src - FreeBSD source tree

diff options


context:
space:
mode:

author	Erwin Lansing <erwin@FreeBSD.org>	2012-12-07 12:39:58 +0000
committer	Erwin Lansing <erwin@FreeBSD.org>	2012-12-07 12:39:58 +0000
commit	cfd4d2c42e1c88d28ef6b9bca1ffbab32de3e7ff (patch)
tree	c3abb28c9e8cb3396d1d00b0af4f9a474adaf5f5 /contrib/bind9/bin/dnssec
parent	3945a96431c3efab979305a51a6c989da8072c95 (diff)
parent	2efa5510c3a664350be589050d2b3e8f34b7edb9 (diff)

Update to 9.8.4-P1.

Security Fixes Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. New Features * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] Feature Changes * Improves OpenSSL error logging [RT #29932] * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] Other critical bug fixes are included. Approved by: delphij (mentor) MFC after: 3 days Security: CVE-2012-5688 Sponsored by: DK Hostmaster A/S

Notes

Notes: svn path=/head/; revision=243981

Diffstat (limited to 'contrib/bind9/bin/dnssec')

-rw-r--r--

contrib/bind9/bin/dnssec/Makefile.in

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-dsfromkey.8

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-dsfromkey.c

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-dsfromkey.html

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keygen.8

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keygen.c

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keygen.docbook

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-keygen.html

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-settime.c

-rw-r--r--

contrib/bind9/bin/dnssec/dnssec-signzone.c

15 files changed, 98 insertions, 61 deletions

diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in
index 6bfd162d8d35..0bca14155724 100644
--- a/contrib/bind9/bin/dnssec/Makefile.in
+++ b/contrib/bind9/bin/dnssec/Makefile.in

@@ -1,4 +1,4 @@

# Permission to use, copy, modify, and/or distribute this software for any

diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
index 437aa371cff4..ae9bb54000c6 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@

.\"

.\" Permission to use, copy, modify, and/or distribute this software for any

.\" purpose with or without fee is hereby granted, provided that the above

@@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm.

.RS 4

Select the digest algorithm. The value of

\fBalgorithm\fR

-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive.

+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.

.RE

.PP

\-K \fIdirectory\fR

@@ -139,5 +139,5 @@ RFC 4509.

.PP

Internet Systems Consortium

.SH "COPYRIGHT"

-Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC")

+Copyright \(co 2008\-2010, 2012 Internet Systems Consortium, Inc. ("ISC")

.br

diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
index c4b157cd9b1a..93d789b06264 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and/or distribute this software for any

* purpose with or without fee is hereby granted, provided that the above

@@ -296,7 +296,7 @@ usage(void) {

fprintf(stderr, " -K <directory>: directory in which to find "

"key file or keyset file\n");

fprintf(stderr, " -a algorithm: digest algorithm "

- "(SHA-1, SHA-256 or GOST)\n");

+ "(SHA-1, SHA-256, GOST or SHA-384)\n");

fprintf(stderr, " -1: use SHA-1\n");

fprintf(stderr, " -2: use SHA-256\n");

fprintf(stderr, " -l: add lookaside zone and print DLV records\n");

@@ -415,6 +415,9 @@ main(int argc, char **argv) {

else if (strcasecmp(algname, "GOST") == 0)

dtype = DNS_DSDIGEST_GOST;

#endif

+ else if (strcasecmp(algname, "SHA384") == 0 ||

+ strcasecmp(algname, "SHA-384") == 0)

+ dtype = DNS_DSDIGEST_SHA384;

else

fatal("unknown algorithm %s", algname);

}

diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
index d139ba5ec7c8..d7050335107a 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook

@@ -2,7 +2,7 @@

"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"

[<!ENTITY mdash "—">]>

<!--

- Permission to use, copy, modify, and/or distribute this software for any

- purpose with or without fee is hereby granted, provided that the above

@@ -39,6 +39,7 @@

+ <year>2012</year>

<holder>Internet Systems Consortium, Inc. ("ISC")</holder>

</copyright>

</docinfo>

@@ -107,7 +108,8 @@

<para>

Select the digest algorithm. The value of

<option>algorithm</option> must be one of SHA-1 (SHA1),

- SHA-256 (SHA256) or GOST. These values are case insensitive.

+ SHA-256 (SHA256), GOST or SHA-384 (SHA384).

+ These values are case insensitive.

</para>

</listitem>

</varlistentry>

diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
index 3031c391afa8..24bc0c133896 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html

@@ -1,5 +1,5 @@

<!--

- Permission to use, copy, modify, and/or distribute this software for any

- purpose with or without fee is hereby granted, provided that the above

@@ -32,14 +32,14 @@

<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>

</div>

-<a name="id2543465"></a><h2>DESCRIPTION</h2>

+<a name="id2543468"></a><h2>DESCRIPTION</h2>

<p><span><strong class="command">dnssec-dsfromkey</strong></span>

outputs the Delegation Signer (DS) resource record (RR), as defined in

RFC 3658 and RFC 4509, for the given key(s).

</p>

</div>

-<a name="id2543477"></a><h2>OPTIONS</h2>

+<a name="id2543480"></a><h2>OPTIONS</h2>

<dd><p>

@@ -54,7 +54,8 @@

<dd><p>

Select the digest algorithm. The value of

<code class="option">algorithm</code> must be one of SHA-1 (SHA1),

- SHA-256 (SHA256) or GOST. These values are case insensitive.

+ SHA-256 (SHA256), GOST or SHA-384 (SHA384).

+ These values are case insensitive.

</p></dd>

<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>

<dd><p>

@@ -100,7 +101,7 @@

</dl></div>

</div>

-<a name="id2543664"></a><h2>EXAMPLE</h2>

+<a name="id2543667"></a><h2>EXAMPLE</h2>

<p>

To build the SHA-256 DS RR from the

<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>

@@ -115,7 +116,7 @@

</p>

</div>

-<a name="id2543693"></a><h2>FILES</h2>

+<a name="id2543697"></a><h2>FILES</h2>

<p>

The keyfile can be designed by the key identification

<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name

@@ -129,13 +130,13 @@

</p>

</div>

-<a name="id2543729"></a><h2>CAVEAT</h2>

+<a name="id2543732"></a><h2>CAVEAT</h2>

<p>

A keyfile error can give a "file not found" even if the file exists.

</p>

</div>

-<a name="id2543738"></a><h2>SEE ALSO</h2>

+<a name="id2543741"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,

<em class="citetitle">BIND 9 Administrator Reference Manual</em>,

@@ -145,7 +146,7 @@

</p>

</div>

-<a name="id2543778"></a><h2>AUTHOR</h2>

+<a name="id2543781"></a><h2>AUTHOR</h2>

<p><span class="corpauthor">Internet Systems Consortium</span>

</p>

</div>

diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
index e3bb48f14006..9867ff7e80c2 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8

@@ -1,4 +1,4 @@

.\"

.\" Permission to use, copy, modify, and/or distribute this software for any

.\" purpose with or without fee is hereby granted, provided that the above

@@ -47,7 +47,7 @@ of the key is specified on the command line. This must match the name of the zon

.RS 4

Selects the cryptographic algorithm. The value of

\fBalgorithm\fR

-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive.

+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.

.sp

If no algorithm is specified, then RSASHA1 will be used by default, unless the

\fB\-3\fR

@@ -215,5 +215,5 @@ RFC 4034.

.PP

Internet Systems Consortium

.SH "COPYRIGHT"

-Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC")

+Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")

.br

diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
index 6a0714676382..e91e02dda5ae 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and/or distribute this software for any

* purpose with or without fee is hereby granted, provided that the above

@@ -55,7 +55,8 @@ int verbose;

static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"

" NSEC3DSA | NSEC3RSASHA1 |"

- " RSASHA256 | RSASHA512 | ECCGOST";

+ " RSASHA256 | RSASHA512 | ECCGOST |"

+ " ECDSAP256SHA256 | ECDSAP384SHA384";

ISC_PLATFORM_NORETURN_PRE static void

usage(void) ISC_PLATFORM_NORETURN_POST;

@@ -369,7 +370,8 @@ main(int argc, char **argv) {

if (use_nsec3 &&

alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&

alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&

- alg != DST_ALG_ECCGOST) {

+ alg != DST_ALG_ECCGOST &&

+ alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {

fatal("%s is incompatible with NSEC3; "

"do not use the -3 option", algname);

}

diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
index 5f3e0e681f97..4662e870a8ef 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook

@@ -2,7 +2,7 @@

"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"

[<!ENTITY mdash "—">]>

<!--

- Permission to use, copy, modify, and/or distribute this software for any

- purpose with or without fee is hereby granted, provided that the above

@@ -40,6 +40,7 @@

+ <year>2012</year>

<holder>Internet Systems Consortium, Inc. ("ISC")</holder>

</copyright>

</docinfo>

@@ -94,7 +95,8 @@

<para>

Selects the cryptographic algorithm. The value of

<option>algorithm</option> must be one of RSAMD5, RSASHA1,

- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.

+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,

+ ECDSAP256SHA256 or ECDSAP384SHA384.

These values are case insensitive.

</para>

<para>

diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
index f2c72c57afe0..0fa3affa277b 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html

@@ -1,5 +1,5 @@

<!--

- Permission to use, copy, modify, and/or distribute this software for any

- purpose with or without fee is hereby granted, provided that the above

@@ -31,7 +31,7 @@

<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>

</div>

-<a name="id2543495"></a><h2>DESCRIPTION</h2>

+<a name="id2543498"></a><h2>DESCRIPTION</h2>

<p><span><strong class="command">dnssec-keyfromlabel</strong></span>

gets keys with the given label from a crypto hardware and builds

key files for DNSSEC (Secure DNS), as defined in RFC 2535

@@ -44,14 +44,15 @@

</p>

</div>

-<a name="id2543513"></a><h2>OPTIONS</h2>

+<a name="id2543516"></a><h2>OPTIONS</h2>

<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>

<dd>

<p>

Selects the cryptographic algorithm. The value of

<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,

- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.

+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,

+ ECDSAP256SHA256 or ECDSAP384SHA384.

These values are case insensitive.

</p>

<p>

@@ -163,7 +164,7 @@

</dl></div>

</div>

-<a name="id2543877"></a><h2>TIMING OPTIONS</h2>

+<a name="id2543880"></a><h2>TIMING OPTIONS</h2>

<p>

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.

If the argument begins with a '+' or '-', it is interpreted as

@@ -210,7 +211,7 @@

</dl></div>

</div>

-<a name="id2544043"></a><h2>GENERATED KEY FILES</h2>

+<a name="id2544046"></a><h2>GENERATED KEY FILES</h2>

<p>

When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes

successfully,

@@ -249,7 +250,7 @@

</p>

</div>

-<a name="id2544116"></a><h2>SEE ALSO</h2>

+<a name="id2544119"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,

<em class="citetitle">BIND 9 Administrator Reference Manual</em>,

@@ -257,7 +258,7 @@

</p>

</div>

-<a name="id2544149"></a><h2>AUTHOR</h2>

+<a name="id2544152"></a><h2>AUTHOR</h2>

<p><span class="corpauthor">Internet Systems Consortium</span>

</p>

</div>

diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8
index 690abf9325c0..689f23df4edb 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.8
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8

@@ -1,4 +1,4 @@

.\"

.\" Permission to use, copy, modify, and/or distribute this software for any

@@ -48,7 +48,7 @@ of the key is specified on the command line. For DNSSEC keys, this must match th

.RS 4

Selects the cryptographic algorithm. For DNSSEC keys, the value of

\fBalgorithm\fR

-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.

+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.

.sp

If no algorithm is specified, then RSASHA1 will be used by default, unless the

\fB\-3\fR

@@ -63,7 +63,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the

.PP

\-b \fIkeysize\fR

.RS 4

-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.

+Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.

.sp

The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with

\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the

@@ -81,7 +81,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a

.PP

\-3

.RS 4

-Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable.

+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable.

.RE

.PP

\-C

@@ -298,7 +298,7 @@ RFC 4034.

.PP

Internet Systems Consortium

.SH "COPYRIGHT"

-Copyright \(co 2004, 2005, 2007\-2010 Internet Systems Consortium, Inc. ("ISC")

+Copyright \(co 2004, 2005, 2007\-2010, 2012 Internet Systems Consortium, Inc. ("ISC")

.br

diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
index cc1d9b11fa9f..8af100c7bdea 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.c
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and/or distribute this software for any

@@ -85,6 +85,7 @@ usage(void) {

fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"

" | NSEC3DSA |\n");

fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");

+ fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");

fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "

"HMAC-SHA256 | \n");

fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");

@@ -102,6 +103,8 @@ usage(void) {

fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "

"by 64\n");

fprintf(stderr, " ECCGOST:\tignored\n");

+ fprintf(stderr, " ECDSAP256SHA256:\tignored\n");

+ fprintf(stderr, " ECDSAP384SHA384:\tignored\n");

fprintf(stderr, " HMAC-MD5:\t[1..512]\n");

fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");

fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");

@@ -549,7 +552,8 @@ main(int argc, char **argv) {

if (use_nsec3 &&

alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&

alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&

- alg != DST_ALG_ECCGOST) {

+ alg != DST_ALG_ECCGOST &&

+ alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {

fatal("%s is incompatible with NSEC3; "

"do not use the -3 option", algname);

}

@@ -579,9 +583,11 @@ main(int argc, char **argv) {

size = 1024;

if (verbose > 0)

fprintf(stderr, "key size not "

- "specified; defaulting "

- "to %d\n", size);

- } else if (alg != DST_ALG_ECCGOST)

+ "specified; defaulting"

+ " to %d\n", size);

+ } else if (alg != DST_ALG_ECCGOST &&

+ alg != DST_ALG_ECDSA256 &&

+ alg != DST_ALG_ECDSA384)

fatal("key size not specified (-b option)");

}

@@ -710,6 +716,8 @@ main(int argc, char **argv) {

fatal("invalid DSS key size: %d", size);

break;

case DST_ALG_ECCGOST:

+ case DST_ALG_ECDSA256:

+ case DST_ALG_ECDSA384:

break;

case DST_ALG_HMACMD5:

options |= DST_TYPE_KEY;

@@ -775,7 +783,8 @@ main(int argc, char **argv) {

if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||

alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||

- alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST) &&

+ alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST ||

+ alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) &&

rsa_exp != 0)

fatal("specified RSA exponent for a non-RSA key");

@@ -849,6 +858,8 @@ main(int argc, char **argv) {

case DNS_KEYALG_DSA:

case DNS_KEYALG_NSEC3DSA:

case DST_ALG_ECCGOST:

+ case DST_ALG_ECDSA256:

+ case DST_ALG_ECDSA384:

show_progress = ISC_TRUE;

/* fall through */

diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
index f0cf7f5f0815..0a1926bd839a 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook

@@ -2,7 +2,7 @@

"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"

[<!ENTITY mdash "—">]>

<!--

- Permission to use, copy, modify, and/or distribute this software for any

@@ -43,6 +43,7 @@

+ <year>2012</year>

<holder>Internet Systems Consortium, Inc. ("ISC")</holder>

</copyright>

@@ -114,7 +115,8 @@

<para>

Selects the cryptographic algorithm. For DNSSEC keys, the value

of <option>algorithm</option> must be one of RSAMD5, RSASHA1,

- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.

+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,

+ ECDSAP256SHA256 or ECDSAP384SHA384.

For TSIG/TKEY, the value must

be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,

HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are

@@ -148,7 +150,8 @@

between 512 and 2048 bits. Diffie Hellman keys must be between

128 and 4096 bits. DSA keys must be between 512 and 1024

bits and an exact multiple of 64. HMAC keys must be

- between 1 and 512 bits.

+ between 1 and 512 bits. Elliptic curve algorithms don't need

+ this parameter.

</para>

<para>

The key size does not need to be specified if using a default

@@ -184,7 +187,8 @@

Use an NSEC3-capable algorithm to generate a DNSSEC key.

If this option is used and no algorithm is explicitly

set on the command line, NSEC3RSASHA1 will be used by

- default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms

+ default. Note that RSASHA256, RSASHA512, ECCGOST,

+ ECDSAP256SHA256 and ECDSAP384SHA384 algorithms

are NSEC3-capable.

</para>

</listitem>

diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html
index 4bf1f6b4a094..3bdfa0739f2c 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.html
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html

@@ -1,5 +1,5 @@

<!--

- Permission to use, copy, modify, and/or distribute this software for any

@@ -32,7 +32,7 @@

<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>

</div>

-<a name="id2543579"></a><h2>DESCRIPTION</h2>

+<a name="id2543582"></a><h2>DESCRIPTION</h2>

<p><span><strong class="command">dnssec-keygen</strong></span>

generates keys for DNSSEC (Secure DNS), as defined in RFC 2535

and RFC 4034. It can also generate keys for use with

@@ -46,14 +46,15 @@

</p>

</div>

-<a name="id2543597"></a><h2>OPTIONS</h2>

+<a name="id2543601"></a><h2>OPTIONS</h2>

<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>

<dd>

<p>

Selects the cryptographic algorithm. For DNSSEC keys, the value

of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,

- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.

+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,

+ ECDSAP256SHA256 or ECDSAP384SHA384.

For TSIG/TKEY, the value must

be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,

HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are

@@ -84,7 +85,8 @@

between 512 and 2048 bits. Diffie Hellman keys must be between

128 and 4096 bits. DSA keys must be between 512 and 1024

bits and an exact multiple of 64. HMAC keys must be

- between 1 and 512 bits.

+ between 1 and 512 bits. Elliptic curve algorithms don't need

+ this parameter.

</p>

<p>

The key size does not need to be specified if using a default

@@ -111,7 +113,8 @@

Use an NSEC3-capable algorithm to generate a DNSSEC key.

If this option is used and no algorithm is explicitly

set on the command line, NSEC3RSASHA1 will be used by

- default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms

+ default. Note that RSASHA256, RSASHA512, ECCGOST,

+ ECDSAP256SHA256 and ECDSAP384SHA384 algorithms

are NSEC3-capable.

</p></dd>

@@ -248,7 +251,7 @@

</dl></div>

</div>

-<a name="id2544166"></a><h2>TIMING OPTIONS</h2>

+<a name="id2544169"></a><h2>TIMING OPTIONS</h2>

<p>

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.

If the argument begins with a '+' or '-', it is interpreted as

@@ -319,7 +322,7 @@

</dl></div>

</div>

-<a name="id2544356"></a><h2>GENERATED KEYS</h2>

+<a name="id2544359"></a><h2>GENERATED KEYS</h2>

<p>

When <span><strong class="command">dnssec-keygen</strong></span> completes

successfully,

@@ -365,7 +368,7 @@

</p>

</div>

-<a name="id2544506"></a><h2>EXAMPLE</h2>

+<a name="id2544441"></a><h2>EXAMPLE</h2>

<p>

To generate a 768-bit DSA key for the domain

<strong class="userinput"><code>example.com</code></strong>, the following command would be

@@ -386,7 +389,7 @@

</p>

</div>

-<a name="id2544550"></a><h2>SEE ALSO</h2>

+<a name="id2544485"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,

<em class="citetitle">BIND 9 Administrator Reference Manual</em>,

<em class="citetitle">RFC 2539</em>,

@@ -395,7 +398,7 @@

</p>

</div>

-<a name="id2544581"></a><h2>AUTHOR</h2>

+<a name="id2544584"></a><h2>AUTHOR</h2>

<p><span class="corpauthor">Internet Systems Consortium</span>

</p>

</div>

diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.c b/contrib/bind9/bin/dnssec/dnssec-settime.c
index 7a814904a99a..f7f4486eefe7 100644
--- a/contrib/bind9/bin/dnssec/dnssec-settime.c
+++ b/contrib/bind9/bin/dnssec/dnssec-settime.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and/or distribute this software for any

* purpose with or without fee is hereby granted, provided that the above

@@ -38,6 +38,7 @@

#include <dns/keyvalues.h>

#include <dns/result.h>

+#include <dns/log.h>

#include <dst/dst.h>

@@ -151,6 +152,7 @@ main(int argc, char **argv) {

isc_boolean_t force = ISC_FALSE;

isc_boolean_t epoch = ISC_FALSE;

isc_boolean_t changed = ISC_FALSE;

+ isc_log_t *log = NULL;

if (argc == 1)

usage();

@@ -159,6 +161,8 @@ main(int argc, char **argv) {

if (result != ISC_R_SUCCESS)

fatal("Out of memory");

+ setup_logging(verbose, mctx, &log);

dns_result_register();

isc_commandline_errprint = ISC_FALSE;

@@ -578,6 +582,7 @@ main(int argc, char **argv) {

cleanup_entropy(&ectx);

if (verbose > 10)

isc_mem_stats(mctx, stdout);

+ cleanup_logging(&log);

isc_mem_free(mctx, directory);

isc_mem_destroy(&mctx);

diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c
index 953e2b086fc8..237624948a26 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.c
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c

@@ -3893,7 +3893,10 @@ main(int argc, char *argv[]) {

check_result(result, "isc_file_mktemplate");

fp = NULL;

- result = isc_file_openunique(tempfile, &fp);

+ if (outputformat == dns_masterformat_text)

+ result = isc_file_openunique(tempfile, &fp);

+ else

+ result = isc_file_bopenunique(tempfile, &fp);

if (result != ISC_R_SUCCESS)

fatal("failed to open temporary output file: %s",

isc_result_totext(result));