path: root/contrib/bind9/doc/arm/Bv9ARM-book.xml
Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM-book.xml')
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM-book.xml181
1 files changed, 141 insertions, 40 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM-book.xml b/contrib/bind9/doc/arm/Bv9ARM-book.xml
index c3517843175d8..b899c8b405961 100644
--- a/contrib/bind9/doc/arm/Bv9ARM-book.xml
+++ b/contrib/bind9/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.478.8.2.2.1 2011-06-09 03:17:11 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.478.8.11 2011-08-02 04:58:46 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -70,7 +70,7 @@
</para>
<para>
- This version of the manual corresponds to BIND version 9.7.
+ This version of the manual corresponds to BIND version 9.8.
</para>
</sect1>
@@ -1188,11 +1188,11 @@ zone "eng.example.com" {
</para>
<para>
This command requires that the
- <command>auto-dnssec</command> zone option to be set
- to <literal>allow</literal>,
- <literal>maintain</literal>, or
- <literal>create</literal>, and also requires
- the zone to be configured to allow dynamic DNS.
+ <command>auto-dnssec</command> zone option be set
+ to <literal>allow</literal> or
+ <literal>maintain</literal>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
See <xref linkend="dynamic_update_policies"/> for
more details.
</para>
@@ -1217,10 +1217,10 @@ zone "eng.example.com" {
</para>
<para>
This command requires that the
- <command>auto-dnssec</command> zone option to
- be set to <literal>maintain</literal> or
- <literal>create</literal>, and also requires
- the zone to be configured to allow dynamic DNS.
+ <command>auto-dnssec</command> zone option
+ be set to <literal>maintain</literal>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
See <xref linkend="dynamic_update_policies"/> for
more details.
</para>
@@ -5791,12 +5791,15 @@ options {
<userinput>any;</userinput>.
</para>
<para>
- Each <command>dns64</command> supports an optional
- <command>exclude</command> ACL that selects which
- IPv6 addresses will be ignored for the purposes
- of determining whether dns64 is to be applied.
- Any non-matching address will prevent further
- DNS64 processing from occurring for this client.
+ Normally, DNS64 won't apply to a domain name that
+ owns one or more AAAA records; these records will
+ simply be returned. The optional
+ <command>exclude</command> ACL allows specification
+ of a list of IPv6 addresses that will be ignored
+ if they appear in a domain name's AAAA records, and
+ DNS64 will be applied to any A records the domain
+ name owns. If not defined, <command>exclude</command>
+ defaults to none.
</para>
<para>
A optional <command>suffix</command> can also
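Review bot: the new exclude paragraph leaves the trigger condition ambiguous: it says excluded IPv6 addresses "will be ignored if they appear in a domain name's AAAA records, and DNS64 will be applied to any A records", but does not say whether synthesis happens only when every AAAA record is matched by the exclude ACL or as soon as one is. Since this decides whether a client gets a real AAAA or a synthesized one, state it explicitly (for example: "If all of the AAAA records are matched by exclude, DNS64 is applied to the A records instead"). Also, "defaults to none" would be clearer written as the ACL literal `none;`, matching the `<userinput>any;</userinput>` form used two lines above for the other ACL default.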
@@ -5806,6 +5809,21 @@ options {
matching the prefix and mapped IPv4 address
must be zero.
</para>
+ <para>
+ If <command>recursive-only</command> is set to
+ <command>yes</command> the DNS64 synthesis will
+ only happen for recursive queries. The default
+ is <command>no</command>.
+ </para>
+ <para>
+ If <command>break-dnssec</command> is set to
+ <command>yes</command> the DNS64 synthesis will
+ happen even if the result, if validated, would
+ cause a DNSSEC validation failure. If this option
+ is set to <command>no</command> (the default), the DO
+ is set on the incoming query, and there are RRSIGs on
+ the applicable records, then synthesis will not happen.
+ </para>
<programlisting>
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
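Review bot: the break-dnssec paragraph is missing a word and runs on: "If this option is set to no (the default), the DO is set on the incoming query, and there are RRSIGs on the applicable records, then synthesis will not happen" should read "If this option is set to `no` (the default) and the DO bit is set on the incoming query and there are RRSIGs on the applicable records, synthesis will not happen." That is the important operational point of this option (a synthesized AAAA cannot carry a valid RRSIG, so a validating client would get a bogus answer with `break-dnssec yes`), so it deserves an unambiguous sentence. Minor markup nit in both new paragraphs: `yes` and `no` are option values, not commands, so `<literal>` or `<userinput>` fits better than `<command>`, which this file uses for option names.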
@@ -7570,22 +7588,27 @@ avoid-v6-udp-ports {};
<varlistentry>
<term><command>serial-query-rate</command></term>
- <listitem>
- <para>
- Slave servers will periodically query master servers
- to find out if zone serial numbers have changed. Each such
- query uses
- a minute amount of the slave server's network bandwidth. To
- limit the
- amount of bandwidth used, BIND 9 limits the rate at which
- queries are
- sent. The value of the <command>serial-query-rate</command> option,
- an integer, is the maximum number of queries sent per
- second.
- The default is 20.
- </para>
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ Slave servers will periodically query master
+ servers to find out if zone serial numbers have
+ changed. Each such query uses a minute amount of
+ the slave server's network bandwidth. To limit
+ the amount of bandwidth used, BIND 9 limits the
+ rate at which queries are sent. The value of the
+ <command>serial-query-rate</command> option, an
+ integer, is the maximum number of queries sent
+ per second. The default is 20.
+ </para>
+ <para>
+ In addition to controlling the rate SOA refresh
+ queries are issued at
+ <command>serial-query-rate</command> also controls
+ the rate at which NOTIFY messages are sent from
+ both master and slave zones.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>serial-queries</command></term>
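Review bot: the added second paragraph needs punctuation; "In addition to controlling the rate SOA refresh queries are issued at serial-query-rate also controls the rate at which NOTIFY messages are sent" should read "In addition to controlling the rate at which SOA refresh queries are issued, serial-query-rate also controls the rate at which NOTIFY messages are sent from both master and slave zones." Separately, the first paragraph is deleted and re-added with only its line wrapping changed, which turns a two-sentence addition into a 28-line hunk; keeping the original wrapping would make the actual change reviewable at a glance.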
@@ -8618,7 +8641,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
Sets the advertised EDNS UDP buffer size in bytes
to control the size of packets received.
- Valid values are 1024 to 4096 (values outside this range
+ Valid values are 512 to 4096 (values outside this range
will be silently adjusted). The default value
is 4096. The usual reason for setting
<command>edns-udp-size</command> to a non-default
@@ -8731,6 +8754,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The delay, in seconds, between sending sets of notify
messages for a zone. The default is five (5) seconds.
</para>
+ <para>
+ The overall rate that NOTIFY messages are sent for all
+ zones is controlled by <command>serial-query-rate</command>.
+ </para>
</listitem>
</varlistentry>
</variablelist>
@@ -8839,7 +8866,6 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
The current list of empty zones is:
<itemizedlist>
-<!-- XXX: The RFC1918 addresses are #defined out in sources currently.
<listitem>10.IN-ADDR.ARPA</listitem>
<listitem>16.172.IN-ADDR.ARPA</listitem>
<listitem>17.172.IN-ADDR.ARPA</listitem>
@@ -8858,7 +8884,6 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem>30.172.IN-ADDR.ARPA</listitem>
<listitem>31.172.IN-ADDR.ARPA</listitem>
<listitem>168.192.IN-ADDR.ARPA</listitem>
-XXX: end of RFC1918 addresses #defined out -->
<listitem>0.IN-ADDR.ARPA</listitem>
<listitem>127.IN-ADDR.ARPA</listitem>
<listitem>254.169.IN-ADDR.ARPA</listitem>
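Review bot: removing the "XXX: The RFC1918 addresses are #defined out in sources currently" comment moves 10.IN-ADDR.ARPA, 16.172 through 31.172.IN-ADDR.ARPA and 168.192.IN-ADDR.ARPA into the documented list of built-in empty zones, but this is a documentation-only hunk; please confirm the matching `#define` was actually removed in the named sources in the same release, otherwise the manual will promise empty zones the server does not serve (or vice versa). Since those zones now answer NXDOMAIN locally for all RFC 1918 reverse lookups, it would also help to add a sentence here reminding operators who run their own in-addr.arpa zones for those ranges to configure them explicitly or use disable-empty-zone, because the built-in zone otherwise takes precedence over forwarding.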
@@ -9986,7 +10011,7 @@ view "external" {
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
- <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>; </optional>
+ <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
};
@@ -9998,6 +10023,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
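Review bot: `dnssec-update-mode ( maintain | no-resign )` is added to the zone statement grammar but no corresponding description is added anywhere in this patch, so the option is visible to readers of the grammar with no explanation of what `no-resign` does or how it interacts with auto-dnssec. Please add a varlistentry for it. Markup nit: the two keywords are literal values, not placeholders, so they should use `<constant>` as the auto-dnssec alternatives do a few lines above (`<constant>maintain</constant> | <constant>no-resign</constant>`), not `<replaceable>`.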
@@ -11043,7 +11069,7 @@ example.com. NS ns2.example.net.
<para>
Zones configured for dynamic DNS may also use this
option to allow varying levels of automatic DNSSEC key
- management. There are four possible settings:
+ management. There are three possible settings:
</para>
<para>
<command>auto-dnssec allow;</command> permits
@@ -11067,7 +11093,12 @@ example.com. NS ns2.example.net.
<command>named</command> to load keys from the key
repository and schedule key maintenance events to occur
in the future, but it does not sign the full zone
- immediately.
+ immediately. Note: once keys have been loaded for a
+ zone the first time, the repository will be searched
+ for changes periodically, regardless of whether
+ <command>rndc loadkeys</command> is used. The recheck
+ interval is hard-coded to
+ one hour.
</para>
<para>
<command>auto-dnssec create;</command> includes the
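Review bot: the trailing context line still begins the `auto-dnssec create;` paragraph, although this patch removes `create` from the zone grammar and from the rndc command text and changes the count above to "three possible settings". Either delete that paragraph in the same change or the manual will describe a fourth setting it has just said does not exist. The new note about the one-hour recheck of the key repository is useful; one wording nit is that "hard-coded to one hour" is split awkwardly across two lines for no reason.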
@@ -11220,7 +11251,13 @@ example.com. NS ns2.example.net.
The <replaceable>identity</replaceable> field must
contain a fully-qualified domain name.
</para>
-
+ <para>
+ For nametypes <varname>krb5-self</varname>,
+ <varname>ms-self</varname>, <varname>krb5-subdomain</varname>,
+ and <varname>ms-subdomain</varname> the
+ <replaceable>identity</replaceable> field specifies
+ the Windows or Kerberos realm of the machine belongs to.
+ </para>
<para>
The <replaceable>nametype</replaceable> field has 13
values:
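Review bot: the added sentence has a grammatical error: "specifies the Windows or Kerberos realm of the machine belongs to" should be "specifies the Windows or Kerberos realm that the machine belongs to". Also, the unchanged context line "The nametype field has 13 values" should be re-verified, since the following hunk adds four new rows (ms-self, ms-subdomain, krb5-self, krb5-subdomain) to the table and the count was not touched.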
@@ -11355,6 +11392,70 @@ example.com. NS ns2.example.net.
<row rowsep="0">
<entry colname="1">
<para>
+ <varname>ms-self</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Windows machine principal
+ (machine$@REALM) for machine in REALM and
+ and converts it machine.realm allowing the machine
+ to update machine.realm. The REALM to be matched
+ is specified in the <replacable>identity</replacable>
+ field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>ms-subdomain</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Windows machine principal
+ (machine$@REALM) for machine in REALM and
+ converts it to machine.realm allowing the machine
+ to update subdomains of machine.realm. The REALM
+ to be matched is specified in the
+ <replacable>identity</replacable> field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>krb5-self</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Kerberos machine principal
+ (host/machine@REALM) for machine in REALM and
+ and converts it machine.realm allowing the machine
+ to update machine.realm. The REALM to be matched
+ is specified in the <replacable>identity</replacable>
+ field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>krb5-subdomain</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Kerberos machine principal
+ (host/machine@REALM) for machine in REALM and
+ converts it to machine.realm allowing the machine
+ to update subdomains of machine.realm. The REALM
+ to be matched is specified in the
+ <replacable>identity</replacable> field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
<varname>tcp-self</varname>
</para>
</entry> <entry colname="2">
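Review bot: `<replacable>` (six occurrences in the four new rows) is not a DocBook element; it must be `<replaceable>` or the XML build will fail validation. The ms-self and krb5-self rows also contain a duplicated word and a missing preposition: "for machine in REALM and and converts it machine.realm" should read "for machine in REALM and converts it to machine.realm", matching the wording already used in the ms-subdomain and krb5-subdomain rows. Since the only difference between the -self and -subdomain rules is whether the principal may update machine.realm itself or names beneath it, it would help readers choosing an update policy if each row stated that contrast explicitly, and if the section said how the REALM in the principal is compared with the identity field.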