9.9.3rc1

parent 813fc5c0
--- 9.9.3rc1 released ---
3546. [func] Add EUI48 and EUI64 types. [RT #33082]
3544. [contrib] check5011.pl: Script to report the status of
managed keys as recorded in managed-keys.bind.
Contributed by Tony Finch <dot@dotat.at>
3543. [bug] Update socket stucture before attaching to socket
manager after accept. [RT #33084]
3541. [bug] Parts of libdns were not properly initialized when
built in libexport mode. [RT #33028]
3540. [test] libt_api: t_info and t_assert were not thread safe.
3539. [port] win32: timestamp format didn't match other platforms.
3538. [test] Running "make test" now requires loopback interfaces
to be set up. [RT #32452]
3537. [tuning] Slave zones, when updated, now send NOTIFY messages
to peers before being dumped to disk rather than
after. [RT #27242]
3535. [bug] Minor win32 cleanups. [RT #32962]
3534. [bug] Extra text after an embedded NULL was ignored when
parsing zone files. [RT #32699]
3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
3531. [bug] win32: A uninitialized value could be returned on out
of memory. [RT #32960]
3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
3528. [func] New "dnssec-coverage" command scans the timing
metadata for a set of DNSSEC keys and reports if a
lapse in signing coverage has been scheduled
inadvertently. (Note: This tool depends on python;
it will not be built or installed on systems that
do not have a python interpreter.) [RT #28098]
3527. [compat] Add a URI to allow applications to explicitly
request a particular XML schema from the statistics
channel, returning 404 if not supported. [RT #32481]
3526. [cleanup] Set up dependencies for unit tests correctly during
build. [RT #32803]
3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
3520. [bug] 'mctx' was not being referenced counted in some places
where it should have been. [RT #32794]
--- 9.9.3b2 released ---
3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
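Review bot: Three of the new CHANGES entries need a wording fix before release: 3543 has "socket stucture" (structure), 3531 has "A uninitialized value" (An), and 3520 has "was not being referenced counted" (reference counted). These entries are copied into release notes, so fix them here.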
......@@ -37,8 +95,10 @@
terse, and none. "yes" and "no" are retained as
synonyms for full and terse, respectively. [RT #29165]
3500. [port] Support NAPTR regular expression validation on
all platforms. [RT #32688]
3500. [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
3499. [doc] Corrected ARM documentation of built-in zones.
[RT #32694]
......
Frequently Asked Questions about BIND 9
Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
......@@ -869,7 +869,7 @@ A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
key "rndc-key" {
algorithm hmac-md5;
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};
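Review bot: The example switches the algorithm to hmac-sha256 but keeps the old secret "uvceheVuqf17ZwIcTydddw==", which decodes to 16 bytes, the size typically generated for hmac-md5. Readers copy FAQ snippets verbatim, so either replace the value with an obvious placeholder or show a secret generated for hmac-sha256 at its full length, and say in the surrounding text that the secret has to be regenerated rather than reused. The same literal appears in the DocBook copy of this answer and should change with it.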
......
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -30,6 +30,7 @@
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
......@@ -1564,7 +1565,7 @@ rand_irqs="3 14 15"</programlisting>
<informalexample>
<programlisting>
key "rndc-key" {
algorithm hmac-md5;
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};</programlisting>
</informalexample>
......
# Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -61,9 +61,21 @@ tags:
rm -f TAGS
find lib bin -name "*.[ch]" -print | @ETAGS@ -
check: test
test:
test check:
@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>&- || echo fail`"; then \
echo I: NOTE: The tests were not run because they require that; \
echo I: the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
echo I: as alias addresses on the loopback interface. Please run; \
echo I: \'bin/tests/system/ifconfig.sh up\' as root to configure; \
echo I: them, then rerun the tests. Run make force-test to run the; \
echo I: tests anyway.; \
exit 1; \
fi
${MAKE} test-force
force-test: test-force
test-force:
status=0; \
(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \
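Review bot: In the new gate on the test/check target, `2>&-` closes stderr for testsock.pl instead of discarding it. A process that writes to a closed descriptor gets a write error, and any file it opens next can land on fd 2, so `2>/dev/null` is the safer way to silence it. The hint text says "make force-test" while the target that is invoked is test-force. Both names are defined here, so it works, but using one name in the message and the recipe would be less confusing.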
......
......@@ -54,7 +54,7 @@ BIND 9
BIND 9.9.3
BIND 9.9.3 is a maintenance release and patches the security
flaws described in CVE-2012-5688 and CVE-2012-5689.
flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
BIND 9.9.2
......
# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tests tools nsupdate \
SUBDIRS = named rndc dig dnssec tools tests nsupdate \
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
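Review bot: Moving tools ahead of tests in SUBDIRS is an undocumented ordering dependency. Elsewhere in this commit a test Makefile runs ../../tools/genrandom, so tests now needs tools built first. A one-line comment above SUBDIRS stating that would stop someone from re-sorting the list later.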
......
/*
* Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2008, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
......@@ -149,7 +149,7 @@ free_listener(controllistener_t *listener) {
if (listener->acl != NULL)
dns_acl_detach(&listener->acl);
isc_mem_put(listener->mctx, listener, sizeof(*listener));
isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
}
static void
......@@ -1066,8 +1066,9 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
result = ISC_R_NOMEMORY;
if (result == ISC_R_SUCCESS) {
listener->mctx = NULL;
isc_mem_attach(mctx, &listener->mctx);
listener->controls = cp;
listener->mctx = mctx;
listener->task = cp->server->task;
listener->address = *addr;
listener->sock = NULL;
......
/*
* Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
......@@ -80,11 +80,13 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
if (mgr == NULL)
return (ISC_R_NOMEMORY);
mgr->mctx = NULL;
isc_mem_attach(mctx, &mgr->mctx);
result = isc_mutex_init(&mgr->lock);
if (result != ISC_R_SUCCESS)
goto cleanup_mem;
mgr->mctx = mctx;
mgr->taskmgr = taskmgr;
mgr->socketmgr = socketmgr;
mgr->dispatchmgr = dispatchmgr;
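Review bot: The placement of isc_mem_attach() before isc_mutex_init() is now load-bearing and deserves a comment. The cleanup_mem path in the next hunk calls isc_mem_putanddetach(&mgr->mctx, ...), so any goto cleanup_mem reached before the attach would detach a NULL context. Note next to the attach that it must precede the first failure exit.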
......@@ -116,7 +118,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
ns_listenlist_detach(&mgr->listenon4);
ns_listenlist_detach(&mgr->listenon6);
cleanup_mem:
isc_mem_put(mctx, mgr, sizeof(*mgr));
isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
return (result);
}
......@@ -129,7 +131,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
clearlistenon(mgr);
DESTROYLOCK(&mgr->lock);
mgr->magic = 0;
isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
}
dns_aclenv_t *
......
......@@ -1622,6 +1622,14 @@ add_listener(ns_server_t *server, ns_statschannel_t **listenerp,
#ifdef HAVE_LIBXML2
isc_httpdmgr_addurl(listener->httpdmgr, "/", render_index, server);
isc_httpdmgr_addurl(listener->httpdmgr, "/xml", render_index, server);
#ifdef NEWSTATS
isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3", render_index,
server);
#else /* OLDSTATS */
isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v2", render_index,
server);
#endif /* NEWSTATS */
#endif
#ifdef NEWSTATS
isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.ver3.xsl", render_xsl,
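Review bot: The "404 if not supported" behaviour promised in CHANGES 3527 is only implicit here: under NEWSTATS just "/xml/v3" is registered, otherwise just "/xml/v2", and the other path fails because nothing is registered for it. Add a short comment saying so, since a later change that registers both paths to render_index would silently serve the wrong schema to a client that asked for a specific version. The "#else /* OLDSTATS */" comment also names a macro that is not tested anywhere in this hunk; "!NEWSTATS" would be more accurate.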
......
......@@ -22,17 +22,19 @@ top_srcdir = @top_srcdir@
PYTHON = @PYTHON@
TARGETS = dnssec-checkds
SRCS = dnssec-checkds.py
TARGETS = dnssec-checkds dnssec-coverage
SRCS = dnssec-checkds.py dnssec-coverage.py
MANPAGES = dnssec-checkds.8
HTMLPAGES = dnssec-checkds.html
MANPAGES = dnssec-checkds.8 dnssec-coverage.8
HTMLPAGES = dnssec-checkds.html dnssec-coverage.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-checkds: dnssec-checkds.py
dnssec-coverage: dnssec-coverage.py
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
......@@ -44,10 +46,12 @@ installdirs:
install:: ${TARGETS} installdirs
${INSTALL_PROGRAM} dnssec-checkds@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_PROGRAM} dnssec-coverage@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
clean distclean::
rm -f ${TARGETS}
distclean::
rm -f dnssec-checkds.py
rm -f dnssec-checkds.py dnssec-coverage.py
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-coverage">
<refentryinfo>
<date>April 16, 2012</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-coverage</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-coverage</application></refname>
<refpurpose>checks future DNSKEY coverage for a zone</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-coverage</command>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">DNSKEY TTL</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">max TTL</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">compilezone path</replaceable></option></arg>
<arg choice="opt">zone</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-coverage</command>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
coverage.
</para>
<para>
If <option>zone</option> is specified, then keys found in
the key repository matching that zone are scanned, and an ordered
list is generated of the events scheduled for that key (i.e.,
publication, activation, inactivation, deletion). The list of
events is walked in order of occurrence. Warnings are generated
if any event is scheduled which could cause the zone to enter a
state in which validation failures might occur: for example, if
the number of published or active keys for a given algorithm drops
to zero, or if a key is deleted from the zone too soon after a new
key is rolled, and cached data signed by the prior key has not had
time to expire from resolver caches.
</para>
<para>
If <option>zone</option> is not specified, then all keys in the
key repository will be scanned, and all zones for which there are
keys will be analyzed. (Note: This method of reporting is only
accurate if all the zones that have keys in a given repository
share the same TTL parameters.)
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
If a <option>file</option> is specified, then the zone is
read from that file; the largest TTL and the DNSKEY TTL are
determined directly from the zone data, and the
<option>-m</option> and <option>-d</option> options do
not need to be specified on the command line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">maximum TTL</replaceable></term>
<listitem>
<para>
Sets the value to be used as the maximum TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a zone-signing key is
deactivated, there must be enough time for the record in the
zone with the longest TTL to have expired from resolver caches
before that key can be purged from the DNSKEY RRset. If that
condition does not apply, a warning will be generated.
</para>
<para>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</para>
<para>
This option is mandatory unless the <option>-f</option> has
been used to specify a zone file. (If <option>-f</option> has
been specified, this option may still be used; it will overrde
the value found in the file.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">DNSKEY TTL</replaceable></term>
<listitem>
<para>
Sets the value to be used as the DNSKEY TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a key is rolled (that
is, replaced with a new key), there must be enough time
for the old DNSKEY RRset to have expired from resolver caches
before the new key is activated and begins generating
signatures. If that condition does not apply, a warning
will be generated.
</para>
<para>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</para>
<para>
This option is mandatory unless the <option>-f</option> has
been used to specify a zone file, or a default key TTL was
set with the <option>-L</option> to
<command>dnssec-keygen</command>. (If either of those is true,
this option may still be used; it will overrde the value found
in the zone or key file.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">resign interval</replaceable></term>
<listitem>
<para>
Sets the value to be used as the resign interval for the zone
or zones being analyzed when determining whether there is a
possibility of validation failure. This value defaults to
22.5 days, which is also the default in
<command>named</command>. However, if it has been changed
by the <option>sig-validity-interval</option> option in
<filename>named.conf</filename>, then it should also be
changed here.
</para>
<para>
The length of the interval can be set in seconds, or in larger
units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">compilezone path</replaceable></term>
<listitem>
<para>
Specifies a path to a <command>named-compilezone</command> binary.
Used for testing.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-dsfromkey</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
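Review bot: The new man page has "overrde" twice, in the -m and -d descriptions ("it will overrde the value found ..."). The synopsis and the option list also disagree on parameter names: the synopsis has "-m max TTL" and "-r interval" where the OPTIONS section has "-m maximum TTL" and "-r resign interval". Pick one form for each. The refentryinfo date is April 16, 2012 while the copyright year is 2013, which is worth checking.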
# Copyright (C) 2004, 2006-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2006-2010, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1999-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -49,7 +49,7 @@ dst_test@EXEEXT@: dst_test.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dst_test.@O@ ${LIBS}
t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB}
t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB} randomfile
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
t_dst.@O@ ${TLIB} ${LIBS}
......@@ -57,9 +57,29 @@ gsstest@EXEEXT@: gsstest.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
gsstest.@O@ ${LIBS}
test: t_dst@EXEEXT@
test: t_dst@EXEEXT@ randomfile
../../tools/genrandom@EXEEXT@ 100 randomfile
-@ ./t_dst@EXEEXT@ -q 1800 -a
randomfile:
../../tools/genrandom@EXEEXT@ 100 randomfile
-@ ./t_dst@EXEEXT@ -b @srcdir@ -q 1800 -a
clean distclean::
rm -f ${TARGETS} randomfile
distclean::
rm -f Kdh.+002+18602.key
rm -f Kdh.+002+18602.private
rm -f Kdh.+002+48957.key
rm -f Kdh.+002+48957.private
rm -f Ktest.+001+00002.key
rm -f Ktest.+001+54622.key
rm -f Ktest.+001+54622.private
rm -f Ktest.+003+23616.key
rm -f Ktest.+003+23616.private
rm -f Ktest.+003+49667.key
rm -f dst_2_data
rm -f t2_data_1
rm -f t2_data_2
rm -f t2_dsasig
rm -f t2_rsasig
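Review bot: The t_dst recipe line keeps its leading "-" in "-@ ./t_dst@EXEEXT@ -b @srcdir@ -q 1800 -a", so make ignores the exit status and a failing DST crypto test cannot fail this target. If that is deliberate because results are collected from the test output, say so in a comment. Otherwise drop the "-". The distclean list hard-codes generated key file names such as Kdh.+002+18602.key, so it will go stale if the test data changes. A pattern or a variable holding the list would be easier to maintain.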
# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
......@@ -30,4 +30,14 @@ do
status=`expr $status + $ret`
done
for db in zones/bad*.db
do
echo "I:checking $db ($n)"
ret=0
$CHECKZONE -i local example $db > test.out.$n 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
done
exit $status
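Review bot: The new bad*.db loop treats any non-zero exit from $CHECKZONE as a pass ("&& ret=1" only fires on success), so it cannot tell a correctly rejected zone from a missing binary or an unreadable file. If zones/bad*.db matches nothing, the literal pattern is passed through, named-checkzone fails, and the test passes without checking anything. Grep test.out.$n for the expected error text, or at least check that $db exists before running. Quoting "$db" and "$ret" would also be safer.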
......@@ -43,6 +43,7 @@ REVOKE=$TOP/bin/dnssec/dnssec-revoke
SETTIME=$TOP/bin/dnssec/dnssec-settime
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
CHECKDS=$TOP/bin/python/dnssec-checkds
COVERAGE=$TOP/bin/python/dnssec-coverage
CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s ${SLOT:-0} -p 1234"
......@@ -51,15 +52,16 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
ARPANAME=$TOP/bin/tools/arpaname
SAMPLE=$TOP/lib/export/samples/sample
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl additional allow_query addzone autosign builtin
cacheclean checkconf @CHECKDS@ checknames checkzone database
dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa formerr
forward glue gost ixfr inline limits logfileconfig lwresd
masterfile masterformat metadata notify nsupdate pending
cacheclean checkconf @CHECKDS@ checknames checkzone @COVERAGE@
database dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa
formerr forward glue gost ixfr inline limits logfileconfig
lwresd masterfile masterformat metadata notify nsupdate pending
pkcs11 redirect resolver rndc rpz rrsetorder rsabigexponent
sortlist smartsign staticstub stub tkey tsig tsiggss unknown
upforwd verify views wildcard xfer xferquota zonechecks"
......@@ -80,4 +82,4 @@ fi
export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \
PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6 \
JOURNALPRINT ARPANAME
JOURNALPRINT ARPANAME SAMPLE
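Review bot: SAMPLE is added to the export list but COVERAGE, defined earlier in this file as $TOP/bin/python/dnssec-coverage, is not. That is fine as long as every consumer sources conf.sh directly, but a test that runs a child script will see $COVERAGE empty. Either export it alongside SAMPLE or note why it is left out.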
This set includes one KSK rollover. The KSK is deactivated prior to
its replacement being activated. Tool output should resemble:
Checking KSK events for zone example.com, algorithm 7:
ERROR: After 2012-31-Jul (20:59:14):
Inactive: example.com/007/45435 (KSK)
No KSK's are active
Checking ZSK events for zone example.com, algorithm 7:
OK
args="-d 1h -m 2h"
warn=0
error=1
ok=1
retcode=1
match="No KSK's are active"
This set includes one ZSK rollover. The first ZSK is deactivated
prior to its replacement being activated. Tool output should resemble:
Checking KSK events for zone example.com, algorithm 7:
OK
Checking ZSK events for zone example.com, algorithm 7:
ERROR: After 2012-05-Dec (20:39:32):
Inactive: example.com/005/08376 (ZSK)
No ZSK's are active
args="-d 1h -m 2h"
warn=0
error=1
ok=1
retcode=1
match="No ZSK's are active"
This set contains one KSK rollover. The KSK is unpublished before its
successor is published. Tool output should resemble:
Checking KSK events for zone example.com, algorithm 7:
ERROR: After 2012-06-Oct (21:07:57):
Delete: example.com/007/23040 (KSK)
No KSK's are published
Checking ZSK events for zone example.com, algorithm 7:
OK
args="-d 1h -m 2h"
warn=1
error=1
ok=1