Source-Changes-HG archive


[src/trunk]: src/external/mpl/bind merge conflicts, bump versions, sync includes



details:   https://anonhg.NetBSD.org/src/rev/402ef99e8258
branches:  trunk
changeset: 998728:402ef99e8258
user:      christos <christos%NetBSD.org@localhost>
date:      Sun Apr 28 00:01:13 2019 +0000

description:
merge conflicts, bump versions, sync includes

diffstat:

 external/mpl/bind/dist/bin/check/named-checkconf.c                                      |    4 +-
 external/mpl/bind/dist/bin/dnssec/dnssec-cds.c                                          |   22 +-
 external/mpl/bind/dist/bin/dnssec/dnssec-dsfromkey.c                                    |    6 +-
 external/mpl/bind/dist/bin/dnssec/dnssec-keygen.8                                       |   85 +-
 external/mpl/bind/dist/bin/dnssec/dnssec-keygen.c                                       |    9 +-
 external/mpl/bind/dist/bin/named/named.conf.5                                           |    6 +-
 external/mpl/bind/dist/bin/named/server.c                                               |   61 +-
 external/mpl/bind/dist/bin/nsupdate/nsupdate.c                                          |   33 +-
 external/mpl/bind/dist/bin/tests/system/checkconf/bad-allow-update-forwarding-view.conf |   14 -
 external/mpl/bind/dist/bin/tests/system/checkconf/bad-allow-update-forwarding.conf      |   14 -
 external/mpl/bind/dist/bin/tests/system/checkconf/bad-allow-update-view.conf            |   14 -
 external/mpl/bind/dist/bin/tests/system/checkconf/bad-allow-update.conf                 |   14 -
 external/mpl/bind/dist/bin/tests/system/dlz/prereq.sh.in                                |   19 -
 external/mpl/bind/dist/bin/tests/system/dlzexternal/driver.c                            |  108 +-
 external/mpl/bind/dist/bin/tests/system/feature-test.c                                  |   11 +-
 external/mpl/bind/dist/bin/tools/dnstap-read.c                                          |    5 +-
 external/mpl/bind/dist/bind.keys.h                                                      |   74 +-
 external/mpl/bind/dist/config.h.in                                                      |    6 +
 external/mpl/bind/dist/configure                                                        |   97 +-
 external/mpl/bind/dist/contrib/dlz/drivers/dlz_filesystem_driver.c                      |    6 +-
 external/mpl/bind/dist/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c          |    6 +-
 external/mpl/bind/dist/lib/bind9/check.c                                                |   59 +-
 external/mpl/bind/dist/lib/dns/byaddr.c                                                 |   10 +-
 external/mpl/bind/dist/lib/dns/client.c                                                 |   46 +-
 external/mpl/bind/dist/lib/dns/dnstap.c                                                 |   11 +-
 external/mpl/bind/dist/lib/dns/ds.c                                                     |   31 +-
 external/mpl/bind/dist/lib/dns/gen.c                                                    |   25 +-
 external/mpl/bind/dist/lib/dns/include/dns/dnstap.h                                     |    5 +-
 external/mpl/bind/dist/lib/dns/include/dns/ds.h                                         |    4 +-
 external/mpl/bind/dist/lib/dns/include/dns/ecs.h                                        |    4 +-
 external/mpl/bind/dist/lib/dns/include/dns/rpz.h                                        |   22 +-
 external/mpl/bind/dist/lib/dns/message.c                                                |   60 +-
 external/mpl/bind/dist/lib/dns/rdata/generic/ds_43.h                                    |    6 +-
 external/mpl/bind/dist/lib/dns/rdata/generic/key_25.h                                   |    6 +-
 external/mpl/bind/dist/lib/dns/rdata/generic/keydata_65533.h                            |    6 +-
 external/mpl/bind/dist/lib/dns/rdata/in_1/eid_31.c                                      |   15 +-
 external/mpl/bind/dist/lib/dns/rdata/in_1/nimloc_32.c                                   |   15 +-
 external/mpl/bind/dist/lib/dns/resolver.c                                               |   15 +-
 external/mpl/bind/dist/lib/dns/rpz.c                                                    |   21 +-
 external/mpl/bind/dist/lib/dns/sdlz.c                                                   |   14 +-
 external/mpl/bind/dist/lib/dns/tests/dnstap_test.c                                      |   10 +-
 external/mpl/bind/dist/lib/dns/tests/rdata_test.c                                       |   52 +-
 external/mpl/bind/dist/lib/dns/tests/result_test.c                                      |    3 +-
 external/mpl/bind/dist/lib/dns/validator.c                                              |    4 +-
 external/mpl/bind/dist/lib/dns/zone.c                                                   |   58 +-
 external/mpl/bind/dist/lib/isc/include/isc/quota.h                                      |    9 +-
 external/mpl/bind/dist/lib/isc/include/isc/result.h                                     |    6 +-
 external/mpl/bind/dist/lib/isc/include/isc/util.h                                       |   23 +-
 external/mpl/bind/dist/lib/isc/lex.c                                                    |    4 +-
 external/mpl/bind/dist/lib/isc/quota.c                                                  |   32 +-
 external/mpl/bind/dist/lib/isc/result.c                                                 |    6 +-
 external/mpl/bind/dist/lib/isc/tests/netaddr_test.c                                     |    3 +-
 external/mpl/bind/dist/lib/isc/tests/result_test.c                                      |    3 +-
 external/mpl/bind/dist/lib/isc/unix/errno2result.c                                      |    8 +-
 external/mpl/bind/dist/lib/isc/unix/socket.c                                            |   17 +-
 external/mpl/bind/dist/lib/isc/win32/errno2result.c                                     |    4 +-
 external/mpl/bind/dist/lib/isccc/tests/result_test.c                                    |    3 +-
 external/mpl/bind/dist/lib/isccfg/namedconf.c                                           |    4 +-
 external/mpl/bind/dist/lib/ns/client.c                                                  |  429 +++++++--
 external/mpl/bind/dist/lib/ns/hooks.c                                                   |   47 +-
 external/mpl/bind/dist/lib/ns/include/ns/client.h                                       |   23 +-
 external/mpl/bind/dist/lib/ns/include/ns/hooks.h                                        |   26 +-
 external/mpl/bind/dist/lib/ns/include/ns/interfacemgr.h                                 |   13 +-
 external/mpl/bind/dist/lib/ns/interfacemgr.c                                            |   11 +-
 external/mpl/bind/dist/lib/ns/query.c                                                   |  170 ++-
 external/mpl/bind/include/config.h                                                      |   12 +-
 external/mpl/bind/include/dns/rdatastruct.h                                             |   12 +-
 external/mpl/bind/lib/libbind9/shlib_version                                            |    4 +-
 external/mpl/bind/lib/libdns/shlib_version                                              |    4 +-
 external/mpl/bind/lib/libirs/shlib_version                                              |    4 +-
 external/mpl/bind/lib/libisc/Makefile                                                   |    6 +-
 external/mpl/bind/lib/libisc/shlib_version                                              |    4 +-
 external/mpl/bind/lib/libisccc/shlib_version                                            |    4 +-
 external/mpl/bind/lib/libisccfg/shlib_version                                           |    4 +-
 external/mpl/bind/lib/libns/Makefile                                                    |    3 +-
 external/mpl/bind/lib/libns/shlib_version                                               |    4 +-
 76 files changed, 1281 insertions(+), 737 deletions(-)

diffs (truncated from 4455 to 300 lines):

diff -r d9edfaacac39 -r 402ef99e8258 external/mpl/bind/dist/bin/check/named-checkconf.c
--- a/external/mpl/bind/dist/bin/check/named-checkconf.c        Sat Apr 27 23:47:13 2019 +0000
+++ b/external/mpl/bind/dist/bin/check/named-checkconf.c        Sun Apr 28 00:01:13 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: named-checkconf.c,v 1.3 2019/01/09 16:54:58 christos Exp $     */
+/*     $NetBSD: named-checkconf.c,v 1.4 2019/04/28 00:01:13 christos Exp $     */
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -65,7 +65,7 @@
 
 static void
 usage(void) {
-       fprintf(stderr, "usage: %s [-hjlvz] [-p [-x]] [-t directory] "
+       fprintf(stderr, "usage: %s [-chjlvz] [-p [-x]] [-t directory] "
                "[named.conf]\n", program);
        exit(1);
 }
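Review bot: The usage string in usage() now advertises `-c`, but the diffstat for this commit lists no manual page change under bin/check, only named-checkconf.c. Confirm that the option is handled in the getopt string (not visible in this hunk) and that the named-checkconf manual page describes it, so the usage text and the documentation do not drift apart.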
diff -r d9edfaacac39 -r 402ef99e8258 external/mpl/bind/dist/bin/dnssec/dnssec-cds.c
--- a/external/mpl/bind/dist/bin/dnssec/dnssec-cds.c    Sat Apr 27 23:47:13 2019 +0000
+++ b/external/mpl/bind/dist/bin/dnssec/dnssec-cds.c    Sun Apr 28 00:01:13 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: dnssec-cds.c,v 1.4 2019/02/24 20:01:27 christos Exp $  */
+/*     $NetBSD: dnssec-cds.c,v 1.5 2019/04/28 00:01:13 christos Exp $  */
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -88,7 +88,7 @@
  * List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
  * from -a arguments. The size of the array is an arbitrary limit.
  */
-static uint8_t dtype[8];
+static dns_dsdigest_t dtype[8];
 
 static const char *startstr  = NULL;   /* from which we derive notbefore */
 static isc_stdtime_t notbefore = 0;    /* restrict sig inception times */
@@ -131,7 +131,7 @@
 typedef struct keyinfo {
        dns_rdata_t rdata;
        dst_key_t *dst;
-       uint8_t algo;
+       dns_secalg_t algo;
        dns_keytag_t tag;
 } keyinfo_t;
 
@@ -616,12 +616,12 @@
  * otherwise the key algorithm. This is used by the signature coverage
  * check functions below.
  */
-static uint8_t *
+static dns_secalg_t *
 matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
              dns_rdataset_t *sigset)
 {
        isc_result_t result;
-       uint8_t *algo;
+       dns_secalg_t *algo;
        int i;
 
        algo = isc_mem_get(mctx, nkey);
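Review bot: The unchanged allocation `algo = isc_mem_get(mctx, nkey);` in matching_sigs() still passes an element count as the byte size, which is only correct while dns_secalg_t is exactly one byte wide. Now that the pointer type is a typedef rather than uint8_t, size the buffer from the type, for example `isc_mem_get(mctx, nkey * sizeof(algo[0]))`, and use the same expression in the matching isc_mem_put() so a later widening of the typedef cannot turn this into a heap overrun.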
@@ -704,7 +704,7 @@
  * fetched from the child zone, any working signature is enough.
  */
 static bool
-signed_loose(uint8_t *algo) {
+signed_loose(dns_secalg_t *algo) {
        bool ok = false;
        int i;
        for (i = 0; i < nkey; i++) {
@@ -723,7 +723,7 @@
  * RRset.
  */
 static bool
-signed_strict(dns_rdataset_t *dsset, uint8_t *algo) {
+signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
        isc_result_t result;
        bool all_ok = true;
 
@@ -846,14 +846,14 @@
  */
 static int
 cmp_dtype(const void *ap, const void *bp) {
-       int a = *(const uint8_t *)ap;
-       int b = *(const uint8_t *)bp;
+       int a = *(const dns_dsdigest_t *)ap;
+       int b = *(const dns_dsdigest_t *)bp;
        return (a - b);
 }
 
 static void
 add_dtype(const char *dn) {
-       uint8_t dt;
+       dns_dsdigest_t dt;
        unsigned i, n;
 
        dt = strtodsdigest(dn);
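Review bot: cmp_dtype() now dereferences its arguments as dns_dsdigest_t, so the sort call that uses it (outside this hunk) must pass `sizeof(dtype[0])` as the element size rather than a literal 1, or the comparator will read across element boundaries if the typedef ever changes width. In add_dtype(), `dt = strtodsdigest(dn);` should also be checked so that the return type of strtodsdigest() matches dns_dsdigest_t and no silent truncation happens on assignment.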
@@ -938,7 +938,7 @@
        dns_rdata_t *arrdata;
        dns_rdata_ds_t *ds;
        dns_keytag_t key_tag;
-       uint8_t algorithm;
+       dns_secalg_t algorithm;
        bool match;
        int i, j, n, d;
 
diff -r d9edfaacac39 -r 402ef99e8258 external/mpl/bind/dist/bin/dnssec/dnssec-dsfromkey.c
--- a/external/mpl/bind/dist/bin/dnssec/dnssec-dsfromkey.c      Sat Apr 27 23:47:13 2019 +0000
+++ b/external/mpl/bind/dist/bin/dnssec/dnssec-dsfromkey.c      Sun Apr 28 00:01:13 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: dnssec-dsfromkey.c,v 1.4 2019/02/24 20:01:27 christos Exp $    */
+/*     $NetBSD: dnssec-dsfromkey.c,v 1.5 2019/04/28 00:01:13 christos Exp $    */
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -237,7 +237,7 @@
 }
 
 static void
-emit(unsigned int dtype, bool showall, char *lookaside,
+emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
      bool cds, dns_rdata_t *rdata)
 {
        isc_result_t result;
@@ -352,7 +352,7 @@
        char            *lookaside = NULL;
        char            *endp;
        int             ch;
-       unsigned int    dtype = DNS_DSDIGEST_SHA1;
+       dns_dsdigest_t  dtype = DNS_DSDIGEST_SHA1;
        bool    cds = false;
        bool    both = true;
        bool    usekeyset = false;
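Review bot: In main() the local `dtype` narrows from unsigned int to dns_dsdigest_t, a type that replaces uint8_t elsewhere in this patch, so any digest number parsed from the command line (the `endp` variable suggests a strtol-style conversion) needs an explicit range check before it is stored. Without one, an out-of-range argument would wrap to a different digest type instead of being rejected. Worth a comment at the declaration as well, since the default stays `DNS_DSDIGEST_SHA1`.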
diff -r d9edfaacac39 -r 402ef99e8258 external/mpl/bind/dist/bin/dnssec/dnssec-keygen.8
--- a/external/mpl/bind/dist/bin/dnssec/dnssec-keygen.8 Sat Apr 27 23:47:13 2019 +0000
+++ b/external/mpl/bind/dist/bin/dnssec/dnssec-keygen.8 Sun Apr 28 00:01:13 2019 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: dnssec-keygen.8,v 1.4 2019/02/24 20:01:27 christos Exp $
+.\"    $NetBSD: dnssec-keygen.8,v 1.5 2019/04/28 00:01:13 christos Exp $
 .\"
 .\" Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -41,7 +41,7 @@
 dnssec-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ 
\fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ 
\fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ 
\fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ 
\fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ 
\fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] 
[\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ 
\fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ 
\fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
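Review bot: The reordered SYNOPSIS drops `[\fB\-z\fR]` from the end of the line but still lists `[\fB\-k\fR]`, while a later hunk in this same file removes the `\-k` entry from OPTIONS. The synopsis and the option list should agree: either drop `-k` from the synopsis too, or keep a short OPTIONS entry noting it is deprecated. If `-z` is intentionally gone, confirm no remaining text in the page refers to it.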
@@ -60,6 +60,13 @@
 \fBdnssec\-keygen\fR\&.
 .SH "OPTIONS"
 .PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
 \-a \fIalgorithm\fR
 .RS 4
 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
@@ -85,29 +92,15 @@
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 
bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 
bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
 .sp
 If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key 
signing keys (KSKs, generated with
 \fB\-f KSK\fR) default to 2048 bits\&.
 .RE
 .PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key\&. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are 
case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
-.RE
-.PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
-\fBdnssec\-keygen \-3a RSASHA1\fR
-specifies the NSEC3RSASHA1 algorithm\&.
-.RE
-.PP
 \-C
 .RS 4
-Compatibility mode: generates an old\-style key, without any metadata\&. By default,
+Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
 \fBdnssec\-keygen\fR
 will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data 
may be incompatible with older versions of BIND; the
 \fB\-C\fR
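Review bot: The `\-b` text raises the RSA upper bound to 4096 bits on the added line, but the unchanged paragraph right below it still documents a default of 1024 bits for RSA zone signing keys. Since dnssec-keygen.c is also touched in this commit, verify that the documented bounds and defaults match what the code enforces, and consider stating the default more prominently so operators do not generate 1024-bit RSA keys by omission. The removal of the DSA and HMAC size rules should be mirrored wherever the page still mentions those algorithms.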
@@ -152,11 +145,6 @@
 Sets the directory in which the key files are to be written\&.
 .RE
 .PP
-\-k
-.RS 4
-Deprecated in favor of \-T KEY\&.
-.RE
-.PP
 \-L \fIttl\fR
 .RS 4
 Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY 
RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL 
to
@@ -166,9 +154,17 @@
 is the same as leaving it unset\&.
 .RE
 .PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are 
case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
+.RE
+.PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its 
successors\&.
+Sets the protocol value for the generated key, for use with
+\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
 .RE
 .PP
 \-q
@@ -195,27 +191,25 @@
 Specifies the resource record type to use for the key\&.
 \fBrrtype\fR
 must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
-Specifying any TSIG algorithm (HMAC\-* or DH) with
-\fB\-a\fR
-forces this option to KEY\&.
 .RE
 .PP
 \-t \fItype\fR
 .RS 4
-Indicates the use of the key\&.
+Indicates the use of the key, for use with
+\fB\-T KEY\fR\&.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
 .RE
 .PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
+.PP
 \-v \fIlevel\fR
 .RS 4
 Sets the debugging level\&.
 .RE
-.PP
-\-V
-.RS 4
-Prints version information\&.
-.RE
 .SH "TIMING OPTIONS"
 .PP
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, 
if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour 
days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date 
from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
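Review bot: The `\-T` entry loses the sentence about TSIG algorithms (HMAC\-* or DH) forcing the type to KEY, yet the `\-b` hunk earlier in this file still documents Diffie Hellman key sizes. If DH keys can still be generated, the `\-T` text should say which record type they get; if they cannot, the DH sentence under `\-b` should go too. The new "for use with `\-T KEY`" wording on `\-t` reads fine.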
@@ -316,23 +310,24 @@
 .PP
 The
 \&.key
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
+file contains a DNSKEY or KEY record\&. When a zone is being signed by
+\fBnamed\fR
+or
+\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
+\&.key
+file can be inserted into a zone file manually or with a
+\fB$INCLUDE\fR
+statement\&.
 .PP
 The
 \&.private
 file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
-.PP
-Both
-\&.key
-and
-\&.private
-files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
-To generate an ECDSAP256SHA256 key for the domain
-\fBexample\&.com\fR, the following command would be issued:
+To generate an ECDSAP256SHA256 zone\-signing key for the zone
+\fBexample\&.com\fR, issue the command:
 .PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR
+\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
 .PP
 The command would print a string of the form:
 .PP
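Review bot: The added line `\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&.` has no space between the command name and the option, so it renders as "dnssec-signzone-S". Insert an escaped space between the two bold runs, as the page does elsewhere with `\ `, so the option is readable.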
@@ -344,6 +339,10 @@
 Kexample\&.com\&.+013+26160\&.key
 and


