- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.7 2010/05/14 04:49:40 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.12 2010/08/16 22:27:17 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
Fetch all DNSSEC keys for the given zone
from the key directory (see
<command>key-directory</command> in
- <xref linkend="options"/>), and merge them
- into the zone's DNSKEY RRset. If the DNSKEY RRset
- is changed as a result of this, then the zone is
- automatically re-signed with the new key set.
+ <xref linkend="options"/>). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. If the DNSKEY RRset
+ is changed, then the zone is automatically
+ re-signed with the new key set.
</para>
<para>
This command requires that the
</listitem>
</varlistentry>
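Review bot: "publication period" is introduced by the rewritten sentence (`If they are within their publication period, merge them into the zone's DNSKEY RRset`) without saying what determines it; add a pointer to the keys' timing metadata (the `dnssec-settime` reference used in the `auto-dnssec` paragraph later in this patch) so an operator can tell why a key that is present in the key directory was not merged.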
+ <varlistentry>
+ <term><userinput>loadkeys <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see
+ <command>key-directory</command> in
+ <xref linkend="options"/>). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. Unlike <command>rndc
+ sign</command>, however, the zone is not
+ immediately re-signed by the new keys, but is
+ allowed to incrementally re-sign over time.
+ </para>
+ <para>
+ This command requires that the
+ <command>auto-dnssec</command> zone option to
+ be set to <literal>maintain</literal> or
+ <literal>create</literal>, and also requires
+ the zone to be configured to allow dynamic DNS.
+ See <xref linkend="dynamic_update_policies"/> for
+ more details.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><userinput>freeze
<optional><replaceable>zone</replaceable>
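Review bot: the second paragraph of the new `loadkeys` entry has a grammar slip: `This command requires that the auto-dnssec zone option to be set to maintain or create` mixes two constructions; either drop `that` (`requires the auto-dnssec zone option to be set`) or drop `to` (`requires that the auto-dnssec zone option be set`). The first paragraph would also benefit from one sentence on when an operator would prefer `rndc loadkeys` over `rndc sign`; the `auto-dnssec` paragraph later in the patch says it schedules key maintenance events, and repeating that here saves a cross-section lookup.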
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><userinput>secroots
+ <optional><replaceable>view ...</replaceable></optional></userinput></term>
+ <listitem>
+ <para>
+ Dump the server's security roots to the secroots
+ file for the specified views. If no view is
+ specified, security roots for all
+ views are dumped.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
<listitem>
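Review bot: the new `secroots` entry says the roots are dumped `to the secroots file` but does not say which file that is; add an xref to the `secroots-file` option introduced in this same patch (default `named.secroots`) so the reader can find the output.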
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><userinput>addzone
+ <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional>
+ <replaceable>configuration</replaceable>
+ </userinput></term>
+ <listitem>
+ <para>
+ Add a zone while the server is running. This
+ command requires the
+ <command>allow-new-zones</command> option to be set
+ to <userinput>yes</userinput>. The
+ <replaceable>configuration</replaceable> string
+ specified on the command line is the zone
+ configuration text that would ordinarily be
+ placed in <filename>named.conf</filename>.
+ </para>
+ <para>
+ The configuration is saved in a file called
+ <filename><replaceable>hash</replaceable>.nzf</filename>,
+ where <replaceable>hash</replaceable> is a
+ cryptographic hash generated from the name of
+ the view. When <command>named</command> is
+ restarted, the file will be loaded into the view
+ configuration, so that zones that were added
+ can persist after a restart.
+ </para>
+ <para>
+ This sample <command>addzone</command> command
+ would add the zone <literal>example.com</literal>
+ to the default view:
+ </para>
+ <para>
+<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
+ </para>
+ <para>
+ (Note the brackets and semi-colon around the zone
+ configuration text.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>delzone
+ <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional>
+ </userinput></term>
+ <listitem>
+ <para>
+ Delete a zone while the server is running.
+ Only zones that were originally added via
+ <command>rndc addzone</command> can be deleted
+ in this matter.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
<para>
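Review bot: `in this matter` in the `delzone` paragraph should be `in this manner`. In the `addzone` entry, `(Note the brackets and semi-colon around the zone configuration text.)` describes `{ ... };`, which uses braces, not brackets, and the semicolon follows the closing brace rather than surrounding the text; suggest `(Note the braces around the zone configuration text and the trailing semicolon.)`. The second paragraph says the configuration is saved to `hash.nzf` but not in which directory; since that file is re-read on restart and carries zone names and file paths that `named` will load, state where it lives so administrators know which path needs the same protection as `named.conf`.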
<optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional>
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
<optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
<optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
+ <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
<optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
<optional> edns-udp-size <replaceable>number</replaceable>; </optional>
<optional> max-udp-size <replaceable>number</replaceable>; </optional>
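Review bot: the new grammar line `allow-new-zones { yes_or_no };` wraps a boolean in braces, which the grammar reserves for lists (`allow-notify { address_match_list };`); the other booleans on the visible lines (`check-sibling yes_or_no;`, `match-mapped-addresses yes_or_no;`) take the bare value, and the `allow-new-zones` description added later in this patch also treats it as a plain yes/no. Change it to `allow-new-zones yes_or_no;`.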
the server can acquire through the default system
key file, normally <filename>/etc/krb5.keytab</filename>.
Normally this principal is of the form
- "<userinput>dns/</userinput><varname>server.domain</varname>".
+ "<userinput>DNS/</userinput><varname>server.domain</varname>".
To use GSS-TSIG, <command>tkey-domain</command>
must also be set.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>secroots-file</command></term>
+ <listitem>
+ <para>
+ The pathname of the file the server dumps
+ security roots to when instructed to do so with
+ <command>rndc secroots</command>.
+ If not specified, the default is <filename>named.secroots</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>session-keyfile</command></term>
<listitem>
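Review bot: changing the documented GSS-TSIG principal form from `dns/server.domain` to `DNS/server.domain` is a statement about behaviour, not a typo fix; say briefly why the case changed and that the entry in `/etc/krb5.keytab` must match this form, so an operator can check an existing keytab entry against it. The new `secroots-file` entry gives `named.secroots` as the default without saying what that path is relative to; state the directory so the dump location is unambiguous.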
<variablelist>
+ <varlistentry>
+ <term><command>allow-new-zones</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, then zones can be
+ added at runtime via <command>rndc addzone</command>
+ or deleted via <command>rndc delzone</command>.
+ The default is <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>auth-nxdomain</command></term>
<listitem>
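Review bot: the `allow-new-zones` description should make the trust implication explicit: enabling it lets anyone who can issue `rndc addzone` supply zone configuration text (type, file path and so on, per the `addzone` entry in this patch) that is persisted and reloaded on restart, so pair the option with a sentence about restricting `rndc` access. Also cross-reference the `rndc addzone`/`rndc delzone` entries with an xref rather than bare `<command>` text so the reader can jump to them.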
</para>
<para>
If <userinput>yes</userinput>,
- the DNS client is at an IPv4 address,
+ the DNS client is at an IPv4 address, in <command>filter-aaaa</command>,
and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
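Review bot: the inserted phrase reads awkwardly: `the DNS client is at an IPv4 address, in filter-aaaa, and if the response...`. Spell out the relationship, e.g. `the DNS client is at an IPv4 address that matches the filter-aaaa address match list, and if the response does not include DNSSEC signatures`, so it is clear that `filter-aaaa` narrows which clients are filtered rather than being a separate condition.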
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>filter-aaaa</command></term>
+ <listitem>
+ <para>
+ Specifies a list of addresses to which
+ <command>filter-aaaa-on-v4</command>
+ is applies. The default is <userinput>any</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</sect3>
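Review bot: `is applies` in the new `filter-aaaa` entry should be `applies` (or `is applied`). It is also worth saying that the default `any` means every IPv4 client is filtered when `filter-aaaa-on-v4` is on, i.e. the pre-patch behaviour is preserved unless the list is narrowed.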
</para>
<para>
<command>auto-dnssec allow;</command> permits
- keys to be updated and the zone re-signed whenever the
- user issues the command <command>rndc sign
+ keys to be updated and the zone fully re-signed
+ whenever the user issues the command <command>rndc sign
<replaceable>zonename</replaceable></command>.
</para>
<para>
<command>auto-dnssec maintain;</command> includes the
above, but also automatically adjusts the zone's DNSSEC
keys on schedule, according to the keys' timing metadata
- (see <xref linkend="man.dnssec-keygen"/> and
- <xref linkend="man.dnssec-settime"/>).
+ (see <xref linkend="man.dnyssec-keygen"/> and
+ <xref linkend="man.dnssec-settime"/>). The command
+ <command>rndc sign
+ <replaceable>zonename</replaceable></command> causes
+ <command>named</command> to load keys from the key
+ repository and sign the zone with all keys that are
+ active.
+ <command>rndc loadkeys
+ <replaceable>zonename</replaceable></command> causes
+ <command>named</command> to load keys from the key
+ repository and schedule key maintenance events to occur
+ in the future, but it does not sign the full zone
+ immediately.
</para>
<para>
<command>auto-dnssec create;</command> includes the
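Review bot: the rewritten xref `<xref linkend="man.dnyssec-keygen"/>` misspells the id (`dnyssec`); the removed line had `man.dnssec-keygen`, and a linkend that matches no `id` breaks the DocBook build or yields a dangling link. Restore `man.dnssec-keygen`. Separately, the `rndc sign` and `rndc loadkeys` descriptions in this paragraph duplicate the `rndc` command entries added earlier in the patch; consider an xref instead of a second copy so the two do not drift.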