all: pdns.txt pdns.pdf html/index.html html.tar.gz
-pdns-expanded.sgml: pdns.sgml
+pdns-expanded.xml: pdns.xml
./expand < $< > $@
clean:
- rm -rf *.xml *.dvi *.pdf *.tex *.toc *.aux *.ps *.bak *.tmp *~ *.log html.tar.gz html pdns
-
-html/index.html: pdns-expanded.sgml
- db2html -V %use-id-as-filename% -o html $<
+ rm -rf *.dvi *.pdf *.tex *.toc *.aux *.ps *.bak *.tmp *~ *.log html.tar.gz html pdns
+html/index.html: pdns-expanded.xml
+ xmlto xhtml -m config.xsl -o html $<
+ cp docbook.css html
+
html.tar.gz: html/index.html
tar czf html.tar.gz html/
-%.txt: %-expanded.sgml
- docbook2txt $<
+%.txt: %-expanded.xml
+ xmlto text -m config.xsl $<
mv pdns-expanded.txt pdns.txt
-%.pdf: %-expanded.sgml
- docbook2pdf $<
+%.pdf: %-expanded.xml
+ xmlto --with-dblatex pdf $<
mv pdns-expanded.pdf pdns.pdf
-%.xml: %.txt
- asciidoc -b docbook -d manpage $<
+#%.xml: %.txt
+# asciidoc -b docbook -d manpage $<
-%: %.xml
- xmlto man $<
+#: %.xml
+# xmlto man $<
%.html: %.txt
asciidoc -b xhtml11 -d manpage $<
publish:
- rsync --rsync-path=./rsync --copy-links --delete -avrze 'ssh -p 2222' ./html pdns.txt pdns.pdf html.tar.gz \
- localhost:/opt/websites/downloads.powerdns.com/www/documentation/
- ssh localhost -p 2222 ln -s /opt/websites/downloads.powerdns.com/www/documentation/images \
- /opt/websites/downloads.powerdns.com/www/documentation/html/
+ rsync --rsync-path=./rsync --exclude "*.png" --copy-links --delete -avrze 'ssh -p 2222' ./html pdns.txt pdns.pdf html.tar.gz \
+ localhost:/opt/websites/downloads.powerdns.com/www/documentation/
+# ssh localhost -p 2222 cp /usr/share/doc/libboost-doc/HTML/doc/html/images/*.png \
+# /opt/websites/downloads.powerdns.com/www/documentation/html/
publish2:
rsync --copy-links --delete -avrze ssh ./html pdns.txt pdns.pdf \
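Review bot: the clean target now leaves the generated pdns-expanded.xml behind. Dropping `*.xml` from the rm list is necessary because pdns.xml is now the source, but the intermediate should still be removed, so add `pdns-expanded.xml` (or `*-expanded.xml`) explicitly to the `rm -rf` line. Two smaller points in the same hunk: the commented-out manpage rule lost its pattern (`#: %.xml` should read `#%: %.xml` if it is kept at all, and if nobody intends to restore it, delete both commented rules rather than carry dead code); and in the publish target, `--exclude "*.png"` together with `--delete` means existing PNGs on the server survive (rsync protects excluded files from deletion) but no new image is ever uploaded, while the only image step is the commented-out `ssh ... cp /usr/share/doc/libboost-doc/...` lines. Either document how images reach the documentation directory or remove the commented block.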
<xsl:param name="callout.list.table" select="'1'"></xsl:param>
<xsl:param name="generate.section.toc.level" select="1"></xsl:param>
<xsl:param name="section.autolabel" select="1"></xsl:param>
-<xsl:param name="section.autolabel.max.depth" select="1"></xsl:param>
-
+<xsl:param name="section.autolabel.max.depth" select="2"></xsl:param>
<xsl:param name="generate.index" select="1"></xsl:param>
</xsl:stylesheet>
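Review bot: raising `section.autolabel.max.depth` to 2 while `generate.section.toc.level` stays at 1 means second-level sections get numbers in headings and cross references but are still not listed in the section-level tables of contents; confirm that mismatch is intended, otherwise raise both parameters together.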
A PowerDNSSEC zone can either be operated in NSEC or in one of two NSEC3 modes ('inclusive' and 'narrow').
</para>
</section>
+ <section id="dnssec-supported">
+ <title>Profile, Supported Algorithms, Record Types & Modes of operation</title>
+ <para>
+ PowerDNSSEC aims to serve unexciting, standards compliant, DNSSEC information. One goal is to have
+ relevant parts of our output be identical or equivalent to important fellow-traveller software like NLNetLab's
+ NSD.
+ </para>
+ <para>
+ Particularly, if a PowerDNSSEC secured zone is transfered via AXFR, it should be able to contain the same records
+ as when that zone was signed using 'ldns-signzone' using the same keys and settings.
+ </para>
+ <para>
+ In addition to the above, PowerDNSSEC also supports modes of operation which may not have an equivalent in other
+ pieces of software, for example NSEC3-narrow mode. In such cases we strive for implementing the relevant standards
+ well.
+ </para>
+ <para>
+ PowerDNSSEC supports:
+ <itemizedlist>
+ <listitem><para>
+ NSEC</para>
+ </listitem>
+ <listitem><para>
+ NSEC3
+ </listitem>
+ <listitem><para>
+ NSEC-narrow</para>
+ </listitem>
+ <listitem><para>
+ DS (digest type 1, digest type 2)</para>
+ </listitem>
+ <listitem><para>
+ RSASHA1 (algorithm 5, algorithm 7)</para>
+ </listitem>
+ <listitem><para>
+ RSASHA256 (algorithm 8)</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ This corresponds to:
+ <itemizedlist>
+ <listitem><para>
+ RFC 4033, 4034, 4035: DNS Security Introduction and Requirements,Resource Records for the DNS Security Extensions, Protocol Modifications for the DNS Security Extensions</para>
+ </listitem>
+ <listitem><para>
+ RFC 4509: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
+ </listitem>
+ <listitem><para>
+ RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</para>
+ </listitem>
+ <listitem><para>
+ RFC 5702: Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </section>
<section id="dnssec-migration">
<title>Migration</title>
<para>
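Review bot: this section is not well-formed XML and will make xmlto fail: the `&` in `<title>Profile, Supported Algorithms, Record Types & Modes of operation</title>` must be written `&amp;`, and two list items open a `<para>` that is never closed (`NSEC3` and `RFC 4509: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)`), so add the missing `</para>` to each. Content points: the list item `NSEC-narrow` should read `NSEC3-narrow` to match the paragraph above it; "RSASHA1 (algorithm 5, algorithm 7)" would be clearer naming algorithm 7 by its registered name, RSASHA1-NSEC3-SHA1, since that is the one NSEC3 zones need; and there are typos in "transfered" (transferred), "NLNetLab's" (NLnet Labs') and the missing space in "Requirements,Resource".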
<pubdate>v2.9.19 $Date: 2011-01-06 23:00:05 +0100 (Thu, 06 Jan 2011) $</pubdate>
<abstract>
- <para>
+ <para>
+ <blockquote><literallayout>
It is a book about a Spanish guy called Manual. You should read it.
-- Dilbert
+ </literallayout></blockquote>
</para>
</abstract>
</bookinfo>
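Review bot: the `-- Dilbert` line is better expressed with `<attribution>Dilbert</attribution>` inside the `<blockquote>` than as literal dashes inside the `<literallayout>`, and note that `<literallayout>` preserves whitespace verbatim, so whatever indentation those two lines carry in the source will appear in the rendered abstract; check the xhtml and PDF output for that.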
This corresponds to:
<itemizedlist>
<listitem><para>
- RFC 4033, 4034, 4035: DNS Security Introduction and Requirements,Resource Records for the DNS Security Extensions, Protocol Modifications for the DNS Security Extensions</para>
+ RFC 4033: DNS Security Introduction and Requirements,Resource Records for the DNS Security Extensions, Protocol Modifications for the DNS Security Extensions</para>
+ </listitem>
+ <listitem><para>
+ RFC 4034: Resource Records for the DNS Security Extensions, Protocol Modifications for the DNS Security Extensions</para>
+ </listitem>
+ <listitem><para>
+ RFC 4035: Protocol Modifications for the DNS Security Extensions</para>
</listitem>
<listitem><para>
RFC 4509: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)</para>
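Review bot: the split into three entries is right, but the first two kept the titles copied from the combined line: RFC 4033's title is only "DNS Security Introduction and Requirements", and RFC 4034's is only "Resource Records for the DNS Security Extensions" (the "Protocol Modifications for the DNS Security Extensions" title belongs to RFC 4035 alone). Trim the lines to `RFC 4033: DNS Security Introduction and Requirements</para>` and `RFC 4034: Resource Records for the DNS Security Extensions</para>`.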
<para>
Keys and hashes are configured using the 'pdnssec' tool, which is described next.
</para>
+ <section id="nsec"><title>(Hashed) Denial of Existence</title>
+ <para>
+ PowerDNS supports unhashed secure denial of existence using NSEC records. These are generated
+ with the help of the (database) backend, which needs to be able to supply the 'previous' and 'next' records
+ in canonical ordering.
+ </para>
+ <para>
+ The Generic SQL Backends have fields that allow them to supply these relative record names.
+ </para>
+ <para>
+ In addition, hashed secure denial of existence is supported using NSEC3 records, in two modes, one
+ with help from the database, the other with the help of some additional calculations.
+ </para>
+ <para>
+ NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend, where the backend should
+ be able to supply the previous and next domain names in hashed order.
+ </para>
+ <para>
+ NSEC3 in 'narrow' mode uses additional hashing calculations to provide hashed secure denial of existence 'on the fly',
+ without further involving the database.
+ </para>
+ </section>
</section>
<section id="pdnssec">
<title>'pdnssec' for PowerDNSSEC command & control</title>
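Review bot: the terminology here should line up with the supported-modes list in the dnssec-supported section, which calls the mode "NSEC-narrow" while this section says "NSEC3 in 'narrow' mode" and introduces a second name ("'broad' or 'inclusive'") for the database-backed mode; pick one name per mode and use it in both places (an `<xref linkend="dnssec-supported"/>` would also avoid restating the mode list). The sentence "The Generic SQL Backends have fields that allow them to supply these relative record names" should name those fields and state how they are populated, because an operator with an existing schema that lacks them will get no NSEC or NSEC3 records and has no way to tell from this text what is missing.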
</listitem>
</varlistentry>
<varlistentry>
- <term>add-zone-key ZONE [ksk|zsk] [bits]</term>
+ <term>add-zone-key ZONE [ksk|zsk] [bits] [rsasha1|rsasha256]</term>
<listitem>
<para>
- Create a new key for zone ZONE, and make it a KSK or a ZSK.
+ Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm.
</para>
</listitem>
</varlistentry>
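Review bot: the new `[rsasha1|rsasha256]` argument needs the defaults spelled out: say which algorithm and how many bits are used when the optional arguments are omitted, and whether `rsasha1` selects algorithm 5 or algorithm 7, since the supported-algorithms section lists both under RSASHA1 and only 7 is usable with NSEC3. Also state whether the algorithm can be given without `[bits]`, as the positional form `ZONE [ksk|zsk] [bits] [rsasha1|rsasha256]` leaves that ambiguous.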