diff -Nru bind9-9.16.1/.clang-format bind9-9.16.48/.clang-format
--- bind9-9.16.1/.clang-format 2020-03-11 16:46:53.000000000 +0000
+++ bind9-9.16.48/.clang-format 2024-02-11 11:31:39.000000000 +0000
@@ -11,6 +11,7 @@
 AfterFunction: false # should also be MultiLine, but not yet supported
 AfterExternBlock: false
 BeforeElse: false
+ BeforeWhile: false
 IndentBraces: false
 SplitEmptyFunction: true
 AllowShortIfStatementsOnASingleLine: false
@@ -19,6 +20,7 @@
 Cpp11BracedListStyle: false
 ColumnLimit: 80
 AlignAfterOpenBracket: Align
+AlignConsecutiveBitFields: true
 AlignConsecutiveDeclarations: false
 AlignConsecutiveMacros: true
 AlignTrailingComments: true
@@ -62,6 +64,7 @@
 Priority: 1
 - Regex: '.*'
 Priority: 0
+IndentExternBlock: NoIndent
 KeepEmptyLinesAtTheStartOfBlocks: false
 MaxEmptyLinesToKeep: 1
 PenaltyBreakAssignment: 30
diff -Nru bind9-9.16.1/.clang-format.headers bind9-9.16.48/.clang-format.headers
--- bind9-9.16.1/.clang-format.headers 2020-03-11 16:46:53.000000000 +0000
+++ bind9-9.16.48/.clang-format.headers 2024-02-11 11:31:39.000000000 +0000
@@ -11,6 +11,7 @@
 AfterFunction: false # should also be MultiLine, but not yet supported
 AfterExternBlock: false
 BeforeElse: false
+ BeforeWhile: false
 IndentBraces: false
 SplitEmptyFunction: true
 AllowShortIfStatementsOnASingleLine: false
@@ -19,6 +20,7 @@
 Cpp11BracedListStyle: false
 ColumnLimit: 80
 AlignAfterOpenBracket: Align
+AlignConsecutiveBitFields: true
 AlignConsecutiveDeclarations: true
 AlignConsecutiveMacros: true
 AlignTrailingComments: true
@@ -50,6 +52,7 @@
 Priority: 1
 - Regex: '".*"'
 Priority: 9
+IndentExternBlock: NoIndent
 KeepEmptyLinesAtTheStartOfBlocks: false
 MaxEmptyLinesToKeep: 1
 PenaltyBreakAssignment: 30
diff -Nru bind9-9.16.1/.dir-locals.el bind9-9.16.48/.dir-locals.el
--- bind9-9.16.1/.dir-locals.el 2020-03-11 16:46:53.000000000 +0000
+++ bind9-9.16.48/.dir-locals.el 2024-02-11 11:31:39.000000000 +0000
@@ -77,6 +77,9 @@ (expand-file-name (concat directory-of-current-dir-locals-file "bin/rndc/include")) + (expand-file-name "/usr/include/libxml2") + (expand-file-name "/usr/include/json-c") + (expand-file-name "/usr/local/opt/openssl@1.1/include") (expand-file-name "/usr/local/opt/libxml2/include/libxml2") (expand-file-name "/usr/local/opt/json-c/include/json-c/") @@ -106,6 +109,9 @@ (list "--enable=all" "--suppress=missingIncludeSystem" + "--suppress=nullPointerRedundantCheck" + (concat "--suppressions-list=" (expand-file-name + (concat directory-of-current-dir-locals-file "util/suppressions.txt"))) (concat "-include=" (expand-file-name (concat directory-of-current-dir-locals-file "config.h"))) ) diff -Nru bind9-9.16.1/.editorconfig bind9-9.16.48/.editorconfig --- bind9-9.16.1/.editorconfig 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.48/.editorconfig 2024-02-11 11:31:39.000000000 +0000 @@ -0,0 +1,5 @@ +[{bin/tests/**.sh,bin/tests/**.sh.in,util/**.sh}] +indent_style = space +indent_size = 2 +binary_next_line = true +switch_case_indent = true diff -Nru bind9-9.16.1/.gitattributes bind9-9.16.48/.gitattributes --- bind9-9.16.1/.gitattributes 2020-03-11 16:46:53.000000000 +0000 +++ bind9-9.16.48/.gitattributes 2024-02-11 11:31:39.000000000 +0000 @@ -1,6 +1,8 @@ *.sln.in eol=crlf *.vcxproj.* eol=crlf +/fuzz/dns_rdata_fromwire_text.in/input-* -text + .gitignore export-ignore /conftools export-ignore /doc/design export-ignore diff -Nru bind9-9.16.1/.github/workflows/codeql.yml bind9-9.16.48/.github/workflows/codeql.yml --- bind9-9.16.1/.github/workflows/codeql.yml 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.48/.github/workflows/codeql.yml 2024-02-11 11:31:39.000000000 +0000 
@@ -0,0 +1,55 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "bind-9.16", "bind-9.18", "main" ]
+ schedule:
+ - cron: '39 8 * * 3'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Install build dependencies
+ uses: awalsh128/cache-apt-pkgs-action@latest
+ with:
+ packages: libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
+ version: 1.0
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ # âšī¸ Command-line programs to run using the OS shell.
+ # đ See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff -Nru bind9-9.16.1/.github/workflows/sonarcloud.yml bind9-9.16.48/.github/workflows/sonarcloud.yml
--- bind9-9.16.1/.github/workflows/sonarcloud.yml 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.48/.github/workflows/sonarcloud.yml 2024-02-11 11:31:39.000000000 +0000
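Review bot: `awalsh128/cache-apt-pkgs-action@latest` is a floating tag on a third-party action, and it runs in a job that holds `security-events: write`, so whatever that tag resolves to on a given scheduled run executes with those permissions and with the checkout. Pinning it to a full-length commit SHA (`uses: awalsh128/cache-apt-pkgs-action@<commit-sha> # vX.Y.Z`, placeholder to be filled from the action's release page) makes the dependency immutable and reviewable; `actions/checkout@v3` and `github/codeql-action/*@v2` are major tags maintained by GitHub, but the same SHA pinning applies if the project wants one policy for all actions. The same `@latest` reference appears in the sonarcloud.yml hunk that follows. The commented-out block under the Autobuild step, including the two mis-encoded emoji comment lines, is scaffolding from the CodeQL starter template and can be dropped now that Autobuild is the chosen build path.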
@@ -0,0 +1,50 @@
+name: SonarCloud
+
+on:
+ push:
+ branches: [ "bind-9.16", "bind-9.18", "main" ]
+ schedule:
+ - cron: '39 8 * * 3'
+
+jobs:
+ build:
+ name: Build and analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ env:
+ BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Install build dependencies
+ uses: awalsh128/cache-apt-pkgs-action@latest
+ with:
+ packages: libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
+ version: 1.0
+
+ - name: Install sonar-scanner and build-wrapper
+ uses: SonarSource/sonarcloud-github-c-cpp@v1
+
+ - name: Run build-wrapper
+ run: |
+ autoreconf -fi
+ ./configure
+ build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all
+
+ - name: Run sonar-scanner
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
diff -Nru bind9-9.16.1/.gitlab-ci.yml bind9-9.16.48/.gitlab-ci.yml
--- bind9-9.16.1/.gitlab-ci.yml 2020-03-11 16:46:53.000000000 +0000
+++ bind9-9.16.48/.gitlab-ci.yml 2024-02-11 11:31:39.000000000 +0000
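Review bot: `strategy.matrix.language: [ 'cpp' ]` is declared but no step in this job references `matrix.language`, so the matrix adds a dimension that changes nothing; either use it or drop the whole `strategy:` block. The `permissions:` block grants `security-events: write` and `actions: read`, which the CodeQL workflow needs for SARIF upload but which no step here appears to use — if SonarCloud does not upload code-scanning results, `contents: read` alone is the least-privilege choice, and the current block looks copied from the CodeQL template. `awalsh128/cache-apt-pkgs-action@latest` carries the same floating-tag concern raised on codeql.yml.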
@@ -12,115 +12,157 @@ KYUA_RESULT: "$CI_PROJECT_DIR/kyua.results" GIT_DEPTH: 1 + GIT_CLEAN_FLAGS: -ffdxq + + # The following values may be overwritten in GitLab's CI/CD Variables Settings. BUILD_PARALLEL_JOBS: 6 - TEST_PARALLEL_JOBS: 6 + TEST_PARALLEL_JOBS: 4 - MAKE: make CONFIGURE: ./configure - CLANG: clang-9 - SCAN_BUILD: scan-build-9 - SYMBOLIZER: /usr/lib/llvm-9/bin/llvm-symbolizer - ASAN_SYMBOLIZER_PATH: "$SYMBOLIZER" - CLANG_FORMAT: clang-format-10 + CLANG_VERSION: 17 + CLANG: "clang-${CLANG_VERSION}" + SCAN_BUILD: "scan-build-${CLANG_VERSION}" + LLVM_SYMBOLIZER: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" + ASAN_SYMBOLIZER_PATH: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" + CLANG_FORMAT: "clang-format-${CLANG_VERSION}" - CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra + CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra # Pass run-time flags to AddressSanitizer to get core dumps on error. - ASAN_OPTIONS_COMMON: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1 + ASAN_OPTIONS: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1 - TARBALL_COMPRESSOR: xz - TARBALL_EXTENSION: xz + TSAN_OPTIONS_COMMON: "disable_coredump=0 second_deadlock_stack=1 atexit_sleep_ms=1000 history_size=7 log_exe_name=true log_path=tsan" + TSAN_SUPPRESSIONS: "suppressions=${CI_PROJECT_DIR}/.tsan-suppress" + TSAN_OPTIONS_DEBIAN: "${TSAN_OPTIONS_COMMON} ${TSAN_SUPPRESSIONS} external_symbolizer_path=${LLVM_SYMBOLIZER}" + TSAN_OPTIONS_FEDORA: "${TSAN_OPTIONS_COMMON} ${TSAN_SUPPRESSIONS} external_symbolizer_path=/usr/bin/llvm-symbolizer" + + UBSAN_OPTIONS: "halt_on_error=1:abort_on_error=1:disable_coredump=0" + + INSTALL_PATH: "${CI_PROJECT_DIR}/.local" + + # Disable pytest's "cacheprovider" plugin to prevent it from creating + # cross-testrun files as there is no need to use that feature in CI. 
+ PYTEST_ADDOPTS: "-p no:cacheprovider" + + # Default platforms to run "stress" tests on + BIND_STRESS_TEST_OS: linux + BIND_STRESS_TEST_ARCH: amd64 + +default: + # Allow all running CI jobs to be automatically canceled when a new + # version of a branch is pushed. + # + # See: https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines + interruptible: true stages: - precheck - build - unit - system + - performance - docs - - push - postcheck - release ### Runner Tag Templates -# Note: BSD runners extract the operating system version to use from job name +.libvirt-amd64: &libvirt_amd64 + tags: + - libvirt + - amd64 + +# Jobs with these tags do not run on AWS but on permanent OVH systems. -.freebsd-amd64: &freebsd_amd64 +.linux-respdiff-amd64: &linux_respdiff_amd64 tags: - - freebsd + - linux + - ovh - amd64 +# Autoscaling GitLab Runner on AWS EC2 (amd64) + .linux-amd64: &linux_amd64 tags: - linux + - aws + - runner-manager - amd64 +# Autoscaling GitLab Runner on AWS EC2 (arm64) + .linux-arm64: &linux_arm64 tags: - linux - - arm64 + - aws + - runner-manager + - aarch64 + +# Stress-testing runners -.linux-i386: &linux_i386 +.freebsd-stress-amd64: &freebsd_stress_amd64 tags: - - linux - - i386 + - amd64 + - aws + - bsd-stress + - stress -.openbsd-amd64: &openbsd_amd64 +.windows-amd64: &windows_amd64 tags: - - libvirt + - windows - amd64 ### Docker Image Templates # Alpine Linux -.alpine-3.11-amd64: &alpine_3_11_amd64_image - image: "$CI_REGISTRY_IMAGE:alpine-3.11-amd64" +.alpine-3.19-amd64: &alpine_3_19_amd64_image + image: "$CI_REGISTRY_IMAGE:alpine-3.19-amd64" <<: *linux_amd64 -# CentOS +# Oracle Linux -.centos-centos6-amd64: ¢os_centos6_amd64_image - image: "$CI_REGISTRY_IMAGE:centos-centos6-amd64" +.oraclelinux-7-amd64: &oraclelinux_7_amd64_image + image: "$CI_REGISTRY_IMAGE:oraclelinux-7-amd64" <<: *linux_amd64 -.centos-centos7-amd64: ¢os_centos7_amd64_image - image: "$CI_REGISTRY_IMAGE:centos-centos7-amd64" +.oraclelinux-8-amd64: 
&oraclelinux_8_amd64_image + image: "$CI_REGISTRY_IMAGE:oraclelinux-8-amd64" <<: *linux_amd64 -.centos-centos8-amd64: ¢os_centos8_amd64_image - image: "$CI_REGISTRY_IMAGE:centos-centos8-amd64" +.oraclelinux-9-amd64: &oraclelinux_9_amd64_image + image: "$CI_REGISTRY_IMAGE:oraclelinux-9-amd64" <<: *linux_amd64 # Debian -.debian-jessie-amd64: &debian_jessie_amd64_image - image: "$CI_REGISTRY_IMAGE:debian-jessie-amd64" +.debian-buster-amd64: &debian_buster_amd64_image + image: "$CI_REGISTRY_IMAGE:debian-buster-amd64" <<: *linux_amd64 -.debian-stretch-amd64: &debian_stretch_amd64_image - image: "$CI_REGISTRY_IMAGE:debian-stretch-amd64" +.debian-bullseye-amd64: &debian_bullseye_amd64_image + image: "$CI_REGISTRY_IMAGE:debian-bullseye-amd64" <<: *linux_amd64 -.debian-stretch-i386: &debian_stretch_i386_image - image: "$CI_REGISTRY_IMAGE:debian-stretch-i386" - <<: *linux_i386 +.respdiff-debian-bookworm-amd64: &respdiff_debian_bookworm_amd64_image + image: "$CI_REGISTRY_IMAGE:debian-bookworm-amd64" + <<: *linux_respdiff_amd64 -.debian-buster-amd64: &debian_buster_amd64_image - image: "$CI_REGISTRY_IMAGE:debian-buster-amd64" +.debian-bookworm-amd64: &debian_bookworm_amd64_image + image: "$CI_REGISTRY_IMAGE:debian-bookworm-amd64" <<: *linux_amd64 -.debian-sid-amd64: &debian_sid_amd64_image - image: "$CI_REGISTRY_IMAGE:debian-sid-amd64" +.tsan-debian-bookworm-amd64: &tsan_debian_bookworm_amd64_image + image: "$CI_REGISTRY_IMAGE:tsan-debian-bookworm-amd64" <<: *linux_amd64 -.debian-sid-arm64: &debian_sid_arm64_image - image: "$CI_REGISTRY_IMAGE:debian-sid-arm64" - <<: *linux_arm64 +.debian-bookworm-amd64cross32: &debian_bookworm_amd64cross32_image + image: "$CI_REGISTRY_IMAGE:debian-bookworm-amd64cross32" + <<: *linux_amd64 -.debian-sid-i386: &debian_sid_i386_image - image: "$CI_REGISTRY_IMAGE:debian-sid-i386" - <<: *linux_i386 +.debian-sid-amd64: &debian_sid_amd64_image + image: "$CI_REGISTRY_IMAGE:debian-sid-amd64" + <<: *linux_amd64 # openSUSE Tumbleweed 
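Review bot: `ASAN_SYMBOLIZER_PATH: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer"` repeats the full path that `LLVM_SYMBOLIZER` already holds, while `TSAN_OPTIONS_DEBIAN` on the next lines references `${LLVM_SYMBOLIZER}` instead; a future layout change then has to be applied in two places. Since this `variables:` block already relies on nested expansion (`CLANG: "clang-${CLANG_VERSION}"`), `ASAN_SYMBOLIZER_PATH: "${LLVM_SYMBOLIZER}"` keeps the two in step. The `variables:` block itself starts before this hunk (the `KYUA_RESULT` line is context).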
@@ -130,78 +172,106 @@ # Fedora -.fedora-31-amd64: &fedora_31_amd64_image - image: "$CI_REGISTRY_IMAGE:fedora-31-amd64" +.tsan-fedora-39-amd64: &tsan_fedora_39_amd64_image + image: "$CI_REGISTRY_IMAGE:tsan-fedora-39-amd64" + <<: *linux_amd64 + +.fedora-39-amd64: &fedora_39_amd64_image + image: "$CI_REGISTRY_IMAGE:fedora-39-amd64" <<: *linux_amd64 +.fedora-39-arm64: &fedora_39_arm64_image + image: "$CI_REGISTRY_IMAGE:fedora-39-arm64" + <<: *linux_arm64 + # Ubuntu -.ubuntu-xenial-amd64: &ubuntu_xenial_amd64_image - image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-amd64" +.ubuntu-focal-amd64: &ubuntu_focal_amd64_image + image: "$CI_REGISTRY_IMAGE:ubuntu-focal-amd64" <<: *linux_amd64 -.ubuntu-xenial-i386: &ubuntu_xenial_i386_image - image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-i386" - <<: *linux_i386 - -.ubuntu-bionic-amd64: &ubuntu_bionic_amd64_image - image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-amd64" +.ubuntu-jammy-amd64: &ubuntu_jammy_amd64_image + image: "$CI_REGISTRY_IMAGE:ubuntu-jammy-amd64" <<: *linux_amd64 -.ubuntu-bionic-i386: &ubuntu_bionic_i386_image - image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-i386" - <<: *linux_i386 +# Windows + +.windows-server-2016-amd64: &windows_server_2016_amd64_image + image: "$CI_REGISTRY_IMAGE:windows-server-2016-amd64" + <<: *windows_amd64 + +# Base image +# This is a meta image that is used as a base for non-specific jobs + +.base: &base_image + <<: *debian_bookworm_amd64_image + +### QCOW2 Image Templates + +.freebsd-12-amd64: &freebsd_12_amd64_image + image: "freebsd-12.4-x86_64" + <<: *libvirt_amd64 + +.freebsd-13-amd64: &freebsd_13_amd64_image + image: "freebsd-13.2-x86_64" + <<: *libvirt_amd64 + +.freebsd-14-amd64: &freebsd_14_amd64_image + image: "freebsd-14.0-x86_64" + <<: *libvirt_amd64 + +.openbsd-amd64: &openbsd_amd64_image + image: "openbsd-7.4-x86_64" + <<: *libvirt_amd64 ### Job Templates -.default-triggering-rules: &default_triggering_rules +.api-schedules-tags-triggers-web-triggering-rules: 
&api_schedules_tags_triggers_web_triggering_rules only: - - merge_requests + - api + - schedules - tags + - triggers - web + +.api-schedules-triggers-web-triggering-rules: &api_schedules_triggers_web_triggering_rules + only: + - api - schedules + - triggers + - web -.release-branch-triggering-rules: &release_branch_triggering_rules +.default-triggering-rules: &default_triggering_rules only: + - api - merge_requests + - schedules - tags + - triggers - web - - schedules - - master@isc-projects/bind9 - - /^v9_[1-9][0-9]$/@isc-projects/bind9 .precheck: &precheck_job <<: *default_triggering_rules - <<: *debian_sid_amd64_image + <<: *base_image stage: precheck -.autoconf: &autoconf_job - <<: *release_branch_triggering_rules - <<: *debian_sid_amd64_image - stage: precheck - script: - - autoreconf -fi - artifacts: - paths: - - aclocal.m4 - - configure - - ltmain.sh - - m4/libtool.m4 - expire_in: "1 day" +.configure: &configure + - ${CONFIGURE} + --disable-maintainer-mode + --enable-developer + --with-libtool + --disable-static + --enable-option-checking=fatal + --enable-dnstap + --with-cmocka + --with-libxml2 + --with-json-c + --without-make-clean + $EXTRA_CONFIGURE + || (test -s config.log && cat config.log; exit 1) -.configure: &configure | - ${CONFIGURE} \ - --disable-maintainer-mode \ - --enable-developer \ - --with-libtool \ - --disable-static \ - --with-cmocka \ - --with-libxml2 \ - --with-json-c \ - --prefix=$HOME/.local \ - --without-make-clean \ - $EXTRA_CONFIGURE \ - || cat config.log +.parse_tsan: &parse_tsan + - find -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; .build: &build_job <<: *default_triggering_rules 
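Review bot: The new `.configure: &configure` anchor switches from a literal block scalar with backslash continuations to a plain multi-line scalar inside a list item, so it is YAML folding, not the shell, that joins `${CONFIGURE}` and the option lines into one command; nothing in the file says so, and a future option containing ` #` or `: ` would silently change the folded command rather than fail loudly. A short comment above the anchor would save the next editor a surprise, e.g. `# Plain multi-line scalar: YAML folds the lines below into a single shell command.`; the same applies to `.parse_tsan`, `.setup_interfaces` and `.kyua_report`, which use the same construct. The replacement failure branch `|| (test -s config.log && cat config.log; exit 1)` is a real improvement over the old `|| cat config.log`, which let a failed configure pass. `.parse_tsan`'s `find -name 'tsan.*'` with no starting point is GNU find syntax; that is presumably fine for the Debian/Fedora TSAN images but would not run on the BSD runners defined above.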
@@ -211,22 +281,24 @@ - test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}" script: - *configure - - ${MAKE} -j${BUILD_PARALLEL_JOBS:-1} -k all V=1 - - test -z "${RUN_MAKE_INSTALL}" || make install - - test -z "${RUN_MAKE_INSTALL}" || sh util/check-make-install - dependencies: - - autoreconf:sid:amd64 - needs: - - autoreconf:sid:amd64 + - test -n "${SKIP_MAKE_DEPEND}" || make -j${BUILD_PARALLEL_JOBS:-1} depend 2>&1 | tee make-depend.log + - test -n "${SKIP_MAKE_DEPEND}" || ( ! grep -F "error:" make-depend.log ) + - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1 + - test -z "${BUILD_CONTRIB}" || for DIR in contrib/dlz/modules/*; do test -f "${DIR}/Makefile" && make -C "${DIR}"; done + - test -z "${RUN_MAKE_INSTALL}" || make DESTDIR="${INSTALL_PATH}" install + - test -z "${RUN_MAKE_INSTALL}" -o -z "${BUILD_CONTRIB}" || for DIR in contrib/dlz/modules/*; do test -f "${DIR}/Makefile" && make -C "${DIR}" DESTDIR="${INSTALL_PATH}" install; done + - test -z "${RUN_MAKE_INSTALL}" || DESTDIR="${INSTALL_PATH}" sh util/check-make-install + - if [[ "${CFLAGS}" == *"-fsanitize=address"* ]]; then ( ! grep -F AddressSanitizer config.log ); fi + - test -z "${CROSS_COMPILATION}" || grep -F -A 1 "checking whether we are cross compiling" config.log | grep -q "result.*yes" + - test -z "${CROSS_COMPILATION}" || file lib/dns/gen | grep -F -q "ELF 64-bit LSB" + - test -z "${CROSS_COMPILATION}" || ( ! git ls-files -z --others --exclude lib/dns/gen | xargs -0 file | grep "ELF 64-bit LSB" ) artifacts: untracked: true - expire_in: "1 day" + when: always + needs: [] .windows_build: &windows_build_job stage: build - tags: - - windows - - amd64 script: - 'Push-Location "C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Auxiliary/Build"' - '& cmd.exe /C "vcvarsall.bat x64 & set" | Foreach-Object { if ($_ -match "(.*?)=(.*)") { Set-Item -force -path "Env:\$($matches[1])" -value "$($matches[2])" } }' 
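Review bot: In the new `make -j${BUILD_PARALLEL_JOBS:-1} depend 2>&1 | tee make-depend.log` line the step's exit status is tee's, so a failing `make depend` only fails the job if it happens to print `error:`, which is what the following grep line looks for. The hunk already assumes bash (`[[ "${CFLAGS}" == *"-fsanitize=address"* ]]`), so the real status can be captured with `- test -n "${SKIP_MAKE_DEPEND}" || { make -j${BUILD_PARALLEL_JOBS:-1} depend 2>&1 | tee make-depend.log; test "${PIPESTATUS[0]}" -eq 0; }`, keeping the grep as a secondary check. The `.build` template's `before_script` begins outside this hunk.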
@@ -245,25 +317,22 @@ x64' - 'Set-Item -path "Env:CL" -value "/MP$([Math]::Truncate($BUILD_PARALLEL_JOBS/2))"' - '& msbuild.exe /maxCpuCount:2 /t:Build /p:Configuration=$VSCONF bind9.sln' - dependencies: [] - needs: - - autoreconf:sid:amd64 + needs: [] artifacts: untracked: true - expire_in: "1 day" -.setup_interfaces: &setup_interfaces | - if [ "$(id -u)" -eq "0" ]; then - sh -x bin/tests/system/ifconfig.sh up; - else - sudo sh -x bin/tests/system/ifconfig.sh up; - fi - -.setup_softhsm: &setup_softhsm | - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh) - test -n "${SLOT}" && test "${SLOT}" -gt 0 +.setup_interfaces: &setup_interfaces + - if [ "$(id -u)" -eq "0" ]; then + sh -x bin/tests/system/ifconfig.sh up; + else + sudo sh -x bin/tests/system/ifconfig.sh up; + fi + +.setup_softhsm: &setup_softhsm + - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh) + - test -n "${SLOT}" && test "${SLOT}" -gt 0 -.system_test: &system_test_job +.system_test_common: &system_test_common <<: *default_triggering_rules stage: system before_script: 
@@ -272,23 +341,38 @@ script: - ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 ) - test -s bin/tests/system/systests.output + - if git rev-parse > /dev/null 2>&1; then ( ! grep "^I:.*:file.*not removed$" bin/tests/system/systests.output ); fi + - '( ! grep -F "grep: warning:" bin/tests/system/systests.output )' + +.system_test: &system_test_job + <<: *system_test_common + artifacts: + untracked: true + when: on_failure + +.system_test_gcov: &system_test_gcov_job + <<: *system_test_common + artifacts: + untracked: true + when: always + +.system_test_tsan: &system_test_tsan_job + <<: *system_test_common + after_script: + - *parse_tsan artifacts: untracked: true - expire_in: "1 day" when: on_failure -.kyua_report: &kyua_report_html | - kyua --logfile /dev/null report-html \ - --force \ - --results-file "$KYUA_RESULT" \ - --results-filter "" \ - --output kyua_html +.kyua_report: &kyua_report_html + - kyua --logfile /dev/null report-html + --force + --results-file "$KYUA_RESULT" + --results-filter "" + --output kyua_html > /dev/null .windows_system_test: &windows_system_test_job stage: system - tags: - - windows - - amd64 script: - 'Push-Location bin/tests/system' - '$ifIndex = Get-NetIPInterface -AddressFamily IPv4 -InterfaceMetric 75 | Select-Object -ExpandProperty ifIndex' @@ -301,14 +385,9 @@ - 'If (Test-Path C:/CrashDumps/*) { dir C:/CrashDumps; Throw }' artifacts: untracked: true - expire_in: "1 day" when: on_failure - only: - - schedules - - tags - - web -.unit_test: &unit_test_job +.unit_test_common: &unit_test_common <<: *default_triggering_rules stage: unit before_script: 
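Review bot: The added `if git rev-parse > /dev/null 2>&1; then ( ! grep "^I:.*:file.*not removed$" bin/tests/system/systests.output ); fi` makes the leftover-file check conditional on running inside a git checkout, but nothing explains why a non-git run (presumably a tarball build) is exempt. A comment on that line would keep the intent from being lost, e.g. `# Leftover-file check only applies to git checkouts; tarball runs are exempt — TODO document why`. `.system_test` and `.system_test_tsan` also carry byte-identical `artifacts:` blocks; if `on_failure` is the shared default, a single anchor would avoid the two drifting apart.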
@@ -317,60 +396,50 @@ - make unit after_script: - *kyua_report_html + +.unit_test: &unit_test_job + <<: *unit_test_common artifacts: - paths: - - kyua.log - - kyua.results - - kyua_html/ - expire_in: "1 day" + untracked: true when: on_failure -.cppcheck_args: &run_cppcheck | - cppcheck --enable=warning,performance,portability,information,missingInclude \ - --include=config.h \ - --quiet \ - --std=c11 \ - --language=c \ - --project=compile_commands.json \ - --error-exitcode=2 \ - -j ${TEST_PARALLEL_JOBS:-1} \ - --xml \ - --output-file=cppcheck.results \ - --relative-paths="$CI_PROJECT_DIR" \ - --inline-suppr \ - --suppressions-list=util/suppressions.txt - -.cppcheck_report: &cppcheck_report_html | - cppcheck-htmlreport --title="BIND 9 ($CI_COMMIT_SHORT_SHA) Cppcheck Report" \ - --file=cppcheck.results \ - --report-dir=cppcheck_html/ +.unit_test_gcov: &unit_test_gcov_job + <<: *unit_test_common + artifacts: + untracked: true + when: always -.cppcheck: &cppcheck_job - <<: *default_triggering_rules - stage: postcheck - before_script: - - export GCC_VERSION=$(gcc --version | sed -n 's/.*\([0-9]\+\)\.[0-9]\+\.[0-9]\+.*/\1/p') - - sed -i "/gcc\",/a\"-DCPPCHECK\", \"-D__STDC__\", \"-D__GNUC__=${GCC_VERSION}\"," compile_commands.json - script: - - *run_cppcheck +.unit_test_tsan: &unit_test_tsan_job + <<: *unit_test_common after_script: - - *cppcheck_report_html + - *kyua_report_html + - *parse_tsan artifacts: - paths: - - compile_commands.json - - cppcheck.results - - cppcheck_html/ - expire_in: "1 day" + untracked: true when: on_failure +.respdiff: &respdiff_job + stage: system + before_script: + - *configure + - make -j${BUILD_PARALLEL_JOBS:-1} V=1 + - *setup_interfaces + - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git + - cd bind-qa/bind9/respdiff + needs: [] + artifacts: + paths: + - bind-qa/bind9/respdiff + exclude: + - bind-qa/bind9/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file. 
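Review bot: `.windows_system_test` loses its `only: schedules/tags/web` rules and no replacement is added in this hunk, so unless the concrete Windows jobs (outside this hunk) add their own rules they now run on every pipeline, including merge requests — a cost change rather than a safety one, but probably not intended for the slowest runners. If the old behaviour is wanted, `<<: *api_schedules_tags_triggers_web_triggering_rules`, defined earlier in this diff, expresses it in the new vocabulary. The `.unit_test_common` template this hunk renames continues past the hunk's last line.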
+ untracked: true + when: always + ### Job Definitions # Jobs in the precheck stage -autoreconf:sid:amd64: - <<: *autoconf_job - -misc:sid:amd64: +misc: <<: *precheck_job script: - sh util/check-ans-prereq.sh 
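Review bot: In the new `.respdiff` template, `git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git` embeds the job token in the remote URL, so it is persisted in `bind-qa/.git/config`; with `untracked: true` and a `paths:` entry under `bind-qa/`, it is worth confirming that the nested checkout's `.git` directory is not swept into the uploaded artifacts, which outlive the job even though the token itself is short-lived. Stripping the credential right after the clone, `git -C bind-qa remote set-url origin "https://${CI_SERVER_HOST}/isc-private/bind-qa.git"`, removes the question, and `${CI_SERVER_HOST}` also avoids hard-coding the instance name in the clone URL. The `exclude:` entry only drops `rspworkdir/data.mdb`, so everything else under `bind-qa/bind9/respdiff` is published.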
@@ -378,433 +447,552 @@ - sh util/tabify-changes < CHANGES > CHANGES.tmp - diff -urNap CHANGES CHANGES.tmp - perl util/check-changes CHANGES + - sh util/check-line-length.sh CHANGES - test ! -f CHANGES.SE || sh util/tabify-changes < CHANGES.SE > CHANGES.tmp - test ! -f CHANGES.SE || diff -urNap CHANGES.SE CHANGES.tmp - test ! -f CHANGES.SE || perl util/check-changes master=0 CHANGES.SE + - test ! -f CHANGES.SE || sh util/check-line-length.sh CHANGES.SE - rm CHANGES.tmp - - perl -w util/merge_copyrights - - diff -urNap util/copyrights util/newcopyrights - - rm util/newcopyrights - - perl -w util/update_copyrights < util/copyrights - - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi - xmllint --noout --nonet `git ls-files '*.xml' '*.docbook'` - - xmllint --noout --nonet --html `git ls-files '*.html'` - sh util/check-win32util-configure + - sh util/check-categories.sh + - sh util/xmllint-html.sh artifacts: paths: - - util/newcopyrights - checklibs.out - expire_in: "1 day" when: on_failure -đž:sid:amd64: +black: + <<: *precheck_job + script: + - black $(git ls-files '*.py' '*.py.in') + - git diff > black.patch + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + artifacts: + paths: + - black.patch + expire_in: "1 week" + when: on_failure + +clang-format: <<: *precheck_job script: - if [ -r .clang-format ]; then "${CLANG_FORMAT}" -i -style=file $(git ls-files '*.c' '*.h'); fi + - git diff > clang-format.patch - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + artifacts: + paths: + - clang-format.patch + expire_in: "1 week" + when: on_failure -đ:sid:amd64: +coccinelle: <<: *precheck_job - <<: *debian_buster_amd64_image script: - util/check-cocci - if test "$(git status --porcelain | grep -Ev '\?\?' 
| wc -l)" -gt "0"; then git status --short; exit 1; fi -tarball-create:sid:amd64: - <<: *debian_sid_amd64_image +reuse: + <<: *precheck_job + image: + name: docker.io/fsfe/reuse:latest + entrypoint: [""] + script: + - reuse lint + +shfmt: + <<: *precheck_job + needs: [] + script: + - shfmt -w -i 2 -ci -bn bin/tests/system/ util/ $(find bin/tests/system/ -name "*.sh.in") + - git diff > shfmt.patch + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + artifacts: + paths: + - shfmt.patch + expire_in: "1 week" + when: on_failure + +danger: + <<: *precheck_job + # Keep the GIT_DEPTH environment variable set to a "high number" before + # https://github.com/libgit2/libgit2/pull/6662 is addressed and integrated + # into pygit2. + variables: + GIT_DEPTH: 1000 + script: + - pip install git+https://gitlab.isc.org/isc-projects/hazard.git + - hazard + only: + refs: + - merge_requests + variables: + - $DANGER_GITLAB_API_TOKEN + +pylint: + <<: *default_triggering_rules + <<: *base_image + stage: postcheck + script: + - *configure + - export PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python" + - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/)') + # Ignore Pylint wrong-import-position error in system test to enable use of pytest.importorskip + - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py') + needs: [] + +checkbashisms: + <<: *precheck_job + script: + - checkbashisms $(find . 
-path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print | sed -e '/^\.\/install-sh$/d') + +tarball-create: stage: precheck + <<: *base_image + <<: *default_triggering_rules script: - source version - - export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}" + - export BIND9_VERSION="${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}" + - export BIND_DIRECTORY="bind-${BIND9_VERSION}" - git archive --prefix="${BIND_DIRECTORY}/" --output="${BIND_DIRECTORY}.tar" HEAD - mkdir "${BIND_DIRECTORY}" - echo "SRCID=$(git rev-list --max-count=1 HEAD | cut -b1-7)" > "${BIND_DIRECTORY}/srcid" - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/srcid" - - ${TARBALL_COMPRESSOR} "${BIND_DIRECTORY}.tar" + - sphinx-build -b man -d "${BIND_DIRECTORY}/tmp/.doctrees/" -W -a -v -c doc/man/ -D version="@BIND9_VERSION@" -D today="@RELEASE_DATE@" -D release="@BIND9_VERSIONSTRING@" doc/man "${BIND_DIRECTORY}/doc/man" + - rm -rf "${BIND_DIRECTORY}/tmp/.doctrees/" + - for man in "${BIND_DIRECTORY}/doc/man/"*; do mv "$man" "$man"in; done + - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/doc/man/"*in + - xz "${BIND_DIRECTORY}.tar" artifacts: paths: - - bind-*.tar.${TARBALL_EXTENSION} - only: - - tags + - bind-*.tar.xz -# Jobs for doc builds on Debian Sid (amd64) +# Jobs for doc builds on Debian 12 "bookworm" (amd64) -docs:sid:amd64: - <<: *release_branch_triggering_rules - <<: *debian_sid_amd64_image +docs: + <<: *default_triggering_rules + <<: *base_image stage: docs + before_script: + - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}" + - test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}" script: - - ./configure || cat config.log - - make -C doc/misc docbook - - make -C doc/arm Bv9ARM.html - dependencies: - - autoreconf:sid:amd64 - needs: - - autoreconf:sid:amd64 + - *configure + - make 
maintainer-clean + - autoreconf2.69 -fi + - *configure + - make -j${BUILD_PARALLEL_JOBS:-1} all V=1 + - make -j${BUILD_PARALLEL_JOBS:-1} doc V=1 + - if test "$(git status --porcelain | grep -Ev '\?\?' | grep -v -F -e aclocal.m4 -e configure -e ltmain.sh -e bin/named/bind9.xsl.h -e m4/ | wc -l)" -gt "0"; then git status --short; exit 1; fi + - find doc/man/ -maxdepth 1 -name "*.[0-9]" -exec mandoc -T lint "{}" \; | ( ! grep -v -e "skipping paragraph macro. sp after" -e "unknown font, skipping request. ft C" -e "input text line longer than 80 bytes" ) artifacts: paths: - doc/arm/ - expire_in: "1 month" + - doc/man/ + - doc/misc/ + when: always + needs: [] + +docs:pdf: + <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *base_image + stage: docs + before_script: + - apt-get -y install qpdf texlive-full texlive-xetex xindy + script: + - *configure + - make -C doc/arm/ pdf V=1 + - qpdf --check doc/arm/_build/latex/Bv9ARM.pdf + artifacts: + untracked: true + needs: [] -push:docs:sid:amd64: - <<: *debian_sid_amd64_image - stage: push - dependencies: [] +# Job detecting named.conf breakage introduced since the previous point release + +cross-version-config-tests: + stage: system + <<: *base_image + <<: *default_triggering_rules + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + # Disable option checking to prevent problems with new default options in + # the &configure anchor. + EXTRA_CONFIGURE: "--disable-option-checking" script: - - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=master $GITLAB_PAGES_DOCS_TRIGGER_URL - only: - - master@isc-projects/bind9 - - /^v9_[1-9][0-9]$/@isc-projects/bind9 + # Exclude the dyndb test from the system test as the sample library can't + # locate the libdns library from the BIND 9 baseline version. 
+ - sed -i '/^dyndb \\$/d' bin/tests/system/conf.sh.common + - *configure + - *setup_interfaces + - make -j${BUILD_PARALLEL_JOBS:-1} + - export BIND_BRANCH=16 + # When testing a .0 release, compare it against the previous development + # release (e.g., 9.19.0 and 9.18.0 should both be compared against 9.17.22). + - if [ "$(sed -n -E "s|^m4_define\(\[bind_VERSION_PATCH\], ([0-9]+)\)dnl$|\1|p" configure.ac)" = "0" ]; then export BIND_BRANCH=$((BIND_BRANCH - 1 - (BIND_BRANCH % 2))); fi + - BASELINE="$(curl -s "https://gitlab.isc.org/api/v4/projects/1/repository/tags?search=^v9.${BIND_BRANCH}&order_by=version" | jq -r ".[0].name")" + - git clone --branch "${BASELINE}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git "bind-${BASELINE}" + - cd "bind-${BASELINE}" + - *configure + - make -j${BUILD_PARALLEL_JOBS:-1} + - cd bin/tests/system + # Neutralize shell and pytests; in effect, "nsX" servers are just started + # and stopped, thus configuration checked. + - truncate --size=0 */tests{.sh,*.py} + # Run the setup phase of all system tests in the most recently tagged BIND 9 + # release using the binaries built for the current BIND 9 version. This + # intends to detect obvious backward compatibility issues with the latter. 
+ - sed -i -E "s|(export TOP)=.*|\1=${CI_PROJECT_DIR}|" conf.sh + - make -j${TEST_PARALLEL_JOBS:-1} -k check V=1 + artifacts: + paths: + - bind-* + untracked: true + expire_in: "1 day" + when: on_failure + needs: [] -# Jobs for regular GCC builds on Alpine Linux 3.11 (amd64) +# Jobs for regular GCC builds on Alpine Linux 3.19 (amd64) -gcc:alpine3.11:amd64: +gcc:alpine3.19:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--enable-dnstap" - <<: *alpine_3_11_amd64_image + <<: *alpine_3_19_amd64_image <<: *build_job -system:gcc:alpine3.11:amd64: - <<: *alpine_3_11_amd64_image +system:gcc:alpine3.19:amd64: + <<: *alpine_3_19_amd64_image <<: *system_test_job - dependencies: - - gcc:alpine3.11:amd64 - needs: ["gcc:alpine3.11:amd64"] + needs: + - job: gcc:alpine3.19:amd64 + artifacts: true -unit:gcc:alpine3.11:amd64: - <<: *alpine_3_11_amd64_image +unit:gcc:alpine3.19:amd64: + <<: *alpine_3_19_amd64_image <<: *unit_test_job - dependencies: - - gcc:alpine3.11:amd64 - needs: ["gcc:alpine3.11:amd64"] + needs: + - job: gcc:alpine3.19:amd64 + artifacts: true -# Jobs for regular GCC builds on CentOS 6 (amd64) +# Jobs for regular GCC builds on Oracle Linux 7 (amd64) -gcc:centos6:amd64: +gcc:oraclelinux7:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error" - <<: *centos_centos6_amd64_image + # -Wno-address suppresses isc_buffer macro warnings + CFLAGS: "${CFLAGS_COMMON} -Wno-address" + EXTRA_CONFIGURE: "--with-libidn2" + <<: *oraclelinux_7_amd64_image <<: *build_job -system:gcc:centos6:amd64: - <<: *centos_centos6_amd64_image +system:gcc:oraclelinux7:amd64: + <<: *oraclelinux_7_amd64_image <<: *system_test_job - dependencies: - - gcc:centos6:amd64 - needs: ["gcc:centos6:amd64"] + needs: + - job: gcc:oraclelinux7:amd64 + artifacts: true -unit:gcc:centos6:amd64: - <<: *centos_centos6_amd64_image +unit:gcc:oraclelinux7:amd64: + <<: *oraclelinux_7_amd64_image <<: *unit_test_job - dependencies: - - 
gcc:centos6:amd64 - needs: ["gcc:centos6:amd64"] + needs: + - job: gcc:oraclelinux7:amd64 + artifacts: true -# Jobs for regular GCC builds on CentOS 7 (amd64) +# Jobs for regular GCC builds on Oracle Linux 8 (amd64) -gcc:centos7:amd64: +gcc:oraclelinux8:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" - <<: *centos_centos7_amd64_image + EXTRA_CONFIGURE: "--enable-buffer-useinline --with-libidn2" + <<: *oraclelinux_8_amd64_image <<: *build_job -system:gcc:centos7:amd64: - <<: *centos_centos7_amd64_image +system:gcc:oraclelinux8:amd64: + <<: *oraclelinux_8_amd64_image <<: *system_test_job - dependencies: - - gcc:centos7:amd64 - needs: ["gcc:centos7:amd64"] + needs: + - job: gcc:oraclelinux8:amd64 + artifacts: true -unit:gcc:centos7:amd64: - <<: *centos_centos7_amd64_image +unit:gcc:oraclelinux8:amd64: + <<: *oraclelinux_8_amd64_image <<: *unit_test_job - dependencies: - - gcc:centos7:amd64 - needs: ["gcc:centos7:amd64"] + needs: + - job: gcc:oraclelinux8:amd64 + artifacts: true -# Jobs for regular GCC builds on CentOS 8 (amd64) +# Jobs for regular GCC builds on Oracle Linux 9 (amd64) -gcc:centos8:amd64: +gcc:oraclelinux9:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--with-libidn2" - <<: *centos_centos8_amd64_image + EXTRA_CONFIGURE: "--with-libidn2 --disable-developer" + <<: *oraclelinux_9_amd64_image <<: *build_job -system:gcc:centos8:amd64: - <<: *centos_centos8_amd64_image +system:gcc:oraclelinux9:amd64: + <<: *oraclelinux_9_amd64_image <<: *system_test_job - dependencies: - - gcc:centos8:amd64 - needs: ["gcc:centos8:amd64"] + needs: + - job: gcc:oraclelinux9:amd64 + artifacts: true -unit:gcc:centos8:amd64: - <<: *centos_centos8_amd64_image +unit:gcc:oraclelinux9:amd64: + <<: *oraclelinux_9_amd64_image <<: *unit_test_job - dependencies: - - gcc:centos8:amd64 - needs: ["gcc:centos8:amd64"] + needs: + - job: gcc:oraclelinux9:amd64 + artifacts: true + +gcc:tarball:nosphinx: + 
variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2 --disable-developer" + RUN_MAKE_INSTALL: 1 + <<: *oraclelinux_9_amd64_image + <<: *build_job + before_script: + - (! command -v sphinx-build >/dev/null) + - tar --extract --file bind-*.tar.xz + - rm -f bind-*.tar.xz + - cd bind-* + needs: + - job: tarball-create + artifacts: true -# Jobs for regular GCC builds on Debian 8 Jessie (amd64) +# Jobs for regular GCC builds on Debian 10 "buster" (amd64) -gcc:jessie:amd64: +gcc:buster:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O2" - EXTRA_CONFIGURE: "--without-cmocka --with-python --disable-geoip" - <<: *debian_jessie_amd64_image + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2" + <<: *debian_buster_amd64_image <<: *build_job + <<: *api_schedules_tags_triggers_web_triggering_rules -system:gcc:jessie:amd64: - <<: *debian_jessie_amd64_image +system:gcc:buster:amd64: + <<: *debian_buster_amd64_image <<: *system_test_job - dependencies: - - gcc:jessie:amd64 - needs: ["gcc:jessie:amd64"] + <<: *api_schedules_tags_triggers_web_triggering_rules + needs: + - job: gcc:buster:amd64 + artifacts: true -unit:gcc:jessie:amd64: - <<: *debian_jessie_amd64_image +unit:gcc:buster:amd64: + <<: *debian_buster_amd64_image <<: *unit_test_job - dependencies: - - gcc:jessie:amd64 - needs: ["gcc:jessie:amd64"] + <<: *api_schedules_tags_triggers_web_triggering_rules + needs: + - job: gcc:buster:amd64 + artifacts: true -# Jobs for regular GCC builds on Debian 9 Stretch (amd64) +# Jobs for Debian 11 "bullseye" (amd64) -gcc:stretch:amd64: +clang:bullseye:amd64: variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O2" - <<: *debian_stretch_amd64_image + CC: ${CLANG} + CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion" + <<: *debian_bullseye_amd64_image <<: *build_job -system:gcc:stretch:amd64: - <<: *debian_stretch_amd64_image +system:clang:bullseye:amd64: + <<: *debian_bullseye_amd64_image <<: *system_test_job - dependencies: - - gcc:stretch:amd64 - 
needs: ["gcc:stretch:amd64"] + needs: + - job: clang:bullseye:amd64 + artifacts: true -unit:gcc:stretch:amd64: - <<: *debian_stretch_amd64_image +unit:clang:bullseye:amd64: + <<: *debian_bullseye_amd64_image <<: *unit_test_job - dependencies: - - gcc:stretch:amd64 - needs: ["gcc:stretch:amd64"] - -# Jobs for regular GCC builds on Debian 10 Buster (amd64) + needs: + - job: clang:bullseye:amd64 + artifacts: true -gcc:buster:amd64: +gcc:bullseye:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - <<: *debian_buster_amd64_image + EXTRA_CONFIGURE: "--with-libidn2" + <<: *debian_bullseye_amd64_image <<: *build_job -system:gcc:buster:amd64: - <<: *debian_buster_amd64_image +system:gcc:bullseye:amd64: + <<: *debian_bullseye_amd64_image <<: *system_test_job - dependencies: - - gcc:buster:amd64 - needs: ["gcc:buster:amd64"] + needs: + - job: gcc:bullseye:amd64 + artifacts: true -unit:gcc:buster:amd64: - <<: *debian_buster_amd64_image +unit:gcc:bullseye:amd64: + <<: *debian_bullseye_amd64_image <<: *unit_test_job - dependencies: - - gcc:buster:amd64 - needs: ["gcc:buster:amd64"] - -# Jobs for scan-build builds on Debian Buster (amd64) - -.scan_build: &scan_build | - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" \ - --keep-cc \ - --status-bugs \ - --keep-going \ - -o scan-build.reports \ - make -j${BUILD_PARALLEL_JOBS:-1} all V=1 + needs: + - job: gcc:bullseye:amd64 + artifacts: true + +# Jobs for regular GCC builds on Debian 12 "bookworm" (amd64) + +gcc:bookworm:amd64: + variables: + BUILD_CONTRIB: 1 + CC: gcc + CFLAGS: "${CFLAGS_COMMON} --coverage -O0" + EXTRA_CONFIGURE: "--with-libidn2" + LDFLAGS: "--coverage" + RUN_MAKE_INSTALL: 1 + <<: *debian_bookworm_amd64_image + <<: *build_job + +system:gcc:bookworm:amd64: + <<: *debian_bookworm_amd64_image + <<: *system_test_gcov_job + variables: + CI_ENABLE_ALL_TESTS: 1 + needs: + - job: unit:gcc:bookworm:amd64 + artifacts: true + +unit:gcc:bookworm:amd64: + <<: *debian_bookworm_amd64_image + <<: *unit_test_gcov_job 
+ variables: + CI_ENABLE_ALL_TESTS: 1 + needs: + - job: gcc:bookworm:amd64 + artifacts: true + +# Build job for cross-compiled GCC builds on 64-bit Debian 12 "bookworm" +# (amd64) with 32-bit BIND 9. -scan-build:buster:amd64: +gcc:bookworm:amd64cross32: + variables: + BUILD_CC: gcc + BUILD_CFLAGS: "${CFLAGS_COMMON}" + CFLAGS: "${CFLAGS_COMMON}" + CROSS_COMPILATION: 1 + EXTRA_CONFIGURE: "--build=x86_64-linux-gnu --host=i686-linux-gnu --with-libidn2" + <<: *debian_bookworm_amd64cross32_image + <<: *build_job + +# Jobs for scan-build builds on Debian 12 "bookworm" (amd64) + +.scan_build: &scan_build + - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" + --keep-cc + --status-bugs + --keep-going + -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1 + +scan-build: <<: *default_triggering_rules - <<: *debian_buster_amd64_image + <<: *base_image stage: postcheck variables: CC: "${CLANG}" CFLAGS: "${CFLAGS_COMMON}" CONFIGURE: "${SCAN_BUILD} ./configure" - EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" + EXTRA_CONFIGURE: "--with-libidn2" script: - *configure - *scan_build - dependencies: - - autoreconf:sid:amd64 - needs: - - autoreconf:sid:amd64 artifacts: paths: - scan-build.reports/ - expire_in: "1 day" when: on_failure + needs: [] -# Jobs for regular GCC builds on Debian Sid (amd64) +# Jobs for regular GCC builds on Debian "sid" (amd64) +# Also tests configration option: --without-lmdb. 
gcc:sid:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -O3" - EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" + EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb" RUN_MAKE_INSTALL: 1 - MAKE: bear make <<: *debian_sid_amd64_image <<: *build_job system:gcc:sid:amd64: <<: *debian_sid_amd64_image <<: *system_test_job - dependencies: - - gcc:sid:amd64 - needs: ["gcc:sid:amd64"] + needs: + - job: gcc:sid:amd64 + artifacts: true unit:gcc:sid:amd64: <<: *debian_sid_amd64_image <<: *unit_test_job - dependencies: - - gcc:sid:amd64 - needs: ["gcc:sid:amd64"] - -cppcheck:gcc:sid:amd64: - <<: *debian_sid_amd64_image - <<: *cppcheck_job - dependencies: - - gcc:sid:amd64 - needs: ["gcc:sid:amd64"] + needs: + - job: gcc:sid:amd64 + artifacts: true -# Job for out-of-tree GCC build on Debian Sid (amd64) +# Job for out-of-tree GCC build on Debian 12 "bookworm" (amd64) +# Also tests configration option: --with-lmdb. -oot:sid:amd64: +gcc:out-of-tree: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O3" + CFLAGS: "${CFLAGS_COMMON} -Og" CONFIGURE: ../configure - EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" + EXTRA_CONFIGURE: "--with-libidn2 --with-lmdb" + SKIP_MAKE_DEPEND: 1 RUN_MAKE_INSTALL: 1 OOT_BUILD_WORKSPACE: workspace - <<: *debian_sid_amd64_image + <<: *base_image <<: *build_job -# Jobs for tarball GCC builds on Debian Sid (amd64) +# Jobs for tarball GCC builds on Debian 12 "bookworm" (amd64) -tarball:sid:amd64: +gcc:tarball: variables: CC: gcc - EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" + EXTRA_CONFIGURE: "--with-libidn2" RUN_MAKE_INSTALL: 1 - <<: *debian_sid_amd64_image + <<: *base_image <<: *build_job before_script: - - tar --extract --file bind-*.tar.${TARBALL_EXTENSION} - - rm -f bind-*.tar.${TARBALL_EXTENSION} + - tar --extract --file bind-*.tar.xz + - rm -f bind-*.tar.xz - cd bind-* - dependencies: - - tarball-create:sid:amd64 - needs: ["tarball-create:sid:amd64"] - only: - - tags + needs: + - job: tarball-create + artifacts: true 
-system:tarball:sid:amd64: - <<: *debian_sid_amd64_image +system:gcc:tarball: + <<: *base_image <<: *system_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules before_script: - cd bind-* - *setup_interfaces - dependencies: - - tarball:sid:amd64 - needs: ["tarball:sid:amd64"] - only: - - tags + needs: + - job: gcc:tarball + artifacts: true -unit:tarball:sid:amd64: - <<: *debian_sid_amd64_image +unit:gcc:tarball: + <<: *base_image <<: *unit_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules before_script: - cd bind-* - dependencies: - - tarball:sid:amd64 - needs: ["tarball:sid:amd64"] - only: - - tags - -# Jobs for regular GCC builds on Debian Sid (arm64) - -gcc:sid:arm64: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O3" - EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" - RUN_MAKE_INSTALL: 1 - MAKE: bear make - <<: *debian_sid_arm64_image - <<: *build_job - -system:gcc:sid:arm64: - <<: *debian_sid_arm64_image - <<: *system_test_job - dependencies: - - gcc:sid:arm64 - needs: ["gcc:sid:arm64"] - -unit:gcc:sid:arm64: - <<: *debian_sid_arm64_image - <<: *unit_test_job - dependencies: - - gcc:sid:arm64 - needs: ["gcc:sid:arm64"] - -cppcheck:gcc:sid:arm64: - <<: *debian_sid_arm64_image - <<: *cppcheck_job - dependencies: - - gcc:sid:arm64 - needs: ["gcc:sid:arm64"] - -# Jobs for regular GCC builds on Debian Sid (i386) - -gcc:sid:i386: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2 --without-python" - <<: *debian_sid_i386_image - <<: *build_job - -system:gcc:sid:i386: - <<: *debian_sid_i386_image - <<: *system_test_job - dependencies: - - gcc:sid:i386 - needs: ["gcc:sid:i386"] - -unit:gcc:sid:i386: - <<: *debian_sid_i386_image - <<: *unit_test_job - dependencies: - - gcc:sid:i386 - needs: ["gcc:sid:i386"] + needs: + - job: gcc:tarball + artifacts: true -# Jobs for regular GCC builds on openSUSE Tumbleweed (amd64) +# Jobs for debug GCC builds on openSUSE Tumbleweed (amd64) 
gcc:tumbleweed:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON}" + CFLAGS: "${CFLAGS_COMMON} -DDEBUG" EXTRA_CONFIGURE: "--with-libidn2" <<: *tumbleweed_latest_amd64_image <<: *build_job 
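Review bot: The new `danger` job runs `pip install git+https://gitlab.isc.org/isc-projects/hazard.git` with no ref, so every merge-request pipeline executes whatever is currently on that repository's default branch while `$DANGER_GITLAB_API_TOKEN` is in the environment; a compromised or merely broken commit there inherits the token's access. Pin the tool to a reviewed revision, `- pip install git+https://gitlab.isc.org/isc-projects/hazard.git@<commit-sha>`, and bump it deliberately. The same applies to the `reuse` job's `image: docker.io/fsfe/reuse:latest`, which should be pinned by tag or digest so a precheck cannot change behaviour (or pull foreign code) between two runs of the same commit. Separately, the `checkbashisms` line substitutes `{}` inside a `sh -c` string; passing the path as an argument, `sh -c 'head -n 1 "$1" | grep -qsF "#!/bin/sh"' sh {}`, avoids having file names re-parsed by the shell.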
@@ -812,336 +1000,333 @@ system:gcc:tumbleweed:amd64: <<: *tumbleweed_latest_amd64_image <<: *system_test_job - dependencies: - - gcc:tumbleweed:amd64 - needs: ["gcc:tumbleweed:amd64"] + needs: + - job: gcc:tumbleweed:amd64 + artifacts: true unit:gcc:tumbleweed:amd64: <<: *tumbleweed_latest_amd64_image <<: *unit_test_job - dependencies: - - gcc:tumbleweed:amd64 - needs: ["gcc:tumbleweed:amd64"] + needs: + - job: gcc:tumbleweed:amd64 + artifacts: true -# Jobs for regular GCC builds on Fedora 31 (amd64) +# Jobs for regular GCC builds on Ubuntu 20.04 Focal Fossa (amd64) -gcc:fedora31:amd64: +gcc:focal:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O1" - EXTRA_CONFIGURE: "--with-libidn2" - <<: *fedora_31_amd64_image + CFLAGS: "${CFLAGS_COMMON} -Og" + EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr --disable-geoip" + <<: *ubuntu_focal_amd64_image <<: *build_job -system:gcc:fedora31:amd64: - <<: *fedora_31_amd64_image +system:gcc:focal:amd64: + <<: *ubuntu_focal_amd64_image <<: *system_test_job - dependencies: - - gcc:fedora31:amd64 - needs: ["gcc:fedora31:amd64"] + needs: + - job: gcc:focal:amd64 + artifacts: true -unit:gcc:fedora31:amd64: - <<: *fedora_31_amd64_image +unit:gcc:focal:amd64: + <<: *ubuntu_focal_amd64_image <<: *unit_test_job - dependencies: - - gcc:fedora31:amd64 - needs: ["gcc:fedora31:amd64"] + needs: + - job: gcc:focal:amd64 + artifacts: true -# Jobs for regular GCC builds on Ubuntu 16.04 Xenial Xerus (amd64) +# Jobs for regular GCC builds on Ubuntu 22.04 Jammy Jellyfish (amd64) -gcc:xenial:amd64: +gcc:jammy:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -O2" - EXTRA_CONFIGURE: "--disable-geoip" - <<: *ubuntu_xenial_amd64_image + EXTRA_CONFIGURE: "--with-libidn2 --disable-dnstap --with-gssapi --without-cmocka" + <<: *ubuntu_jammy_amd64_image <<: *build_job -system:gcc:xenial:amd64: - <<: *ubuntu_xenial_amd64_image +system:gcc:jammy:amd64: + <<: *ubuntu_jammy_amd64_image <<: *system_test_job - dependencies: - - gcc:xenial:amd64 - 
needs: ["gcc:xenial:amd64"] + needs: + - job: gcc:jammy:amd64 + artifacts: true -unit:gcc:xenial:amd64: - <<: *ubuntu_xenial_amd64_image +unit:gcc:jammy:amd64: + <<: *ubuntu_jammy_amd64_image <<: *unit_test_job - dependencies: - - gcc:xenial:amd64 - needs: ["gcc:xenial:amd64"] + needs: + - job: gcc:jammy:amd64 + artifacts: true -# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64) +# Jobs for ASAN builds on Fedora 39 (amd64) -gcc:bionic:amd64: +gcc:asan: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -Og" + CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" + LDFLAGS: "-fsanitize=address,undefined" EXTRA_CONFIGURE: "--with-libidn2" - <<: *ubuntu_bionic_amd64_image + <<: *fedora_39_amd64_image <<: *build_job -system:gcc:bionic:amd64: - <<: *ubuntu_bionic_amd64_image +system:gcc:asan: + <<: *fedora_39_amd64_image <<: *system_test_job - dependencies: - - gcc:bionic:amd64 - needs: ["gcc:bionic:amd64"] + needs: + - job: gcc:asan + artifacts: true -unit:gcc:bionic:amd64: - <<: *ubuntu_bionic_amd64_image +unit:gcc:asan: + <<: *fedora_39_amd64_image <<: *unit_test_job - dependencies: - - gcc:bionic:amd64 - needs: ["gcc:bionic:amd64"] - -# Jobs for GCC builds with ASAN enabled on Debian Sid (amd64) + needs: + - job: gcc:asan + artifacts: true -asan:sid:amd64: +clang:asan: variables: - CC: gcc + CC: ${CLANG} CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=address,undefined" EXTRA_CONFIGURE: "--with-libidn2" - <<: *debian_sid_amd64_image + <<: *base_image <<: *build_job -system:asan:sid:amd64: - variables: - ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON} - <<: *debian_sid_amd64_image +system:clang:asan: + <<: *base_image <<: *system_test_job - dependencies: - - asan:sid:amd64 - needs: ["asan:sid:amd64"] + needs: + - job: clang:asan + artifacts: true -unit:asan:sid:amd64: - variables: - ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON} - <<: *debian_sid_amd64_image +unit:clang:asan: + <<: 
*base_image <<: *unit_test_job - dependencies: - - asan:sid:amd64 - needs: ["asan:sid:amd64"] + needs: + - job: clang:asan + artifacts: true -# Jobs for GCC builds with TSAN enabled on Debian Sid (amd64) +# Jobs for TSAN builds on Fedora 39 (amd64) -tsan:buster:amd64: - <<: *debian_buster_amd64_image - <<: *build_job +gcc:tsan: variables: - CC: "${CLANG}" + CC: gcc CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=thread" EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock" + <<: *tsan_fedora_39_amd64_image + <<: *build_job -system:tsan:buster:amd64: +system:gcc:tsan: variables: - TSAN_OPTIONS: "second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=$SYMBOLIZER exitcode=0" - before_script: - - *setup_interfaces - - echo $TSAN_OPTIONS - <<: *debian_buster_amd64_image - <<: *system_test_job - dependencies: - - tsan:buster:amd64 - needs: ["tsan:buster:amd64"] - allow_failure: true - after_script: - - find bin -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; - artifacts: - expire_in: "1 day" - paths: - - bin/tests/system/*/tsan.* - - bin/tests/system/*/*/tsan.* - - tsan/ - when: on_failure + TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}" + <<: *tsan_fedora_39_amd64_image + <<: *system_test_tsan_job + needs: + - job: gcc:tsan + artifacts: true -unit:tsan:buster:amd64: +unit:gcc:tsan: variables: - TSAN_OPTIONS: "second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=$SYMBOLIZER" - before_script: - - echo $TSAN_OPTIONS - - lib/isc/tests/result_test - <<: *debian_buster_amd64_image - <<: *unit_test_job - dependencies: - - tsan:buster:amd64 - needs: ["tsan:buster:amd64"] - allow_failure: true - after_script: - - find lib -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; - artifacts: - expire_in: "1 day" - paths: - - lib/*/tests/tsan.* - - tsan/ - - kyua.log - - kyua.results - - kyua_html/ - when: on_failure + TSAN_OPTIONS: 
"${TSAN_OPTIONS_FEDORA}" + <<: *tsan_fedora_39_amd64_image + <<: *unit_test_tsan_job + needs: + - job: gcc:tsan + artifacts: true -rwlock:sid:amd64: +clang:tsan: + <<: *tsan_debian_bookworm_amd64_image + <<: *build_job variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -Wall -Wextra -O2 -g -DISC_MEM_USE_INTERNAL_MALLOC=0" + CC: "${CLANG}" + CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" + LDFLAGS: "-fsanitize=thread" EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock" - <<: *debian_sid_amd64_image - <<: *build_job -system:rwlock:sid:amd64: - <<: *debian_sid_amd64_image - <<: *system_test_job - dependencies: - - rwlock:sid:amd64 - needs: ["rwlock:sid:amd64"] - -unit:rwlock:sid:amd64: - <<: *debian_sid_amd64_image - <<: *unit_test_job - dependencies: - - rwlock:sid:amd64 - needs: ["rwlock:sid:amd64"] - -# Jobs for mutex-based atomics on Debian SID (amd64) -mutexatomics:sid:amd64: +system:clang:tsan: variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -DISC_MEM_USE_INTERNAL_MALLOC=0" - EXTRA_CONFIGURE: "--with-libidn2 --enable-mutex-atomics" - <<: *debian_sid_amd64_image - <<: *build_job - -system:mutexatomics:sid:amd64: - <<: *debian_sid_amd64_image - <<: *system_test_job - dependencies: - - mutexatomics:sid:amd64 - needs: ["mutexatomics:sid:amd64"] + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + <<: *tsan_debian_bookworm_amd64_image + <<: *system_test_tsan_job + needs: + - job: clang:tsan + artifacts: true -unit:mutexatomics:sid:amd64: - <<: *debian_sid_amd64_image - <<: *unit_test_job - dependencies: - - mutexatomics:sid:amd64 - needs: ["mutexatomics:sid:amd64"] +unit:clang:tsan: + variables: + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + <<: *tsan_debian_bookworm_amd64_image + <<: *unit_test_tsan_job + needs: + - job: clang:tsan + artifacts: true -# Jobs for Clang builds on Debian Stretch (amd64) +# Jobs for Clang builds on Debian 12 "bookworm" (amd64) -clang:stretch:amd64: +clang:bookworm:amd64: variables: - CC: clang + BUILD_CONTRIB: 1 + 
CC: ${CLANG} CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion" EXTRA_CONFIGURE: "--with-python=python3" - <<: *debian_stretch_amd64_image + RUN_MAKE_INSTALL: 1 + <<: *debian_bookworm_amd64_image <<: *build_job -unit:clang:stretch:amd64: - <<: *debian_stretch_amd64_image +system:clang:bookworm:amd64: + <<: *debian_bookworm_amd64_image + <<: *system_test_job + needs: + - job: clang:bookworm:amd64 + artifacts: true + +unit:clang:bookworm:amd64: + <<: *debian_bookworm_amd64_image <<: *unit_test_job - dependencies: - - clang:stretch:amd64 - needs: ["clang:stretch:amd64"] + needs: + - job: clang:bookworm:amd64 + artifacts: true -# Jobs for Clang builds on Debian Stretch (i386) +# Jobs for PKCS#11-enabled builds -clang:stretch:i386: +clang:softhsm2.6: variables: - CC: clang - CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion" - EXTRA_CONFIGURE: "--with-python=python2" - <<: *debian_stretch_i386_image + CC: "${CLANG}" + CFLAGS: "${CFLAGS_COMMON} -O1" + EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so" + <<: *debian_bullseye_amd64_image <<: *build_job -# Jobs for PKCS#11-enabled GCC builds on Debian Sid (amd64) +system:clang:softhsm2.6: + variables: + DISABLE_ALGORITHM_SUPPORT_CHECKING: 1 + <<: *debian_bullseye_amd64_image + <<: *system_test_job + needs: + - job: clang:softhsm2.6 + artifacts: true -pkcs11:sid:amd64: +unit:clang:softhsm2.6: + <<: *debian_bullseye_amd64_image + <<: *unit_test_job + needs: + - job: clang:softhsm2.6 + artifacts: true + +gcc:softhsm2.6: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so" - <<: *debian_sid_amd64_image + CFLAGS: "${CFLAGS_COMMON} -O1" + EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so" + <<: *debian_bookworm_amd64_image <<: *build_job -system:pkcs11:sid:amd64: - <<: *debian_sid_amd64_image +system:gcc:softhsm2.6: + variables: + 
DISABLE_ALGORITHM_SUPPORT_CHECKING: 1 + <<: *debian_bookworm_amd64_image <<: *system_test_job - dependencies: - - pkcs11:sid:amd64 - needs: ["pkcs11:sid:amd64"] + needs: + - job: gcc:softhsm2.6 + artifacts: true -unit:pkcs11:sid:amd64: - <<: *debian_sid_amd64_image +unit:gcc:softhsm2.6: + <<: *debian_bookworm_amd64_image <<: *unit_test_job - dependencies: - - pkcs11:sid:amd64 - needs: ["pkcs11:sid:amd64"] + needs: + - job: gcc:softhsm2.6 + artifacts: true -# Jobs for Clang builds on FreeBSD 11.3 (amd64) +# Jobs for Clang builds on FreeBSD 12 (amd64) -clang:freebsd11.3:amd64: +clang:freebsd12:amd64: variables: CFLAGS: "${CFLAGS_COMMON}" - <<: *freebsd_amd64 + EXTRA_CONFIGURE: "--with-gssapi=krb5-config" + USER: gitlab-runner + <<: *freebsd_12_amd64_image <<: *build_job -system:clang:freebsd11.3:amd64: - <<: *freebsd_amd64 +system:clang:freebsd12:amd64: + <<: *freebsd_12_amd64_image <<: *system_test_job - dependencies: - - clang:freebsd11.3:amd64 - needs: ["clang:freebsd11.3:amd64"] + variables: + USER: gitlab-runner + needs: + - job: clang:freebsd12:amd64 + artifacts: true -unit:clang:freebsd11.3:amd64: - <<: *freebsd_amd64 +unit:clang:freebsd12:amd64: + <<: *freebsd_12_amd64_image <<: *unit_test_job - dependencies: - - clang:freebsd11.3:amd64 - needs: ["clang:freebsd11.3:amd64"] + needs: + - job: clang:freebsd12:amd64 + artifacts: true -# Jobs for Clang builds on FreeBSD 12.0 (amd64) +# Jobs for Clang builds on FreeBSD 13 (amd64) -clang:freebsd12.0:amd64: +clang:freebsd13:amd64: variables: CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--enable-dnstap" - <<: *freebsd_amd64 + EXTRA_CONFIGURE: "--with-gssapi=/usr/bin/krb5-config" + USER: gitlab-runner + <<: *freebsd_13_amd64_image <<: *build_job -system:clang:freebsd12.0:amd64: - <<: *freebsd_amd64 +system:clang:freebsd13:amd64: + <<: *freebsd_13_amd64_image <<: *system_test_job - dependencies: - - clang:freebsd12.0:amd64 - needs: ["clang:freebsd12.0:amd64"] + variables: + USER: gitlab-runner + needs: + - job: 
clang:freebsd13:amd64 + artifacts: true -unit:clang:freebsd12.0:amd64: - <<: *freebsd_amd64 +unit:clang:freebsd13:amd64: + <<: *freebsd_13_amd64_image <<: *unit_test_job - dependencies: - - clang:freebsd12.0:amd64 - needs: ["clang:freebsd12.0:amd64"] + needs: + - job: clang:freebsd13:amd64 + artifacts: true -# Jobs for Clang builds on OpenBSD 6.6 (amd64) +# Jobs for Clang builds on FreeBSD 14 (amd64) -clang:openbsd6.6:amd64: +clang:freebsd14:amd64: variables: - CC: clang + CFLAGS: "${CFLAGS_COMMON}" + # Disable BIND 9 GSS-API support because of Heimdal incompatibility; see FreeBSD bug #275241. + EXTRA_CONFIGURE: "${WITH_READLINE_LIBEDIT} --without-gssapi" USER: gitlab-runner - <<: *openbsd_amd64 + <<: *freebsd_14_amd64_image <<: *build_job -system:clang:openbsd6.6:amd64: - <<: *openbsd_amd64 +system:clang:freebsd14:amd64: + <<: *freebsd_14_amd64_image <<: *system_test_job variables: USER: gitlab-runner - dependencies: - - clang:openbsd6.6:amd64 - needs: ["clang:openbsd6.6:amd64"] - only: - - schedules - - web + needs: + - job: clang:freebsd14:amd64 + artifacts: true + +unit:clang:freebsd14:amd64: + <<: *freebsd_14_amd64_image + <<: *unit_test_job + needs: + - job: clang:freebsd14:amd64 + artifacts: true + +# Jobs for Clang builds on OpenBSD (amd64) + +clang:openbsd:amd64: + variables: + CC: clang + USER: gitlab-runner + EXTRA_CONFIGURE: "--disable-dnstap" + <<: *openbsd_amd64_image + <<: *build_job # Jobs with libtool disabled 
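Review bot: The `gcc:asan` and `clang:asan` jobs compile with `-fsanitize=address,undefined`, but nothing visible makes an undefined-behaviour report fatal: UBSan recovers and keeps running by default in both GCC and Clang, and the per-job `ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}` lines have been dropped in favour of something defined outside this hunk. Unless the global variables block sets `UBSAN_OPTIONS` with `halt_on_error=1` (or `CFLAGS_COMMON` already carries `-fno-sanitize-recover`), UB findings would be logged while the pipeline stays green, which defeats the purpose of the sanitizer job. Making it explicit in the job itself removes the dependency on the environment, e.g. `CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -fno-sanitize-recover=all -DISC_MEM_USE_INTERNAL_MALLOC=0"` with the matching flag in `LDFLAGS`.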
@@ -1156,54 +1341,57 @@ system:nolibtool:sid:amd64: <<: *debian_sid_amd64_image <<: *system_test_job - dependencies: - - nolibtool:sid:amd64 - needs: ["nolibtool:sid:amd64"] + needs: + - job: nolibtool:sid:amd64 + artifacts: true unit:nolibtool:sid:amd64: <<: *debian_sid_amd64_image <<: *unit_test_job - dependencies: - - nolibtool:sid:amd64 - needs: ["nolibtool:sid:amd64"] + needs: + - job: nolibtool:sid:amd64 + artifacts: true # Jobs for Visual Studio 2017 builds on Windows (amd64) msvc:windows:amd64: + <<: *windows_server_2016_amd64_image <<: *windows_build_job <<: *default_triggering_rules variables: VSCONF: Release system:msvc:windows:amd64: + <<: *windows_server_2016_amd64_image <<: *windows_system_test_job + <<: *default_triggering_rules variables: VSCONF: Release - dependencies: - - msvc:windows:amd64 - needs: ["msvc:windows:amd64"] + needs: + - job: msvc:windows:amd64 + artifacts: true msvc-debug:windows:amd64: + <<: *windows_server_2016_amd64_image <<: *windows_build_job + <<: *api_schedules_tags_triggers_web_triggering_rules variables: VSCONF: Debug - only: - - schedules - - tags - - web system:msvc-debug:windows:amd64: + <<: *windows_server_2016_amd64_image <<: *windows_system_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules variables: VSCONF: Debug - dependencies: - - msvc-debug:windows:amd64 - needs: ["msvc-debug:windows:amd64"] + needs: + - job: msvc-debug:windows:amd64 + artifacts: true -# Job producing a release tarball +# Job producing a release directory -release:sid:amd64: - <<: *debian_sid_amd64_image +release: + <<: *base_image stage: release script: # Determine BIND version 
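Review bot: The rewritten `release:` job now takes its container image from the `*base_image` anchor instead of the previously pinned `*debian_sid_amd64_image`, and nothing in this hunk shows whether that anchor resolves to a pinned, digest-addressed image; for the job that assembles the release tarball and Windows zips, a floating image tag makes the artifacts non-reproducible and widens the build's supply-chain exposure. If `base_image` is not already pinned where it is defined (outside this hunk), I would pin it there or keep a dedicated pinned image for the `release` stage, e.g. `release:` followed by `  <<: *debian_sid_amd64_image` as before. The `needs:`/`artifacts: true` rewrite in the `nolibtool` and `msvc` jobs above is fine as written, though `artifacts: true` is GitLab's default and the explicit key only documents intent. The `release:` job's `script:` continues past the end of this hunk.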
@@ -1214,77 +1402,121 @@ - find Build/Debug/ \( -name "*.bsc" -o -name "*.idb" \) -print -delete - find Build/ -regextype posix-extended -regex "Build/.*/($(find bin/tests/ -type f | sed -nE "s|^bin/tests(/system)?/win32/(.*)\.vcxproj$|\2|p" | paste -d"|" -s))\..*" -print -delete # Create Windows zips - - openssl dgst -sha256 "${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" | tee Build/Release/SHA256 Build/Debug/SHA256 + - openssl dgst -sha256 "${BIND_DIRECTORY}.tar.xz" | tee Build/Release/SHA256 Build/Debug/SHA256 + - cp "doc/arm/_build/latex/Bv9ARM.pdf" Build/Release/ + - cp "doc/arm/_build/latex/Bv9ARM.pdf" Build/Debug/ - ( cd Build/Release; zip "../../BIND${BIND_DIRECTORY#bind-}.x64.zip" * ) - ( cd Build/Debug; zip "../../BIND${BIND_DIRECTORY#bind-}.debug.x64.zip" * ) # Prepare release tarball contents (tarballs + zips + documentation) - - mkdir -p release/doc/arm - - pushd release - - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip . - - tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" + - mkdir -p "${BIND_DIRECTORY}-release/doc/arm" + - pushd "${BIND_DIRECTORY}-release" + - mv "../${BIND_DIRECTORY}.tar.xz" ../BIND*.zip . + - tar --extract --file="${BIND_DIRECTORY}.tar.xz" - mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README,srcid} . - - mv "${BIND_DIRECTORY}"/doc/arm/{Bv9ARM{*.html,.pdf},man.*,notes.{html,pdf,txt}} doc/arm/ - rm -rf "${BIND_DIRECTORY}" - - cp doc/arm/notes.html "RELEASE-NOTES-${BIND_DIRECTORY}.html" - - cp doc/arm/notes.pdf "RELEASE-NOTES-${BIND_DIRECTORY}.pdf" - - cp doc/arm/notes.txt "RELEASE-NOTES-${BIND_DIRECTORY}.txt" + - mv "../doc/arm/_build/html" doc/arm/ + - mv "../doc/arm/_build/latex/Bv9ARM.pdf" doc/arm/ + - echo '
- named-checkconf - — named configuration file syntax checking tool -
-
- named-checkconf
- [-chjlvz
]
- [-p
- [-x
- ]]
- [-t
]
- (unknown)
- directory
named-checkconf
- checks the syntax, but not the semantics, of a
- named configuration file. The file is parsed
- and checked for syntax errors, along with all files included by it.
- If no file is specified, /etc/named.conf
is read
- by default.
-
- Note: files that named reads in separate
- parser contexts, such as rndc.key
and
- bind.keys
, are not automatically read
- by named-checkconf. Configuration
- errors in these files may cause named to
- fail to run, even if named-checkconf was
- successful. named-checkconf can be run
- on these files explicitly, however.
-
- Print the usage summary and exit. -
-- When loading a zonefile read the journal if it exists. -
-- List all the configured zones. Each line of output - contains the zone name, class (e.g. IN), view, and type - (e.g. master or slave). -
-- Check "core" configuration only. This suppresses the loading - of plugin modules, and causes all parameters to - plugin statements to be ignored. -
-- Ignore warnings on deprecated options. -
-
- Print out the named.conf
and included files
- in canonical form if no errors were detected.
- See also the -x
option.
-
directory
- Chroot to directory
so that include
- directives in the configuration file are processed as if
- run by a similarly chrooted named.
-
- Print the version of the named-checkconf - program and exit. -
-
- When printing the configuration files in canonical
- form, obscure shared secrets by replacing them with
- strings of question marks ('?'). This allows the
- contents of named.conf
and related
- files to be shared — for example, when submitting
- bug reports — without compromising private data.
- This option cannot be used without -p
.
-
- Perform a test load of all master zones found in
- named.conf
.
-
- The name of the configuration file to be checked. If not
- specified, it defaults to /etc/named.conf
.
-
- named-checkzone, - named-compilezone - — zone file validity checking or converting tool -
-
- named-checkzone
- [-d
]
- [-h
]
- [-j
]
- [-q
]
- [-v
]
- [-c
]
- [class
-f
]
- [format
-F
]
- [format
-J
]
- [filename
-i
]
- [mode
-k
]
- [mode
-m
]
- [mode
-M
]
- [mode
-n
]
- [mode
-l
]
- [ttl
-L
]
- [serial
-o
]
- [filename
-r
]
- [mode
-s
]
- [style
-S
]
- [mode
-t
]
- [directory
-T
]
- [mode
-w
]
- [directory
-D
]
- [-W
]
- {zonename}
- (unknown)
- mode
- named-compilezone
- [-d
]
- [-j
]
- [-q
]
- [-v
]
- [-c
]
- [class
-C
]
- [mode
-f
]
- [format
-F
]
- [format
-J
]
- [filename
-i
]
- [mode
-k
]
- [mode
-m
]
- [mode
-n
]
- [mode
-l
]
- [ttl
-L
]
- [serial
-r
]
- [mode
-s
]
- [style
-t
]
- [directory
-T
]
- [mode
-w
]
- [directory
-D
]
- [-W
]
- {mode
-o
}
- {zonename}
- (unknown)
- filename
named-checkzone - checks the syntax and integrity of a zone file. It performs the - same checks as named does when loading a - zone. This makes named-checkzone useful for - checking zone files before configuring them into a name server. -
-- named-compilezone is similar to - named-checkzone, but it always dumps the - zone contents to a specified file in a specified format. - Additionally, it applies stricter check levels by default, - since the dump output will be used as an actual zone file - loaded by named. - When manually specified otherwise, the check levels must at - least be as strict as those specified in the - named configuration file. -
-- Enable debugging. -
-- Print the usage summary and exit. -
-- Quiet mode - exit code only. -
-- Print the version of the named-checkzone - program and exit. -
-
- When loading a zone file, read the journal if it exists.
- The journal file name is assumed to be the zone file name
- appended with the string .jnl
.
-
filename
- When loading the zone file read the journal from the given - file, if it exists. (Implies -j.) -
-class
- Specify the class of the zone. If not specified, "IN" is assumed. -
-mode
- Perform post-load zone integrity checks. Possible modes are - "full" (default), - "full-sibling", - "local", - "local-sibling" and - "none". -
-- Mode "full" checks that MX records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode "local" only - checks MX records which refer to in-zone hostnames. -
-- Mode "full" checks that SRV records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode "local" only - checks SRV records which refer to in-zone hostnames. -
-- Mode "full" checks that delegation NS - records refer to A or AAAA record (both in-zone and out-of-zone - hostnames). It also checks that glue address records - in the zone match those advertised by the child. - Mode "local" only checks NS records which - refer to in-zone hostnames or that some required glue exists, - that is when the nameserver is in a child zone. -
-- Mode "full-sibling" and - "local-sibling" disable sibling glue - checks but are otherwise the same as "full" - and "local" respectively. -
-- Mode "none" disables the checks. -
-format
- Specify the format of the zone file. - Possible formats are "text" (default), - "raw", and "map". -
-format
- Specify the format of the output file specified. - For named-checkzone, - this does not cause any effects unless it dumps the zone - contents. -
-- Possible formats are "text" (default), - which is the standard textual representation of the zone, - and "map", "raw", - and "raw=N", which store the zone in a - binary format for rapid loading by named. - "raw=N" specifies the format version of - the raw zone file: if N is 0, the raw file can be read by - any version of named; if N is 1, the file - can be read by release 9.9.0 or higher; the default is 1. -
-mode
- Perform "check-names" checks with the - specified failure mode. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". -
-ttl
- Sets a maximum permissible TTL for the input file.
- Any record with a TTL higher than this value will cause
- the zone to be rejected. This is similar to using the
- max-zone-ttl option in
- named.conf
.
-
serial
- When compiling a zone to "raw" or "map" format, set the - "source serial" value in the header to the specified serial - number. (This is expected to be used primarily for testing - purposes.) -
-mode
- Specify whether MX records should be checked to see if they - are addresses. Possible modes are "fail", - "warn" (default) and - "ignore". -
-mode
- Check if a MX record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". -
-mode
- Specify whether NS records should be checked to see if they - are addresses. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". -
-filename
- Write zone output to filename
.
- If filename
is -
then
- write to standard out.
- This is mandatory for named-compilezone.
-
mode
- Check for records that are treated as different by DNSSEC but - are semantically equal in plain DNS. - Possible modes are "fail", - "warn" (default) and - "ignore". -
-style
- Specify the style of the dumped zone file. - Possible styles are "full" (default) - and "relative". - The full format is most suitable for processing - automatically by a separate script. - On the other hand, the relative format is more - human-readable and is thus suitable for editing by hand. - For named-checkzone - this does not cause any effects unless it dumps the zone - contents. - It also does not have any meaning if the output format - is not text. -
-mode
- Check if a SRV record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". -
-directory
- Chroot to directory
so that
- include
- directives in the configuration file are processed as if
- run by a similarly chrooted named.
-
mode
- Check if Sender Policy Framework (SPF) records exist - and issues a warning if an SPF-formatted TXT record is - not also present. Possible modes are "warn" - (default), "ignore". -
-directory
- chdir to directory
so that
- relative
- filenames in master file $INCLUDE directives work. This
- is similar to the directory clause in
- named.conf
.
-
- Dump zone file in canonical format. - This is always enabled for named-compilezone. -
-mode
- Specify whether to check for non-terminal wildcards. - Non-terminal wildcards are almost always the result of a - failure to understand the wildcard matching algorithm (RFC 1034). - Possible modes are "warn" (default) - and - "ignore". -
-- The domain name of the zone being checked. -
-- The name of the zone file. -
-- ddns-confgen - — ddns key generation tool -
-
- tsig-keygen
- [-a
]
- [algorithm
-h
]
- [name]
-
- ddns-confgen
- [-a
]
- [algorithm
-h
]
- [-k
]
- [keyname
-q
]
- [-r
]
- [
- -s randomfile
name
- | -z zone
- ]
-
- tsig-keygen and ddns-confgen - are invocation methods for a utility that generates keys for use - in TSIG signing. The resulting keys can be used, for example, - to secure dynamic DNS updates to a zone or for the - rndc command channel. -
- -
- When run as tsig-keygen, a domain name
- can be specified on the command line which will be used as
- the name of the generated key. If no name is specified,
- the default is tsig-key
.
-
- When run as ddns-confgen, the generated - key is accompanied by configuration text and instructions - that can be used with nsupdate and - named when setting up dynamic DNS, - including an example update-policy - statement. (This usage similar to the - rndc-confgen command for setting - up command channel security.) -
- -- Note that named itself can configure a - local DDNS key for use with nsupdate -l: - it does this when a zone is configured with - update-policy local;. - ddns-confgen is only needed when a - more elaborate configuration is required: for instance, - if nsupdate is to be used from a remote - system. -
-algorithm
- Specifies the algorithm to use for the TSIG key. Available - choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, - hmac-sha384 and hmac-sha512. The default is hmac-sha256. - Options are case-insensitive, and the "hmac-" prefix - may be omitted. -
-- Prints a short summary of options and arguments. -
-keyname
- Specifies the key name of the DDNS authentication key.
- The default is ddns-key
when neither
- the -s
nor -z
option is
- specified; otherwise, the default
- is ddns-key
as a separate label
- followed by the argument of the option, e.g.,
- ddns-key.example.com.
- The key name must have the format of a valid domain name,
- consisting of letters, digits, hyphens and periods.
-
- (ddns-confgen only.) Quiet mode: Print - only the key, with no explanatory text or usage examples; - This is essentially identical to tsig-keygen. -
-name
- (ddns-confgen only.)
- Generate configuration example to allow dynamic updates
- of a single hostname. The example named.conf
- text shows how to set an update policy for the specified
- name
- using the "name" nametype. The default key name is
- ddns-key.name
.
- Note that the "self" nametype cannot be used, since
- the name to be updated may differ from the key name.
- This option cannot be used with the -z
option.
-
zone
- (ddns-confgen only.)
- Generate configuration example to allow dynamic updates
- of a zone: The example named.conf text
- shows how to set an update policy for the specified
- zone
- using the "zonesub" nametype, allowing updates to
- all subdomain names within that
- zone
.
- This option cannot be used with the -s
option.
-
- rndc-confgen - — rndc key generation tool -
-
- rndc-confgen
- [-a
]
- [-A
]
- [algorithm
-b
]
- [keysize
-c
]
- [keyfile
-h
]
- [-k
]
- [keyname
-p
]
- [port
-s
]
- [address
-t
]
- [chrootdir
-u
]
- user
rndc-confgen
- generates configuration files
- for rndc. It can be used as a
- convenient alternative to writing the
- rndc.conf
file
- and the corresponding controls
- and key
- statements in named.conf
by hand.
- Alternatively, it can be run with the -a
- option to set up a rndc.key
file and
- avoid the need for a rndc.conf
file
- and a controls statement altogether.
-
- Do automatic rndc configuration.
- This creates a file rndc.key
- in /etc
(or whatever
- sysconfdir
- was specified as when BIND was
- built)
- that is read by both rndc
- and named on startup. The
- rndc.key
file defines a default
- command channel and authentication key allowing
- rndc to communicate with
- named on the local host
- with no further configuration.
-
- Running rndc-confgen -a allows
- BIND 9 and rndc to be used as
- drop-in
- replacements for BIND 8 and ndc,
- with no changes to the existing BIND 8
- named.conf
file.
-
- If a more elaborate configuration than that
- generated by rndc-confgen -a
- is required, for example if rndc is to be used remotely,
- you should run rndc-confgen without
- the
- -a option and set up a
- rndc.conf
and
- named.conf
- as directed.
-
algorithm
- Specifies the algorithm to use for the TSIG key. Available - choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, - hmac-sha384 and hmac-sha512. The default is hmac-sha256. -
-keysize
- Specifies the size of the authentication key in bits. - Must be between 1 and 512 bits; the default is the - hash size. -
-keyfile
- Used with the -a option to specify
- an alternate location for rndc.key
.
-
- Prints a short summary of the options and arguments to - rndc-confgen. -
-keyname
- Specifies the key name of the rndc authentication key.
- This must be a valid domain name.
- The default is rndc-key
.
-
port
- Specifies the command channel port where named - listens for connections from rndc. - The default is 953. -
-address
- Specifies the IP address where named - listens for command channel connections from - rndc. The default is the loopback - address 127.0.0.1. -
-chrootdir
- Used with the -a option to specify
- a directory where named will run
- chrooted. An additional copy of the rndc.key
- will be written relative to this directory so that
- it will be found by the chrooted named.
-
user
- Used with the -a option to set the
- owner
- of the rndc.key
file generated.
- If
- -t is also specified only the file
- in
- the chroot area has its owner changed.
-
- delv - — DNS lookup and validation utility -
-
- delv
- [@server]
- [
- [-4
]
- | [-6
]
- ]
- [-a
]
- [anchor-file
-b
]
- [address
-c
]
- [class
-d
]
- [level
-i
]
- [-m
]
- [-p
]
- [port#
-q
]
- [name
-t
]
- [type
-x
]
- [name]
- [type]
- [class]
- [queryopt...]
- addr
- delv
- [-h
]
-
- delv
- [-v
]
-
- delv
- [queryopt...]
- [query...]
-
delv - is a tool for sending - DNS queries and validating the results, using the same internal - resolver and validator logic as named. -
-- delv will send to a specified name server all - queries needed to fetch and validate the requested data; this - includes the original requested query, subsequent queries to follow - CNAME or DNAME chains, and queries for DNSKEY and DS records - to establish a chain of trust for DNSSEC validation. - It does not perform iterative resolution, but simulates the - behavior of a name server configured for DNSSEC validating and - forwarding. -
-- By default, responses are validated using built-in DNSSEC trust - anchor for the root zone ("."). Records returned by - delv are either fully validated or - were not signed. If validation fails, an explanation of - the failure is included in the output; the validation process - can be traced in detail. Because delv does - not rely on an external server to carry out validation, it can - be used to check the validity of DNS responses in environments - where local name servers may not be trustworthy. -
-
- Unless it is told to query a specific name server,
- delv will try each of the servers listed in
- /etc/resolv.conf
. If no usable server
- addresses are found, delv will send
- queries to the localhost addresses (127.0.0.1 for IPv4, ::1
- for IPv6).
-
- When no command line arguments or options are given, - delv will perform an NS query for "." - (the root zone). -
-- A typical invocation of delv looks like: -
-delv @server name type-
- where: - -
-server
- is the name or IP address of the name server to query. This
- can be an IPv4 address in dotted-decimal notation or an IPv6
- address in colon-delimited notation. When the supplied
- server
argument is a hostname,
- delv resolves that name before
- querying that name server (note, however, that this
- initial lookup is not validated
- by DNSSEC).
-
- If no server
argument is
- provided, delv consults
- /etc/resolv.conf
; if an
- address is found there, it queries the name server at
- that address. If either of the -4
or
- -6
options are in use, then
- only addresses for the corresponding transport
- will be tried. If no usable addresses are found,
- delv will send queries to
- the localhost addresses (127.0.0.1 for IPv4,
- ::1 for IPv6).
-
name
- is the domain name to be looked up. -
-type
- indicates what type of query is required —
- ANY, A, MX, etc.
- type
can be any valid query
- type. If no
- type
argument is supplied,
- delv will perform a lookup for an
- A record.
-
-
- -anchor-file
- Specifies a file from which to read DNSSEC trust anchors.
- The default is /etc/bind.keys
, which
- is included with BIND 9 and contains
- one or more trust anchors for the root zone (".").
-
- Keys that do not match the root zone name are ignored.
- An alternate key name can be specified using the
- +root=NAME
options.
-
- Note: When reading the trust anchor file,
- delv treats trust-anchors
- initial-key
and static-key
- entries identically. That is, even if a key is configured
- with initial-key, indicating that it is
- meant to be used only as an initializing key for RFC 5011
- key maintenance, it is still treated by delv
- as if it had been configured as a static-key.
- delv does not consult the managed keys
- database maintained by named. This means
- that if either of the keys in
- /etc/bind.keys
is revoked
- and rolled over, it will be necessary to update
- /etc/bind.keys
to use DNSSEC
- validation in delv.
-
address
- Sets the source IP address of the query to
- address
. This must be a valid address
- on one of the host's network interfaces or "0.0.0.0" or "::".
- An optional source port may be specified by appending
- "#<port>"
-
class
- Sets the query class for the requested data. Currently, - only class "IN" is supported in delv - and any other value is ignored. -
-level
- Set the systemwide debug level to level
.
- The allowed range is from 0 to 99.
- The default is 0 (no debugging).
- Debugging traces from delv become
- more verbose as the debug level increases.
- See the +mtrace
, +rtrace
,
- and +vtrace
options below for additional
- debugging details.
-
- Display the delv help usage output and exit. -
-- Insecure mode. This disables internal DNSSEC validation. - (Note, however, this does not set the CD bit on upstream - queries. If the server being queried is performing DNSSEC - validation, then it will not return invalid data; this - can cause delv to time out. When it - is necessary to examine invalid data to debug a DNSSEC - problem, use dig +cd.) -
-- Enables memory usage debugging. -
-port#
- Specifies a destination port to use for queries instead of - the standard DNS port number 53. This option would be used - with a name server that has been configured to listen - for queries on a non-standard port number. -
-name
- Sets the query name to name
.
- While the query name can be specified without using the
- -q
, it is sometimes necessary to disambiguate
- names from types or classes (for example, when looking up the
- name "ns", which could be misinterpreted as the type NS,
- or "ch", which could be misinterpreted as class CH).
-
type
- Sets the query type to type
, which
- can be any valid query type supported in BIND 9 except
- for zone transfer types AXFR and IXFR. As with
- -q
, this is useful to distinguish
- query name type or class when they are ambiguous.
- it is sometimes necessary to disambiguate names from types.
-
- The default query type is "A", unless the -x
- option is supplied to indicate a reverse lookup, in which case
- it is "PTR".
-
- Print the delv version and exit. -
-addr
- Performs a reverse lookup, mapping an addresses to
- a name. addr
is an IPv4 address in
- dotted-decimal notation, or a colon-delimited IPv6 address.
- When -x
is used, there is no need to provide
- the name
or type
- arguments. delv automatically performs a
- lookup for a name like 11.12.13.10.in-addr.arpa
- and sets the query type to PTR. IPv6 addresses are looked up
- using nibble format under the IP6.ARPA domain.
-
- Forces delv to only use IPv4. -
-- Forces delv to only use IPv6. -
-delv - provides a number of query options which affect the way results are - displayed, and in some cases the way lookups are performed. -
- -
- Each query option is identified by a keyword preceded by a plus sign
- (+
). Some keywords set or reset an
- option. These may be preceded by the string
- no
to negate the meaning of that keyword.
- Other keywords assign values to options like the timeout interval.
- They have the form +keyword=value
.
- The query options are:
-
-
+[no]cdflag
- Controls whether to set the CD (checking disabled) bit in - queries sent by delv. This may be useful - when troubleshooting DNSSEC problems from behind a validating - resolver. A validating resolver will block invalid responses, - making it difficult to retrieve them for analysis. Setting - the CD flag on queries will cause the resolver to return - invalid responses, which delv can then - validate internally and report the errors in detail. -
-+[no]class
- Controls whether to display the CLASS when printing - a record. The default is to display the CLASS. -
-+[no]ttl
- Controls whether to display the TTL when printing - a record. The default is to display the TTL. -
-+[no]rtrace
- Toggle resolver fetch logging. This reports the - name and type of each query sent by delv - in the process of carrying out the resolution and validation - process: this includes including the original query and - all subsequent queries to follow CNAMEs and to establish a - chain of trust for DNSSEC validation. -
-
- This is equivalent to setting the debug level to 1 in
- the "resolver" logging category. Setting the systemwide
- debug level to 1 using the -d
option will
- product the same output (but will affect other logging
- categories as well).
-
+[no]mtrace
- Toggle message logging. This produces a detailed dump of - the responses received by delv in the - process of carrying out the resolution and validation process. -
-
- This is equivalent to setting the debug level to 10
- for the "packets" module of the "resolver" logging
- category. Setting the systemwide debug level to 10 using
- the -d
option will produce the same output
- (but will affect other logging categories as well).
-
+[no]vtrace
- Toggle validation logging. This shows the internal - process of the validator as it determines whether an - answer is validly signed, unsigned, or invalid. -
-
- This is equivalent to setting the debug level to 3
- for the "validator" module of the "dnssec" logging
- category. Setting the systemwide debug level to 3 using
- the -d
option will produce the same output
- (but will affect other logging categories as well).
-
+[no]short
- Provide a terse answer. The default is to print the answer in a - verbose form. -
-+[no]comments
- Toggle the display of comment lines in the output. The default - is to print comments. -
-+[no]rrcomments
- Toggle the display of per-record comments in the output (for - example, human-readable key information about DNSKEY records). - The default is to print per-record comments. -
-+[no]crypto
- Toggle the display of cryptographic fields in DNSSEC records. - The contents of these field are unnecessary to debug most DNSSEC - validation failures and removing them makes it easier to see - the common failures. The default is to display the fields. - When omitted they are replaced by the string "[omitted]" or - in the DNSKEY case the key id is displayed as the replacement, - e.g. "[ key id = value ]". -
-+[no]trust
- Controls whether to display the trust level when printing - a record. The default is to display the trust level. -
-+[no]split[=W]
- Split long hex- or base64-formatted fields in resource
- records into chunks of W
characters
- (where W
is rounded up to the nearest
- multiple of 4).
- +nosplit
or
- +split=0
causes fields not to be
- split at all. The default is 56 characters, or 44 characters
- when multiline mode is active.
-
+[no]all
- Set or clear the display options
- +[no]comments
,
- +[no]rrcomments
, and
- +[no]trust
as a group.
-
+[no]multiline
- Print long records (such as RRSIG, DNSKEY, and SOA records) - in a verbose multi-line format with human-readable comments. - The default is to print each record on a single line, to - facilitate machine parsing of the delv - output. -
-+[no]dnssec
- Indicates whether to display RRSIG records in the
- delv output. The default is to
- do so. Note that (unlike in dig)
- this does not control whether to
- request DNSSEC records or whether to validate them.
- DNSSEC records are always requested, and validation
- will always occur unless suppressed by the use of
- -i
or +noroot
.
-
+[no]root[=ROOT]
- Indicates whether to perform conventional
- DNSSEC validation, and if so, specifies the
- name of a trust anchor. The default is to validate using
- a trust anchor of "." (the root zone), for which there is
- a built-in key. If specifying a different trust anchor,
- then -a
must be used to specify a file
- containing the key.
-
+[no]tcp
- Controls whether to use TCP when sending queries. - The default is to use UDP unless a truncated - response has been received. -
-+[no]unknownformat
- Print all RDATA in unknown RR type presentation format - (RFC 3597). The default is to print RDATA for known types - in the type's presentation format. -
-+[no]yaml
- Print response data in YAML format. -
-- -
-- dig - — DNS lookup utility -
-
- dig
- [@server]
- [-b
]
- [address
-c
]
- [class
-f
]
- [filename
-k
]
- [filename
-m
]
- [-p
]
- [port#
-q
]
- [name
-t
]
- [type
-v
]
- [-x
]
- [addr
-y
]
- [
- [[hmac:]name:key
-4
]
- | [-6
]
- ]
- [name]
- [type]
- [class]
- [queryopt...]
-
- dig
- [-h
]
-
- dig
- [global-queryopt...]
- [query...]
-
dig is a flexible tool - for interrogating DNS name servers. It performs DNS lookups and - displays the answers that are returned from the name server(s) that - were queried. Most DNS administrators use dig to - troubleshoot DNS problems because of its flexibility, ease of use and - clarity of output. Other lookup tools tend to have less functionality - than dig. -
- -
- Although dig is normally used with
- command-line
- arguments, it also has a batch mode of operation for reading lookup
- requests from a file. A brief summary of its command-line arguments
- and options is printed when the -h
option is given.
- Unlike earlier versions, the BIND 9 implementation of
- dig allows multiple lookups to be issued
- from the
- command line.
-
- Unless it is told to query a specific name server,
- dig will try each of the servers listed in
- /etc/resolv.conf
. If no usable server addresses
- are found, dig will send the query to the local
- host.
-
- When no command line arguments or options are given, - dig will perform an NS query for "." (the root). -
- -
- It is possible to set per-user defaults for dig via
- ${HOME}/.digrc
. This file is read and any
- options in it are applied before the command line arguments.
- The -r
option disables this feature, for
- scripts that need predictable behaviour.
-
- The IN and CH class names overlap with the IN and CH top level
- domain names. Either use the -t
and
- -c
options to specify the type and class,
- use the -q
the specify the domain name, or
- use "IN." and "CH." when looking up these top level domains.
-
- A typical invocation of dig looks like: -
-dig @server name type-
- where: - -
-server
- is the name or IP address of the name server to query. This
- can be an IPv4 address in dotted-decimal notation or an IPv6
- address in colon-delimited notation. When the supplied
- server
argument is a hostname,
- dig resolves that name before querying
- that name server.
-
- If no server
argument is
- provided, dig consults
- /etc/resolv.conf
; if an
- address is found there, it queries the name server at
- that address. If either of the -4
or
- -6
options are in use, then
- only addresses for the corresponding transport
- will be tried. If no usable addresses are found,
- dig will send the query to the
- local host. The reply from the name server that
- responds is displayed.
-
name
- is the name of the resource record that is to be looked up. -
-type
- indicates what type of query is required —
- ANY, A, MX, SIG, etc.
- type
can be any valid query
- type. If no
- type
argument is supplied,
- dig will perform a lookup for an
- A record.
-
-
- -- Use IPv4 only. -
-- Use IPv6 only. -
-address[#port]
- Set the source IP address of the query.
- The address
must be a valid address on
- one of the host's network interfaces, or "0.0.0.0" or "::". An
- optional port may be specified by appending "#<port>"
-
class
- Set the query class. The
- default class
is IN; other classes
- are HS for Hesiod records or CH for Chaosnet records.
-
file
- Batch mode: dig reads a list of lookup
- requests to process from the
- given file
. Each line in the file
- should be organized in the same way they would be
- presented as queries to
- dig using the command-line interface.
-
keyfile
- Sign queries using TSIG using a key read from the given file.
- Key files can be generated using
-
- tsig-keygen(8)
- .
- When using TSIG authentication with dig,
- the name server that is queried needs to know the key and
- algorithm that is being used. In BIND, this is done by
- providing appropriate key
- and server statements in
- named.conf
.
-
- Enable memory usage debugging. - -
-port
- Send the query to a non-standard port on the server, - instead of the default port 53. This option would be used - to test a name server that has been configured to listen - for queries on a non-standard port number. -
-name
- The domain name to query. This is useful to distinguish
- the name
from other arguments.
-
- Do not read options from ${HOME}/.digrc
.
- This is useful for scripts that need predictable behaviour.
-
type
- The resource record type to query. It can be any valid query
- type. If it is a resource record type supported in BIND 9, it
- can be given by the type mnemonic (such as "NS" or "AAAA").
- The default query type is "A", unless the -x
- option is supplied to indicate a reverse lookup. A zone
- transfer can be requested by specifying a type of AXFR. When
- an incremental zone transfer (IXFR) is required, set the
- type
to ixfr=N
.
- The incremental zone transfer will contain the changes
- made to the zone since the serial number in the zone's SOA
- record was
- N
.
-
- All resource record types can be expressed as "TYPEnn", where - "nn" is the number of the type. If the resource record type is - not supported in BIND 9, the result will be displayed as - described in RFC 3597. -
-- Print query times in microseconds instead of milliseconds. -
-- Print the version number and exit. -
-addr
- Simplified reverse lookups, for mapping addresses to
- names. The addr
is an IPv4 address
- in dotted-decimal notation, or a colon-delimited IPv6
- address. When the -x
is used, there is no
- need to provide
- the name
, class
- and type
- arguments. dig automatically performs a
- lookup for a name like
- 94.2.0.192.in-addr.arpa
and sets the
- query type and class to PTR and IN respectively. IPv6
- addresses are looked up using nibble format under the
- IP6.ARPA domain.
-
[hmac:]keyname:secret
- Sign queries using TSIG with the given authentication key.
- keyname
is the name of the key, and
- secret
is the base64 encoded shared secret.
- hmac
is the name of the key algorithm;
- valid choices are hmac-md5
,
- hmac-sha1
, hmac-sha224
,
- hmac-sha256
, hmac-sha384
, or
- hmac-sha512
. If hmac
- is not specified, the default is hmac-md5
- or if MD5 was disabled hmac-sha256
.
-
- NOTE: You should use the -k
option and
- avoid the -y
option, because
- with -y
the shared secret is supplied as
- a command line argument in clear text. This may be visible
- in the output from
-
- ps(1)
-
- or in a history file maintained by the user's shell.
-
dig - provides a number of query options which affect - the way in which lookups are made and the results displayed. Some of - these set or reset flag bits in the query header, some determine which - sections of the answer get printed, and others determine the timeout - and retry strategies. -
- -
- Each query option is identified by a keyword preceded by a plus sign
- (+
). Some keywords set or reset an
- option. These may be preceded
- by the string no
to negate the meaning of
- that keyword. Other
- keywords assign values to options like the timeout interval. They
- have the form +keyword=value
.
- Keywords may be abbreviated, provided the abbreviation is
- unambiguous; for example, +cd
is equivalent
- to +cdflag
.
- The query options are:
-
-
+[no]aaflag
- A synonym for +[no]aaonly
.
-
+[no]aaonly
- Sets the "aa" flag in the query. -
-+[no]additional
- Display [do not display] the additional section of a - reply. The default is to display it. -
-+[no]adflag
- Set [do not set] the AD (authentic data) bit in the - query. This requests the server to return whether - all of the answer and authority sections have all - been validated as secure according to the security - policy of the server. AD=1 indicates that all records - have been validated as secure and the answer is not - from a OPT-OUT range. AD=0 indicate that some part - of the answer was insecure or not validated. This - bit is set by default. -
-+[no]all
- Set or clear all display flags. -
-+[no]answer
- Display [do not display] the answer section of a - reply. The default is to display it. -
-+[no]authority
- Display [do not display] the authority section of a - reply. The default is to display it. -
-+[no]badcookie
- Retry lookup with the new server cookie if a - BADCOOKIE response is received. -
-+[no]besteffort
- Attempt to display the contents of messages which are - malformed. The default is to not display malformed - answers. -
-+bufsize=B
- Set the UDP message buffer size advertised using EDNS0
- to B
bytes. The maximum and
- minimum sizes of this buffer are 65535 and 0 respectively.
- Values outside this range are rounded up or down
- appropriately. Values other than zero will cause a
- EDNS query to be sent.
-
+[no]cdflag
- Set [do not set] the CD (checking disabled) bit in - the query. This requests the server to not perform - DNSSEC validation of responses. -
-+[no]class
- Display [do not display] the CLASS when printing the - record. -
-+[no]cmd
- Toggles the printing of the initial comment in the - output, identifying the version of dig - and the query options that have been applied. This option - always has global effect; it cannot be set globally - and then overridden on a per-lookup basis. The default - is to print this comment. -
-+[no]comments
- Toggles the display of some comment lines in the output, - containing information about the packet header and - OPT pseudosection, and the names of the response - section. The default is to print these comments. -
-- Other types of comments in the output are not affected by - this option, but can be controlled using other command - line switches. These include +[no]cmd, - +[no]question, - +[no]stats, and - +[no]rrcomments. -
-+[no]cookie[=####]
- Send a COOKIE EDNS option, with optional
- value. Replaying a COOKIE from a previous response will
- allow the server to identify a previous client. The
- default is +cookie
.
-
- +cookie is also set when +trace - is set to better emulate the default queries from a - nameserver. -
-+[no]crypto
- Toggle the display of cryptographic fields in DNSSEC - records. The contents of these field are unnecessary - to debug most DNSSEC validation failures and removing - them makes it easier to see the common failures. The - default is to display the fields. When omitted they - are replaced by the string "[omitted]" or in the - DNSKEY case the key id is displayed as the replacement, - e.g. "[ key id = value ]". -
-+[no]defname
- Deprecated, treated as a synonym for
- +[no]search
-
+[no]dnssec
- Requests DNSSEC records be sent by setting the DNSSEC - OK bit (DO) in the OPT record in the additional section - of the query. -
-+domain=somename
- Set the search list to contain the single domain
- somename
, as if specified in
- a domain directive in
- /etc/resolv.conf
, and enable
- search list processing as if the
- +search
option were given.
-
+dscp=value
- Set the DSCP code point to be used when sending the - query. Valid DSCP code points are in the range - [0..63]. By default no code point is explicitly set. -
-+[no]edns[=#]
- Specify the EDNS version to query with. Valid values
- are 0 to 255. Setting the EDNS version will cause
- a EDNS query to be sent. +noedns
- clears the remembered EDNS version. EDNS is set to
- 0 by default.
-
+[no]ednsflags[=#]
- Set the must-be-zero EDNS flags bits (Z bits) to the - specified value. Decimal, hex and octal encodings are - accepted. Setting a named flag (e.g. DO) will silently be - ignored. By default, no Z bits are set. -
-+[no]ednsnegotiation
- Enable / disable EDNS version negotiation. By default - EDNS version negotiation is enabled. -
-+[no]ednsopt[=code[:value]]
- Specify EDNS option with code point code
- and optionally payload of value
as a
- hexadecimal string. code
can be
- either an EDNS option name (for example,
- NSID
or ECS
),
- or an arbitrary numeric value. +noednsopt
- clears the EDNS options to be sent.
-
+[no]expire
- Send an EDNS Expire option. -
-+[no]expandaaaa
- When printing AAAA record print all zero nibbles rather - than the default RFC 5952 preferred presentation format. -
-+[no]fail
- Do not try the next server if you receive a SERVFAIL. - The default is to not try the next server which is - the reverse of normal stub resolver behavior. -
-+[no]header-only
- Send a query with a DNS header without a question section. - The default is to add a question section. The query type - and query name are ignored when this is set. -
-+[no]identify
- Show [or do not show] the IP address and port number
- that supplied the answer when the
- +short
option is enabled. If
- short form answers are requested, the default is not
- to show the source address and port number of the
- server that provided the answer.
-
+[no]idnin
- Process [do not process] IDN domain names on input. - This requires IDN SUPPORT to have been enabled at - compile time. -
-- The default is to process IDN input when standard output - is a tty. The IDN processing on input is disabled when - dig output is redirected to files, pipes, and other - non-tty file descriptors. -
-+[no]idnout
- Convert [do not convert] puny code on output. - This requires IDN SUPPORT to have been enabled at - compile time. -
-- The default is to process puny code on output when - standard output is a tty. The puny code processing on - output is disabled when dig output is redirected to - files, pipes, and other non-tty file descriptors. -
-+[no]ignore
- Ignore truncation in UDP responses instead of retrying - with TCP. By default, TCP retries are performed. -
-+[no]keepalive
- Send [or do not send] an EDNS Keepalive option. -
-+[no]keepopen
- Keep the TCP socket open between queries and reuse
- it rather than creating a new TCP socket for each
- lookup. The default is +nokeepopen
.
-
+[no]mapped
- Allow mapped IPv4 over IPv6 addresses to be used. The
- default is +mapped
.
-
+[no]multiline
- Print records like the SOA records in a verbose - multi-line format with human-readable comments. The - default is to print each record on a single line, to - facilitate machine parsing of the dig - output. -
-+ndots=D
- Set the number of dots that have to appear in
- name
to D
- for it to be considered absolute. The default value
- is that defined using the ndots statement in
- /etc/resolv.conf
, or 1 if no
- ndots statement is present. Names with fewer dots
- are interpreted as relative names and will be searched
- for in the domains listed in the search
- or domain
directive in
- /etc/resolv.conf
if
- +search
is set.
-
+[no]nsid
- Include an EDNS name server ID request when sending - a query. -
-+[no]nssearch
- When this option is set, dig - attempts to find the authoritative name servers for - the zone containing the name being looked up and - display the SOA record that each name server has for - the zone. Addresses of servers that that did not - respond are also printed. -
-+[no]onesoa
- Print only one (starting) SOA record when performing - an AXFR. The default is to print both the starting - and ending SOA records. -
-+[no]opcode=value
- Set [restore] the DNS message opcode to the specified - value. The default value is QUERY (0). -
-+padding=value
- Pad the size of the query packet using the EDNS Padding option
- to blocks of value
bytes. For example,
- +padding=32
would cause a 48-byte query to
- be padded to 64 bytes. The default block size is 0, which
- disables padding. The maximum is 512. Values are
- ordinarily expected to be powers of two, such as 128;
- however, this is not mandatory. Responses to
- padded queries may also be padded, but only if the query
- uses TCP or DNS COOKIE.
-
+[no]qr
- Toggles the display of the query message as it is sent. - By default, the query is not printed. -
-+[no]question
- Toggles the display of the question section of a query - when an answer is returned. The default is to print - the question section as a comment. -
-+[no]raflag
- Set [do not set] the RA (Recursion Available) bit in - the query. The default is +noraflag. This bit should - be ignored by the server for QUERY. -
-+[no]rdflag
- A synonym for +[no]recurse
.
-
+[no]recurse
- Toggle the setting of the RD (recursion desired) bit
- in the query. This bit is set by default, which means
- dig normally sends recursive
- queries. Recursion is automatically disabled when
- using the +nssearch
option, and
- when using +trace
except for
- an initial recursive query to get the list of root
- servers.
-
+retry=T
- Sets the number of times to retry UDP queries to
- server to T
instead of the
- default, 2. Unlike +tries
,
- this does not include the initial query.
-
+[no]rrcomments
- Toggle the display of per-record comments in the - output (for example, human-readable key information - about DNSKEY records). The default is not to print - record comments unless multiline mode is active. -
-+[no]search
- Use [do not use] the search list defined by the
- searchlist or domain directive in
- resolv.conf
(if any). The search
- list is not used by default.
-
- 'ndots' from resolv.conf
(default 1)
- which may be overridden by +ndots
- determines if the name will be treated as relative
- or not and hence whether a search is eventually
- performed or not.
-
+[no]short
- Provide a terse answer. The default is to print the - answer in a verbose form. This option always has global - effect; it cannot be set globally and then overridden on - a per-lookup basis. -
-+[no]showsearch
- Perform [do not perform] a search showing intermediate - results. -
-+[no]sigchase
- This feature is now obsolete and has been removed; - use delv instead. -
-+split=W
- Split long hex- or base64-formatted fields in resource
- records into chunks of W
- characters (where W
is rounded
- up to the nearest multiple of 4).
- +nosplit
or
- +split=0
causes fields not to
- be split at all. The default is 56 characters, or
- 44 characters when multiline mode is active.
-
+[no]stats
- Toggles the printing of statistics: when the query was made, - the size of the reply and so on. The default behavior is to - print the query statistics as a comment after each lookup. -
-+[no]subnet=addr[/prefix-length]
- Send (don't send) an EDNS Client Subnet option with the - specified IP address or network prefix. -
-- dig +subnet=0.0.0.0/0, or simply - dig +subnet=0 for short, sends an EDNS - CLIENT-SUBNET option with an empty address and a source - prefix-length of zero, which signals a resolver that - the client's address information must - not be used when resolving - this query. -
-+[no]tcflag
- Set [do not set] the TC (TrunCation) bit in the query. - The default is +notcflag. This bit should be ignored - by the server for QUERY. -
-+[no]tcp
- Use [do not use] TCP when querying name servers. The
- default behavior is to use UDP unless a type
- any
or ixfr=N
- query is requested, in which case the default is TCP.
- AXFR queries always use TCP.
-
+timeout=T
-
- Sets the timeout for a query to
- T
seconds. The default
- timeout is 5 seconds.
- An attempt to set T
to less
- than 1 will result
- in a query timeout of 1 second being applied.
-
+[no]topdown
- This feature is related to dig +sigchase, - which is obsolete and has been removed. Use - delv instead. -
-+[no]trace
- Toggle tracing of the delegation path from the root - name servers for the name being looked up. Tracing - is disabled by default. When tracing is enabled, - dig makes iterative queries to - resolve the name being looked up. It will follow - referrals from the root servers, showing the answer - from each server that was used to resolve the lookup. -
- If @server is also specified, it affects only the - initial query for the root zone name servers. -
- +dnssec is also set when +trace - is set to better emulate the default queries from a - nameserver. -
-+tries=T
- Sets the number of times to try UDP queries to server
- to T
instead of the default,
- 3. If T
is less than or equal
- to zero, the number of tries is silently rounded up
- to 1.
-
+trusted-key=####
- Formerly specified trusted keys for use with - dig +sigchase. This feature is now - obsolete and has been removed; use - delv instead. -
-+[no]ttlid
- Display [do not display] the TTL when printing the - record. -
-+[no]ttlunits
- Display [do not display] the TTL in friendly human-readable - time units of "s", "m", "h", "d", and "w", representing - seconds, minutes, hours, days and weeks. Implies +ttlid. -
-+[no]unexpected
- Accept [do not accept] answers from unexpected sources. By - default, dig won't accept a reply from a - source other than the one to which it sent the query. -
-+[no]unknownformat
- Print all RDATA in unknown RR type presentation format - (RFC 3597). The default is to print RDATA for known types - in the type's presentation format. -
-+[no]vc
- Use [do not use] TCP when querying name servers. This
- alternate syntax to +[no]tcp
- is provided for backwards compatibility. The "vc"
- stands for "virtual circuit".
-
+[no]yaml
- Print the responses (and, if +qr
is in use,
- also the outgoing queries) in a detailed YAML format.
-
+[no]zflag
- Set [do not set] the last unassigned DNS header flag in a - DNS query. This flag is off by default. -
-- -
-
- The BIND 9 implementation of dig
- supports
- specifying multiple queries on the command line (in addition to
- supporting the -f
batch file option). Each of those
- queries can be supplied with its own set of flags, options and query
- options.
-
- In this case, each query
argument
- represent an
- individual query in the command-line syntax described above. Each
- consists of any of the standard options and flags, the name to be
- looked up, an optional query type and class and any query options that
- should be applied to that query.
-
- A global set of query options, which should be applied to all queries,
- can also be supplied. These global query options must precede the
- first tuple of name, class, type, options, flags, and query options
- supplied on the command line. Any global query options (except
- +[no]cmd
and +[no]short
options)
- can be overridden by a query-specific set of query options.
- For example:
-
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr --
- shows how dig could be used from the
- command line
- to make three lookups: an ANY query for www.isc.org
, a
- reverse lookup of 127.0.0.1 and a query for the NS records of
- isc.org
.
-
- A global query option of +qr
is
- applied, so
- that dig shows the initial query it made
- for each
- lookup. The final query has a local query option of
- +noqr
which means that dig
- will not print the initial query when it looks up the NS records for
- isc.org
.
-
- If dig has been built with IDN (internationalized
- domain name) support, it can accept and display non-ASCII domain names.
- dig appropriately converts character encoding of
- domain name before sending a request to DNS server or displaying a
- reply from the server.
- If you'd like to turn off the IDN support for some reason, use
- parameters +noidnin
and
- +noidnout
or define
- the IDN_DISABLE
environment variable.
-
-
- host - — DNS lookup utility -
-
- host
- [-aACdlnrsTUwv
]
- [-c
]
- [class
-N
]
- [ndots
-R
]
- [number
-t
]
- [type
-W
]
- [wait
-m
]
- [
- [flag
-4
]
- | [-6
]
- ]
- [-v
]
- [-V
]
- {name}
- [server]
-
host - is a simple utility for performing DNS lookups. - It is normally used to convert names to IP addresses and vice versa. - When no arguments or options are given, - host - prints a short summary of its command line arguments and options. -
- -name
is the domain name that is to be
- looked
- up. It can also be a dotted-decimal IPv4 address or a colon-delimited
- IPv6 address, in which case host will by
- default
- perform a reverse lookup for that address.
- server
is an optional argument which
- is either
- the name or IP address of the name server that host
- should query instead of the server or servers listed in
- /etc/resolv.conf
.
-
- Use IPv4 only for query transport.
- See also the -6
option.
-
- Use IPv6 only for query transport.
- See also the -4
option.
-
- "All". The -a
option is normally equivalent
- to -v -t
.
- It also affects the behaviour of the ANY
-l
- list zone option.
-
- "Almost all". The -A
option is equivalent
- to -a
except RRSIG, NSEC, and NSEC3
- records are omitted from the output.
-
class
- Query class: This can be used to lookup HS (Hesiod) or CH - (Chaosnet) class resource records. The default class is IN - (Internet). -
-
- Check consistency: host will query the
- SOA records for zone name
from all
- the listed authoritative name servers for that zone. The
- list of name servers is defined by the NS records that are
- found for the zone.
-
- Print debugging traces.
- Equivalent to the -v
verbose option.
-
- List zone:
- The host command performs a zone transfer of
- zone name
and prints out the NS,
- PTR and address records (A/AAAA).
-
- Together, the -l -a
- options print all records in the zone.
-
ndots
- The number of dots that have to be
- in name
for it to be considered
- absolute. The default value is that defined using the
- ndots statement in /etc/resolv.conf
,
- or 1 if no ndots statement is present. Names with fewer
- dots are interpreted as relative names and will be
- searched for in the domains listed in
- the search or domain directive
- in /etc/resolv.conf
.
-
- Non-recursive query:
- Setting this option clears the RD (recursion desired) bit
- in the query. This should mean that the name server
- receiving the query will not attempt to
- resolve name
.
- The -r
option
- enables host to mimic the behavior of a
- name server by making non-recursive queries and expecting
- to receive answers to those queries that can be
- referrals to other name servers.
-
number
- Number of retries for UDP queries:
- If number
is negative or zero, the
- number of retries will default to 1. The default value is
- 1, or the value of the attempts
- option in /etc/resolv.conf
, if set.
-
- Do not send the query to the next - nameserver if any server responds with a SERVFAIL - response, which is the reverse of normal stub resolver - behavior. -
-type
- Query type:
- The type
argument can be any
- recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
-
- When no query type is specified, host
- automatically selects an appropriate query type. By default, it
- looks for A, AAAA, and MX records.
- If the -C
option is given, queries will
- be made for SOA records.
- If name
is a dotted-decimal IPv4
- address or colon-delimited IPv6
- address, host will query for PTR
- records.
-
- If a query type of IXFR is chosen the starting serial
- number can be specified by appending an equal followed by
- the starting serial number
- (like -t
).
- IXFR=12345678
- TCP/UDP:
- By default, host uses UDP when making
- queries. The -T
option makes it use a TCP
- connection when querying the name server. TCP will be
- automatically selected for queries that require it, such
- as zone transfer (AXFR) requests. Type ANY queries default
- to TCP but can be forced to UDP initially using -U
.
-
flag
- Memory usage debugging: the flag can
- be record
, usage
,
- or trace
. You can specify
- the -m
option more than once to set
- multiple flags.
-
- Verbose output.
- Equivalent to the -d
debug option.
- Verbose output can also be enabled by setting
- the debug
option
- in /etc/resolv.conf
.
-
- Print the version number and exit. -
-
- Wait forever: The query timeout is set to the maximum possible.
- See also the -W
option.
-
wait
- Timeout: Wait for up to wait
- seconds for a reply. If wait
is
- less than one, the wait interval is set to one second.
-
- By default, host will wait for 5
- seconds for UDP responses and 10 seconds for TCP
- connections. These defaults can be overridden by
- the timeout
option
- in /etc/resolv.conf
.
-
- See also the -w
option.
-
- If host has been built with IDN (internationalized
- domain name) support, it can accept and display non-ASCII domain names.
- host appropriately converts character encoding of
- domain name before sending a request to DNS server or displaying a
- reply from the server.
- If you'd like to turn off the IDN support for some reason, define
- the IDN_DISABLE
environment variable.
- The IDN support is disabled if the variable is set when
- host runs.
-
- nslookup - — query Internet name servers interactively -
-
- nslookup
- [-option
]
- [name | -]
- [server]
-
Nslookup - is a program to query Internet domain name servers. Nslookup - has two modes: interactive and non-interactive. Interactive mode allows - the user to query name servers for information about various hosts and - domains or to print a list of hosts in a domain. Non-interactive mode - is - used to print just the name and requested information for a host or - domain. -
-- Interactive mode is entered in the following cases: -
-- when no arguments are given (the default name server will be used) -
-- when the first argument is a hyphen (-) and the second argument is - the host name or Internet address of a name server. -
--
- -- Non-interactive mode is used when the name or Internet address of the - host to be looked up is given as the first argument. The optional second - argument specifies the host name or address of a name server. -
- -- Options can also be specified on the command line if they precede the - arguments and are prefixed with a hyphen. For example, to - change the default query type to host information, and the initial - timeout to 10 seconds, type: - -
--nslookup -query=hinfo -timeout=10 --
- -
-
- The -version
option causes
- nslookup to print the version
- number and immediately exits.
-
host
[server]- Look up information for host using the current default server or - using server, if specified. If host is an Internet address and - the query type is A or PTR, the name of the host is returned. - If host is a name and does not have a trailing period, the - search list is used to qualify the name. -
- -- To look up a host not in the current domain, append a period to - the name. -
-server
domain
lserver
domain
- Change the default server to domain
; lserver
uses the initial
- server to look up information about domain
, while server
uses
- the current default server. If an authoritative answer can't be
- found, the names of servers that might have the answer are
- returned.
-
root
- not implemented -
-finger
- not implemented -
-ls
- not implemented -
-view
- not implemented -
-help
- not implemented -
-?
- not implemented -
-exit
- Exits the program. -
-set
- keyword[=value]
- This command is used to change state information that affects - the lookups. Valid keywords are: -
-all
- Prints the current values of the frequently used - options to set. - Information about the current default - server and host is also printed. -
-class=
value
- Change the query class to one of: -
-IN
- the Internet class -
-CH
- the Chaos class -
-HS
- the Hesiod class -
-ANY
- wildcard -
-- The class specifies the protocol group of the information. - -
-- (Default = IN; abbreviation = cl) -
-[no]
debug
- Turn on or off the display of the full response packet and - any intermediate response packets when searching. -
-- (Default = nodebug; abbreviation = [no]deb) -
-[no]
d2
- Turn debugging mode on or off. This displays more about - what nslookup is doing. -
-- (Default = nod2) -
-domain=
name
- Sets the search list to name
.
-
[no]
search
- If the lookup request contains at least one period but - doesn't end with a trailing period, append the domain - names in the domain search list to the request until an - answer is received. -
-- (Default = search) -
-port=
value
- Change the default TCP/UDP name server port to value
.
-
- (Default = 53; abbreviation = po) -
-querytype=
value
type=
value
- Change the type of the information query. -
-- (Default = A and then AAAA; abbreviations = q, ty) -
-- Note: It is - only possible to specify one query type, only - the default behavior looks up both when an - alternative is not specified. -
-[no]
recurse
- Tell the name server to query other servers if it does not - have the - information. -
-- (Default = recurse; abbreviation = [no]rec) -
-ndots=
number
- Set the number of dots (label separators) in a domain - that will disable searching. Absolute names always - stop searching. -
-retry=
number
- Set the number of retries to number. -
-timeout=
number
- Change the initial timeout interval for waiting for a - reply to number seconds. -
-[no]
vc
- Always use a virtual circuit when sending requests to the - server. -
-- (Default = novc) -
-[no]
fail
- Try the next nameserver if a nameserver responds with - SERVFAIL or a referral (nofail) or terminate query - (fail) on such a response. -
-- (Default = nofail) -
--
-- nslookup returns with an exit status of 1 - if any query failed, and 0 otherwise. -
-
- If nslookup has been built with IDN (internationalized
- domain name) support, it can accept and display non-ASCII domain names.
- nslookup appropriately converts character encoding of
- domain name before sending a request to DNS server or displaying a
- reply from the server.
- If you'd like to turn off the IDN support for some reason, define
- the IDN_DISABLE
environment variable.
- The IDN support is disabled if the variable is set when
- nslookup runs or when the standard output is not
- a tty.
-
- dnssec-cds - — change DS records for a child zone based on CDS/CDNSKEY -
-
- dnssec-cds
- [-a
...]
- [alg
-c
]
- [class
-D
]
- {-d
}
- {dsset-file
-f
}
- [child-file
-i
[extension
]]
- [-s
]
- [start-time
-T
]
- [ttl
-u
]
- [-v
]
- [level
-V
]
- {domain}
-
- The dnssec-cds command changes DS records at - a delegation point based on CDS or CDNSKEY records published in - the child zone. If both CDS and CDNSKEY records are present in - the child zone, the CDS is preferred. This enables a child zone - to inform its parent of upcoming changes to its key-signing keys; - by polling periodically with dnssec-cds, the - parent can keep the DS records up to date and enable automatic - rolling of KSKs. -
-
- Two input files are required. The
- -f
- option specifies a file containing the child's CDS and/or CDNSKEY
- records, plus RRSIG and DNSKEY records so that they can be
- authenticated. The
- child-file
-d
- option specifies the location of a file containing the current DS
- records. For example, this could be a path
dsset-
- file generated by dnssec-signzone, or the output of
- dnssec-dsfromkey, or the output of a previous
- run of dnssec-cds.
-
- The dnssec-cds command uses special DNSSEC - validation logic specified by RFC 7344. It requires that the CDS - and/or CDNSKEY records are validly signed by a key represented in the - existing DS records. This will typically be the pre-existing - key-signing key (KSK). -
-
- For protection against replay attacks, the signatures on the
- child records must not be older than they were on a previous run
- of dnssec-cds. This time is obtained from the
- modification time of the dsset-
file, or
- from the -s
option.
-
- To protect against breaking the delegation, - dnssec-cds ensures that the DNSKEY RRset can be - verified by every key algorithm in the new DS RRset, and that the - same set of keys are covered by every DS digest type. -
-
- By default, replacement DS records are written to the standard
- output; with the -i
option the input file is
- overwritten in place. The replacement DS records will be the
- same as the existing records when no change is required. The
- output can be empty if the CDS / CDNSKEY records specify that
- the child zone wants to go insecure.
-
- Warning: Be careful not to delete the DS records - when dnssec-cds fails! -
-
- Alternatively, dnssec-cds -u writes
- an nsupdate script to the standard output.
- You can use the -u
and -i
- options together to maintain a dsset-
file
- as well as emit an nsupdate script.
-
algorithm
- Specify a digest algorithm to use when converting CDNSKEY - records to DS records. This option can be repeated, so - that multiple DS records are created for each CDNSKEY - record. This option has no effect when using CDS records. -
-
- The algorithm
must be one of
- SHA-1, SHA-256, or SHA-384. These values are case insensitive,
- and the hyphen may be omitted. If no algorithm is specified,
- the default is SHA-256.
-
class
- Specifies the DNS class of the zones. -
-- Generate DS records from CDNSKEY records if both CDS and - CDNSKEY records are present in the child zone. By default - CDS records are preferred. -
-path
- Location of the parent DS records.
- The path
can be the name of a file
- containing the DS records, or if it is a
- directory, dnssec-cds looks for
- a dsset-
file for
- the domain
inside the directory.
-
- To protect against replay attacks, child records are
- rejected if they were signed earlier than the modification
- time of the dsset-
file. This can be
- adjusted with the -s
option.
-
child-file
- File containing the child's CDS and/or CDNSKEY records, - plus its DNSKEY records and the covering RRSIG records so - that they can be authenticated. -
-- The EXAMPLES below describe how to generate this file. -
-extension
]
- Update the dsset-
file in place,
- instead of writing DS records to the standard output.
-
- There must be no space between the -i
and
- the extension
. If you provide
- no extension
then the
- old dsset-
is discarded. If
- an extension
is present, a
- backup of the old dsset-
file is kept
- with the extension
appended to
- its filename.
-
- To protect against replay attacks, the modification time
- of the dsset-
file is set to match
- the signature inception time of the child records,
- provided that is later than the file's current
- modification time.
-
start-time
- Specify the date and time after which RRSIG records become
- acceptable. This can be either an absolute or relative
- time. An absolute start time is indicated by a number in
- YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
- UTC on August 27th, 2017. A time relative to
- the dsset-
file is indicated with -N,
- which is N seconds before the file modification time. A
- time relative to the current time is indicated with now+N.
-
- If no start-time
is specified, the
- modification time of the dsset-
file
- is used.
-
ttl
- Specifies a TTL to be used for new DS records. If not - specified, the default is the TTL of the old DS records. - If they had no explicit TTL then the new DS records also - have no explicit TTL. -
-- Write an nsupdate script to the - standard output, instead of printing the new DS reords. - The output will be empty if no change is needed. -
-
- Note: The TTL of new records needs to be specified, either
- in the original dsset-
file, or with
- the -T
option, or using
- the nsupdate ttl
- command.
-
- Print version information. -
-level
- Sets the debugging level. Level 1 is intended to be - usefully verbose for general users; higher levels are - intended for developers. -
-domain
- The name of the delegation point / child zone apex. -
-- The dnssec-cds command exits 0 on success, or - non-zero if an error occurred. -
-- In the success case, the DS records might or might not need - to be changed. -
- -
- Before running dnssec-signzone, you can ensure
- that the delegations are up-to-date by running
- dnssec-cds on every dsset-
file.
-
- To fetch the child records required by dnssec-cds - you can invoke dig as in the script below. It's - okay if the dig fails since - dnssec-cds performs all the necessary checking. -
-for f in dsset-* -do - d=${f#dsset-} - dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | - dnssec-cds -i -f /dev/stdin -d $f $d -done -- -
- When the parent zone is automatically signed by
- named, you can use dnssec-cds
- with nsupdate to maintain a delegation as follows.
- The dsset-
file allows the script to avoid
- having to fetch and validate the parent DS records, and it keeps the
- replay attack protection time.
-
-dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | -dnssec-cds -u -i -f /dev/stdin -d $f $d | -nsupdate -l --
- dnssec-dsfromkey - — DNSSEC DS RR generation tool -
-
- dnssec-dsfromkey
- [
- -1
- | -2
- | -a
- ]
- [
- alg
-C
- | -l
- ]
- [domain
-T
]
- [TTL
-v
]
- [level
-K
]
- {keyfile}
- directory
- dnssec-dsfromkey
- [
- -1
- | -2
- | -a
- ]
- [
- alg
-C
- | -l
- ]
- [domain
-T
]
- [TTL
-v
]
- [level
-c
]
- [class
-A
]
- {-f
}
- [dnsname]
- file
- dnssec-dsfromkey
- [
- -1
- | -2
- | -a
- ]
- [
- alg
-C
- | -l
- ]
- [domain
-T
]
- [TTL
-v
]
- [level
-c
]
- [class
-K
]
- {-s}
- {dnsname}
- directory
- dnssec-dsfromkey
- [
- -h
- | -V
- ]
-
- The dnssec-dsfromkey command outputs DS (Delegation
- Signer) resource records (RRs), or CDS (Child DS) RRs with the
- -C
option.
-
- The input keys can be specified in a number of ways: -
- -
- By default, dnssec-dsfromkey reads a key file
- named like Knnnn.+aaa+iiiii.key
, as generated
- by dnssec-keygen.
-
- With the -f
- option, dnssec-dsfromkey reads keys from a zone file
- or partial zone file (which can contain just the DNSKEY records).
- file
- With the -s
- option, dnssec-dsfromkey reads
- a keyset-
file, as generated
- by dnssec-keygen -C
.
-
- An abbreviation for -a SHA-1
.
- (Note: The SHA-1 algorithm is no longer recommended for use
- when generating new DS and CDS records.)
-
- An abbreviation for -a SHA-256
.
-
algorithm
- Specify a digest algorithm to use when converting DNSKEY - records to DS records. This option can be repeated, so - that multiple DS records are created for each DNSKEY - record. -
-
- The algorithm
must be one of
- SHA-1, SHA-256, or SHA-384. These values are case insensitive,
- and the hyphen may be omitted. If no algorithm is specified,
- the default is SHA-256.
- (Note: The SHA-1 algorithm is no longer recommended for use
- when generating new DS and CDS records.)
-
- Include ZSKs when generating DS records. Without this option, only
- keys which have the KSK flag set will be converted to DS records
- and printed. Useful only in -f
zone file mode.
-
class
- Specifies the DNS class (default is IN). Useful only
- in -s
keyset or -f
- zone file mode.
-
- Generate CDS records rather than DS records. -
-file
- Zone file mode: dnssec-dsfromkey's
- final dnsname
argument is
- the DNS domain name of a zone whose master file can be read
- from file
. If the zone name is the same as
- file
, then it may be omitted.
-
- If file
is "-"
, then
- the zone data is read from the standard input. This makes it
- possible to use the output of the dig
- command as input, as in:
-
- dig dnskey example.com | dnssec-dsfromkey -f - example.com
-
- Prints usage information. -
-directory
- Look for key files or keyset-
files in
- directory
.
-
- Keyset mode: dnssec-dsfromkey's
- final dnsname
argument is the DNS
- domain name used to locate a keyset-
file.
-
TTL
- Specifies the TTL of the DS records. By default the TTL is omitted. -
-level
- Sets the debugging level. -
-- Prints version information. -
-
- To build the SHA-256 DS RR from the
- Kexample.com.+003+26160
- keyfile name, you can issue the following command:
-
dnssec-dsfromkey -2 Kexample.com.+003+26160
-
- The command would print something like: -
-example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94
-
- dnssec-importkey - — import DNSKEY records from external systems so they can be managed -
-
- dnssec-importkey
- [-K
]
- [directory
-L
]
- [ttl
-P
]
- [date/offset
-P sync
]
- [date/offset
-D
]
- [date/offset
-D sync
]
- [date/offset
-h
]
- [-v
]
- [level
-V
]
- {keyfile
}
-
- dnssec-importkey
- {-f
}
- [filename
-K
]
- [directory
-L
]
- [ttl
-P
]
- [date/offset
-P sync
]
- [date/offset
-D
]
- [date/offset
-D sync
]
- [date/offset
-h
]
- [-v
]
- [level
-V
]
- [dnsname
]
-
dnssec-importkey - reads a public DNSKEY record and generates a pair of - .key/.private files. The DNSKEY record may be read from an - existing .key file, in which case a corresponding .private file - will be generated, or it may be read from any other file or - from the standard input, in which case both .key and .private - files will be generated. -
-
- The newly-created .private file does not
- contain private key data, and cannot be used for signing.
- However, having a .private file makes it possible to set
- publication (-P
) and deletion
- (-D
) times for the key, which means the
- public key can be added to and removed from the DNSKEY RRset
- on schedule even if the true private key is stored offline.
-
filename
- Zone file mode: instead of a public keyfile name, the argument
- is the DNS domain name of a zone master file, which can be read
- from file
. If the domain name is the same as
- file
, then it may be omitted.
-
- If file
is set to "-"
, then
- the zone data is read from the standard input.
-
directory
- Sets the directory in which the key files are to reside. -
-ttl
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- 0
or none
removes it.
-
- Emit usage message and exit. -
-level
- Sets the debugging level. -
-- Prints version information. -
-- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. - If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. For convenience, if such an offset - is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', - then the offset is computed in years (defined as 365 24-hour days, - ignoring leap years), months (defined as 30 24-hour days), weeks, - days, hours, or minutes, respectively. Without a suffix, the offset - is computed in seconds. To explicitly prevent a date from being - set, use 'none' or 'never'. -
- -date/offset
- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. -
-date/offset
- Sets the date on which CDS and CDNSKEY records that match this - key are to be published to the zone. -
-date/offset
- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -
-date/offset
- Sets the date on which the CDS and CDNSKEY records that match - this key are to be deleted. -
-- dnssec-keyfromlabel - — DNSSEC key generation tool -
-
- dnssec-keyfromlabel
- {-l label
}
- [-3
]
- [-a
]
- [algorithm
-A
]
- [date/offset
-c
]
- [class
-D
]
- [date/offset
-D sync
]
- [date/offset
-E
]
- [engine
-f
]
- [flag
-G
]
- [-I
]
- [date/offset
-i
]
- [interval
-k
]
- [-K
]
- [directory
-L
]
- [ttl
-n
]
- [nametype
-P
]
- [date/offset
-P sync
]
- [date/offset
-p
]
- [protocol
-R
]
- [date/offset
-S
]
- [key
-t
]
- [type
-v
]
- [level
-V
]
- [-y
]
- {name}
-
dnssec-keyfromlabel - generates a key pair of files that referencing a key object stored - in a cryptographic hardware service module (HSM). The private key - file can be used for DNSSEC signing of zone data as if it were a - conventional signing key created by dnssec-keygen, - but the key material is stored within the HSM, and the actual signing - takes place there. -
-
- The name
of the key is specified on the command
- line. This must match the name of the zone for which the key is
- being generated.
-
algorithm
- Selects the cryptographic algorithm. The value of
- algorithm
must be one of RSASHA1,
- NSEC3RSASHA1, RSASHA256, RSASHA512,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
-
- If no algorithm is specified, then RSASHA1 will be used by
- default, unless the -3
option is specified,
- in which case NSEC3RSASHA1 will be used instead. (If
- -3
is used and an algorithm is specified,
- that algorithm will be checked for compatibility with NSEC3.)
-
- These values are case insensitive. In some cases, abbreviations
- are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
- along with the -3
option, then NSEC3RSASHA1
- will be used instead.
-
- As of BIND 9.12.0, this option is mandatory except when using
- the -S
option (which copies the algorithm from
- the predecessory key). Previously, the default for newly
- generated keys was RSASHA1.
-
- Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used with an algorithm that has both - NSEC and NSEC3 versions, then the NSEC3 version will be - used; for example, dnssec-keygen -3a RSASHA1 - specifies the NSEC3RSASHA1 algorithm. -
-engine
- Specifies the cryptographic hardware to use. -
-- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -
-label
- Specifies the label for a key pair in the crypto hardware. -
-- When BIND 9 is built with OpenSSL-based - PKCS#11 support, the label is an arbitrary string that - identifies a particular key. -
-
- When BIND 9 is built with native PKCS#11
- support, the label is a PKCS#11 URI string in the format
- "pkcs11:keyword
=value
[;keyword
=value
;...]"
- Keywords include "token", which identifies the HSM; "object", which
- identifies the key; and "pin-source", which identifies a file from
- which the HSM's PIN code can be obtained. The label will be
- stored in the on-disk "private" file.
-
- If the label contains a
- pin-source
field, tools using the generated
- key files will be able to use the HSM for signing and other
- operations without any need for an operator to manually enter
- a PIN. Note: Making the HSM's PIN accessible in this manner
- may reduce the security advantage of using an HSM; be sure
- this is what you want to do before making use of this feature.
-
nametype
- Specifies the owner type of the key. The value of
- nametype
must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
- a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are case insensitive.
-
- Compatibility mode: generates an old-style key, without
- any metadata. By default, dnssec-keyfromlabel
- will include the key's creation date in the metadata stored
- with the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include
- this data may be incompatible with older versions of BIND; the
- -C
option suppresses them.
-
class
- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -
-flag
- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -
-- Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -
-- Prints a short summary of the options and arguments to - dnssec-keyfromlabel. -
-directory
- Sets the directory in which the key files are to be written. -
-- Generate KEY records rather than DNSKEY records. -
-ttl
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- 0
or none
removes it.
-
protocol
- Sets the protocol value for the key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -
-key
- Generate a key as an explicit successor to an existing key. - The name, algorithm, size, and type of the key will be set - to match the predecessor. The activation date of the new - key will be set to the inactivation date of the existing - one. The publication date will be set to the activation - date minus the prepublication interval, which defaults to - 30 days. -
-type
- Indicates the use of the key. type
must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
-
level
- Sets the debugging level. -
-- Prints version information. -
-- Allows DNSSEC key files to be generated even if the key ID - would collide with that of an existing key, in the event of - either key being revoked. (This is only safe to use if you - are sure you won't be using RFC 5011 trust anchor maintenance - with either of the keys involved.) -
-- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. - If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. For convenience, if such an offset - is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', - then the offset is computed in years (defined as 365 24-hour days, - ignoring leap years), months (defined as 30 24-hour days), weeks, - days, hours, or minutes, respectively. Without a suffix, the offset - is computed in seconds. To explicitly prevent a date from being - set, use 'none' or 'never'. -
- -date/offset
- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -
-date/offset
- Sets the date on which the CDS and CDNSKEY records which match - this key are to be published to the zone. -
-date/offset
- Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". -
-date/offset
- Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -
-date/offset
- Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -
-date/offset
- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -
-date/offset
- Sets the date on which the CDS and CDNSKEY records which match - this key are to be deleted. -
-interval
- Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. -
-- If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. -
-- As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. -
-
- When dnssec-keyfromlabel completes
- successfully,
- it prints a string of the form Knnnn.+aaa+iiiii
- to the standard output. This is an identification string for
- the key files it has generated.
-
nnnn
is the key name.
-
aaa
is the numeric representation
- of the algorithm.
-
iiiii
is the key identifier (or
- footprint).
-
dnssec-keyfromlabel
- creates two files, with names based
- on the printed string. Knnnn.+aaa+iiiii.key
- contains the public key, and
- Knnnn.+aaa+iiiii.private
contains the
- private key.
-
- The .key
file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
-
- The .private
file contains
- algorithm-specific
- fields. For obvious security reasons, this file does not have
- general read permission.
-
- dnssec-keygen - — DNSSEC key generation tool -
-
- dnssec-keygen
- [-3
]
- [-A
]
- [date/offset
-a
]
- [algorithm
-b
]
- [keysize
-C
]
- [-c
]
- [class
-D
]
- [date/offset
-D sync
]
- [date/offset
-d
]
- [bits
-E
]
- [engine
-f
]
- [flag
-G
]
- [-g
]
- [generator
-h
]
- [-I
]
- [date/offset
-i
]
- [interval
-K
]
- [directory
-k
]
- [policy
-L
]
- [ttl
-l
]
- [file
-n
]
- [nametype
-P
]
- [date/offset
-P sync
]
- [date/offset
-p
]
- [protocol
-q
]
- [-R
]
- [date/offset
-S
]
- [key
-s
]
- [strength
-T
]
- [rrtype
-t
]
- [type
-V
]
- [-v
]
- {name}
- level
dnssec-keygen - generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 - and RFC 4034. It can also generate keys for use with - TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY - (Transaction Key) as defined in RFC 2930. -
-
- The name
of the key is specified on the command
- line. For DNSSEC keys, this must match the name of the zone for
- which the key is being generated.
-
- The dnssec-keymgr command acts as a wrapper - around dnssec-keygen, generating and updating keys - as needed to enforce defined security policies such as key rollover - scheduling. Using dnssec-keymgr may be preferable - to direct use of dnssec-keygen. -
-- Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used with an algorithm that has both - NSEC and NSEC3 versions, then the NSEC3 version will be - used; for example, dnssec-keygen -3a RSASHA1 - specifies the NSEC3RSASHA1 algorithm. -
-algorithm
- Selects the cryptographic algorithm. For DNSSEC keys, the value
- of algorithm
must be one of RSASHA1,
- NSEC3RSASHA1, RSASHA256, RSASHA512,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
- TKEY, the value must be DH (Diffie Hellman); specifying
- his value will automatically set the -T KEY
- option as well.
-
- These values are case insensitive. In some cases, abbreviations
- are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
- along with the -3
option, then NSEC3RSASHA1
- will be used instead.
-
- This parameter must be specified except
- when using the -S
option, which copies the
- algorithm from the predecessor key.
-
- In prior releases, HMAC algorithms could be generated for - use as TSIG keys, but that feature has been removed as of - BIND 9.13.0. Use tsig-keygen to generate - TSIG keys. -
-keysize
- Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be - between 1024 and 4096 bits. Diffie Hellman keys must be between - 128 and 4096 bits. Elliptic curve algorithms don't need this - parameter. -
-- If the key size is not specified, some algorithms have - pre-defined defaults. For instance, RSA keys have a default - size of 2048 bits. -
-
- Compatibility mode: generates an old-style key, without any
- timing metadata. By default, dnssec-keygen
- will include the key's creation date in the metadata stored with
- the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include this
- data may be incompatible with older versions of BIND; the
- -C
option suppresses them.
-
class
- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -
-bits
- Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, - RSASHA256 and RSASHA512 the key size must be in range 1024-4096. - DH size is between 128 and 4096. This option is ignored for - algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448. -
-engine
- Specifies the cryptographic hardware to use, when applicable. -
-- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -
-flag
- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -
-- Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -
-generator
- If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. -
-- Prints a short summary of the options and arguments to - dnssec-keygen. -
-directory
- Sets the directory in which the key files are to be written. -
-policy
- Create keys for a specific dnssec-policy. If a policy uses - multiple keys, dnssec-keygen will generate - multiple keys. This will also create a ".state" file to keep - track of the key state. -
-- This option creates keys according to the dnssec-policy - configuration, hence it cannot be used together with many of - the other options that dnssec-keygen - provides. -
-ttl
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. If this value is not set and there
- is no existing DNSKEY RRset, the TTL will default to the
- SOA TTL. Setting the default TTL to 0
- or none
is the same as leaving it unset.
-
file
- Provide a configuration file that contains a dnssec-policy - statement (matching the policy set with -k). -
-nametype
- Specifies the owner type of the key. The value of
- nametype
must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
- with a host (KEY)), USER (for a key associated with a
- user(KEY)) or OTHER (DNSKEY). These values are case
- insensitive. Defaults to ZONE for DNSKEY generation.
-
protocol
- Sets the protocol value for the generated key, for use
- with -T KEY
. The protocol is a number between 0
- and 255. The default is 3 (DNSSEC). Other possible values for
- this argument are listed in RFC 2535 and its successors.
-
- Quiet mode: Suppresses unnecessary output, including
- progress indication. Without this option, when
- dnssec-keygen is run interactively
- to generate an RSA or DSA key pair, it will print a string
- of symbols to stderr
indicating the
- progress of the key generation. A '.' indicates that a
- random number has been found which passed an initial
- sieve test; '+' means a number has passed a single
- round of the Miller-Rabin primality test; a space
- means that the number has passed all the tests and is
- a satisfactory key.
-
key
- Create a new key which is an explicit successor to an - existing key. The name, algorithm, size, and type of the - key will be set to match the existing key. The activation - date of the new key will be set to the inactivation date of - the existing one. The publication date will be set to the - activation date minus the prepublication interval, which - defaults to 30 days. -
-strength
- Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. -
-rrtype
- Specifies the resource record type to use for the key.
- rrtype
must be either DNSKEY or KEY. The
- default is DNSKEY when using a DNSSEC algorithm, but it can be
- overridden to KEY for use with SIG(0).
-
type
- Indicates the use of the key, for use with -T
- KEY
. type
must be one of AUTHCONF,
- NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
- refers to the ability to authenticate data, and CONF the ability
- to encrypt data.
-
- Prints version information. -
-level
- Sets the debugging level. -
-- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. - If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. For convenience, if such an offset - is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', - then the offset is computed in years (defined as 365 24-hour days, - ignoring leap years), months (defined as 30 24-hour days), weeks, - days, hours, or minutes, respectively. Without a suffix, the offset - is computed in seconds. To explicitly prevent a date from being - set, use 'none' or 'never'. -
- -date/offset
- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -
-date/offset
- Sets the date on which CDS and CDNSKEY records that match this - key are to be published to the zone. -
-date/offset
- Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". If set, if and -P is not set, then - the publication date will be set to the activation date - minus the prepublication interval. -
-date/offset
- Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -
-date/offset
- Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -
-date/offset
- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -
-date/offset
- Sets the date on which the CDS and CDNSKEY records that match this - key are to be deleted. -
-interval
- Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. -
-- If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. -
-- As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. -
-
- When dnssec-keygen completes
- successfully,
- it prints a string of the form Knnnn.+aaa+iiiii
- to the standard output. This is an identification string for
- the key it has generated.
-
nnnn
is the key name.
-
aaa
is the numeric representation
- of the
- algorithm.
-
iiiii
is the key identifier (or
- footprint).
-
dnssec-keygen
- creates two files, with names based
- on the printed string. Knnnn.+aaa+iiiii.key
- contains the public key, and
- Knnnn.+aaa+iiiii.private
contains the
- private
- key.
-
- The .key
file contains a DNSKEY or KEY record.
- When a zone is being signed by named
- or dnssec-signzone -S
, DNSKEY
- records are included automatically. In other cases,
- the .key
file can be inserted into a zone file
- manually or with a $INCLUDE
statement.
-
- The .private
file contains
- algorithm-specific
- fields. For obvious security reasons, this file does not have
- general read permission.
-
- To generate an ECDSAP256SHA256 zone-signing key for the zone
- example.com
, issue the command:
-
- dnssec-keygen -a ECDSAP256SHA256 example.com
-
- The command would print a string of the form: -
-Kexample.com.+013+26160
-
- In this example, dnssec-keygen creates
- the files Kexample.com.+013+26160.key
- and
- Kexample.com.+013+26160.private
.
-
- To generate a matching key-signing key, issue the command: -
-
- dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com
-
- dnssec-revoke - — set the REVOKED bit on a DNSSEC key -
-
- dnssec-revoke
- [-hr
]
- [-v
]
- [level
-V
]
- [-K
]
- [directory
-E
]
- [engine
-f
]
- [-R
]
- {keyfile}
-
dnssec-revoke - reads a DNSSEC key file, sets the REVOKED bit on the key as defined - in RFC 5011, and creates a new pair of key files containing the - now-revoked key. -
-- Emit usage message and exit. -
-directory
- Sets the directory in which the key files are to reside. -
-- After writing the new keyset files remove the original keyset - files. -
-level
- Sets the debugging level. -
-- Prints version information. -
-engine
- Specifies the cryptographic hardware to use, when applicable. -
-- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -
-- Force overwrite: Causes dnssec-revoke to - write the new key pair even if a file already exists matching - the algorithm and key ID of the revoked key. -
-- Print the key tag of the key with the REVOKE bit set but do - not revoke the key. -
-- dnssec-settime - — set the key timing metadata for a DNSSEC key -
-
- dnssec-settime
- [-f
]
- [-K
]
- [directory
-L
]
- [ttl
-P
]
- [date/offset
-P sync
]
- [date/offset
-A
]
- [date/offset
-R
]
- [date/offset
-I
]
- [date/offset
-D
]
- [date/offset
-D sync
]
- [date/offset
-S
]
- [key
-i
]
- [interval
-h
]
- [-V
]
- [-v
]
- [level
-E
]
- [engine
-s
]
- [-g
]
- [state
-d
]
- [state
date/offset
-k
]
- [state
date/offset
-r
]
- [state
date/offset
-z
]
- {keyfile}
- state
date/offset
dnssec-settime
- reads a DNSSEC private key file and sets the key timing metadata
- as specified by the -P
, -A
,
- -R
, -I
, and -D
- options. The metadata can then be used by
- dnssec-signzone or other signing software to
- determine when a key is to be published, whether it should be
- used for signing a zone, etc.
-
- If none of these options is set on the command line, - then dnssec-settime simply prints the key timing - metadata already stored in the key. -
-
- When key metadata fields are changed, both files of a key
- pair (Knnnn.+aaa+iiiii.key
and
- Knnnn.+aaa+iiiii.private
) are regenerated.
-
- Metadata fields are stored in the private file. A human-readable - description of the metadata is also placed in comments in the key - file. The private file's permissions are always set to be - inaccessible to anyone other than the owner (mode 0600). -
-
- When working with state files, it is possible to update the timing
- metadata in those files as well with -s
. If this
- option is used you can also update key states with -d
- (DS), -k
(DNSKEY), -r
(RRSIG of KSK),
- or -z
(RRSIG of ZSK). Allowed states are HIDDEN,
- RUMOURED, OMNIPRESENT, and UNRETENTIVE.
-
- You can also set the goal state of the key with -g
.
- This should be either HIDDEN or OMNIPRESENT (representing whether the
- key should be removed from the zone, or published).
-
- It is NOT RECOMMENDED to manipulate state files manually except for - testing purposes. -
-- Force an update of an old-format key with no metadata fields. - Without this option, dnssec-settime will - fail when attempting to update a legacy key. With this option, - the key will be recreated in the new format, but with the - original key data retained. The key's creation date will be - set to the present time. If no other values are specified, - then the key's publication and activation dates will also - be set to the present time. -
-directory
- Sets the directory in which the key files are to reside. -
-ttl
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. If this value is not set and there
- is no existing DNSKEY RRset, the TTL will default to the
- SOA TTL. Setting the default TTL to 0
- or none
removes it from the key.
-
- Emit usage message and exit. -
-- Prints version information. -
-level
- Sets the debugging level. -
-engine
- Specifies the cryptographic hardware to use, when applicable. -
-- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -
-- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. - If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. For convenience, if such an offset - is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', - then the offset is computed in years (defined as 365 24-hour days, - ignoring leap years), months (defined as 30 24-hour days), weeks, - days, hours, or minutes, respectively. Without a suffix, the offset - is computed in seconds. To unset a date, use 'none' or 'never'. -
- -date/offset
- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. -
-date/offset
- Sets the date on which CDS and CDNSKEY records that match this - key are to be published to the zone. -
-date/offset
- Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. -
-date/offset
- Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -
-date/offset
- Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -
-date/offset
- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -
-date/offset
- Sets the date on which the CDS and CDNSKEY records that match this - key are to be deleted. -
-predecessor key
- Select a key for which the key being modified will be an - explicit successor. The name, algorithm, size, and type of the - predecessor key must exactly match those of the key being - modified. The activation date of the successor key will be set - to the inactivation date of the predecessor. The publication - date will be set to the activation date minus the prepublication - interval, which defaults to 30 days. -
-interval
- Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. -
-- If the key is being set to be an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. -
-- As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. -
-- Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE. - These should not be set manually except for testing purposes. -
- -- When setting key timing data, also update the state file. -
-- Set the goal state for this key. Must be HIDDEN or OMNIPRESENT. -
-- Set the DS state for this key, and when it was last changed. -
-- Set the DNSKEY state for this key, and when it was last changed. -
-- Set the RRSIG (KSK) state for this key, and when it was last - changed. -
-- Set the RRSIG (ZSK) state for this key, and when it was last - changed. -
-- dnssec-settime can also be used to print the - timing metadata associated with a key. -
- -- Print times in UNIX epoch format. -
-C/P/Psync/A/R/I/D/Dsync/all
- Print a specific metadata value or set of metadata values.
- The -p
option may be followed by one or more
- of the following letters or strings to indicate which value
- or values to print:
- C
for the creation date,
- P
for the publication date,
- Psync
for the CDS and CDNSKEY publication date,
- A
for the activation date,
- R
for the revocation date,
- I
for the inactivation date,
- D
for the deletion date, and
- Dsync
for the CDS and CDNSKEY deletion date
- To print all of the metadata, use -p all
.
-
- dnssec-signzone - — DNSSEC zone signing tool -
-
- dnssec-signzone
- [-a
]
- [-c
]
- [class
-d
]
- [directory
-D
]
- [-E
]
- [engine
-e
]
- [end-time
-f
]
- [output-file
-g
]
- [-h
]
- [-i
]
- [interval
-I
]
- [input-format
-j
]
- [jitter
-K
]
- [directory
-k
]
- [key
-L
]
- [serial
-l
]
- [domain
-M
]
- [maxttl
-N
]
- [soa-serial-format
-o
]
- [origin
-O
]
- [output-format
-P
]
- [-Q
]
- [-q
]
- [-R
]
- [-S
]
- [-s
]
- [start-time
-T
]
- [ttl
-t
]
- [-u
]
- [-v
]
- [level
-V
]
- [-X
]
- [extended end-time
-x
]
- [-z
]
- [-3
]
- [salt
-H
]
- [iterations
-A
]
- {zonefile}
- [key...]
-
dnssec-signzone
- signs a zone. It generates
- NSEC and RRSIG records and produces a signed version of the
- zone. The security status of delegations from the signed zone
- (that is, whether the child zones are secure or not) is
- determined by the presence or absence of a
- keyset
file for each child zone.
-
- Verify all generated signatures. -
-class
- Specifies the DNS class of the zone. -
-
- Compatibility mode: Generate a
- keyset-
- file in addition to
- zonename
dsset-
- when signing a zone, for use by older versions of
- dnssec-signzone.
- zonename
directory
- Look for dsset-
or
- keyset-
files in directory
.
-
- Output only those record types automatically managed by
- dnssec-signzone, i.e. RRSIG, NSEC,
- NSEC3 and NSEC3PARAM records. If smart signing
- (-S
) is used, DNSKEY records are also
- included. The resulting file can be included in the original
- zone file with $INCLUDE. This option
- cannot be combined with -O raw
,
- -O map
, or serial number updating.
-
engine
- When applicable, specifies the hardware to use for - cryptographic operations, such as a secure key store used - for signing. -
-- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -
-
- Generate DS records for child zones from
- dsset-
or keyset-
- file. Existing DS records will be removed.
-
directory
- Key repository: Specify a directory to search for DNSSEC keys. - If not specified, defaults to the current directory. -
-key
- Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. -
-maxttl
- Sets the maximum TTL for the signed zone.
- Any TTL higher than maxttl
in the
- input zone will be reduced to maxttl
- in the output. This provides certainty as to the largest
- possible TTL in the signed zone, which is useful to know when
- rolling keys because it is the longest possible time before
- signatures that have been retrieved by resolvers will expire
- from resolver caches. Zones that are signed with this
- option should be configured to use a matching
- max-zone-ttl
in named.conf
.
- (Note: This option is incompatible with -D
,
- because it modifies non-DNSSEC data in the output zone.)
-
start-time
- Specify the date and time when the generated RRSIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no start-time
is specified, the current
- time minus 1 hour (to allow for clock skew) is used.
-
end-time
- Specify the date and time when the generated RRSIG records
- expire. As with start-time
, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no end-time
is
- specified, 30 days from the start time is used as a default.
- end-time
must be later than
- start-time
.
-
extended end-time
- Specify the date and time when the generated RRSIG records - for the DNSKEY RRset will expire. This is to be used in cases - when the DNSKEY signatures need to persist longer than - signatures on other records; e.g., when the private component - of the KSK is kept offline and the KSK signature is to be - refreshed manually. -
-
- As with start-time
, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no extended end-time
is
- specified, the value of end-time
is used as
- the default. (end-time
, in turn, defaults to
- 30 days from the start time.) extended end-time
- must be later than start-time
.
-
output-file
- The name of the output file containing the signed zone. The
- default is to append .signed
to
- the input filename. If output-file
is
- set to "-"
, then the signed zone is
- written to the standard output, with a default output
- format of "full".
-
- Prints a short summary of the options and arguments to - dnssec-signzone. -
-- Prints version information. -
-interval
- When a previously-signed zone is passed as input, records
- may be resigned. The interval
option
- specifies the cycle interval as an offset from the current
- time (in seconds). If a RRSIG record expires after the
- cycle interval, it is retained. Otherwise, it is considered
- to be expiring soon, and it will be replaced.
-
- The default cycle interval is one quarter of the difference
- between the signature end and start times. So if neither
- end-time
or start-time
- are specified, dnssec-signzone
- generates
- signatures that are valid for 30 days, with a cycle
- interval of 7.5 days. Therefore, if any existing RRSIG records
- are due to expire in less than 7.5 days, they would be
- replaced.
-
input-format
- The format of the input zone file. - Possible formats are "text" (default), - "raw", and "map". - This option is primarily intended to be used for dynamic - signed zones so that the dumped zone file in a non-text - format containing updates can be signed directly. - The use of this option does not make much sense for - non-dynamic zones. -
-jitter
- When signing a zone with a fixed signature lifetime, all
- RRSIG records issued at the time of signing expires
- simultaneously. If the zone is incrementally signed, i.e.
- a previously-signed zone is passed as input to the signer,
- all expired signatures have to be regenerated at about the
- same time. The jitter
option specifies a
- jitter window that will be used to randomize the signature
- expire time, thus spreading incremental signature
- regeneration over time.
-
- Signature lifetime jitter also to some extent benefits - validators and servers by spreading out cache expiration, - i.e. if large numbers of RRSIGs don't expire at the same time - from all caches there will be less congestion than if all - validators need to refetch at mostly the same time. -
-serial
- When writing a signed zone to "raw" or "map" format, set the - "source serial" value in the header to the specified serial - number. (This is expected to be used primarily for testing - purposes.) -
-ncpus
- Specifies the number of threads to use. By default, one - thread is started for each detected CPU. -
-soa-serial-format
- The SOA serial number format of the signed zone. - Possible formats are "keep" (default), - "increment", "unixtime", - and "date". -
- -Do not modify the SOA serial number.
-Increment the SOA serial number using RFC 1982 - arithmetic.
-Set the SOA serial number to the number of seconds - since epoch.
-Set the SOA serial number to today's date in - YYYYMMDDNN format.
-origin
- The zone origin. If not specified, the name of the zone file - is assumed to be the origin. -
-output-format
- The format of the output file containing the signed zone. - Possible formats are "text" (default), - which is the standard textual representation of the zone; - "full", which is text output in a - format suitable for processing by external scripts; - and "map", "raw", - and "raw=N", which store the zone in - binary formats for rapid loading by named. - "raw=N" specifies the format version of - the raw zone file: if N is 0, the raw file can be read by - any version of named; if N is 1, the file - can be read by release 9.9.0 or higher; the default is 1. -
-- Disable post sign verification tests. -
-- The post sign verification test ensures that for each algorithm - in use there is at least one non revoked self signed KSK key, - that all revoked KSK keys are self signed, and that all records - in the zone are signed by the algorithm. - This option skips these tests. -
-- Remove signatures from keys that are no longer active. -
-
- Normally, when a previously-signed zone is passed as input
- to the signer, and a DNSKEY record has been removed and
- replaced with a new one, signatures from the old key
- that are still within their validity period are retained.
- This allows the zone to continue to validate with cached
- copies of the old DNSKEY RRset. The -Q
- forces dnssec-signzone to remove
- signatures from keys that are no longer active. This
- enables ZSK rollover using the procedure described in
- RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
-
- Quiet mode: Suppresses unnecessary output. Without this - option, when dnssec-signzone is run it - will print to standard output the number of keys in use, - the algorithms used to verify the zone was signed correctly - and other status information, and finally the filename - containing the signed zone. With it, that output is - suppressed, leaving only the filename. -
-- Remove signatures from keys that are no longer published. -
-
- This option is similar to -Q
, except it
- forces dnssec-signzone to signatures from
- keys that are no longer published. This enables ZSK rollover
- using the procedure described in RFC 4641, section 4.2.1.2
- ("Double Signature Zone Signing Key Rollover").
-
- Smart signing: Instructs dnssec-signzone to - search the key repository for keys that match the zone being - signed, and to include them in the zone if appropriate. -
-- When a key is found, its timing metadata is examined to - determine how it should be used, according to the following - rules. Each successive rule takes priority over the prior - ones: -
-- If no timing metadata has been set for the key, the key is - published in the zone and used to sign the zone. -
-- If the key's publication date is set and is in the past, the - key is published in the zone. -
-- If the key's activation date is set and in the past, the - key is published (regardless of publication date) and - used to sign the zone. -
-- If the key's revocation date is set and in the past, and the - key is published, then the key is revoked, and the revoked key - is used to sign the zone. -
-- If either of the key's unpublication or deletion dates are set - and in the past, the key is NOT published or used to sign the - zone, regardless of any other metadata. -
-- If key's sync publication date is set and in the past, - synchronization records (type CDS and/or CDNSKEY) are - created. -
-- If key's sync deletion date is set and in the past, - synchronization records (type CDS and/or CDNSKEY) are - removed. -
-ttl
- Specifies a TTL to be used for new DNSKEY records imported
- into the zone from the key repository. If not
- specified, the default is the TTL value from the zone's SOA
- record. This option is ignored when signing without
- -S
, since DNSKEY records are not imported
- from the key repository in that case. It is also ignored if
- there are any pre-existing DNSKEY records at the zone apex,
- in which case new records' TTL values will be set to match
- them, or if any of the imported DNSKEY records had a default
- TTL value. In the event of a a conflict between TTL values in
- imported keys, the shortest one is used.
-
- Print statistics at completion. -
-- Update NSEC/NSEC3 chain when re-signing a previously signed - zone. With this option, a zone signed with NSEC can be - switched to NSEC3, or a zone signed with NSEC3 can - be switch to NSEC or to NSEC3 with different parameters. - Without this option, dnssec-signzone will - retain the existing chain when re-signing. -
-level
- Sets the debugging level. -
-- Only sign the DNSKEY, CDNSKEY, and CDS RRsets with - key-signing keys, and omit signatures from zone-signing - keys. (This is similar to the - dnssec-dnskey-kskonly yes; zone option in - named.) -
-- Ignore KSK flag on key when determining what to sign. This - causes KSK-flagged keys to sign all records, not just the - DNSKEY RRset. (This is similar to the - update-check-ksk no; zone option in - named.) -
-salt
- Generate an NSEC3 chain with the given hex encoded salt.
- A dash (salt
) can
- be used to indicate that no salt is to be used when generating the NSEC3 chain.
-
iterations
- When generating an NSEC3 chain, use this many iterations. The - default is 10. -
-- When generating an NSEC3 chain set the OPTOUT flag on all - NSEC3 records and do not generate NSEC3 records for insecure - delegations. -
-
- Using this option twice (i.e., -AA
)
- turns the OPTOUT flag off for all records. This is useful
- when using the -u
option to modify an NSEC3
- chain which previously had OPTOUT set.
-
- The file containing the zone to be signed. -
-- Specify which keys should be used to sign the zone. If - no keys are specified, then the zone will be examined - for DNSKEY records at the zone apex. If these are found and - there are matching private keys, in the current directory, - then these will be used for signing. -
-
- The following command signs the example.com
- zone with the ECDSAP256SHA256 key generated by key generated by
- dnssec-keygen (Kexample.com.+013+17247).
- Because the -S option is not being used,
- the zone's keys must be in the master file
- (db.example.com
). This invocation looks
- for dsset
files, in the current directory,
- so that DS records can be imported from them (-g).
-
% dnssec-signzone -g -o example.com db.example.com \ -Kexample.com.+013+17247 -db.example.com.signed -%-
- In the above example, dnssec-signzone creates
- the file db.example.com.signed
. This
- file should be referenced in a zone statement in a
- named.conf
file.
-
- This example re-signs a previously signed zone with default parameters. - The private keys are assumed to be in the current directory. -
-% cp db.example.com.signed db.example.com -% dnssec-signzone -o example.com db.example.com -db.example.com.signed -%-
- dnssec-verify - — DNSSEC zone verification tool -
-
- dnssec-verify
- [-c
]
- [class
-E
]
- [engine
-I
]
- [input-format
-o
]
- [origin
-q
]
- [-v
]
- [level
-V
]
- [-x
]
- [-z
]
- {zonefile}
-
dnssec-verify - verifies that a zone is fully signed for each algorithm found - in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 - chains are complete. -
-class
- Specifies the DNS class of the zone. -
-engine
- Specifies the cryptographic hardware to use, when applicable. -
-- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -
-input-format
- The format of the input zone file. - Possible formats are "text" (default) - and "raw". - This option is primarily intended to be used for dynamic - signed zones so that the dumped zone file in a non-text - format containing updates can be verified independently. - The use of this option does not make much sense for - non-dynamic zones. -
-origin
- The zone origin. If not specified, the name of the zone file - is assumed to be the origin. -
-level
- Sets the debugging level. -
-- Prints version information. -
-- Quiet mode: Suppresses output. Without this option, when - dnssec-verify is run it will print to - standard output the number of keys in use, the algorithms - used to verify the zone was signed correctly and other - status information. With it, all non-error output is - suppressed, and only the exit code will indicate success. -
-
- Only verify that the DNSKEY RRset is signed with key-signing
- keys. Without this flag, it is assumed that the DNSKEY RRset
- will be signed by all active keys. When this flag is set,
- it will not be an error if the DNSKEY RRset is not signed
- by zone-signing keys. This corresponds to the -x
- option in dnssec-signzone.
-
- Ignore the KSK flag on the keys when determining whether - the zone if correctly signed. Without this flag it is - assumed that there will be a non-revoked, self-signed - DNSKEY with the KSK flag set for each algorithm and - that RRsets other than DNSKEY RRset will be signed with - a different DNSKEY without the KSK flag set. -
-
- With this flag set, we only require that for each algorithm,
- there will be at least one non-revoked, self-signed DNSKEY,
- regardless of the KSK flag state, and that other RRsets
- will be signed by a non-revoked key for the same algorithm
- that includes the self-signed key; the same key may be used
- for both purposes. This corresponds to the -z
- option in dnssec-signzone.
-
- The file containing the zone to be signed. -
-Name | Class | Type | Serial | |||
---|---|---|---|---|---|---|
Name | Class | Type | Serial | Loaded | Expires | Refresh |