9.8.0b1

parent acc2e6bc
--- 9.8.0b1 released ---
3008. [func] Response policy zones (RPZ) support. [RT #21726]
3007. [bug] Named failed to preserve the case of domain names in
rdata which is not compressible when writing master
files. [RT #22863]
3006. [func] Allow dynamically generated TSIG keys to be preserved
across restarts of named. Initially this is for
TSIG keys generated using GSSAPI. [RT #22639]
3005. [port] Solaris: Work around the lack of
gsskrb5_register_acceptor_identity() by setting
the KRB5_KTNAME environment variable to the
contents of tkey-gssapi-keytab. Also fixed
test errors on MacOSX. [RT #22853]
3004. [func] DNS64 reverse support. [RT #22769]
3003. [experimental] Added update-policy match type "external",
enabling named to defer the decision of whether to
allow a dynamic update to an external daemon.
(Contributed by Andrew Tridgell.) [RT #22758]
3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
[RT #22766]
3001. [func] Added a default trust anchor for the root zone, which
can be switched on by setting "dnssec-validation auto;"
in the named.conf options. [RT #21727]
3000. [bug] More TKEY/GSS fixes:
- nsupdate can now get the default realm from
the user's Kerberos principal
- corrected gsstest compilation flags
- improved documentation
- fixed some NULL dereferences
[RT #22795]
2999. [func] Add GOST support (RFC 5933). [RT #20639]
2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
to the task api. [RT #22776]
2997. [func] named -V now reports the OpenSSL and libxml2 verions
it was compiled against. [RT #22687]
2996. [security] Temporarily disable SO_ACCEPTFILTER support.
[RT #22589]
2995. [bug] The Kerberos realm was not being correctly extracted
from the signer's identity. [RT #22770]
2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
do not use threads on earlier versions. Also kill
the unproven-pthreads, mit-pthreads, and ptl2 support.
2993. [func] Dynamically grow adb hash tables. [RT #21186]
2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
for looking at a secure delegation. [RT #22059]
2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
dynamic zones. [RT #22365]
2990. [bug] 'dnssec-settime -S' no longer tests prepublication
interval validity when the interval is set to 0.
[RT #22761]
2989. [func] Added support for writable DLZ zones. (Contributed
by Andrew Tridgell of the Samba project.) [RT #22629]
2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
of external DLZ drivers that can be loaded as
shared objects at runtime rather than linked with
named. Currently this is switched on via a
compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones
is likely to be refined in future releases.
(Contributed by Andrew Tridgell of the Samba
project.) [RT #22629]
2987. [func] Improve ease of configuring TKEY/GSS updates by
adding a "tkey-gssapi-keytab" option. If set,
updates will be allowed with any key matching
a principal in the specified keytab file.
"tkey-gssapi-credential" is no longer required
and is expected to be deprecated. (Contributed
by Andrew Tridgell of the Samba project.)
[RT #22629]
2986. [func] Add new zone type "static-stub". It's like a stub
zone, but the nameserver names and/or their IP
addresses are statically configured. [RT #21474]
2985. [bug] Add a regression test for change #2896. [RT #21324]
2984. [bug] Don't run MX checks when the target of the MX record
is ".". [RT #22645]
2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
--- 9.8.0a1 released ---
2982. [bug] Reference count dst keys. dst_key_attach() can be used
......
Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
......@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
$Id: COPYRIGHT,v 1.16 2010/01/04 23:48:51 tbox Exp $
$Id: COPYRIGHT,v 1.17 2011-01-04 23:47:13 tbox Exp $
Portions Copyright (C) 1996-2001 Nominum, Inc.
......
.\" Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
......@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-dsfromkey.8,v 1.12 2010/05/19 01:14:14 tbox Exp $
.\" $Id: dnssec-dsfromkey.8,v 1.13 2010-12-24 01:14:20 tbox Exp $
.\"
.hy 0
.ad l
......@@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm.
.RS 4
Select the digest algorithm. The value of
\fBalgorithm\fR
must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive.
.RE
.PP
\-K \fIdirectory\fR
......@@ -139,5 +139,5 @@ RFC 4509.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC")
.br
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-dsfromkey.c,v 1.18 2010/01/11 23:48:37 tbox Exp $ */
/* $Id: dnssec-dsfromkey.c,v 1.19 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
......@@ -299,7 +299,7 @@ usage(void) {
fprintf(stderr, " -K <directory>: directory in which to find "
"key file or keyset file\n");
fprintf(stderr, " -a algorithm: digest algorithm "
"(SHA-1 or SHA-256)\n");
"(SHA-1, SHA-256 or GOST)\n");
fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n");
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
......@@ -414,6 +414,10 @@ main(int argc, char **argv) {
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
#ifdef HAVE_OPENSSL_GOST
else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST;
#endif
else
fatal("unknown algorithm %s", algname);
}
......
......@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-dsfromkey.docbook,v 1.10 2009/08/26 21:56:05 jreed Exp $ -->
<!-- $Id: dnssec-dsfromkey.docbook,v 1.12 2010-12-23 23:47:08 tbox Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
<date>August 26, 2009</date>
......@@ -38,6 +38,7 @@
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
......@@ -105,8 +106,8 @@
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
</para>
</listitem>
</varlistentry>
......
<!--
- Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
......@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-dsfromkey.html,v 1.12 2010/05/19 01:14:14 tbox Exp $ -->
<!-- $Id: dnssec-dsfromkey.html,v 1.13 2010-12-24 01:14:19 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -32,14 +32,14 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543461"></a><h2>DESCRIPTION</h2>
<a name="id2543464"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543473"></a><h2>OPTIONS</h2>
<a name="id2543476"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
......@@ -53,8 +53,8 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
......@@ -100,7 +100,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543659"></a><h2>EXAMPLE</h2>
<a name="id2543662"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
......@@ -115,7 +115,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543689"></a><h2>FILES</h2>
<a name="id2543692"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
......@@ -129,13 +129,13 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543724"></a><h2>CAVEAT</h2>
<a name="id2543728"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543734"></a><h2>SEE ALSO</h2>
<a name="id2543737"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
......@@ -145,7 +145,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543773"></a><h2>AUTHOR</h2>
<a name="id2543777"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
......
......@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keyfromlabel.8,v 1.17 2010/01/20 01:14:19 tbox Exp $
.\" $Id: dnssec-keyfromlabel.8,v 1.18 2010-12-24 01:14:20 tbox Exp $
.\"
.hy 0
.ad l
......@@ -47,7 +47,7 @@ of the key is specified on the command line. This must match the name of the zon
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. These values are case insensitive.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.31 2010/01/19 23:48:55 tbox Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.32 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
......@@ -55,7 +55,7 @@ int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512";
" RSASHA256 | RSASHA512 | ECCGOST";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
......@@ -364,7 +364,8 @@ main(int argc, char **argv) {
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512) {
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.17 2010/01/19 23:48:55 tbox Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.18 2010-12-23 04:07:59 marka Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
......@@ -93,7 +93,7 @@
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
These values are case insensitive.
</para>
<para>
......
......@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.html,v 1.16 2010/01/20 01:14:19 tbox Exp $ -->
<!-- $Id: dnssec-keyfromlabel.html,v 1.17 2010-12-24 01:14:19 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -51,7 +51,7 @@
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
These values are case insensitive.
</p>
<p>
......
......@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keygen.8,v 1.54 2010/08/17 01:15:25 tbox Exp $
.\" $Id: dnssec-keygen.8,v 1.55 2010-12-24 01:14:19 tbox Exp $
.\"
.hy 0
.ad l
......@@ -48,7 +48,7 @@ of the key is specified on the command line. For DNSSEC keys, this must match th
.RS 4
Selects the cryptographic algorithm. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
......@@ -81,7 +81,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256 and RSASHA512 algorithms are NSEC3\-capable.
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable.
.RE
.PP
\-C
......
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.114 2010/08/16 23:46:51 tbox Exp $ */
/* $Id: dnssec-keygen.c,v 1.115 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
......@@ -84,7 +84,7 @@ usage(void) {
fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
......@@ -101,6 +101,7 @@ usage(void) {
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
"by 64\n");
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
......@@ -129,6 +130,7 @@ usage(void) {
"records with (default: 0)\n");
fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
"use KEY for SIG(0))\n");
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " -t <type>: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
......@@ -542,7 +544,8 @@ main(int argc, char **argv) {
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
......@@ -574,9 +577,8 @@ main(int argc, char **argv) {
fprintf(stderr, "key size not "
"specified; defaulting "
"to %d\n", size);
} else {
} else if (alg != DST_ALG_ECCGOST)
fatal("key size not specified (-b option)");
}
}
if (!oldstyle && prepub > 0) {
......@@ -703,6 +705,8 @@ main(int argc, char **argv) {
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
case DST_ALG_ECCGOST:
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
......@@ -767,7 +771,8 @@ main(int argc, char **argv) {
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST) &&
rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
......@@ -839,6 +844,7 @@ main(int argc, char **argv) {
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
case DST_ALG_ECCGOST:
show_progress = ISC_TRUE;
/* fall through */
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.35 2010/08/16 23:46:51 tbox Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.36 2010-12-23 04:07:59 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
......@@ -114,7 +114,7 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
......@@ -184,7 +184,7 @@
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256 and RSASHA512 algorithms
default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
are NSEC3-capable.
</para>
</listitem>
......
......@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.46 2010/08/17 01:15:26 tbox Exp $ -->
<!-- $Id: dnssec-keygen.html,v 1.47 2010-12-24 01:14:20 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -53,7 +53,7 @@
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
......@@ -111,7 +111,7 @@
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256 and RSASHA512 algorithms
default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
are NSEC3-capable.
</p></dd>
<dt><span class="term">-C</span></dt>
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.27 2010/08/16 23:46:51 tbox Exp $ */
/* $Id: dnssec-settime.c,v 1.28 2010-12-19 07:29:36 each Exp $ */
/*! \file */
......@@ -386,7 +386,7 @@ main(int argc, char **argv) {
"generating a successor.");
pub = act - prepub;
if (pub < now)
if (pub < now && prepub != 0)
fatal("Predecessor will become inactive before the\n\t"
"prepublication period ends. Either change "
"its inactivation date,\n\t"
......
......@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.112 2010/11/18 23:20:15 marka Exp $
# $Id: Makefile.in,v 1.114 2010-12-22 09:00:40 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
......@@ -43,9 +43,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = @USE_DLZ@ @USE_PKCS11@
CDEFINES = @USE_DLZ@ @USE_PKCS11@ @USE_OPENSSL@
CWARNINGS =
......
/*
* Generated by bindkeys.pl 1.5 2010/06/20 23:46:45 tbox Exp
* From bind.keys 1.6 2010/06/20 07:15:28 marka Exp
* Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp
* From bind.keys 1.7 2011/01/03 23:45:07 each Exp
*/
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
trusted-keys {\n\
# NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# in named.conf.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\
"