.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{
.    if \nF \{
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "dnsval.conf 3"
.TH dnsval.conf 3 "2013-01-02" "perl v5.18.1" "Programmer's Manual"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
dnsval.conf, resolv.conf, root.hints \- Configuration policy for the DNSSEC validator library libval(3).
val_add_valpolicy \- Dynamically add a new policy to the validator context
val_remove_valpolicy \- Remove a dynamically added policy from the validator context
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 3
\&    int val_add_valpolicy(val_context_t *context, 
\&                    void *policy_definition,
\&                    val_policy_entry_t **pol);
\&
\&    int val_remove_valpolicy(val_context_t *context,
\&                    val_policy_entry_t *pol);
\&
\&    typedef struct {
\&        char *keyword;
\&        char *zone;
\&        char *value;
\&        long ttl;
\&    } libval_policy_definition_t;
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Applications can use local policy to influence the validation outcome.
Examples of local policy elements include trust anchors for different zones
and untrusted algorithms for cryptographic keys and hashes.  Local policy
may vary for different applications and operating scenarios.
.PP
The \fI\fIval_add_valpolicy()\fI\fR function can be used to dynamically add a new policy
for a given context (the policies are not added persistently to the system
configuration). The policy_definition field contains an implementation-specific
definition of the validator policy to be added. For the libval library this is
represented by the libval_policy_definition_t structure, which contains four
fields: \fIkeyword\fR, \fIzone\fR and \fIvalue\fR arguments are
identical to \fIkeyword\fR, \fIzone\fR and \fIadditional-data\fR defined below for
\&\fBdnsval.conf\fR.  \fIttl\fR specifies the duration in seconds for which the
policy is kept in effect.  A \fItt\fR value of \fB\-1\fR adds to policy to the context
indefinitely.  A handle to the newly added policy is returned in \fI*pol\fR.
This structure is opaque to the applications; applications must not modify the
contents of the memory returned in \fI*pol\fR.
.PP
Applications may also revoke the effects of a newly added policy, \fIpol\fR,
before the expiry of its timeout interval using the
\&\fI\fIval_remove_valpolicy()\fI\fR policy.
.PP
The validator library reads configuration information from three separate
files, \fBresolv.conf\fR, \fBroot.hints\fR, and \fBdnsval.conf\fR.
.IP "resolv.conf" 4
.IX Item "resolv.conf"
The \fInameserver\fR and \fIsearch\fR options are supported in the \fBresolv.conf\fR file.
.Sp
This \fInameserver\fR option is used to specify the \s-1IP\s0 address of the name server to which
queries must be sent by default.  For example,
.Sp
.Vb 1
\&    nameserver 10.0.0.1
.Ve
.Sp
This \fIsearch\fR option is used to specify the search path for issuing queries.
For example,
.Sp
.Vb 1
\&    search test.dnssec\-tools.org dnssec\-tools.org
.Ve
.Sp
The \fIforward\fR option is used to redirect queries for names that match a given zone name
to the provided name server.  For example,
.Sp
.Vb 1
\&    forward 76.216.12.217 test.dnssec\-tools.org
.Ve
.Sp
If the \fBresolv.conf\fR file contains no name servers, the validator
tries to recursively answer the query using information present
in \fBroot.hints\fR.
.IP "root.hints" 4
.IX Item "root.hints"
The \fBroot.hints\fR file contains bootstrapping information for the
resolver while it attempts to recursively answer queries.  The contents of
this file may be generated by the following command:
.Sp
.Vb 1
\&    dig @e.root\-servers.net . ns > root.hints
.Ve
.IP "dnsval.conf" 4
.IX Item "dnsval.conf"
The \fBdnsval.conf\fR file contains the validator policy.  It consists of
a sequence of the following \*(L"policy-fragments\*(R":
.Sp
.Vb 1
\&    <label> <keyword> <additional\-data>;
.Ve
.Sp
Policies are identified by simple text strings called
labels, which must be unique within the configuration system.  For example,
\&\*(L"browser\*(R" could be used as the label that defines the validator policy for all
web-browsers in a system.  A label value of \*(L":\*(R" identifies the default policy,
the policy that is used when a \s-1NULL\s0 context is specified as the \fIctx\fR
parameter for interfaces listed in \fI\fIlibval\fI\|(3)\fR,
\&\fI\fIval_getaddrinfo\fI\|(3)\fR, and \fI\fIval_gethostbyname\fI\|(3)\fR.  The default policy must be 
unique within the configuration system.
.Sp
\&\fIkeyword\fR specifies the policy component within the
policy fragment.  The format of \fIadditional-data\fR depends on the
keyword specified.
.Sp
If multiple policy fragments are defined for the same label and keyword
combination then the first definition in the file is used.
.Sp
The following keywords are defined for \fBdnsval.conf\fR:
.RS 4
.IP "trust-anchor" 4
.IX Item "trust-anchor"
For the \*(L"trust-anchor\*(R" attribute additional-data is a sequence of
ordered pairs, each consisting of the zone name and 
the \s-1RDATA\s0 portion for the trust anchor with an optional prefix. 
Trust anchors may be either \s-1DNSKEY\s0 or \s-1DS\s0 records, the prefix in 
the \s-1RDATA\s0 is use to indicate what type of record it is. 
\&\s-1DNSKEY\s0 is assumed if no prefix is specified.
.Sp
An example is given below.
.Sp
.Vb 10
\&    browser trust\-anchor
\&        .   DS  19036  8  2  \e
\&            49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE\e
\&            1CDDE32F24E8FB5
\&        example.com   257 3 5 AQO8XS4y9r77X 9SHBmrx MoJf1Pf9\e
\&            AT9Mr/L5BBGtO9/e9f/zl4FFgM2l B6M2 XEm6mp6 mit4tzp\e
\&            B/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6 /Ha0 Ef GPNSqn\e
\&            Y 99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVy QPeEVHk oDNCA\e
\&            lr qOA3lw==
\&    ;
.Ve
.IP "zone-security-expectation" 4
.IX Item "zone-security-expectation"
For the \*(L"zone-security-expectation\*(R" attribute additional-data
is a sequence of  &lt;domain name,value&gt; tuples representing 
the security expectation for names in that domain, where value 
can be one of the following:
.RS 4
.IP "ignore" 4
.IX Item "ignore"
Ignore \s-1DNSSEC\s0 validation for names under this domain.
.IP "validate" 4
.IX Item "validate"
Perform \s-1DNSSEC\s0 validation of answers received for names under this domain.
.IP "untrusted" 4
.IX Item "untrusted"
Reject all answers received for names under this domain.
.RE
.RS 4
.Sp
This zone-security-expectation \s-1DNSSEC\s0 validator policy construct 
makes it possible to define various islands of trust for 
DNSSEC-enabled zones and to ignore or validate data from selected 
zones. The default zone security expectation for a domain is 
\&\*(L"validate\*(R".  In the following example, for \s-1DNSSEC\s0 validator 
contexts created with a \s-1DNSSEC\s0 validator policy label of \*(L"browser\*(R",
the \s-1DNSSEC\s0 validation is only performed for names under the 
example.com domain; names under the somebogus.org domain are always
considered to be untrusted and \s-1DNSSEC\s0 validation for all other 
domain names is ignored.
.Sp
.Vb 5
\&    browser zone\-security\-expectation   
\&        example.com  validate      
\&        somebogusname.org untrusted
\&        . ignore
\&    ;
.Ve
.RE
.IP "provably-insecure-status" 4
.IX Item "provably-insecure-status"
For the \*(L"provably-insecure-status\*(R" attribute additional-data is a sequence
of  <domain name,value> tuples representing the validity of the
provably insecure condition, where value is one of the following:
.RS 4
.IP "trusted" 4
.IX Item "trusted"
Treat the provably insecure condition as valid.
.IP "untrusted" 4
.IX Item "untrusted"
Treat the provably insecure condition as invalid.
.RE
.RS 4
.Sp
The default value for the provably insecure status for a domain is \*(L"trusted\*(R".
In the following example, for \s-1DNSSEC\s0 validator contexts created with the default label,
the provably insecure condition is treated as valid for all domains except the net domain,
where this condition is treated as invalid.
.Sp
.Vb 4
\&    : provably\-insecure\-status
\&        . trusted
\&        net untrusted
\&    ;
.Ve
.RE
.IP "clock-skew" 4
.IX Item "clock-skew"
For the \*(L"clock-skew\*(R" attribute additional-data is a sequence of the
domain name and the number of seconds of clock-skew acceptable for signatures
on names in that domain. A clock skew value of \-1 has the effect of turning off
inception and expiration time checks on signatures from that domain. The default clock
skew is 0.
In the following example, for \s-1DNSSEC\s0 validator contexts created with the \*(L"mta\*(R" label, signature
inception and expiration checks are disabled for all names under the example.com domain.
.Sp
.Vb 3
\&    mta clock\-skew
\&        example.com \-1
\&    ;
.Ve
.IP "nsec3\-max\-iter [only if \s-1LIBVAL_NSEC3\s0 is enabled]" 4
.IX Item "nsec3-max-iter [only if LIBVAL_NSEC3 is enabled]"
Specifies the maximum number of iterations allowable while computing
the \s-1NSEC3\s0 hash for a zone.  A value of \-1 does not place a maximum limit on
the number of iterations.  This is also the default setting for a zone.
.IP "dlv-trust-points [only if \s-1LIBVAL_DLV\s0 is enabled]" 4
.IX Item "dlv-trust-points [only if LIBVAL_DLV is enabled]"
Specifies the \s-1DLV\s0 tree for the target zone. In the following example, libval will use
the \s-1DLV\s0 registry defined at dlv.isc.org. for all queries under the root that do not
give us a trustworthy answer using the normal \s-1DNSSEC\s0 mechanism, and have a 
zone-security-expectation of \fBvalidate\fR.
.Sp
.Vb 3
\&    dlv dlv\-trust\-points
\&        .   dlv.isc.org.
\&    ;
.Ve
.Sp
In order for \s-1DLV\s0 to be used in the above example, there must also be a 
trust-anchor policy defined for the dlv registry, with the
zone-security-expectation policy for registry set to validate.
.Sp
.Vb 5
\&    dlv trust\-anchor
\&        dlv.isc.org DS  19297  5  2  \e
\&                    A11D16F6733983E159EDF8053B2FB57B479D81A309A5\e
\&                    0EAA79A81AF48A47C617
\&    ;
.Ve
.RE
.RS 4
.Sp
Apart from zone-specific configuration options, it is also possible to
configure global options for the validation in \fBdnsval.conf\fR. Global
options can be specified using the construct below.
.Sp
.Vb 5
\&    global\-options 
\&        keyowrd1 value1
\&        keyword2 value2
\&        ...
\&    ;
.Ve
.Sp
There can only be one global-options construct defined for \fBdnsval.conf\fR.
If multiple constructs are defined, only the first is used.
.Sp
The following keywords are defined for global-options in \fBdnsval.conf\fR
.IP "trust-local-answers" 4
.IX Item "trust-local-answers"
This option has been deprecated. Use trust-oob-answers instead.
.IP "trust-oob-answers" 4
.IX Item "trust-oob-answers"
If the value against this option is \fByes\fR then, for all answers returned
using some out-of-band mechanism (e.g. a file store such as /etc/hosts), 
the value returned from the \fIval_istrusted()\fR function (see \fB\f(BIlibval\fB\|(3)\fR) 
is greater than one.
.IP "edns0\-size" 4
.IX Item "edns0-size"
In querying various name servers, libsres will also attempt multiple \s-1EDNS0\s0
sizes, ending with a query that has \s-1EDNS0\s0 disabled (i.e. no \s-1CD\s0 bit set).
The following \s-1EDNS0\s0 sizes are tried by default: 4096, 1492, 512
The \*(L"edns0\-size\*(R" policy knob can be used to change the
largest \s-1EDNS0\s0 size that is attempted.
.IP "env-policy" 4
.IX Item "env-policy"
This option allows the administrator of the dnsval.conf to control whether 
libval uses user-specified values in environmental variables while determining 
libval policy and log targets. See the section below on overriding
dnsval.conf policies for additional details on this option.
.IP "app-policy" 4
.IX Item "app-policy"
This option allows the administrator of the dnsval.conf file to control
whether libval will automatically look for a validation policy with a label
equal to the application name in \fBdnsval.conf\fR. See the section below on 
overriding dnsval.conf policies for additional details on this option.
.IP "closest-ta-only" 4
.IX Item "closest-ta-only"
The default validation behavior is to look for any authentication chain that
validates successfully. Thus if there are trust anchors for example.com and
test.example.com the validator will return success if the authentication chain
can be anchored to the example.com trust anchor, even if the trust anchor for
test.example.com does not match. In cases where this is not desirable, the
closest-ta-only option can be used.
.Sp
If this option is set to \fByes\fR then the validation algorithm terminates at
the closest matching \s-1TA.\s0
.IP "rec-fallback" 4
.IX Item "rec-fallback"
This option is used to control whether libval will attempt to fall back to 
a recursive lookup of the name if the response from the caching name server 
returned an error. By default this options is set to \fByes\fR; it can be turned
off by setting this option to \fBno\fR.
.IP "log" 4
.IX Item "log"
This option controls the level of logging and the log target for libval. 
The value expected against this option is the same as that specified for
val_add_log_optarg (see \fB\f(BIlibval\fB\|(3)\fR).
.RE
.RS 4
.Sp
An example global-options construct is given below:
.Sp
.Vb 7
\&    global\-options
\&        trust\-oob\-answers yes
\&        edns0\-size 4096
\&        env\-policy enable
\&        app\-policy enable
\&        log 5:stderr
\&    ;
.Ve
.RE
.SH "OVERRIDING resolv.conf POLICIES"
.IX Header "OVERRIDING resolv.conf POLICIES"
libval first looks at resolver options present in the resolv.conf file 
specfied at the time of running configure. If this file is absent, libval
looks at /etc/resolv.conf file for resolver options.
.PP
This allows users with a simple way of overriding resolver policies. The
system-specific resolv.conf can remain unchanged, while any additional policies
that may have to be specified for libval can be used in the configure-supplied
resolv.conf file.
.SH "OVERRIDING dnsval.conf POLICIES"
.IX Header "OVERRIDING dnsval.conf POLICIES"
libval provides three ways for tailoring dnsval.conf policies for a given environment.
.IP "Multiple include files" 4
.IX Item "Multiple include files"
libval allows additional dnsval.conf files to be included with a given dnsval.conf file.
The option is specified as follows:
.Sp
.Vb 1
\&    include /path/to/override/file/dnsval.conf
.Ve
.Sp
The files are read in breadth-first. The policies are evaluated in a manner that gives the last-defined
policy more precedence over earlier ones. Therefore, an administrator may supply a dnsval.conf
with default policies including another file from the user's home directory. The included file may be used
for overriding policies specified in the base dnsval.conf file.
.IP "Application-name policies" 4
.IX Item "Application-name policies"
If the app-policy global option is not disabled, libval automatically looks for 
a policy in dnsval.conf with a label value constructed from the name of the application.
For example, dnsval.conf may be defined with validator policies for the foo label. 
The foo application, when run, will use the policy defined against the foo label during
its validation operation.
.IP "Policies through environment" 4
.IX Item "Policies through environment"
If the env-policy global option is not disabled, libval looks at the \s-1VAL_CONTEXT_LABEL\s0
and \s-1VAL_LOG_TARGET\s0 environmental variables in order to determine the validator policy 
label and log target.
.IP "Validator Label Precendence" 4
.IX Item "Validator Label Precendence"
There are effectively four different types of polic-labels that can be applied by libval:
application-name policies, policies through \s-1VAL_CONTEXT_LABEL,\s0 and labels specified by the 
application (either \s-1NULL\s0 or non-NULL). The precedence of applying these labels is defined
with the following rules:
.Sp
1. If env-policy is \*(L"override\*(R", use the label specified in the \s-1VAL_CONTEXT_LABEL\s0 env 
variable (if defined).
.Sp
2. If env-policy is \*(L"enable\*(R" and the policy specified by the application  is \s-1NULL, \s0
use the label specified in the \s-1VAL_CONTEXT_LABEL\s0 env variable (if defined).
.Sp
3. if app-policy is \*(L"override\*(R", use the label generated from the application name.
If this policy label does not exist in the configuration system, use the default policy.
.Sp
4. if app-policy is \*(L"enable\*(R" and the policy specified by the application is \s-1NULL, \s0
use the label generated from the application name.
.Sp
5. If policy specified by the application is not \s-1NULL,\s0 use this label.
.Sp
6. Use default policy
.Sp
The following use-cases can therefore be defined
.RS 4
.IP "locked-down system with single policy" 4
.IX Item "locked-down system with single policy"
An administrator that wants to (and is able to) lock down a system to a particular 
validator policy, must set the env-policy and app-policy global options to disable.
This also requires that administrators are able to lock down the system to specific 
applications and that these applications are not written in a way that would allow
them to specify non-NULL policy labels during context creation. (see val_create_context
in \fIlibval\fR\|(3)).
.IP "locked-down system with app-specific policies" 4
.IX Item "locked-down system with app-specific policies"
An administrator that wants to (and is able to) lock down a system to a particular
dnsval.conf file, but wishes to use different policies for different applications must
set the app-policy to override and the env-policy to disable. The administrator must also
define policies for various application names in dnval.conf; for applications that don't have
a policy with a label corresponding to its name, the default policy is used.
.Sp
The administrator may set the app-policy to enable if non-NULL policies specified
by the application during validator context creation is deemed acceptable.
.IP "User controlled" 4
.IX Item "User controlled"
An administrator can set env-policy to override to give the user complete control over
which policy label is used during validation. The validation policy is read through the
\&\s-1VAL_CONTEXT_LABEL\s0 environment variable.
.Sp
If \s-1VAL_CONTEXT_LABEL\s0 is specified globally for the system, the administrator may instead 
choose the env-policy global option to be enable instead of override. In this case, 
the label given in \s-1VAL_CONTEXT_LABEL\s0 is used only when the policy specified by the
application is non-NULL.
.Sp
The label in \s-1VAL_CONTEXT_LABEL\s0 is used only if it is defined. If this value is \s-1NULL,\s0 libval
will read other policy labels as guided by the precedence rules listed above.
.RE
.RS 4
.RE
.SH "FILES"
.IX Header "FILES"
resolv.conf
.PP
root.hints
.PP
dnsval.conf
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2013 \s-1SPARTA,\s0 Inc.  All rights reserved.
See the \s-1COPYING\s0 file included with the dnssec-tools package for details.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fB\f(BIlibval\fB\|(3)\fR
.PP
http://www.dnssec\-tools.org
http://www.dnssec\-tools.org