summaryrefslogtreecommitdiffstats
path: root/doc/man/dnssec-cds.8in
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/dnssec-cds.8in')
-rw-r--r--doc/man/dnssec-cds.8in229
1 files changed, 229 insertions, 0 deletions
diff --git a/doc/man/dnssec-cds.8in b/doc/man/dnssec-cds.8in
new file mode 100644
index 0000000..f915c35
--- /dev/null
+++ b/doc/man/dnssec-cds.8in
@@ -0,0 +1,229 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-CDS" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
+.SH SYNOPSIS
+.sp
+\fBdnssec\-cds\fP [\fB\-a\fP alg...] [\fB\-c\fP class] [\fB\-D\fP] {\fB\-d\fP dsset\-file} {\fB\-f\fP child\-file} [\fB\-i**[extension]] [\fP\-s** start\-time] [\fB\-T\fP ttl] [\fB\-u\fP] [\fB\-v\fP level] [\fB\-V\fP] {domain}
+.SH DESCRIPTION
+.sp
+The \fBdnssec\-cds\fP command changes DS records at a delegation point
+based on CDS or CDNSKEY records published in the child zone. If both CDS
+and CDNSKEY records are present in the child zone, the CDS is preferred.
+This enables a child zone to inform its parent of upcoming changes to
+its key\-signing keys (KSKs); by polling periodically with \fBdnssec\-cds\fP, the
+parent can keep the DS records up\-to\-date and enable automatic rolling
+of KSKs.
+.sp
+Two input files are required. The \fB\-f child\-file\fP option specifies a
+file containing the child\(aqs CDS and/or CDNSKEY records, plus RRSIG and
+DNSKEY records so that they can be authenticated. The \fB\-d path\fP option
+specifies the location of a file containing the current DS records. For
+example, this could be a \fBdsset\-\fP file generated by
+\fBdnssec\-signzone\fP, or the output of \fBdnssec\-dsfromkey\fP, or the
+output of a previous run of \fBdnssec\-cds\fP\&.
+.sp
+The \fBdnssec\-cds\fP command uses special DNSSEC validation logic
+specified by \fI\%RFC 7344\fP\&. It requires that the CDS and/or CDNSKEY records
+be validly signed by a key represented in the existing DS records. This
+is typically the pre\-existing KSK.
+.sp
+For protection against replay attacks, the signatures on the child
+records must not be older than they were on a previous run of
+\fBdnssec\-cds\fP\&. Their age is obtained from the modification time of the
+\fBdsset\-\fP file, or from the \fB\-s\fP option.
+.sp
+To protect against breaking the delegation, \fBdnssec\-cds\fP ensures that
+the DNSKEY RRset can be verified by every key algorithm in the new DS
+RRset, and that the same set of keys are covered by every DS digest
+type.
+.sp
+By default, replacement DS records are written to the standard output;
+with the \fB\-i\fP option the input file is overwritten in place. The
+replacement DS records are the same as the existing records, when no
+change is required. The output can be empty if the CDS/CDNSKEY records
+specify that the child zone wants to be insecure.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+Be careful not to delete the DS records when \fBdnssec\-cds\fP fails!
+.UNINDENT
+.UNINDENT
+.sp
+Alternatively, \fBdnssec\-cds \-u\fP writes an \fBnsupdate\fP script to the
+standard output. The \fB\-u\fP and \fB\-i\fP options can be used together to
+maintain a \fBdsset\-\fP file as well as emit an \fBnsupdate\fP script.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a algorithm\fP
+This option specifies a digest algorithm to use when converting CDNSKEY records to
+DS records. This option can be repeated, so that multiple DS records
+are created for each CDNSKEY record. This option has no effect when
+using CDS records.
+.sp
+The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values
+are case\-insensitive, and the hyphen may be omitted. If no algorithm
+is specified, the default is SHA\-256.
+.TP
+.B \fB\-c class\fP
+This option specifies the DNS class of the zones.
+.TP
+.B \fB\-D\fP
+This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
+records are present in the child zone. By default CDS records are
+preferred.
+.TP
+.B \fB\-d path\fP
+This specifies the location of the parent DS records. The path can be the name of a file
+containing the DS records; if it is a directory, \fBdnssec\-cds\fP
+looks for a \fBdsset\-\fP file for the domain inside the directory.
+.sp
+To protect against replay attacks, child records are rejected if they
+were signed earlier than the modification time of the \fBdsset\-\fP
+file. This can be adjusted with the \fB\-s\fP option.
+.TP
+.B \fB\-f child\-file\fP
+This option specifies the file containing the child\(aqs CDS and/or CDNSKEY records, plus its
+DNSKEY records and the covering RRSIG records, so that they can be
+authenticated.
+.sp
+The examples below describe how to generate this file.
+.TP
+.B \fB\-iextension\fP
+This option updates the \fBdsset\-\fP file in place, instead of writing DS records to
+the standard output.
+.sp
+There must be no space between the \fB\-i\fP and the extension. If
+no extension is provided, the old \fBdsset\-\fP is discarded. If an
+extension is present, a backup of the old \fBdsset\-\fP file is kept
+with the extension appended to its filename.
+.sp
+To protect against replay attacks, the modification time of the
+\fBdsset\-\fP file is set to match the signature inception time of the
+child records, provided that it is later than the file\(aqs current
+modification time.
+.TP
+.B \fB\-s start\-time\fP
+This option specifies the date and time after which RRSIG records become
+acceptable. This can be either an absolute or a relative time. An
+absolute start time is indicated by a number in YYYYMMDDHHMMSS
+notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
+time relative to the \fBdsset\-\fP file is indicated with \fB\-N\fP, which is N
+seconds before the file modification time. A time relative to the
+current time is indicated with \fBnow+N\fP\&.
+.sp
+If no start\-time is specified, the modification time of the
+\fBdsset\-\fP file is used.
+.TP
+.B \fB\-T ttl\fP
+This option specifies a TTL to be used for new DS records. If not specified, the
+default is the TTL of the old DS records. If they had no explicit TTL,
+the new DS records also have no explicit TTL.
+.TP
+.B \fB\-u\fP
+This option writes an \fBnsupdate\fP script to the standard output, instead of
+printing the new DS reords. The output is empty if no change is
+needed.
+.sp
+Note: The TTL of new records needs to be specified: it can be done in the
+original \fBdsset\-\fP file, with the \fB\-T\fP option, or using the
+\fBnsupdate\fP \fBttl\fP command.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level. Level 1 is intended to be usefully verbose
+for general users; higher levels are intended for developers.
+.TP
+.B \fBdomain\fP
+This indicates the name of the delegation point/child zone apex.
+.UNINDENT
+.SH EXIT STATUS
+.sp
+The \fBdnssec\-cds\fP command exits 0 on success, or non\-zero if an error
+occurred.
+.sp
+If successful, the DS records may or may not need to be
+changed.
+.SH EXAMPLES
+.sp
+Before running \fBdnssec\-signzone\fP, ensure that the delegations
+are up\-to\-date by running \fBdnssec\-cds\fP on every \fBdsset\-\fP file.
+.sp
+To fetch the child records required by \fBdnssec\-cds\fP, invoke
+\fBdig\fP as in the script below. It is acceptable if the \fBdig\fP fails, since
+\fBdnssec\-cds\fP performs all the necessary checking.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+for f in dsset\-*
+do
+ d=${f#dsset\-}
+ dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+ dnssec\-cds \-i \-f /dev/stdin \-d $f $d
+done
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When the parent zone is automatically signed by \fBnamed\fP,
+\fBdnssec\-cds\fP can be used with \fBnsupdate\fP to maintain a delegation as follows.
+The \fBdsset\-\fP file allows the script to avoid having to fetch and
+validate the parent DS records, and it maintains the replay attack
+protection time.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
+nsupdate \-l
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdig(1)\fP, \fBdnssec\-settime(8)\fP, \fBdnssec\-signzone(8)\fP, \fBnsupdate(1)\fP, BIND 9 Administrator
+Reference Manual, \fI\%RFC 7344\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.