-+ if (msg->rdclass_set == 0) {
- msg->rdclass = rdclass;
-+ msg->rdclass_set = 1;
- } else if (msg->rdclass != rdclass)
- DO_FORMERR;
-
- /*
-+ * Is this a TKEY query?
-+ */
-+ if (rdtype == dns_rdatatype_tkey)
-+ msg->tkey = 1;
-+
-+ /*
- * Can't ask the same question twice.
- */
- result = dns_message_find(name, rdclass, rdtype, 0, NULL);
-@@ -1234,12 +1242,12 @@
- * If there was no question section, we may not yet have
- * established a class. Do so now.
- */
-- if (msg->state == DNS_SECTION_ANY &&
-+ if (msg->rdclass_set == 0 &&
- rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
- rdtype != dns_rdatatype_tsig && /* class is ANY */
- rdtype != dns_rdatatype_tkey) { /* class is undefined */
- msg->rdclass = rdclass;
-- msg->state = DNS_SECTION_QUESTION;
-+ msg->rdclass_set = 1;
- }
-
- /*
-@@ -1249,7 +1257,7 @@
- if (msg->opcode != dns_opcode_update
- && rdtype != dns_rdatatype_tsig
- && rdtype != dns_rdatatype_opt
-- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
-+ && rdtype != dns_rdatatype_key /* in a TKEY query */
- && rdtype != dns_rdatatype_sig /* SIG(0) */
- && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
- && msg->rdclass != dns_rdataclass_any
-@@ -1257,6 +1265,16 @@
- DO_FORMERR;
-
- /*
-+ * If this is not a TKEY query/response then the KEY
-+ * record's class needs to match.
-+ */
-+ if (msg->opcode != dns_opcode_update && !msg->tkey &&
-+ rdtype == dns_rdatatype_key &&
-+ msg->rdclass != dns_rdataclass_any &&
-+ msg->rdclass != rdclass)
-+ DO_FORMERR;
-+
-+ /*
- * Special type handling for TSIG, OPT, and TKEY.
- */
- if (rdtype == dns_rdatatype_tsig) {
-@@ -1370,6 +1388,10 @@
- skip_name_search = ISC_TRUE;
- skip_type_search = ISC_TRUE;
- issigzero = ISC_TRUE;
-+ } else {
-+ if (msg->rdclass != dns_rdataclass_any &&
-+ msg->rdclass != rdclass)
-+ DO_FORMERR;
- }
- } else
- covers = 0;
-@@ -1608,6 +1630,7 @@
- msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
-
- msg->header_ok = 1;
-+ msg->state = DNS_SECTION_QUESTION;
-
- /*
- * -1 means no EDNS.
-@@ -3491,3 +3514,15 @@
- dns_message_puttemprdatalist(message, &rdatalist);
- return (result);
- }
-+
-+void
-+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
-+
-+ REQUIRE(DNS_MESSAGE_VALID(msg));
-+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
-+ REQUIRE(msg->state == DNS_SECTION_ANY);
-+ REQUIRE(msg->rdclass_set == 0);
-+
-+ msg->rdclass = rdclass;
-+ msg->rdclass_set = 1;
-+}
-diff -u -r bind-9.6-ESV-R11/lib/dns/resolver.c security_fix/lib/dns/resolver.c
---- bind-9.6-ESV-R11/lib/dns/resolver.c 2015-11-25 10:51:09.306905077 +0000
-+++ security_fix/lib/dns/resolver.c 2015-11-25 10:48:57.126663153 +0000
-@@ -6614,6 +6614,8 @@
- goto done;
- }
-
-+ dns_message_setclass(message, fctx->res->rdclass);
-+
- result = dns_message_parse(message, &devent->buffer, 0);
- if (result != ISC_R_SUCCESS) {
- switch (result) {
-@@ -6686,6 +6690,12 @@
- */
- log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
-
-+ if (message->rdclass != fctx->res->rdclass) {
-+ resend = ISC_TRUE;
-+ FCTXTRACE("bad class");
-+ goto done;
-+ }
-+
- /*
- * Process receive opt record.
- */
-diff -u -r bind-9.6-ESV-R11/lib/dns/xfrin.c security_fix/lib/dns/xfrin.c
---- bind-9.6-ESV-R11/lib/dns/xfrin.c 2014-01-27 19:00:45.000000000 +0000
-+++ security_fix/lib/dns/xfrin.c 2015-11-25 10:36:05.092532938 +0000
-@@ -1205,6 +1205,8 @@
- msg->tsigctx = xfr->tsigctx;
- xfr->tsigctx = NULL;
-
-+ dns_message_setclass(msg, xfr->rdclass);
-+
- if (xfr->nmsg > 0)
- msg->tcp_continuation = 1;
-
---- bind-9.6-ESV-R11/version 2015-08-24 00:18:24.000000000 +0000
-+++ security_fix/version 2015-11-25 10:36:05.092532938 +0000
-@@ -10,4 +10,4 @@
- PATCHVER=
- RELEASETYPE=-ESV
- RELEASEVER=-R11
--EXTENSIONS=-P3
-+EXTENSIONS=-P4
diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/005-RT9522.patch
--- a/components/bind/patches/005-RT9522.patch Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,44 +0,0 @@ -This patch was derived from ISC source differences between bind-9.10.3-P2 and bind-9.10.3-P3 - -diff -r f899dcaa07f7 CHANGES ---- a/CHANGES Fri Jan 15 12:48:27 2016 +0000 -+++ b/CHANGES Fri Jan 15 13:12:34 2016 +0000 -@@ -1,3 +1,8 @@ -+ --- 9.6-ESV-R11-P5 released --- -+ -+4285. [security] Specific APL data could trigger a INSIST. -+ (CVE-2015-8704) [RT #41396] -+ - --- 9.6-ESV-R11-P4 released --- - - 4260. [security] Insufficient testing when parsing a message allowed -diff -r f899dcaa07f7 lib/dns/rdata/in_1/apl_42.c ---- a/lib/dns/rdata/in_1/apl_42.c Fri Jan 15 12:48:27 2016 +0000 -+++ b/lib/dns/rdata/in_1/apl_42.c Fri Jan 15 13:12:34 2016 +0000 -@@ -116,7 +116,7 @@ - isc_uint8_t len; - isc_boolean_t neg; - unsigned char buf[16]; -- char txt[sizeof(" !64000")]; -+ char txt[sizeof(" !64000:")]; - const char *sep = ""; - int n; - -@@ -140,7 +140,7 @@ - isc_region_consume(&sr, 1); - INSIST(len <= sr.length); - n = snprintf(txt, sizeof(txt), "%s%s%u:", sep, -- neg ? "!": "", afi); -+ neg ? "!" : "", afi); - INSIST(n < (int)sizeof(txt)); - RETERR(str_totext(txt, target)); - switch (afi) { -diff -r f899dcaa07f7 version ---- a/version Fri Jan 15 12:48:27 2016 +0000 -+++ b/version Fri Jan 15 13:12:34 2016 +0000 -@@ -10,4 +10,4 @@ - PATCHVER= - RELEASETYPE=-ESV - RELEASEVER=-R11 --EXTENSIONS=-P4 -+EXTENSIONS=-P5 diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/006-RT9857.patch --- a/components/bind/patches/006-RT9857.patch Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,516 +0,0 @@ -This patch was derived from ISC source differences between -bind-9.9.8-p3 and bind-9.9.8-p4 - -diff -r e13d04281504 CHANGES ---- a/CHANGES Thu Mar 03 13:53:44 2016 +0000 -+++ b/CHANGES Fri Mar 04 12:27:21 2016 +0000 -@@ -1,3 +1,12 @@ -+ --- 9.6-ESV-R11-P6 released --- -+ -+4319. [security] Fix resolver assertion failure due to improper -+ DNAME handling when parsing fetch reply messages. -+ (CVE-2016-1286) [RT #41753] -+ -+4318. [security] Malformed control messages can trigger assertions -+ in named and rndc. (CVE-2016-1285) [RT #41666] -+ - --- 9.6-ESV-R11-P5 released --- - - 4285. [security] Specific APL data could trigger a INSIST. -diff -r e13d04281504 bin/named/control.c ---- a/bin/named/control.c Thu Mar 03 13:53:44 2016 +0000 -+++ b/bin/named/control.c Fri Mar 04 12:27:21 2016 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") -+ * Copyright (C) 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -69,7 +69,7 @@ - #endif - - data = isccc_alist_lookup(message, "_data"); -- if (data == NULL) { -+ if (!isccc_alist_alistp(data)) { - /* - * No data section. - */ -diff -r e13d04281504 bin/named/controlconf.c ---- a/bin/named/controlconf.c Thu Mar 03 13:53:44 2016 +0000 -+++ b/bin/named/controlconf.c Fri Mar 04 12:27:21 2016 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2004-2008, 2011-2014 Internet Systems Consortium, Inc. ("ISC") -+ * Copyright (C) 2004-2008, 2011-2014, 2016 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -396,7 +396,7 @@ - * Limit exposure to replay attacks. 
- */ - _ctrl = isccc_alist_lookup(request, "_ctrl"); -- if (_ctrl == NULL) { -+ if (!isccc_alist_alistp(_ctrl)) { - log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup_request; - } -diff -r e13d04281504 bin/rndc/rndc.c ---- a/bin/rndc/rndc.c Thu Mar 03 13:53:44 2016 +0000 -+++ b/bin/rndc/rndc.c Fri Mar 04 12:27:21 2016 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC") -+ * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any -@@ -220,8 +220,8 @@ - DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); - - data = isccc_alist_lookup(response, "_data"); -- if (data == NULL) -- fatal("no data section in response"); -+ if (!isccc_alist_alistp(data)) -+ fatal("bad or missing data section in response"); - result = isccc_cc_lookupstring(data, "err", &errormsg); - if (result == ISC_R_SUCCESS) { - failed = ISC_TRUE; -@@ -283,8 +283,8 @@ - DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); - - _ctrl = isccc_alist_lookup(response, "_ctrl"); -- if (_ctrl == NULL) -- fatal("_ctrl section missing"); -+ if (!isccc_alist_alistp(_ctrl)) -+ fatal("bad or missing ctrl section in response"); - nonce = 0; - if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) - nonce = 0; -diff -r e13d04281504 lib/dns/resolver.c ---- a/lib/dns/resolver.c Thu Mar 03 13:53:44 2016 +0000 -+++ b/lib/dns/resolver.c Fri Mar 04 12:27:21 2016 +0000 -@@ -5364,21 +5364,17 @@ - } - - static inline isc_result_t --dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname, -- dns_fixedname_t *fixeddname) -+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, -+ unsigned int nlabels, dns_fixedname_t *fixeddname) - { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; -- unsigned int nlabels; -- int order; -- dns_namereln_t 
namereln; - dns_rdata_dname_t dname; - dns_fixedname_t prefix; - - /* - * Get the target name of the DNAME. - */ -- - result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) - return (result); -@@ -5387,14 +5383,6 @@ - if (result != ISC_R_SUCCESS) - return (result); - -- /* -- * Get the prefix of qname. -- */ -- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); -- if (namereln != dns_namereln_subdomain) { -- dns_rdata_freestruct(&dname); -- return (DNS_R_FORMERR); -- } - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); - dns_fixedname_init(fixeddname); -@@ -5789,13 +5777,13 @@ - answer_response(fetchctx_t *fctx) { - isc_result_t result; - dns_message_t *message; -- dns_name_t *name, *qname, tname, *ns_name; -+ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, chaining, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; - unsigned int aflag; - dns_rdatatype_t type; -- dns_fixedname_t dname, fqname; -+ dns_fixedname_t fdname, fqname; - - FCTXTRACE("answer_response"); - -@@ -5821,10 +5809,15 @@ - type = fctx->type; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { -+ dns_namereln_t namereln; -+ int order; -+ unsigned int nlabels; -+ - name = NULL; - dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); -- if (dns_name_equal(name, qname)) { -+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels); -+ if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -@@ -5837,6 +5830,10 @@ - * NSEC3 records are not allowed to - * appear in the answer section. 
- */ -+ isc_log_write(dns_lctx, -+ DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, -+ ISC_LOG_NOTICE, "NSEC3 in answer"); - return (DNS_R_FORMERR); - } - if (rdataset->type == type && !found_cname) { -@@ -5878,8 +5875,18 @@ - */ - if (type == dns_rdatatype_rrsig || - type == dns_rdatatype_key || -- type == dns_rdatatype_nsec) -+ type == dns_rdatatype_nsec) { -+ char buf[DNS_RDATATYPE_FORMATSIZE]; -+ dns_rdatatype_format(fctx->type, -+ buf, sizeof(buf)); -+ isc_log_write(dns_lctx, -+ DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, -+ ISC_LOG_NOTICE, -+ "CNAME response " -+ "for %s RR", buf); - return (DNS_R_FORMERR); -+ } - found = ISC_TRUE; - found_cname = ISC_TRUE; - want_chaining = ISC_TRUE; -@@ -5921,10 +5928,11 @@ - */ - INSIST(!external); - if (aflag == -- DNS_RDATASETATTR_ANSWER) -+ DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; -- name->attributes |= -- DNS_NAMEATTR_ANSWER; -+ name->attributes |= -+ DNS_NAMEATTR_ANSWER; -+ } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = -@@ -5979,6 +5987,8 @@ - if (wanted_chaining) - chaining = ISC_TRUE; - } else { -+ dns_rdataset_t *dnameset = NULL; -+ - /* - * Look for a DNAME (or its SIG). Anything else is - * ignored. -@@ -5986,27 +5996,64 @@ - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -- rdataset = ISC_LIST_NEXT(rdataset, link)) { -- isc_boolean_t found_dname = ISC_FALSE; -- found = ISC_FALSE; -+ rdataset = ISC_LIST_NEXT(rdataset, link)) -+ { -+ /* -+ * Only pass DNAME or RRSIG(DNAME). -+ */ -+ if (rdataset->type != dns_rdatatype_dname && -+ (rdataset->type != dns_rdatatype_rrsig || -+ rdataset->covers != dns_rdatatype_dname)) -+ continue; -+ -+ /* -+ * If we're not chaining, then the DNAME and -+ * its signature should not be external. 
-+ */ -+ if (!chaining && external) { -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(name, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(&fctx->domain, obuf, -+ sizeof(obuf)); -+ isc_log_write(dns_lctx, -+ DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, -+ ISC_LOG_NOTICE, -+ "external DNAME or " -+ "RRSIG covering DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); -+ return (DNS_R_FORMERR); -+ } -+ -+ if (namereln != dns_namereln_subdomain) { -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(qname, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(name, obuf, -+ sizeof(obuf)); -+ isc_log_write(dns_lctx, -+ DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, -+ ISC_LOG_NOTICE, -+ "unrelated DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); -+ return (DNS_R_FORMERR); -+ } -+ - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { -- /* -- * We're looking for something else, -- * but we found a DNAME. -- * -- * If we're not chaining, then the -- * DNAME should not be external. -- */ -- if (!chaining && external) -- return (DNS_R_FORMERR); -- found = ISC_TRUE; - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; -- result = dname_target(rdataset, -- qname, name, -- &dname); -+ result = dname_target(rdataset, qname, -+ nlabels, &fdname); - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the -@@ -6018,81 +6065,68 @@ - } else if (result != ISC_R_SUCCESS) - return (result); - else -- found_dname = ISC_TRUE; -- } else if (rdataset->type == dns_rdatatype_rrsig -- && rdataset->covers == -- dns_rdatatype_dname) { -+ dnameset = rdataset; -+ -+ dname = dns_fixedname_name(&fdname); -+ } else { - /* - * We've found a signature that - * covers the DNAME. - */ -- found = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } - -- if (found) { -+ /* -+ * We've found an answer to our -+ * question. 
-+ */ -+ name->attributes |= DNS_NAMEATTR_CACHE; -+ rdataset->attributes |= DNS_RDATASETATTR_CACHE; -+ rdataset->trust = dns_trust_answer; -+ if (!chaining) { - /* -- * We've found an answer to our -- * question. -+ * This data is "the" answer to -+ * our question only if we're -+ * not chaining. - */ -- name->attributes |= -- DNS_NAMEATTR_CACHE; -- rdataset->attributes |= -- DNS_RDATASETATTR_CACHE; -- rdataset->trust = dns_trust_answer; -- if (!chaining) { -- /* -- * This data is "the" answer -- * to our question only if -- * we're not chaining. -- */ -- INSIST(!external); -- if (aflag == -- DNS_RDATASETATTR_ANSWER) -- have_answer = ISC_TRUE; -+ INSIST(!external); -+ if (aflag == DNS_RDATASETATTR_ANSWER) { -+ have_answer = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_ANSWER; -- rdataset->attributes |= aflag; -- if (aa) -- rdataset->trust = -- dns_trust_authanswer; -- } else if (external) { -- rdataset->attributes |= -- DNS_RDATASETATTR_EXTERNAL; - } -- -- /* -- * DNAME chaining. -- */ -- if (found_dname) { -- /* -- * Copy the dname into the -- * qname fixed name. -- * -- * Although we check for -- * failure of the copy -- * operation, in practice it -- * should never fail since -- * we already know that the -- * result fits in a fixedname. -- */ -- dns_fixedname_init(&fqname); -- result = dns_name_copy( -- dns_fixedname_name(&dname), -- dns_fixedname_name(&fqname), -- NULL); -- if (result != ISC_R_SUCCESS) -- return (result); -- wanted_chaining = ISC_TRUE; -- name->attributes |= -- DNS_NAMEATTR_CHAINING; -- rdataset->attributes |= -- DNS_RDATASETATTR_CHAINING; -- qname = dns_fixedname_name( -- &fqname); -- } -+ rdataset->attributes |= aflag; -+ if (aa) -+ rdataset->trust = -+ dns_trust_authanswer; -+ } else if (external) { -+ rdataset->attributes |= -+ DNS_RDATASETATTR_EXTERNAL; - } - } -+ -+ /* -+ * DNAME chaining. -+ */ -+ if (dnameset != NULL) { -+ /* -+ * Copy the dname into the qname fixed name. 
-+ * -+ * Although we check for failure of the copy -+ * operation, in practice it should never fail -+ * since we already know that the result fits -+ * in a fixedname. -+ */ -+ dns_fixedname_init(&fqname); -+ qname = dns_fixedname_name(&fqname); -+ result = dns_name_copy(dname, qname, NULL); -+ if (result != ISC_R_SUCCESS) -+ return (result); -+ wanted_chaining = ISC_TRUE; -+ name->attributes |= DNS_NAMEATTR_CHAINING; -+ dnameset->attributes |= -+ DNS_RDATASETATTR_CHAINING; -+ } - if (wanted_chaining) - chaining = ISC_TRUE; - } -@@ -6106,8 +6140,14 @@ - /* - * We should have found an answer. - */ -- if (!have_answer) -+ if (!have_answer) { -+ isc_log_write(dns_lctx, -+ DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, -+ ISC_LOG_NOTICE, -+ "reply has no answer"); - return (DNS_R_FORMERR); -+ } - - /* - * This response is now potentially cacheable. -diff -r e13d04281504 lib/isccc/cc.c ---- a/lib/isccc/cc.c Thu Mar 03 13:53:44 2016 +0000 -+++ b/lib/isccc/cc.c Fri Mar 04 12:27:21 2016 +0000 -@@ -286,10 +286,10 @@ - * Extract digest. - */ - _auth = isccc_alist_lookup(alist, "_auth"); -- if (_auth == NULL) -+ if (!isccc_alist_alistp(_auth)) - return (ISC_R_FAILURE); - hmd5 = isccc_alist_lookup(_auth, "hmd5"); -- if (hmd5 == NULL) -+ if (!isccc_sexpr_binaryp(hmd5)) - return (ISC_R_FAILURE); - /* - * Compute digest. 
-@@ -543,7 +543,7 @@ - REQUIRE(ackp != NULL && *ackp == NULL); - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -588,7 +588,7 @@ - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -601,7 +601,7 @@ - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -621,7 +621,7 @@ - - _ctrl = isccc_alist_lookup(message, "_ctrl"); - _data = isccc_alist_lookup(message, "_data"); -- if (_ctrl == NULL || _data == NULL || -+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -810,7 +810,7 @@ - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -diff -r e13d04281504 version ---- a/version Thu Mar 03 13:53:44 2016 +0000 -+++ b/version Fri Mar 04 12:27:21 2016 +0000 -@@ -10,4 +10,4 @@ - PATCHVER= - RELEASETYPE=-ESV - RELEASEVER=-R11 --EXTENSIONS=-P5 -+EXTENSIONS=-P6 diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/007-RT5818.patch --- a/components/bind/patches/007-RT5818.patch Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,22 +0,0 @@ -Subject of ISC Ticket RT5819, This in-house hack does not address the -issue as such but allows for consistent failure results. - ---- a/bin/tests/dst/Makefile.in Thu Mar 03 13:53:44 2016 +0000 -+++ b/bin/tests/dst/Makefile.in Sat Mar 05 14:22:01 2016 +0000 -@@ -49,7 +49,7 @@ - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dst_test.@O@ ${LIBS} - --t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB} randomfile -+t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - t_dst.@O@ ${TLIB} ${LIBS} - -@@ -58,7 +58,6 @@ - gsstest.@O@ ${LIBS} - - test: t_dst@EXEEXT@ randomfile -- ../genrandom@EXEEXT@ 100 randomfile - -@ ./t_dst@EXEEXT@ -q 1800 -a - - randomfile: diff -r cebcbbd80341 -r a498cb624014 components/bind/patches/008-configure.patch --- a/components/bind/patches/008-configure.patch Mon Jun 06 06:11:42 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,228 +0,0 @@ -Patch file created at Oracle to use krb5-config to discover libraries -and include paths for linking with gssapi. - -Intention is to share patch with ISC for their inclusion in future -releases of BIND. - -diff -r 5650ddc7a736 -r 13365deff14a configure.in ---- a/configure.in Fri May 27 19:07:55 2016 +0100 -+++ b/configure.in Tue May 31 12:51:40 2016 +0100 -@@ -752,6 +752,49 @@ - [ --with-gssapi=PATH Specify path for system-supplied GSSAPI], - use_gssapi="$withval", use_gssapi="no") - -+# first try using krb5-config, if that does not work then fall back to "yes" method. -+if test "$use_gssapi" = "krb5-config" -+then -+ AC_MSG_RESULT(trying krb5_config) -+ AC_PATH_PROG(KRB5_CONFIG, krb5-config) -+ gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` -+ gssapi_libs=`$KRB5_CONFIG --libs gssapi` -+ saved_cppflags="$CPPFLAGS" -+ CPPFLAGS="$gssapi_cflags $CPPFLAGS" -+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h, -+ [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"]) -+ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then -+ AC_MSG_RESULT([krb5-config: gssapi.h not found]) -+ CPPFLAGS="$saved_cppflags" -+ use_gssapi="yes" -+ else -+ AC_CHECK_HEADERS(krb5/krb5.h krb5.h, -+ [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"]) -+ if test "$ISC_PLATFORM_KRB5HEADER" = ""; then -+ AC_MSG_RESULT([krb5-config: krb5.h not found]) -+ CPPFLAGS="$saved_cppflags" -+ use_gssapi="yes" -+ else -+ CPPFLAGS="$saved_cppflags" -+ saved_libs="$LIBS" -+ LIBS=$gssapi_libs -+ AC_MSG_CHECKING([krb5-config linking as $LIBS]) -+ AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()], -+ gssapi_linked=yes, gssapi_linked=no) -+ case $gssapi_linked in -+ yes) AC_MSG_RESULT([krb5-config: linked]);; -+ no) AC_MSG_RESULT([krb5-config: could not determine proper GSSAPI linkage]) -+ use_gssapi="yes" -+ ;; -+ esac -+ LIBS=$saved_libs -+ fi -+ fi -+ if test "$use_gssapi" = "yes"; then -+ AC_MSG_CHECKING([for GSSAPI library, non krb5-config method]) -+ fi 
-+fi -+ - gssapidirs="/usr/local /usr/pkg /usr/kerberos /usr" - if test "$use_gssapi" = "yes" - then -@@ -773,6 +816,11 @@ - yes) - AC_MSG_ERROR([--with-gssapi must specify a path]) - ;; -+ krb5-config) -+ USE_GSSAPI='-DGSSAPI' -+ DST_GSSAPI_INC="$gssapi_cflags" -+ DNS_GSSAPI_LIBS="$gssapi_libs" -+ ;; - *) - AC_MSG_RESULT(looking in $use_gssapi/lib) - USE_GSSAPI='-DGSSAPI' -diff -r 5650ddc7a736 -r 13365deff14a configure ---- a/configure Fri May 27 19:07:55 2016 +0100 -+++ b/configure Tue May 31 12:51:40 2016 +0100 -@@ -794,6 +794,7 @@ - ISC_PLATFORM_KRB5HEADER - ISC_PLATFORM_GSSAPIHEADER - ISC_PLATFORM_HAVEGSSAPI -+KRB5_CONFIG - USE_PKCS11 - OPENSSLLINKSRCS - OPENSSLLINKOBJS -@@ -13519,6 +13520,133 @@ - fi - - -+# first try using krb5-config, if that does not work then fall back to "yes" method. -+if test "$use_gssapi" = "krb5-config" -+then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: trying krb5_config" >&5 -+$as_echo "trying krb5_config" >&6; } -+ # Extract the first word of "krb5-config", so it can be a program name with args. -+set dummy krb5-config; ac_word=$2 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if ${ac_cv_path_KRB5_CONFIG+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ case $KRB5_CONFIG in -+ [\\/]* | ?:[\\/]*) -+ ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path. -+ ;; -+ *) -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. 
-+ for ac_exec_ext in '' $ac_executable_extensions; do -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -+ ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext" -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ break 2 -+ fi -+done -+ done -+IFS=$as_save_IFS -+ -+ ;; -+esac -+fi -+KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG -+if test -n "$KRB5_CONFIG"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5 -+$as_echo "$KRB5_CONFIG" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ -+ gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` -+ gssapi_libs=`$KRB5_CONFIG --libs gssapi` -+ saved_cppflags="$CPPFLAGS" -+ CPPFLAGS="$gssapi_cflags $CPPFLAGS" -+ for ac_header in gssapi.h gssapi/gssapi.h -+do : -+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : -+ cat >>confdefs.h <<_ACEOF -+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -+_ACEOF -+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" -+fi -+ -+done -+ -+ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: gssapi.h not found" >&5 -+$as_echo "krb5-config: gssapi.h not found" >&6; } -+ CPPFLAGS="$saved_cppflags" -+ use_gssapi="yes" -+ else -+ for ac_header in krb5/krb5.h krb5.h -+do : -+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : -+ cat >>confdefs.h <<_ACEOF -+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -+_ACEOF -+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" -+fi -+ -+done -+ -+ if test "$ISC_PLATFORM_KRB5HEADER" = ""; then -+ { $as_echo 
"$as_me:${as_lineno-$LINENO}: result: krb5-config: krb5.h not found" >&5 -+$as_echo "krb5-config: krb5.h not found" >&6; } -+ CPPFLAGS="$saved_cppflags" -+ use_gssapi="yes" -+ else -+ CPPFLAGS="$saved_cppflags" -+ saved_libs="$LIBS" -+ LIBS=$gssapi_libs -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config linking as $LIBS" >&5 -+$as_echo_n "checking krb5-config linking as $LIBS... " >&6; } -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+int -+main () -+{ -+gss_acquire_cred();krb5_init_context() -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ gssapi_linked=yes -+else -+ gssapi_linked=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+ case $gssapi_linked in -+ yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: linked" >&5 -+$as_echo "krb5-config: linked" >&6; };; -+ no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: could not determine proper GSSAPI linkage" >&5 -+$as_echo "krb5-config: could not determine proper GSSAPI linkage" >&6; } -+ use_gssapi="yes" -+ ;; -+ esac -+ LIBS=$saved_libs -+ fi -+ fi -+ if test "$use_gssapi" = "yes"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library, non krb5-config method" >&5 -+$as_echo_n "checking for GSSAPI library, non krb5-config method... " >&6; } -+ fi -+fi -+ - gssapidirs="/usr/local /usr/pkg /usr/kerberos /usr" - if test "$use_gssapi" = "yes" - then -@@ -13541,6 +13669,11 @@ - yes) - as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5 - ;; -+ krb5-config) -+ USE_GSSAPI='-DGSSAPI' -+ DST_GSSAPI_INC="$gssapi_cflags" -+ DNS_GSSAPI_LIBS="$gssapi_libs" -+ ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5 - $as_echo "looking in $use_gssapi/lib" >&6; } diff -r cebcbbd80341 -r a498cb624014 components/bind/test/results-i386.master --- a/components/bind/test/results-i386.master Mon Jun 06 06:11:42 2016 -0700 
+++ b/components/bind/test/results-i386.master Thu Jun 16 13:48:33 2016 +0100
@@ -4,6 +4,16 @@
 (test -f unit/unittest.sh && /bin/bash unit/unittest.sh) || status=1; \
 exit $status
 make[2]: Entering directory '$(@D)/bin/tests'
+make[3]: Entering directory '$(@D)/bin/tests/atomic'
+S:$(@D)/bin/tests/atomic/.libs/t_atomic:
+T:test_atomic_xadd:1:A
+A:ensure that isc_atomic_xadd() works.
+R:PASS
+T:test_atomic_xaddq:1:A
+A:ensure that isc_atomic_xaddq() works.
+R:PASS
+E:$(@D)/bin/tests/atomic/.libs/t_atomic:
+make[3]: Leaving directory '$(@D)/bin/tests/atomic'
 make[3]: Entering directory '$(@D)/bin/tests/db'
 S:$(@D)/bin/tests/db/.libs/t_db:
 T:dns_db_load:1:A
@@ -84,15 +94,15 @@
 E:$(@D)/bin/tests/db/.libs/t_db:
 make[3]: Leaving directory '$(@D)/bin/tests/db'
 make[3]: Entering directory '$(@D)/bin/tests/dst'
-../genrandom 100 randomfile
+../../tools/genrandom 100 randomfile
+../../tools/genrandom 100 randomfile
 S:$(@D)/bin/tests/dst/.libs/t_dst:
 T:dst:1:A
 A:the dst module provides the capability to generate, store and retrieve public and private keys, sign and verify data using the RSA, DSA and MD5 algorithms, and compute Diffie-Hellman shared secrets.
 R:PASS
 T:dst:2:A
 A:the dst module provides the capability to verify data signed with the RSA and DSA algorithms
-$(SOURCE_DIR)/lib/dns/dst_api.c:217: fatal error: RUNTIME_CHECK(dst_initialized == isc_boolean_true) failed
-R:UNRESOLVED
+R:PASS
 E:$(@D)/bin/tests/dst/.libs/t_dst:
 make[3]: Leaving directory '$(@D)/bin/tests/dst'
 make[3]: Entering directory '$(@D)/bin/tests/master'
@@ -309,6 +319,25 @@
 R:PASS
 E:$(@D)/bin/tests/rbt/.libs/t_rbt:
 make[3]: Leaving directory '$(@D)/bin/tests/rbt'
+make[3]: Entering directory '$(@D)/bin/tests/resolver'
+S:$(@D)/bin/tests/resolver/.libs/t_resolver:
+T:test_dns_resolver_create:1:A
+A:a resolver can be created successfully
+R:PASS
+T:test_dns_resolver_settimeout:1:A
+A:_settimeout() can change the timeout to a non-default
+R:PASS
+T:test_dns_resolver_gettimeout:1:A
+A:The default timeout is returned from _gettimeout()
+R:PASS
+T:test_dns_resolver_settimeout_to_default:1:A
+A:_settimeout() can change the timeout back to a default value by specifying 0 as the timeout.
+R:PASS
+T:test_dns_resolver_settimeout_over_maximum:1:A
+A:_settimeout() cannot set the value larger than the maximum.
+R:PASS
+E:$(@D)/bin/tests/resolver/.libs/t_resolver:
+make[3]: Leaving directory '$(@D)/bin/tests/resolver'
 make[3]: Entering directory '$(@D)/bin/tests/sockaddr'
 S:$(@D)/bin/tests/sockaddr/.libs/t_sockaddr:
 T:isc_sockaddr_eqaddrprefix:1:A
@@ -373,13 +402,43 @@
 E:$(@D)/bin/tests/timers/.libs/t_timers:
 make[3]: Leaving directory '$(@D)/bin/tests/timers'
 make[3]: Entering directory '$(@D)/bin/tests/system'
+making all in $(@D)/bin/tests/system/builtin
+make[4]: Entering directory '$(@D)/bin/tests/system/builtin'
+make[4]: Leaving directory '$(@D)/bin/tests/system/builtin'
+making all in $(@D)/bin/tests/system/dlzexternal
+make[4]: Entering directory '$(@D)/bin/tests/system/dlzexternal'
+make[4]: Leaving directory '$(@D)/bin/tests/system/dlzexternal'
+making all in $(@D)/bin/tests/system/fetchlimit
+make[4]: Entering directory '$(@D)/bin/tests/system/fetchlimit'
+make[4]: Leaving directory '$(@D)/bin/tests/system/fetchlimit'
+making all in $(@D)/bin/tests/system/filter-aaaa
+make[4]: Entering directory '$(@D)/bin/tests/system/filter-aaaa'
+make[4]: Leaving directory '$(@D)/bin/tests/system/filter-aaaa'
+making all in $(@D)/bin/tests/system/geoip
+make[4]: Entering directory '$(@D)/bin/tests/system/geoip'
+make[4]: Leaving directory '$(@D)/bin/tests/system/geoip'
 making all in $(@D)/bin/tests/system/lwresd
 make[4]: Entering directory '$(@D)/bin/tests/system/lwresd'
 make[4]: Leaving directory '$(@D)/bin/tests/system/lwresd'
+making all in $(@D)/bin/tests/system/rpz
+make[4]: Entering directory '$(@D)/bin/tests/system/rpz'
+make[4]: Leaving directory '$(@D)/bin/tests/system/rpz'
+making all in $(@D)/bin/tests/system/rsabigexponent
+make[4]: Entering directory '$(@D)/bin/tests/system/rsabigexponent'
+make[4]: Leaving directory '$(@D)/bin/tests/system/rsabigexponent'
+making all in $(@D)/bin/tests/system/statistics
+make[4]: Entering directory '$(@D)/bin/tests/system/statistics'
+make[4]: Leaving directory '$(@D)/bin/tests/system/statistics'
 making all in $(@D)/bin/tests/system/tkey
 make[4]: Entering directory '$(@D)/bin/tests/system/tkey'
 make[4]: Leaving directory '$(@D)/bin/tests/system/tkey'
+making all in $(@D)/bin/tests/system/tsiggss
+make[4]: Entering directory '$(@D)/bin/tests/system/tsiggss'
+make[4]: Leaving directory '$(@D)/bin/tests/system/tsiggss'
 if test -f ./runall.sh; then sh ./runall.sh; fi
 make[3]: Leaving directory '$(@D)/bin/tests/system'
+make[3]: Entering directory '$(@D)/bin/tests/pkcs11'
+make[3]: Nothing to be done for 'test'.
+make[3]: Leaving directory '$(@D)/bin/tests/pkcs11'
 make[2]: Leaving directory '$(@D)/bin/tests'
 make[1]: Leaving directory '$(@D)'
diff -r cebcbbd80341 -r a498cb624014 components/bind/test/results-sparc.master
--- a/components/bind/test/results-sparc.master Mon Jun 06 06:11:42 2016 -0700
+++ b/components/bind/test/results-sparc.master Thu Jun 16 13:48:33 2016 +0100
@@ -4,6 +4,10 @@
 (test -f unit/unittest.sh && /bin/bash unit/unittest.sh) || status=1; \
 exit $status
 make[2]: Entering directory '$(@D)/bin/tests'
+make[3]: Entering directory '$(@D)/bin/tests/atomic'
+S:$(@D)/bin/tests/atomic/.libs/t_atomic:
+E:$(@D)/bin/tests/atomic/.libs/t_atomic:
+make[3]: Leaving directory '$(@D)/bin/tests/atomic'
 make[3]: Entering directory '$(@D)/bin/tests/db'
 S:$(@D)/bin/tests/db/.libs/t_db:
 T:dns_db_load:1:A
@@ -84,15 +88,15 @@
 E:$(@D)/bin/tests/db/.libs/t_db:
 make[3]: Leaving directory '$(@D)/bin/tests/db'
 make[3]: Entering directory '$(@D)/bin/tests/dst'
-../genrandom 100 randomfile
+../../tools/genrandom 100 randomfile
+../../tools/genrandom 100 randomfile
 S:$(@D)/bin/tests/dst/.libs/t_dst:
 T:dst:1:A
 A:the dst module provides the capability to generate, store and retrieve public and private keys, sign and verify data using the RSA, DSA and MD5 algorithms, and compute Diffie-Hellman shared secrets.
 R:PASS
 T:dst:2:A
 A:the dst module provides the capability to verify data signed with the RSA and DSA algorithms
-$(SOURCE_DIR)/lib/dns/dst_api.c:217: fatal error: RUNTIME_CHECK(dst_initialized == isc_boolean_true) failed
-R:UNRESOLVED
+R:PASS
 E:$(@D)/bin/tests/dst/.libs/t_dst:
 make[3]: Leaving directory '$(@D)/bin/tests/dst'
 make[3]: Entering directory '$(@D)/bin/tests/master'
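Review bot: The SPARC baseline added in the first hunk of results-sparc.master records `S:$(@D)/bin/tests/atomic/.libs/t_atomic:` followed directly by the matching `E:` line, with no `T:`/`R:` entries between them, while the i386 baseline in this changeset records `test_atomic_xadd` and `test_atomic_xaddq` as `R:PASS`. Taking that empty block as the expected output means a SPARC run in which no atomic test case executes compares clean, so a regression in isc_atomic_xadd() on that platform would presumably go unnoticed. If the cases are skipped on SPARC by design, state it in the commit description, for example `t_atomic runs no test cases on sparc (<REASON>); the empty S:/E: block is expected`; otherwise the empty block should be investigated before it becomes the baseline.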
@@ -309,6 +313,25 @@
 R:PASS
 E:$(@D)/bin/tests/rbt/.libs/t_rbt:
 make[3]: Leaving directory '$(@D)/bin/tests/rbt'
+make[3]: Entering directory '$(@D)/bin/tests/resolver'
+S:$(@D)/bin/tests/resolver/.libs/t_resolver:
+T:test_dns_resolver_create:1:A
+A:a resolver can be created successfully
+R:PASS
+T:test_dns_resolver_settimeout:1:A
+A:_settimeout() can change the timeout to a non-default
+R:PASS
+T:test_dns_resolver_gettimeout:1:A
+A:The default timeout is returned from _gettimeout()
+R:PASS
+T:test_dns_resolver_settimeout_to_default:1:A
+A:_settimeout() can change the timeout back to a default value by specifying 0 as the timeout.
+R:PASS
+T:test_dns_resolver_settimeout_over_maximum:1:A
+A:_settimeout() cannot set the value larger than the maximum.
+R:PASS
+E:$(@D)/bin/tests/resolver/.libs/t_resolver:
+make[3]: Leaving directory '$(@D)/bin/tests/resolver'
 make[3]: Entering directory '$(@D)/bin/tests/sockaddr'
 S:$(@D)/bin/tests/sockaddr/.libs/t_sockaddr:
 T:isc_sockaddr_eqaddrprefix:1:A
@@ -373,13 +396,43 @@
 E:$(@D)/bin/tests/timers/.libs/t_timers:
 make[3]: Leaving directory '$(@D)/bin/tests/timers'
 make[3]: Entering directory '$(@D)/bin/tests/system'
+making all in $(@D)/bin/tests/system/builtin
+make[4]: Entering directory '$(@D)/bin/tests/system/builtin'
+make[4]: Leaving directory '$(@D)/bin/tests/system/builtin'
+making all in $(@D)/bin/tests/system/dlzexternal
+make[4]: Entering directory '$(@D)/bin/tests/system/dlzexternal'
+make[4]: Leaving directory '$(@D)/bin/tests/system/dlzexternal'
+making all in $(@D)/bin/tests/system/fetchlimit
+make[4]: Entering directory '$(@D)/bin/tests/system/fetchlimit'
+make[4]: Leaving directory '$(@D)/bin/tests/system/fetchlimit'
+making all in $(@D)/bin/tests/system/filter-aaaa
+make[4]: Entering directory '$(@D)/bin/tests/system/filter-aaaa'
+make[4]: Leaving directory '$(@D)/bin/tests/system/filter-aaaa'
+making all in $(@D)/bin/tests/system/geoip
+make[4]: Entering directory '$(@D)/bin/tests/system/geoip'
+make[4]: Leaving directory '$(@D)/bin/tests/system/geoip'
 making all in $(@D)/bin/tests/system/lwresd
 make[4]: Entering directory '$(@D)/bin/tests/system/lwresd'
 make[4]: Leaving directory '$(@D)/bin/tests/system/lwresd'
+making all in $(@D)/bin/tests/system/rpz
+make[4]: Entering directory '$(@D)/bin/tests/system/rpz'
+make[4]: Leaving directory '$(@D)/bin/tests/system/rpz'
+making all in $(@D)/bin/tests/system/rsabigexponent
+make[4]: Entering directory '$(@D)/bin/tests/system/rsabigexponent'
+make[4]: Leaving directory '$(@D)/bin/tests/system/rsabigexponent'
+making all in $(@D)/bin/tests/system/statistics
+make[4]: Entering directory '$(@D)/bin/tests/system/statistics'
+make[4]: Leaving directory '$(@D)/bin/tests/system/statistics'
 making all in $(@D)/bin/tests/system/tkey
 make[4]: Entering directory '$(@D)/bin/tests/system/tkey'
 make[4]: Leaving directory '$(@D)/bin/tests/system/tkey'
+making all in $(@D)/bin/tests/system/tsiggss
+make[4]: Entering directory '$(@D)/bin/tests/system/tsiggss'
+make[4]: Leaving directory '$(@D)/bin/tests/system/tsiggss'
 if test -f ./runall.sh; then sh ./runall.sh; fi
 make[3]: Leaving directory '$(@D)/bin/tests/system'
+make[3]: Entering directory '$(@D)/bin/tests/pkcs11'
+make[3]: Nothing to be done for 'test'.
+make[3]: Leaving directory '$(@D)/bin/tests/pkcs11'
 make[2]: Leaving directory '$(@D)/bin/tests'
 make[1]: Leaving directory '$(@D)'
diff -r cebcbbd80341 -r a498cb624014 tools/.gnupg/pubring.gpg
Binary file tools/.gnupg/pubring.gpg has changed
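Review bot: The change to `tools/.gnupg/pubring.gpg` cannot be reviewed from this diff, which shows only `Binary file tools/.gnupg/pubring.gpg has changed`. This keyring is presumably what the build trusts when it verifies signed source archives, so any key added to it widens what the build accepts as authentic. The commit description should list the user ID and full fingerprint of each key added or removed, so a reviewer can compare them with the fingerprint the upstream project publishes through a separate channel. It would also help to confirm that no unrelated keys were added or dropped in the same change.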