diff options
Diffstat (limited to 'doc')
63 files changed, 8130 insertions, 7692 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in index 29074b53fb1c..df28cbe80b87 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2007, 2012, 2015 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -13,8 +13,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.11 2007/06/19 23:47:13 tbox Exp $ - # This Makefile is a placeholder. It exists merely to make # sure that its directory gets created in the object directory # tree when doing a build using separate object directories. @@ -23,7 +21,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -SUBDIRS = arm misc xsl doxygen +SUBDIRS = arm misc xsl doxygen tex TARGETS = @BIND9_MAKE_RULES@ diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index d46710ff4342..fe479b029fa3 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -1,8 +1,5 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" - "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" - [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -18,10 +15,10 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<book xmlns:xi="http://www.w3.org/2001/XInclude"> - <title>BIND 9 Administrator Reference Manual</title> - - <bookinfo> +<!-- Converted by db4-upgrade version 1.0 --> +<book xmlns="http://docbook.org/ns/docbook" version="5.0"> + <info> + <title>BIND 9 Administrator Reference Manual</title> <copyright> <year>2004</year> <year>2005</year> @@ -44,11 +41,11 @@ <year>2003</year> <holder>Internet Software Consortium.</holder> </copyright> - <xi:include href="releaseinfo.xml"/> - </bookinfo> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="releaseinfo.xml"/> + </info> + + <chapter xml:id="Bv9ARM.ch01"><info><title>Introduction</title></info> - <chapter id="Bv9ARM.ch01"> - <title>Introduction</title> <para> The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax @@ -60,8 +57,7 @@ hierarchical databases. </para> - <sect1> - <title>Scope of Document</title> + <section xml:id="doc_scope"><info><title>Scope of Document</title></info> <para> The Berkeley Internet Name Domain @@ -72,11 +68,11 @@ <acronym>BIND</acronym> version 9 software package for system administrators. </para> - <xi:include href="pkgversion.xml"/> - </sect1> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pkgversion.xml"/> + </section> + + <section xml:id="organization"><info><title>Organization of This Document</title></info> - <sect1> - <title>Organization of This Document</title> <para> In this document, <emphasis>Chapter 1</emphasis> introduces the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis> @@ -102,9 +98,8 @@ and the Domain Name System. </para> - </sect1> - <sect1> - <title>Conventions Used in This Document</title> + </section> + <section xml:id="conventions"><info><title>Conventions Used in This Document</title></info> <para> In this document, we use the following general typographic @@ -229,9 +224,9 @@ </tgroup> </informaltable> </para> - </sect1> - <sect1> - <title>The Domain Name System (<acronym>DNS</acronym>)</title> + </section> + <section xml:id="dns_overview"><info><title>The Domain Name System (<acronym>DNS</acronym>)</title></info> + <para> The purpose of this document is to explain the installation and upkeep of the <acronym>BIND</acronym> (Berkeley Internet @@ -240,8 +235,7 @@ (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>. </para> - <sect2> - <title>DNS Fundamentals</title> + <section xml:id="dns_fundamentals"><info><title>DNS Fundamentals</title></info> <para> The Domain Name System (DNS) is a hierarchical, distributed @@ -263,8 +257,8 @@ from ISC as a separate download. </para> - </sect2><sect2> - <title>Domains and Domain Names</title> + </section> + <section xml:id="domain_names"><info><title>Domains and Domain Names</title></info> <para> The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to @@ -312,10 +306,10 @@ the DNS protocol, please refer to the standards documents listed in <xref linkend="rfcs"/>. </para> - </sect2> + </section> + + <section xml:id="zones"><info><title>Zones</title></info> - <sect2> - <title>Zones</title> <para> To properly operate a name server, it is important to understand the difference between a <emphasis>zone</emphasis> @@ -368,10 +362,9 @@ be a slave server for your <emphasis>domain</emphasis>, you are actually asking for slave service for some collection of zones. </para> - </sect2> + </section> - <sect2> - <title>Authoritative Name Servers</title> + <section xml:id="auth_servers"><info><title>Authoritative Name Servers</title></info> <para> Each zone is served by at least @@ -389,8 +382,7 @@ <command>dig</command> (<xref linkend="diagnostic_tools"/>). </para> - <sect3> - <title>The Primary Master</title> + <section xml:id="primary_master"><info><title>The Primary Master</title></info> <para> The authoritative server where the master copy of the zone @@ -409,10 +401,10 @@ by humans at all, but may instead be the result of <emphasis>dynamic update</emphasis> operations. </para> - </sect3> + </section> + + <section xml:id="slave_server"><info><title>Slave Servers</title></info> - <sect3> - <title>Slave Servers</title> <para> The other authoritative servers, the <emphasis>slave</emphasis> servers (also known as <emphasis>secondary</emphasis> servers) @@ -425,10 +417,9 @@ to transfer it from another slave. In other words, a slave server may itself act as a master to a subordinate slave server. </para> - </sect3> + </section> - <sect3> - <title>Stealth Servers</title> + <section xml:id="stealth_server"><info><title>Stealth Servers</title></info> <para> Usually all of the zone's authoritative servers are listed in @@ -463,12 +454,10 @@ with the outside world. </para> - </sect3> + </section> - </sect2> - <sect2> - - <title>Caching Name Servers</title> + </section> + <section xml:id="cache_servers"><info><title>Caching Name Servers</title></info> <!-- - Terminology here is inconsistent. Probably ought to @@ -503,8 +492,7 @@ Time To Live (TTL) field associated with each resource record. </para> - <sect3> - <title>Forwarding</title> + <section xml:id="forwarder"><info><title>Forwarding</title></info> <para> Even a caching name server does not necessarily perform @@ -529,12 +517,11 @@ that can do it, and that server would query the Internet <acronym>DNS</acronym> servers on the internal server's behalf. </para> - </sect3> + </section> - </sect2> + </section> - <sect2> - <title>Name Servers in Multiple Roles</title> + <section xml:id="multi_role"><info><title>Name Servers in Multiple Roles</title></info> <para> The <acronym>BIND</acronym> name server can @@ -559,17 +546,14 @@ be placed inside a firewall. </para> - </sect2> - </sect1> + </section> + </section> </chapter> - <chapter id="Bv9ARM.ch02"> - <title><acronym>BIND</acronym> Resource Requirements</title> - - <sect1> - <title>Hardware requirements</title> + <chapter xml:id="Bv9ARM.ch02"><info><title><acronym>BIND</acronym> Resource Requirements</title></info> + <section xml:id="hw_req"><info><title>Hardware requirements</title></info> <para> <acronym>DNS</acronym> hardware requirements have traditionally been quite modest. @@ -585,9 +569,8 @@ full utilization of multiprocessor systems for installations that need it. </para> - </sect1> - <sect1> - <title>CPU Requirements</title> + </section> + <section xml:id="cpu_req"><info><title>CPU Requirements</title></info> <para> CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines @@ -595,10 +578,8 @@ machines if you intend to process many dynamic updates and DNSSEC signed zones, serving many thousands of queries per second. </para> - </sect1> - - <sect1> - <title>Memory Requirements</title> + </section> + <section xml:id="mem_req"><info><title>Memory Requirements</title></info> <para> The memory of the server has to be large enough to fit the cache and zones loaded off disk. The <command>max-cache-size</command> @@ -611,7 +592,7 @@ limit the amount of memory used by the mechanism. It is still good practice to have enough memory to load - all zone and cache data into memory — unfortunately, the best + all zone and cache data into memory — unfortunately, the best way to determine this for a given installation is to watch the name server in operation. After a few weeks the server process should reach @@ -622,10 +603,10 @@ - Add something here about leaving overhead for attacks? - How much overhead? Percentage? --> - </sect1> + </section> + + <section xml:id="intensive_env"><info><title>Name Server Intensive Environment Issues</title></info> - <sect1> - <title>Name Server Intensive Environment Issues</title> <para> For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and @@ -639,10 +620,10 @@ this has the disadvantage of making many more external queries, as none of the name servers share their cached data. </para> - </sect1> + </section> + + <section xml:id="supported_os"><info><title>Supported Operating Systems</title></info> - <sect1> - <title>Supported Operating Systems</title> <para> ISC <acronym>BIND</acronym> 9 compiles and runs on a large number @@ -653,21 +634,21 @@ directory of the BIND 9 source distribution. </para> - </sect1> + </section> </chapter> - <chapter id="Bv9ARM.ch03"> - <title>Name Server Configuration</title> + <chapter xml:id="Bv9ARM.ch03"><info><title>Name Server Configuration</title></info> + <para> In this chapter we provide some suggested configurations along with guidelines for their use. We suggest reasonable values for certain option settings. </para> - <sect1 id="sample_configuration"> - <title>Sample Configurations</title> - <sect2> - <title>A Caching-only Name Server</title> + <section xml:id="sample_configuration"><info><title>Sample Configurations</title></info> + + <section xml:id="cache_only_sample"><info><title>A Caching-only Name Server</title></info> + <para> The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All @@ -696,10 +677,10 @@ zone "0.0.127.in-addr.arpa" { }; </programlisting> - </sect2> + </section> + + <section xml:id="auth_only_sample"><info><title>An Authoritative-only Name Server</title></info> - <sect2> - <title>An Authoritative-only Name Server</title> <para> This sample configuration is for an authoritative-only server that is the master server for "<filename>example.com</filename>" @@ -745,11 +726,11 @@ zone "eng.example.com" { }; </programlisting> - </sect2> - </sect1> + </section> + </section> + + <section xml:id="load_balancing"><info><title>Load Balancing</title></info> - <sect1> - <title>Load Balancing</title> <!-- - Add explanation of why load balancing is fragile at best - and completely pointless in the general case. @@ -897,21 +878,18 @@ zone "eng.example.com" { <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>. </para> - </sect1> + </section> - <sect1> - <title>Name Server Operations</title> + <section xml:id="ns_operations"><info><title>Name Server Operations</title></info> - <sect2> - <title>Tools for Use With the Name Server Daemon</title> + <section xml:id="tools"><info><title>Tools for Use With the Name Server Daemon</title></info> <para> This section describes several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon. </para> - <sect3 id="diagnostic_tools"> - <title>Diagnostic Tools</title> + <section xml:id="diagnostic_tools"><info><title>Diagnostic Tools</title></info> <para> The <command>dig</command>, <command>host</command>, and <command>nslookup</command> programs are all command @@ -922,7 +900,7 @@ zone "eng.example.com" { <variablelist> <varlistentry> - <term id="dig"><command>dig</command></term> + <term xml:id="dig"><command>dig</command></term> <listitem> <para> The domain information groper (<command>dig</command>) @@ -934,15 +912,15 @@ zone "eng.example.com" { accessible from the command line. </para> - <cmdsynopsis label="Usage"> + <cmdsynopsis label="Usage" sepchar=" "> <command>dig</command> - <arg>@<replaceable>server</replaceable></arg> - <arg choice="plain"><replaceable>domain</replaceable></arg> - <arg><replaceable>query-type</replaceable></arg> - <arg><replaceable>query-class</replaceable></arg> - <arg>+<replaceable>query-option</replaceable></arg> - <arg>-<replaceable>dig-option</replaceable></arg> - <arg>%<replaceable>comment</replaceable></arg> + <arg choice="opt" rep="norepeat">@<replaceable>server</replaceable></arg> + <arg choice="plain" rep="norepeat"><replaceable>domain</replaceable></arg> + <arg choice="opt" rep="norepeat"><replaceable>query-type</replaceable></arg> + <arg choice="opt" rep="norepeat"><replaceable>query-class</replaceable></arg> + <arg choice="opt" rep="norepeat">+<replaceable>query-option</replaceable></arg> + <arg choice="opt" rep="norepeat">-<replaceable>dig-option</replaceable></arg> + <arg choice="opt" rep="norepeat">%<replaceable>comment</replaceable></arg> </cmdsynopsis> <para> The usual simple use of <command>dig</command> will take the form @@ -969,19 +947,19 @@ zone "eng.example.com" { functionality can be extended with the use of options. </para> - <cmdsynopsis label="Usage"> + <cmdsynopsis label="Usage" sepchar=" "> <command>host</command> - <arg>-aCdlnrsTwv</arg> - <arg>-c <replaceable>class</replaceable></arg> - <arg>-N <replaceable>ndots</replaceable></arg> - <arg>-t <replaceable>type</replaceable></arg> - <arg>-W <replaceable>timeout</replaceable></arg> - <arg>-R <replaceable>retries</replaceable></arg> - <arg>-m <replaceable>flag</replaceable></arg> - <arg>-4</arg> - <arg>-6</arg> - <arg choice="plain"><replaceable>hostname</replaceable></arg> - <arg><replaceable>server</replaceable></arg> + <arg choice="opt" rep="norepeat">-aCdlnrsTwv</arg> + <arg choice="opt" rep="norepeat">-c <replaceable>class</replaceable></arg> + <arg choice="opt" rep="norepeat">-N <replaceable>ndots</replaceable></arg> + <arg choice="opt" rep="norepeat">-t <replaceable>type</replaceable></arg> + <arg choice="opt" rep="norepeat">-W <replaceable>timeout</replaceable></arg> + <arg choice="opt" rep="norepeat">-R <replaceable>retries</replaceable></arg> + <arg choice="opt" rep="norepeat">-m <replaceable>flag</replaceable></arg> + <arg choice="opt" rep="norepeat">-4</arg> + <arg choice="opt" rep="norepeat">-6</arg> + <arg choice="plain" rep="norepeat"><replaceable>hostname</replaceable></arg> + <arg choice="opt" rep="norepeat"><replaceable>server</replaceable></arg> </cmdsynopsis> <para> For more information and a list of available commands and @@ -1003,12 +981,12 @@ zone "eng.example.com" { the name and requested information for a host or domain. </para> - <cmdsynopsis label="Usage"> + <cmdsynopsis label="Usage" sepchar=" "> <command>nslookup</command> - <arg rep="repeat">-option</arg> - <group> - <arg><replaceable>host-to-find</replaceable></arg> - <arg>- <arg>server</arg></arg> + <arg rep="repeat" choice="opt">-option</arg> + <group choice="opt" rep="norepeat"> + <arg choice="opt" rep="norepeat"><replaceable>host-to-find</replaceable></arg> + <arg choice="opt" rep="norepeat">- <arg choice="opt" rep="norepeat">server</arg></arg> </group> </cmdsynopsis> <para> @@ -1036,16 +1014,15 @@ zone "eng.example.com" { </varlistentry> </variablelist> - </sect3> + </section> - <sect3 id="admin_tools"> - <title>Administrative Tools</title> + <section xml:id="admin_tools"><info><title>Administrative Tools</title></info> <para> Administrative tools play an integral part in the management of a server. </para> <variablelist> - <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application"> + <varlistentry xml:id="named-checkconf" xreflabel="Named Configuration Checking application"> <term><command>named-checkconf</command></term> <listitem> @@ -1053,15 +1030,15 @@ zone "eng.example.com" { The <command>named-checkconf</command> program checks the syntax of a <filename>named.conf</filename> file. </para> - <cmdsynopsis label="Usage"> + <cmdsynopsis label="Usage" sepchar=" "> <command>named-checkconf</command> - <arg>-jvz</arg> - <arg>-t <replaceable>directory</replaceable></arg> - <arg><replaceable>filename</replaceable></arg> + <arg choice="opt" rep="norepeat">-jvz</arg> + <arg choice="opt" rep="norepeat">-t <replaceable>directory</replaceable></arg> + <arg choice="opt" rep="norepeat"><replaceable>filename</replaceable></arg> </cmdsynopsis> </listitem> </varlistentry> - <varlistentry id="named-checkzone" xreflabel="Zone Checking application"> + <varlistentry xml:id="named-checkzone" xreflabel="Zone Checking application"> <term><command>named-checkzone</command></term> <listitem> @@ -1070,22 +1047,22 @@ zone "eng.example.com" { checks a master file for syntax and consistency. </para> - <cmdsynopsis label="Usage"> + <cmdsynopsis label="Usage" sepchar=" "> <command>named-checkzone</command> - <arg>-djqvD</arg> - <arg>-c <replaceable>class</replaceable></arg> - <arg>-o <replaceable>output</replaceable></arg> - <arg>-t <replaceable>directory</replaceable></arg> - <arg>-w <replaceable>directory</replaceable></arg> - <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg> - <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg> - <arg>-W <replaceable>(ignore|warn)</replaceable></arg> - <arg choice="plain"><replaceable>zone</replaceable></arg> - <arg><replaceable>filename</replaceable></arg> + <arg choice="opt" rep="norepeat">-djqvD</arg> + <arg choice="opt" rep="norepeat">-c <replaceable>class</replaceable></arg> + <arg choice="opt" rep="norepeat">-o <replaceable>output</replaceable></arg> + <arg choice="opt" rep="norepeat">-t <replaceable>directory</replaceable></arg> + <arg choice="opt" rep="norepeat">-w <replaceable>directory</replaceable></arg> + <arg choice="opt" rep="norepeat">-k <replaceable>(ignore|warn|fail)</replaceable></arg> + <arg choice="opt" rep="norepeat">-n <replaceable>(ignore|warn|fail)</replaceable></arg> + <arg choice="opt" rep="norepeat">-W <replaceable>(ignore|warn)</replaceable></arg> + <arg choice="plain" rep="norepeat"><replaceable>zone</replaceable></arg> + <arg choice="opt" rep="norepeat"><replaceable>filename</replaceable></arg> </cmdsynopsis> </listitem> </varlistentry> - <varlistentry id="named-compilezone" xreflabel="Zone Compilation application"> + <varlistentry xml:id="named-compilezone" xreflabel="Zone Compilation application"> <term><command>named-compilezone</command></term> <listitem> <para> @@ -1095,7 +1072,7 @@ zone "eng.example.com" { </para> </listitem> </varlistentry> - <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application"> + <varlistentry xml:id="rndc" xreflabel="Remote Name Daemon Control application"> <term><command>rndc</command></term> <listitem> @@ -1114,14 +1091,14 @@ zone "eng.example.com" { options it will display a usage message as follows: </para> - <cmdsynopsis label="Usage"> + <cmdsynopsis label="Usage" sepchar=" "> <command>rndc</command> - <arg>-c <replaceable>config</replaceable></arg> - <arg>-s <replaceable>server</replaceable></arg> - <arg>-p <replaceable>port</replaceable></arg> - <arg>-y <replaceable>key</replaceable></arg> - <arg choice="plain"><replaceable>command</replaceable></arg> - <arg rep="repeat"><replaceable>command</replaceable></arg> + <arg choice="opt" rep="norepeat">-c <replaceable>config</replaceable></arg> + <arg choice="opt" rep="norepeat">-s <replaceable>server</replaceable></arg> + <arg choice="opt" rep="norepeat">-p <replaceable>port</replaceable></arg> + <arg choice="opt" rep="norepeat">-y <replaceable>key</replaceable></arg> + <arg choice="plain" rep="norepeat"><replaceable>command</replaceable></arg> + <arg rep="repeat" choice="opt"><replaceable>command</replaceable></arg> </cmdsynopsis> <para>See <xref linkend="man.rndc"/> for details of @@ -1289,11 +1266,10 @@ controls { </varlistentry> </variablelist> - </sect3> - </sect2> - <sect2> + </section> + </section> - <title>Signals</title> + <section xml:id="signals"><info><title>Signals</title></info> <para> Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can @@ -1338,16 +1314,13 @@ controls { </tbody> </tgroup> </informaltable> - </sect2> - </sect1> + </section> + </section> </chapter> - <chapter id="Bv9ARM.ch04"> - <title>Advanced DNS Features</title> + <chapter xml:id="Bv9ARM.ch04"><info><title>Advanced DNS Features</title></info> - <sect1 id="notify"> - - <title>Notify</title> + <section xml:id="notify"><info><title>Notify</title></info> <para> <acronym>DNS</acronym> NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone's data. In @@ -1365,18 +1338,17 @@ controls { protocol is specified in RFC 1996. </para> - <note> + <note><simpara> As a slave zone can also be a master to other slaves, <command>named</command>, by default, sends <command>NOTIFY</command> messages for every zone it loads. Specifying <command>notify master-only;</command> will cause <command>named</command> to only send <command>NOTIFY</command> for master zones that it loads. - </note> + </simpara></note> - </sect1> + </section> - <sect1 id="dynamic_update"> - <title>Dynamic Update</title> + <section xml:id="dynamic_update"><info><title>Dynamic Update</title></info> <para> Dynamic Update is a method for adding, replacing or deleting @@ -1418,8 +1390,7 @@ controls { signatures and an explicit server policy. </para> - <sect2 id="journal"> - <title>The journal file</title> + <section xml:id="journal"><info><title>The journal file</title></info> <para> All changes made to a zone using dynamic update are stored @@ -1462,7 +1433,7 @@ controls { <para> The zone files of dynamic zones cannot normally be edited by hand because they are not guaranteed to contain the most recent - dynamic changes — those are only in the journal file. + dynamic changes — those are only in the journal file. The only way to ensure that the zone file of a dynamic zone is up to date is to run <command>rndc stop</command>. </para> @@ -1488,12 +1459,11 @@ controls { <command>rndc sync -clean</command>. </para> - </sect2> + </section> - </sect1> + </section> - <sect1 id="incremental_zone_transfers"> - <title>Incremental Zone Transfers (IXFR)</title> + <section xml:id="incremental_zone_transfers"><info><title>Incremental Zone Transfers (IXFR)</title></info> <para> The incremental zone transfer (IXFR) protocol is a way for @@ -1521,10 +1491,10 @@ controls { IXFR, see the description of the <command>request-ixfr</command> clause of the <command>server</command> statement. </para> - </sect1> + </section> + + <section xml:id="split_dns"><info><title>Split DNS</title></info> - <sect1> - <title>Split DNS</title> <para> Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -1552,139 +1522,138 @@ controls { on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network. </para> - <sect2> - <title>Example split DNS setup</title> - <para> - Let's say a company named <emphasis>Example, Inc.</emphasis> - (<literal>example.com</literal>) - has several corporate sites that have an internal network with - reserved - Internet Protocol (IP) space and an external demilitarized zone (DMZ), - or "outside" section of a network, that is available to the public. - </para> - <para> - <emphasis>Example, Inc.</emphasis> wants its internal clients - to be able to resolve external hostnames and to exchange mail with - people on the outside. The company also wants its internal resolvers - to have access to certain internal-only zones that are not available - at all outside of the internal network. - </para> - <para> - In order to accomplish this, the company will set up two sets - of name servers. One set will be on the inside network (in the - reserved - IP space) and the other set will be on bastion hosts, which are - "proxy" - hosts that can talk to both sides of its network, in the DMZ. - </para> - <para> - The internal servers will be configured to forward all queries, - except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>, - and <filename>site2.example.com</filename>, to the servers - in the - DMZ. These internal servers will have complete sets of information - for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>, - and <filename>site2.internal</filename>. - </para> - <para> - To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains, - the internal name servers must be configured to disallow all queries - to these domains from any external hosts, including the bastion - hosts. - </para> - <para> - The external servers, which are on the bastion hosts, will - be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones. - This could include things such as the host records for public servers - (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>), - and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>). - </para> - <para> - In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones - should have special MX records that contain wildcard (`*') records - pointing to the bastion hosts. This is needed because external mail - servers do not have any other way of looking up how to deliver mail - to those internal hosts. With the wildcard records, the mail will - be delivered to the bastion host, which can then forward it on to - internal hosts. - </para> - <para> - Here's an example of a wildcard MX record: - </para> - <programlisting>* IN MX 10 external1.example.com.</programlisting> - <para> - Now that they accept mail on behalf of anything in the internal - network, the bastion hosts will need to know how to deliver mail - to internal hosts. In order for this to work properly, the resolvers - on - the bastion hosts will need to be configured to point to the internal - name servers for DNS resolution. - </para> - <para> - Queries for internal hostnames will be answered by the internal - servers, and queries for external hostnames will be forwarded back - out to the DNS servers on the bastion hosts. - </para> - <para> - In order for all this to work properly, internal clients will - need to be configured to query <emphasis>only</emphasis> the internal - name servers for DNS queries. This could also be enforced via - selective - filtering on the network. - </para> - <para> - If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s - internal clients will now be able to: - </para> - <itemizedlist> - <listitem> - <simpara> - Look up any hostnames in the <literal>site1</literal> - and - <literal>site2.example.com</literal> zones. - </simpara> - </listitem> - <listitem> - <simpara> - Look up any hostnames in the <literal>site1.internal</literal> and - <literal>site2.internal</literal> domains. - </simpara> - </listitem> - <listitem> - <simpara>Look up any hostnames on the Internet.</simpara> - </listitem> - <listitem> - <simpara>Exchange mail with both internal and external people.</simpara> - </listitem> - </itemizedlist> - <para> - Hosts on the Internet will be able to: - </para> - <itemizedlist> - <listitem> - <simpara> - Look up any hostnames in the <literal>site1</literal> - and - <literal>site2.example.com</literal> zones. - </simpara> - </listitem> - <listitem> - <simpara> - Exchange mail with anyone in the <literal>site1</literal> and - <literal>site2.example.com</literal> zones. - </simpara> - </listitem> - </itemizedlist> + <section xml:id="split_dns_sample"><info><title>Example split DNS setup</title></info> + <para> + Let's say a company named <emphasis>Example, Inc.</emphasis> + (<literal>example.com</literal>) + has several corporate sites that have an internal network with + reserved + Internet Protocol (IP) space and an external demilitarized zone (DMZ), + or "outside" section of a network, that is available to the public. + </para> + <para> + <emphasis>Example, Inc.</emphasis> wants its internal clients + to be able to resolve external hostnames and to exchange mail with + people on the outside. The company also wants its internal resolvers + to have access to certain internal-only zones that are not available + at all outside of the internal network. + </para> + <para> + In order to accomplish this, the company will set up two sets + of name servers. One set will be on the inside network (in the + reserved + IP space) and the other set will be on bastion hosts, which are + "proxy" + hosts that can talk to both sides of its network, in the DMZ. + </para> + <para> + The internal servers will be configured to forward all queries, + except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>, + and <filename>site2.example.com</filename>, to the servers + in the + DMZ. These internal servers will have complete sets of information + for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>, + and <filename>site2.internal</filename>. + </para> + <para> + To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains, + the internal name servers must be configured to disallow all queries + to these domains from any external hosts, including the bastion + hosts. + </para> + <para> + The external servers, which are on the bastion hosts, will + be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones. + This could include things such as the host records for public servers + (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>), + and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>). + </para> + <para> + In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones + should have special MX records that contain wildcard (`*') records + pointing to the bastion hosts. This is needed because external mail + servers do not have any other way of looking up how to deliver mail + to those internal hosts. With the wildcard records, the mail will + be delivered to the bastion host, which can then forward it on to + internal hosts. + </para> + <para> + Here's an example of a wildcard MX record: + </para> + <programlisting>* IN MX 10 external1.example.com.</programlisting> + <para> + Now that they accept mail on behalf of anything in the internal + network, the bastion hosts will need to know how to deliver mail + to internal hosts. In order for this to work properly, the resolvers + on + the bastion hosts will need to be configured to point to the internal + name servers for DNS resolution. + </para> + <para> + Queries for internal hostnames will be answered by the internal + servers, and queries for external hostnames will be forwarded back + out to the DNS servers on the bastion hosts. + </para> + <para> + In order for all this to work properly, internal clients will + need to be configured to query <emphasis>only</emphasis> the internal + name servers for DNS queries. This could also be enforced via + selective + filtering on the network. + </para> + <para> + If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s + internal clients will now be able to: + </para> + <itemizedlist> + <listitem> + <simpara> + Look up any hostnames in the <literal>site1</literal> + and + <literal>site2.example.com</literal> zones. + </simpara> + </listitem> + <listitem> + <simpara> + Look up any hostnames in the <literal>site1.internal</literal> and + <literal>site2.internal</literal> domains. + </simpara> + </listitem> + <listitem> + <simpara>Look up any hostnames on the Internet.</simpara> + </listitem> + <listitem> + <simpara>Exchange mail with both internal and external people.</simpara> + </listitem> + </itemizedlist> + <para> + Hosts on the Internet will be able to: + </para> + <itemizedlist> + <listitem> + <simpara> + Look up any hostnames in the <literal>site1</literal> + and + <literal>site2.example.com</literal> zones. + </simpara> + </listitem> + <listitem> + <simpara> + Exchange mail with anyone in the <literal>site1</literal> and + <literal>site2.example.com</literal> zones. + </simpara> + </listitem> + </itemizedlist> - <para> - Here is an example configuration for the setup we just - described above. Note that this is only configuration information; - for information on how to configure your zone files, see <xref linkend="sample_configuration"/>. - </para> + <para> + Here is an example configuration for the setup we just + described above. Note that this is only configuration information; + for information on how to configure your zone files, see <xref linkend="sample_configuration"/>. + </para> - <para> - Internal DNS server config: - </para> + <para> + Internal DNS server config: + </para> <programlisting> @@ -1748,9 +1717,9 @@ zone "site2.internal" { }; </programlisting> - <para> - External (bastion host) DNS server config: - </para> + <para> + External (bastion host) DNS server config: + </para> <programlisting> acl internals { 172.16.72.0/24; 192.168.1.0/24; }; @@ -1787,10 +1756,10 @@ zone "site2.example.com" { }; </programlisting> - <para> - In the <filename>resolv.conf</filename> (or equivalent) on - the bastion host(s): - </para> + <para> + In the <filename>resolv.conf</filename> (or equivalent) on + the bastion host(s): + </para> <programlisting> search ... @@ -1799,277 +1768,279 @@ nameserver 172.16.72.3 nameserver 172.16.72.4 </programlisting> - </sect2> - </sect1> - <sect1 id="tsig"> - <title>TSIG</title> + </section> + </section> + <section xml:id="tsig"><info><title>TSIG</title></info> + <para> - This is a short guide to setting up Transaction SIGnatures - (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes - to the configuration file as well as what changes are required for - different features, including the process of creating transaction - keys and using transaction signatures with <acronym>BIND</acronym>. + TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS + messages, originally specified in RFC 2845. It allows DNS messages + to be cryptographically signed using a shared secret. TSIG can + be used in any DNS transaction, as a way to restrict access to + certain server functions (e.g., recursive queries) to authorized + clients when IP-based access control is insufficient or needs to + be overridden, or as a way to ensure message authenticity when it + is critical to the integrity of the server, such as with dynamic + UPDATE messages or zone transfers from a master to a slave server. </para> <para> - <acronym>BIND</acronym> primarily supports TSIG for server - to server communication. - This includes zone transfer, notify, and recursive query messages. - Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support - for TSIG. + This is a guide to setting up TSIG in <acronym>BIND</acronym>. + It describes the configuration syntax and the process of creating + TSIG keys. </para> - <para> - TSIG can also be useful for dynamic update. A primary - server for a dynamic zone should control access to the dynamic - update service, but IP-based access control is insufficient. - The cryptographic access control provided by TSIG - is far superior. The <command>nsupdate</command> - program supports TSIG via the <option>-k</option> and - <option>-y</option> command line options or inline by use - of the <command>key</command>. + <command>named</command> supports TSIG for server-to-server + communication, and some of the tools included with + <acronym>BIND</acronym> support it for sending messages to + <command>named</command>: + <itemizedlist> + <listitem> + <xref linkend="man.nsupdate"/> supports TSIG via the + <option>-k</option>, <option>-l</option> and + <option>-y</option> command line options, or via + the <command>key</command> command when running + interactively. + </listitem> + <listitem> + <xref linkend="man.dig"/> supports TSIG via the + <option>-k</option> and <option>-y</option> command + line options. + </listitem> + </itemizedlist> </para> - <sect2> - <title>Generate Shared Keys for Each Pair of Hosts</title> + <section><info><title>Generating a Shared Key</title></info> <para> - A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>. - An arbitrary key name is chosen: "host1-host2.". The key name must - be the same on both hosts. + TSIG keys can be generated using the <command>ddns-confgen</command> + command; the output of the command is a <command>key</command> directive + suitable for inclusion in <filename>named.conf</filename>. The + key name and algorithm can be specified by command line parameters; + the defaults are "ddns-key" and HMAC-SHA256, respectively. By + default, the output of <command>ddns-confgen</command> also includes + additional configuration text for setting up dynamic DNS in + <command>named</command>; the <option>-q</option> suppresses + this. See <xref linkend="man.ddns-confgen"/> for further details. </para> - <sect3> - <title>Automatic Generation</title> - <para> - The following command will generate a 128-bit (16 byte) HMAC-SHA256 - key as described above. Longer keys are better, but shorter keys - are easier to read. Note that the maximum key length is the digest - length, here 256 bits. - </para> - <para> - <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput> - </para> - <para> - The key is in the file <filename>Khost1-host2.+163+00000.private</filename>. - Nothing directly uses this file, but the base-64 encoded string - following "<literal>Key:</literal>" - can be extracted from the file and used as a shared secret: - </para> - <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting> - <para> - The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can - be used as the shared secret. - </para> - </sect3> - <sect3> - <title>Manual Generation</title> - <para> - The shared secret is simply a random sequence of bits, encoded - in base-64. Most ASCII strings are valid base-64 strings (assuming - the length is a multiple of 4 and only valid characters are used), - so the shared secret can be manually generated. - </para> - <para> - Also, a known string can be run through <command>mmencode</command> or - a similar program to generate base-64 encoded data. - </para> - </sect3> - </sect2> - <sect2> - <title>Copying the Shared Secret to Both Machines</title> <para> - This is beyond the scope of DNS. A secure transport mechanism - should be used. This could be secure FTP, ssh, telephone, etc. + Any string which is a valid DNS name can be used as a key name. + For example, a key to be shared between servers called + <emphasis>host1</emphasis> and <emphasis>host2</emphasis> could + be called "host1-host2.", and this key could be generated using: </para> - </sect2> - <sect2> - <title>Informing the Servers of the Key's Existence</title> +<programlisting> + $ ddns-confgen -q -k host1-host2. > host1-host2.key +</programlisting> <para> - Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> - are - both servers. The following is added to each server's <filename>named.conf</filename> file: + This key may then be copied to both hosts. The key name and secret + must be identical on both hosts. + (Note: copying a shared secret from one server to another is beyond + the scope of the DNS. A secure transport mechanism should be used: + secure FTP, SSL, ssh, telephone, encrypted email, etc.) </para> + </section> + <section><info><title>Loading A New Key</title></info> + <para> + For a key shared between servers called + <emphasis>host1</emphasis> and <emphasis>host2</emphasis>, + the following could be added to each server's + <filename>named.conf</filename> file: + </para> <programlisting> -key host1-host2. { - algorithm hmac-sha256; - secret "La/E5CjG9O+os1jq0a2jdA=="; +key "host1-host2." { + algorithm hmac-sha256; + secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY="; }; </programlisting> - <para> - The secret is the one generated above. Since this is a secret, it - is recommended that either <filename>named.conf</filename> be - non-world readable, or the key directive be added to a non-world - readable file that is included by <filename>named.conf</filename>. + (This is the same key generated above using + <command>ddns-confgen</command>.) </para> <para> - At this point, the key is recognized. This means that if the - server receives a message signed by this key, it can verify the - signature. If the signature is successfully verified, the - response is signed by the same key. + Since this text contains a secret, it + is recommended that either <filename>named.conf</filename> not be + world-readable, or that the <command>key</command> directive + be stored in a file which is not world-readable, and which is + included in <filename>named.conf</filename> via the + <command>include</command> directive. + </para> + <para> + Once a key has been added to <filename>named.conf</filename> and the + server has been restarted or reconfigured, the server can recognize + the key. If the server receives a message signed by the + key, it will be able to verify the signature. If the signature + is valid, the response will be signed using the same key. </para> - </sect2> - - <sect2> - <title>Instructing the Server to Use the Key</title> <para> - Since keys are shared between two hosts only, the server must - be told when keys are to be used. The following is added to the <filename>named.conf</filename> file - for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is - 10.1.2.3: + TSIG keys that are known to a server can be listed using the + command <command>rndc tsig-list</command>. </para> + </section> + <section><info><title>Instructing the Server to Use a Key</title></info> + <para> + A server sending a request to another server must be told whether + to use a key, and if so, which key to use. + </para> + <para> + For example, a key may be specified for each server in the + <command>masters</command> statement in the definition of a + slave zone; in this case, all SOA QUERY messages, NOTIFY + messages, and zone transfer requests (AXFR or IXFR) will be + signed using the specified key. Keys may also be specified + in the <command>also-notify</command> statement of a master + or slave zone, causing NOTIFY messages to be signed using + the specified key. + </para> + <para> + Keys can also be specified in a <command>server</command> + directive. Adding the following on <emphasis>host1</emphasis>, + if the IP address of <emphasis>host2</emphasis> is 10.1.2.3, would + cause <emphasis>all</emphasis> requests from <emphasis>host1</emphasis> + to <emphasis>host2</emphasis>, including normal DNS queries, to be + signed using the <command>host1-host2.</command> key: + </para> <programlisting> server 10.1.2.3 { - keys { host1-host2. ;}; + keys { host1-host2. ;}; }; </programlisting> - <para> - Multiple keys may be present, but only the first is used. - This directive does not contain any secrets, so it may be in a - world-readable - file. + Multiple keys may be present in the <command>keys</command> + statement, but only the first one is used. As this directive does + not contain secrets, it can be used in a world-readable file. </para> <para> - If <emphasis>host1</emphasis> sends a message that is a request - to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will - expect any responses to signed messages to be signed with the same - key. + Requests sent by <emphasis>host2</emphasis> to <emphasis>host1</emphasis> + would <emphasis>not</emphasis> be signed, unless a similar + <command>server</command> directive were in <emphasis>host2</emphasis>'s + configuration file. </para> <para> - A similar statement must be present in <emphasis>host2</emphasis>'s - configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to - sign request messages to <emphasis>host1</emphasis>. + Whenever any server sends a TSIG-signed DNS request, it will expect + the response to be signed with the same key. If a response is not + signed, or if the signature is not valid, the response will be + rejected. </para> - </sect2> - <sect2> - <title>TSIG Key Based Access Control</title> + </section> + + <section><info><title>TSIG-Based Access Control</title></info> <para> - <acronym>BIND</acronym> allows IP addresses and ranges - to be specified in ACL - definitions and - <command>allow-{ query | transfer | update }</command> - directives. - This has been extended to allow TSIG keys also. The above key would - be denoted <command>key host1-host2.</command> + TSIG keys may be specified in ACL definitions and ACL directives + such as <command>allow-query</command>, <command>allow-transfer</command> + and <command>allow-update</command>. + The above key would be denoted in an ACL element as + <command>key host1-host2.</command> </para> <para> - An example of an <command>allow-update</command> directive would be: + An example of an <command>allow-update</command> directive using + a TSIG key: </para> - <programlisting> -allow-update { key host1-host2. ;}; +allow-update { !{ !localnets; any; }; key host1-host2. ;}; </programlisting> - <para> - This allows dynamic updates to succeed only if the request - was signed by a key named "<command>host1-host2.</command>". + This allows dynamic updates to succeed only if the UPDATE + request comes from an address in <command>localnets</command>, + <emphasis>and</emphasis> if it is signed using the + <command>host1-host2.</command> key. </para> - <para> See <xref linkend="dynamic_update_policies"/> for a discussion of the more flexible <command>update-policy</command> statement. </para> + </section> - </sect2> - <sect2> - <title>Errors</title> - + <section><info><title>Errors</title></info> <para> - The processing of TSIG signed messages can result in - several errors. If a signed message is sent to a non-TSIG aware - server, a FORMERR (format error) will be returned, since the server will not - understand the record. This is a result of misconfiguration, - since the server must be explicitly configured to send a TSIG - signed message to a specific server. + Processing of TSIG-signed messages can result in several errors: + <itemizedlist> + <listitem> + If a TSIG-aware server receives a message signed by an + unknown key, the response will be unsigned, with the TSIG + extended error code set to BADKEY. + </listitem> + <listitem> + If a TSIG-aware server receives a message from a known key + but with an invalid signature, the response will be unsigned, + with the TSIG extended error code set to BADSIG. + </listitem> + <listitem> + If a TSIG-aware server receives a message with a time + outside of the allowed range, the response will be signed, with + the TSIG extended error code set to BADTIME, and the time values + will be adjusted so that the response can be successfully + verified. + </listitem> + </itemizedlist> + In all of the above cases, the server will return a response code + of NOTAUTH (not authenticated). </para> + </section> + </section> - <para> - If a TSIG aware server receives a message signed by an - unknown key, the response will be unsigned with the TSIG - extended error code set to BADKEY. If a TSIG aware server - receives a message with a signature that does not validate, the - response will be unsigned with the TSIG extended error code set - to BADSIG. If a TSIG aware server receives a message with a time - outside of the allowed range, the response will be signed with - the TSIG extended error code set to BADTIME, and the time values - will be adjusted so that the response can be successfully - verified. In any of these cases, the message's rcode (response code) is set to - NOTAUTH (not authenticated). - </para> + <section xml:id="tkey"><info><title>TKEY</title></info> - </sect2> - </sect1> - <sect1> - <title>TKEY</title> - - <para><command>TKEY</command> - is a mechanism for automatically generating a shared secret - between two hosts. There are several "modes" of - <command>TKEY</command> that specify how the key is generated - or assigned. <acronym>BIND</acronym> 9 implements only one of - these modes, the Diffie-Hellman key exchange. Both hosts are - required to have a Diffie-Hellman KEY record (although this - record is not required to be present in a zone). The - <command>TKEY</command> process must use signed messages, - signed either by TSIG or SIG(0). The result of - <command>TKEY</command> is a shared secret that can be used to - sign messages with TSIG. <command>TKEY</command> can also be - used to delete shared secrets that it had previously - generated. + <para> + TKEY (Transaction KEY) is a mechanism for automatically negotiating + a shared secret between two hosts, originally specified in RFC 2930. </para> - <para> - The <command>TKEY</command> process is initiated by a - client - or server by sending a signed <command>TKEY</command> - query - (including any appropriate KEYs) to a TKEY-aware server. The - server response, if it indicates success, will contain a - <command>TKEY</command> record and any appropriate keys. - After - this exchange, both participants have enough information to - determine the shared secret; the exact process depends on the - <command>TKEY</command> mode. When using the - Diffie-Hellman - <command>TKEY</command> mode, Diffie-Hellman keys are - exchanged, - and the shared secret is derived by both participants. + There are several TKEY "modes" that specify how a key is to be + generated or assigned. <acronym>BIND</acronym> 9 implements only + one of these modes: Diffie-Hellman key exchange. Both hosts are + required to have a KEY record with algorithm DH (though this + record is not required to be present in a zone). + </para> + <para> + The TKEY process is initiated by a client or server by sending + a query of type TKEY to a TKEY-aware server. The query must include + an appropriate KEY record in the additional section, and + must be signed using either TSIG or SIG(0) with a previously + established key. The server's response, if successful, will + contain a TKEY record in its answer section. After this transaction, + both participants will have enough information to calculate a + shared secret using Diffie-Hellman key exchange. The shared secret + can then be used by to sign subsequent transactions between the + two servers. + </para> + <para> + TSIG keys known by the server, including TKEY-negotiated keys, can + be listed using <command>rndc tsig-list</command>. + </para> + <para> + TKEY-negotiated keys can be deleted from a server using + <command>rndc tsig-delete</command>. This can also be done via + the TKEY protocol itself, by sending an authenticated TKEY query + specifying the "key deletion" mode. </para> - </sect1> - <sect1> - <title>SIG(0)</title> + </section> + <section xml:id="sig0"><info><title>SIG(0)</title></info> <para> - <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0) - transaction signatures as specified in RFC 2535 and RFC 2931. - SIG(0) - uses public/private keys to authenticate messages. Access control + <acronym>BIND</acronym> partially supports DNSSEC SIG(0) + transaction signatures as specified in RFC 2535 and RFC 2931. + SIG(0) uses public/private keys to authenticate messages. Access control is performed in the same manner as TSIG keys; privileges can be - granted or denied based on the key name. + granted or denied in ACL directives based on the key name. </para> - <para> When a SIG(0) signed message is received, it will only be - verified if the key is known and trusted by the server; the server - will not attempt to locate and/or validate the key. + verified if the key is known and trusted by the server. The + server will not attempt to recursively fetch or validate the + key. </para> - <para> - SIG(0) signing of multiple-message TCP streams is not - supported. + SIG(0) signing of multiple-message TCP streams is not supported. </para> - <para> The only tool shipped with <acronym>BIND</acronym> 9 that generates SIG(0) signed messages is <command>nsupdate</command>. </para> + </section> - </sect1> - <sect1 id="DNSSEC"> - <title>DNSSEC</title> - + <section xml:id="DNSSEC"><info><title>DNSSEC</title></info> <para> Cryptographic authentication of DNS information is possible through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions, @@ -2107,8 +2078,7 @@ allow-update { key host1-host2. ;}; zone key of another zone above this one in the DNS tree. </para> - <sect2> - <title>Generating Keys</title> + <section xml:id="dnssec_keys"><info><title>Generating Keys</title></info> <para> The <command>dnssec-keygen</command> program is used to @@ -2170,9 +2140,8 @@ allow-update { key host1-host2. ;}; <command>$INCLUDE</command> statements. </para> - </sect2> - <sect2> - <title>Signing the Zone</title> + </section> + <section xml:id="dnssec_signing"><info><title>Signing the Zone</title></info> <para> The <command>dnssec-signzone</command> program is used @@ -2218,10 +2187,9 @@ allow-update { key host1-host2. ;}; secure entry point to the zone. </para> - </sect2> + </section> - <sect2> - <title>Configuring Servers</title> + <section xml:id="dnssec_config"><info><title>Configuring Servers</title></info> <para> To enable <command>named</command> to respond appropriately @@ -2343,10 +2311,10 @@ options { }; </programlisting> - <note> + <note><simpara> None of the keys listed in this example are valid. In particular, the root key is not valid. - </note> + </simpara></note> <para> When DNSSEC validation is enabled and properly configured, @@ -2383,19 +2351,17 @@ options { This referred to the zone, not the response.) </para> </note> - </sect2> - - </sect1> + </section> - <xi:include href="dnssec.xml"/> + </section> - <xi:include href="managed-keys.xml"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="dnssec.xml"/> - <xi:include href="pkcs11.xml"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="managed-keys.xml"/> - <sect1> - <title>IPv6 Support in <acronym>BIND</acronym> 9</title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pkcs11.xml"/> + <section xml:id="ipv6"><info><title>IPv6 Support in <acronym>BIND</acronym> 9</title></info> <para> <acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6 name to address and address to name @@ -2435,8 +2401,7 @@ options { see <xref linkend="ipv6addresses"/>. </para> - <sect2> - <title>Address Lookups Using AAAA Records</title> + <section><info><title>Address Lookups Using AAAA Records</title></info> <para> The IPv6 AAAA record is a parallel to the IPv4 A record, @@ -2455,9 +2420,8 @@ host 3600 IN AAAA 2001:db8::1 a AAAA, with <literal>::ffff:192.168.42.1</literal> as the address. </para> - </sect2> - <sect2> - <title>Address to Name Lookups Using Nibble Format</title> + </section> + <section><info><title>Address to Name Lookups Using Nibble Format</title></info> <para> When looking up an address in nibble format, the address @@ -2475,14 +2439,14 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. host.example.com. ) </programlisting> - </sect2> - </sect1> + </section> + </section> </chapter> - <chapter id="Bv9ARM.ch05"> - <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title> - <sect1> - <title>The Lightweight Resolver Library</title> + <chapter xml:id="Bv9ARM.ch05"><info><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title></info> + + <section xml:id="lightweight_resolver"><info><title>The Lightweight Resolver Library</title></info> + <para> Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name @@ -2503,9 +2467,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. a simple UDP-based protocol, the "lightweight resolver protocol" that is distinct from and simpler than the full DNS protocol. </para> - </sect1> - <sect1 id="lwresd"> - <title>Running a Resolver Daemon</title> + </section> + <section xml:id="lwresd"><info><title>Running a Resolver Daemon</title></info> <para> To use the lightweight resolver interface, the system must @@ -2555,11 +2518,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. <command>lwres</command> statement in <filename>named.conf</filename>. </para> - </sect1> + </section> </chapter> - <chapter id="Bv9ARM.ch06"> - <title><acronym>BIND</acronym> 9 Configuration Reference</title> + <chapter xml:id="Bv9ARM.ch06"><info><title><acronym>BIND</acronym> 9 Configuration Reference</title></info> <para> <acronym>BIND</acronym> 9 configuration is broadly similar @@ -2578,8 +2540,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. using the shell script <filename>contrib/named-bootconf/named-bootconf.sh</filename>. </para> - <sect1 id="configuration_file_elements"> - <title>Configuration File Elements</title> + <section xml:id="configuration_file_elements"><info><title>Configuration File Elements</title></info> + <para> Following is a list of elements used throughout the <acronym>BIND</acronym> configuration file documentation: @@ -2943,10 +2905,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. </tbody> </tgroup> </informaltable> - <sect2 id="address_match_lists"> - <title>Address Match Lists</title> - <sect3> - <title>Syntax</title> + <section xml:id="address_match_lists"><info><title>Address Match Lists</title></info> + + <section><info><title>Syntax</title></info> <programlisting><varname>address_match_list</varname> = address_match_list_element ; <optional> address_match_list_element; ... </optional> @@ -2954,9 +2915,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. key key_id | acl_name | { address_match_list } ) </programlisting> - </sect3> - <sect3> - <title>Definition and Usage</title> + </section> + <section><info><title>Definition and Usage</title></info> + <para> Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -3052,11 +3013,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. that problem by having 1.2.3.13 blocked by the negation, but all other 1.2.3.* hosts fall through. </para> - </sect3> - </sect2> + </section> + </section> - <sect2> - <title>Comment Syntax</title> + <section xml:id="comment_syntax"><info><title>Comment Syntax</title></info> <para> The <acronym>BIND</acronym> 9 comment syntax allows for @@ -3066,8 +3026,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. in the C, C++, or shell/perl style. </para> - <sect3> - <title>Syntax</title> + <section><info><title>Syntax</title></info> <para> <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting> @@ -3075,9 +3034,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells # and perl</programlisting> </para> - </sect3> - <sect3> - <title>Definition and Usage</title> + </section> + <section><info><title>Definition and Usage</title></info> + <para> Comments may appear anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration file. @@ -3142,12 +3101,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. statement. </para> </warning> - </sect3> - </sect2> - </sect1> + </section> + </section> + </section> - <sect1 id="Configuration_File_Grammar"> - <title>Configuration File Grammar</title> + <section xml:id="Configuration_File_Grammar"><info><title>Configuration File Grammar</title></info> <para> A <acronym>BIND</acronym> 9 configuration consists of @@ -3330,18 +3288,16 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. configuration. </para> - <sect2> - <title><command>acl</command> Statement Grammar</title> + <section xml:id="acl_grammar"><info><title><command>acl</command> Statement Grammar</title></info> <programlisting><command>acl</command> acl-name { address_match_list }; </programlisting> - </sect2> - <sect2 id="acl"> - <title><command>acl</command> Statement Definition and - Usage</title> + </section> + <section xml:id="acl"><info><title><command>acl</command> Statement Definition and + Usage</title></info> <para> The <command>acl</command> statement assigns a symbolic @@ -3415,9 +3371,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. </tgroup> </informaltable> - </sect2> - <sect2> - <title><command>controls</command> Statement Grammar</title> + </section> + <section xml:id="controls_grammar"><info><title><command>controls</command> Statement Grammar</title></info> <programlisting><command>controls</command> { [ inet ( ip_addr | * ) [ port ip_port ] @@ -3430,11 +3385,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. }; </programlisting> - </sect2> + </section> - <sect2 id="controls_statement_definition_and_usage"> - <title><command>controls</command> Statement Definition and - Usage</title> + <section xml:id="controls_statement_definition_and_usage"><info><title><command>controls</command> Statement Definition and + Usage</title></info> <para> The <command>controls</command> statement declares control @@ -3551,14 +3505,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. <command>controls { };</command>. </para> - </sect2> - <sect2> - <title><command>include</command> Statement Grammar</title> + </section> + <section xml:id="include_grammar"><info><title><command>include</command> Statement Grammar</title></info> + <programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting> - </sect2> - <sect2> - <title><command>include</command> Statement Definition and - Usage</title> + </section> + <section xml:id="include_statement"><info><title><command>include</command> Statement Definition and Usage</title></info> <para> The <command>include</command> statement inserts the @@ -3571,9 +3523,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. that are readable only by the name server. </para> - </sect2> - <sect2> - <title><command>key</command> Statement Grammar</title> + </section> + <section xml:id="key_grammar"><info><title><command>key</command> Statement Grammar</title></info> <programlisting><command>key</command> <replaceable>key_id</replaceable> { algorithm <replaceable>algorithm_id</replaceable>; @@ -3581,10 +3532,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. }; </programlisting> - </sect2> + </section> - <sect2> - <title><command>key</command> Statement Definition and Usage</title> + <section xml:id="key_statement"><info><title><command>key</command> Statement Definition and Usage</title></info> <para> The <command>key</command> statement defines a shared @@ -3629,9 +3579,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. encoded string. </para> - </sect2> - <sect2> - <title><command>logging</command> Statement Grammar</title> + </section> + <section xml:id="logging_grammar"><info><title><command>logging</command> Statement Grammar</title></info> <programlisting><command>logging</command> { [ <command>channel</command> <replaceable>channel_name</replaceable> { @@ -3654,11 +3603,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. }; </programlisting> - </sect2> + </section> - <sect2> - <title><command>logging</command> Statement Definition and - Usage</title> + <section xml:id="logging_statement"><info><title><command>logging</command> Statement Definition and Usage</title></info> <para> The <command>logging</command> statement configures a @@ -3693,8 +3640,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. was specified. </para> - <sect3> - <title>The <command>channel</command> Phrase</title> + <section xml:id="channel"><info><title>The <command>channel</command> Phrase</title></info> <para> All log output goes to one or more <emphasis>channels</emphasis>; @@ -3950,10 +3896,9 @@ channel null { the default logging by pointing categories at channels you have defined. </para> - </sect3> + </section> - <sect3 id="the_category_phrase"> - <title>The <command>category</command> Phrase</title> + <section xml:id="the_category_phrase"><info><title>The <command>category</command> Phrase</title></info> <para> There are many categories, so you can send the logs you want @@ -3997,358 +3942,10 @@ category notify { null; }; of the types of log information they contain. More categories may be added in future <acronym>BIND</acronym> releases. </para> - <informaltable colsep="0" rowsep="0"> - <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table"> - <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/> - <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/> - <tbody> - <row rowsep="0"> - <entry colname="1"> - <para><command>default</command></para> - </entry> - <entry colname="2"> - <para> - The default category defines the logging - options for those categories where no specific - configuration has been - defined. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>general</command></para> - </entry> - <entry colname="2"> - <para> - The catch-all. Many things still aren't - classified into categories, and they all end up here. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>database</command></para> - </entry> - <entry colname="2"> - <para> - Messages relating to the databases used - internally by the name server to store zone and cache - data. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>security</command></para> - </entry> - <entry colname="2"> - <para> - Approval and denial of requests. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>config</command></para> - </entry> - <entry colname="2"> - <para> - Configuration file parsing and processing. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>resolver</command></para> - </entry> - <entry colname="2"> - <para> - DNS resolution, such as the recursive - lookups performed on behalf of clients by a caching name - server. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>xfer-in</command></para> - </entry> - <entry colname="2"> - <para> - Zone transfers the server is receiving. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>xfer-out</command></para> - </entry> - <entry colname="2"> - <para> - Zone transfers the server is sending. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>notify</command></para> - </entry> - <entry colname="2"> - <para> - The NOTIFY protocol. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>client</command></para> - </entry> - <entry colname="2"> - <para> - Processing of client requests. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>unmatched</command></para> - </entry> - <entry colname="2"> - <para> - Messages that <command>named</command> was unable to determine the - class of or for which there was no matching <command>view</command>. - A one line summary is also logged to the <command>client</command> category. - This category is best sent to a file or stderr, by - default it is sent to - the <command>null</command> channel. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>network</command></para> - </entry> - <entry colname="2"> - <para> - Network operations. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>update</command></para> - </entry> - <entry colname="2"> - <para> - Dynamic updates. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>update-security</command></para> - </entry> - <entry colname="2"> - <para> - Approval and denial of update requests. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>queries</command></para> - </entry> - <entry colname="2"> - <para> - Specify where queries should be logged to. - </para> - <para> - At startup, specifying the category <command>queries</command> will also - enable query logging unless <command>querylog</command> option has been - specified. - </para> - - <para> - The query log entry reports the client's IP - address and port number, and the query name, - class and type. Next it reports whether the - Recursion Desired flag was set (+ if set, - - if not set), if the query was signed (S), - EDNS was in use (E), if TCP was used (T), if - DO (DNSSEC Ok) was set (D), or if CD (Checking - Disabled) was set (C). After this the - destination address the query was sent to is - reported. - </para> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="logging-categories.xml"/> + </section> + <section xml:id="query_errors"><info><title>The <command>query-errors</command> Category</title></info> - <para> - <computeroutput>client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</computeroutput> - </para> - <para> - <computeroutput>client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</computeroutput> - </para> - <para> - (The first part of this log message, showing the - client address/port number and query name, is - repeated in all subsequent log messages related - to the same query.) - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>query-errors</command></para> - </entry> - <entry colname="2"> - <para> - Information about queries that resulted in some - failure. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>dispatch</command></para> - </entry> - <entry colname="2"> - <para> - Dispatching of incoming packets to the - server modules where they are to be processed. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>dnssec</command></para> - </entry> - <entry colname="2"> - <para> - DNSSEC and TSIG protocol processing. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>lame-servers</command></para> - </entry> - <entry colname="2"> - <para> - Lame servers. These are misconfigurations - in remote servers, discovered by BIND 9 when trying to - query those servers during resolution. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>delegation-only</command></para> - </entry> - <entry colname="2"> - <para> - Delegation only. Logs queries that have been - forced to NXDOMAIN as the result of a - delegation-only zone or a - <command>delegation-only</command> in a - forward, hint or stub zone declaration. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>edns-disabled</command></para> - </entry> - <entry colname="2"> - <para> - Log queries that have been forced to use plain - DNS due to timeouts. This is often due to - the remote servers not being RFC 1034 compliant - (not always returning FORMERR or similar to - EDNS queries and other extensions to the DNS - when they are not understood). In other words, this is - targeted at servers that fail to respond to - DNS queries that they don't understand. - </para> - <para> - Note: the log message can also be due to - packet loss. Before reporting servers for - non-RFC 1034 compliance they should be re-tested - to determine the nature of the non-compliance. - This testing should prevent or reduce the - number of false-positive reports. - </para> - <para> - Note: eventually <command>named</command> will have to stop - treating such timeouts as due to RFC 1034 non - compliance and start treating it as plain - packet loss. Falsely classifying packet - loss as due to RFC 1034 non compliance impacts - on DNSSEC validation which requires EDNS for - the DNSSEC records to be returned. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>RPZ</command></para> - </entry> - <entry colname="2"> - <para> - Information about errors in response policy zone files, - rewritten responses, and at the highest - <command>debug</command> levels, mere rewriting - attempts. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>rate-limit</command></para> - </entry> - <entry colname="2"> - <para> - (Only available when <acronym>BIND</acronym> 9 is - configured with the <userinput>--enable-rrl</userinput> - option at compile time.) - </para> - <para> - The start, periodic, and final notices of the - rate limiting of a stream of responses are logged at - <command>info</command> severity in this category. - These messages include a hash value of the domain name - of the response and the name itself, - except when there is insufficient memory to record - the name for the final notice - The final notice is normally delayed until about one - minute after rate limit stops. - A lack of memory can hurry the final notice, - in which case it starts with an asterisk (*). - Various internal events are logged at debug 1 level - and higher. - </para> - <para> - Rate limiting of individual requests - is logged in the <command>query-errors</command> category. - </para> - </entry> - </row> - <row rowsep="0"> - <entry colname="1"> - <para><command>cname</command></para> - </entry> - <entry colname="2"> - <para> - Logs nameservers that are skipped due to them being - a CNAME rather than A / AAAA records. - </para> - </entry> - </row> - </tbody> - </tgroup> - </informaltable> - </sect3> - <sect3> - <title>The <command>query-errors</command> Category</title> <para> The <command>query-errors</command> category is specifically intended for debugging purposes: To identify @@ -4572,11 +4169,10 @@ badresp:1,adberr:0,findfail:0,valfail:0] This is because any unexpected results can be difficult to debug in the recursion case. </para> - </sect3> - </sect2> + </section> + </section> - <sect2> - <title><command>lwres</command> Statement Grammar</title> + <section xml:id="lwres_grammar"><info><title><command>lwres</command> Statement Grammar</title></info> <para> This is the grammar of the <command>lwres</command> @@ -4592,9 +4188,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] }; </programlisting> - </sect2> - <sect2> - <title><command>lwres</command> Statement Definition and Usage</title> + </section> + <section xml:id="lwres_statement"><info><title><command>lwres</command> Statement Definition and Usage</title></info> <para> The <command>lwres</command> statement configures the @@ -4647,29 +4242,27 @@ badresp:1,adberr:0,findfail:0,valfail:0] number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended. </para> - </sect2> - <sect2> - <title><command>masters</command> Statement Grammar</title> + </section> + <section xml:id="masters_grammar"><info><title><command>masters</command> Statement Grammar</title></info> <programlisting> <command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </programlisting> - </sect2> + </section> + + <section xml:id="masters_statement"><info><title><command>masters</command> Statement Definition and + Usage</title></info> - <sect2> - <title><command>masters</command> Statement Definition and - Usage</title> <para><command>masters</command> lists allow for a common set of masters to be easily used by multiple stub and slave zones in their <command>masters</command> or <command>also-notify</command> lists. </para> - </sect2> + </section> - <sect2> - <title><command>options</command> Statement Grammar</title> + <section xml:id="options_grammar"><info><title><command>options</command> Statement Grammar</title></info> <para> This is the grammar of the <command>options</command> @@ -4720,6 +4313,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional> <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional> <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional> + <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional> <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional> <optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional> <optional> dnssec-lookaside ( <replaceable>auto</replaceable> | @@ -4791,7 +4385,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional> <optional> fetches-per-server <replaceable>number</replaceable> <optional><replaceable>(drop | fail)</replaceable></optional>; </optional> <optional> fetch-quota-params <replaceable>number fixedpoint fixedpoint fixedpoint</replaceable> ; </optional> - <optional> fetches-per-zone<replaceable>number</replaceable> <optional><replaceable>(drop | fail)</replaceable></optional>; </optional> + <optional> fetches-per-zone <replaceable>number</replaceable> <optional><replaceable>(drop | fail)</replaceable></optional>; </optional> <optional> serial-query-rate <replaceable>number</replaceable>; </optional> <optional> serial-queries <replaceable>number</replaceable>; </optional> <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional> @@ -4809,9 +4403,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional> <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional> <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional> - <optional> also-notify { <replaceable>ip_addr</replaceable> - <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>keyname</replaceable></optional> ; - <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>keyname</replaceable></optional> ; ... </optional> }; </optional> + <optional> also-notify <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> + <optional>port <replaceable>ip_port</replaceable></optional> + <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional> <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional> <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional> <optional> coresize <replaceable>size_spec</replaceable> ; </optional> @@ -4828,6 +4422,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] <optional> lame-ttl <replaceable>number</replaceable>; </optional> <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional> <optional> max-cache-ttl <replaceable>number</replaceable>; </optional> + <optional> serial-update-method <constant>increment</constant>|<constant>unixtime</constant>|<constant>date</constant>; </optional> <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional> <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional> <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional> @@ -4853,7 +4448,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] <optional> clients { <replaceable>address_match_list</replaceable> }; </optional> <optional> mapped { <replaceable>address_match_list</replaceable> }; </optional> <optional> exclude { <replaceable>address_match_list</replaceable> }; </optional> - <optional> suffix IPv6-address; </optional> + <optional> suffix <replaceable>IPv6-address</replaceable>; </optional> <optional> recursive-only <replaceable>yes_or_no</replaceable>; </optional> <optional> break-dnssec <replaceable>yes_or_no</replaceable>; </optional> }; </optional>; @@ -4912,11 +4507,10 @@ badresp:1,adberr:0,findfail:0,valfail:0] }; </programlisting> - </sect2> + </section> - <sect2 id="options"> - <title><command>options</command> Statement Definition and - Usage</title> + <section xml:id="options"><info><title><command>options</command> Statement Definition and + Usage</title></info> <para> The <command>options</command> statement sets up global @@ -5209,7 +4803,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] The PID file is used by programs that want to send signals to the running name server. Specifying <command>pid-file none</command> disables the - use of a PID file — no file will be written and any + use of a PID file — no file will be written and any existing one will be removed. Note that <command>none</command> is a keyword, not a filename, and therefore is not enclosed in @@ -5356,12 +4950,14 @@ badresp:1,adberr:0,findfail:0,valfail:0] If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. - The default is not to prefer any type (NONE). + The default is to prefer A records when responding + to queries that arrived via IPv4 and AAAA when + responding to queries that arrived via IPv6. </para> </listitem> </varlistentry> - <varlistentry id="root_delegation_only"> + <varlistentry xml:id="root_delegation_only"> <term><command>root-delegation-only</command></term> <listitem> <para> @@ -5459,8 +5055,7 @@ options { installed along with <acronym>BIND</acronym> 9, and is current as of the release date. If the DLV key expires, a new copy of <filename>bind.keys</filename> can be downloaded - from <ulink url="https://www.isc.org/solutions/dlv/" - >https://www.isc.org/solutions/dlv/</ulink>. + from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/solutions/dlv/">https://www.isc.org/solutions/dlv/</link>. </para> <para> (To prevent problems if <filename>bind.keys</filename> is @@ -5581,6 +5176,26 @@ options { </varlistentry> <varlistentry> + <term><command>dnssec-loadkeys-interval</command></term> + <listitem> + <para> + When a zone is configured with <command>auto-dnssec + maintain;</command> its key repository must be checked + periodically to see if any new keys have been added + or any existing keys' timing metadata has been updated + (see <xref linkend="man.dnssec-keygen"/> and + <xref linkend="man.dnssec-settime"/>). The + <command>dnssec-loadkeys-interval</command> option + sets the frequency of automatic repository checks, in + minutes. The default is <literal>60</literal> (1 hour), + the minimum is <literal>1</literal> (1 minute), and the + maximum is <literal>1440</literal> (24 hours); any higher + value is silently reduced. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><command>dnssec-update-mode</command></term> <listitem> <para> @@ -5615,6 +5230,31 @@ options { </varlistentry> <varlistentry> + <term><command>serial-update-method</command></term> + <listitem> + <para> + Zones configured for dynamic DNS may use this + option to set the update method that will be used for + the zone serial number in the SOA record. + </para> + <para> + With the default setting of + <command>serial-update-method increment;</command>, the + SOA serial number will be incremented by one each time + the zone is updated. + </para> + <para> + When set to + <command>serial-update-method unixtime;</command>, the + SOA serial number will be set to the number of seconds + since the UNIX epoch, unless the serial number is + already greater than or equal to that value, in which + case it is simply incremented by one. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><command>zone-statistics</command></term> <listitem> <para> @@ -5649,8 +5289,7 @@ options { </varlistentry> </variablelist> - <sect3 id="boolean_options"> - <title>Boolean Options</title> + <section xml:id="boolean_options"><info><title>Boolean Options</title></info> <variablelist> @@ -6110,7 +5749,6 @@ options { queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. - See also <command>fetch-glue</command> above. </para> </listitem> </varlistentry> @@ -6430,6 +6068,49 @@ options { </varlistentry> <varlistentry> + <term><command>auto-dnssec</command></term> + <listitem> + <para> + Zones configured for dynamic DNS may use this + option to allow varying levels of automatic DNSSEC key + management. There are three possible settings: + </para> + <para> + <command>auto-dnssec allow;</command> permits + keys to be updated and the zone fully re-signed + whenever the user issues the command <command>rndc sign + <replaceable>zonename</replaceable></command>. + </para> + <para> + <command>auto-dnssec maintain;</command> includes the + above, but also automatically adjusts the zone's DNSSEC + keys on schedule, according to the keys' timing metadata + (see <xref linkend="man.dnssec-keygen"/> and + <xref linkend="man.dnssec-settime"/>). The command + <command>rndc sign + <replaceable>zonename</replaceable></command> causes + <command>named</command> to load keys from the key + repository and sign the zone with all keys that are + active. + <command>rndc loadkeys + <replaceable>zonename</replaceable></command> causes + <command>named</command> to load keys from the key + repository and schedule key maintenance events to occur + in the future, but it does not sign the full zone + immediately. Note: once keys have been loaded for a + zone the first time, the repository will be searched + for changes periodically, regardless of whether + <command>rndc loadkeys</command> is used. The recheck + interval is defined by + <command>dnssec-loadkeys-interval</command>.) + </para> + <para> + The default setting is <command>auto-dnssec off</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><command>dnssec-enable</command></term> <listitem> <para> @@ -6717,26 +6398,6 @@ options { </varlistentry> <varlistentry> - <term><command>dnssec-loadkeys-interval</command></term> - <listitem> - <para> - When a zone is configured with <command>auto-dnssec - maintain;</command> its key repository must be checked - periodically to see if any new keys have been added - or any existing keys' timing metadata has been updated - (see <xref linkend="man.dnssec-keygen"/> and - <xref linkend="man.dnssec-settime"/>). The - <command>dnssec-loadkeys-interval</command> option - sets the frequency of automatic repository checks, in - minutes. The default is <literal>60</literal> (1 hour), - the minimum is <literal>1</literal> (1 minute), and the - maximum is <literal>1440</literal> (24 hours); any higher - value is silently reduced. - </para> - </listitem> - </varlistentry> - - <varlistentry> <term><command>try-tcp-refresh</command></term> <listitem> <para> @@ -6777,10 +6438,10 @@ options { </variablelist> - </sect3> + </section> + + <section xml:id="forwarding"><info><title>Forwarding</title></info> - <sect3> - <title>Forwarding</title> <para> The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -6800,7 +6461,7 @@ options { This option is only meaningful if the forwarders list is not empty. A value of <varname>first</varname>, the default, causes the server to query the forwarders - first — and + first — and if that doesn't answer the question, the server will then look for the answer itself. If <varname>only</varname> is @@ -6831,10 +6492,10 @@ options { or have a different <command>forward only/first</command> behavior, or not forward at all, see <xref linkend="zone_statement_grammar"/>. </para> - </sect3> + </section> + + <section xml:id="dual_stack"><info><title>Dual-stack Servers</title></info> - <sect3> - <title>Dual-stack Servers</title> <para> Dual-stack servers are used as servers of last resort to work around @@ -6860,10 +6521,10 @@ options { </listitem> </varlistentry> </variablelist> - </sect3> + </section> + + <section xml:id="access_control"><info><title>Access Control</title></info> - <sect3 id="access_control"> - <title>Access Control</title> <para> Access to the server can be restricted based on the IP address @@ -7171,10 +6832,10 @@ options { </varlistentry> </variablelist> - </sect3> + </section> + + <section xml:id="interfaces"><info><title>Interfaces</title></info> - <sect3> - <title>Interfaces</title> <para> The interfaces and ports that the server will answer queries from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes @@ -7267,10 +6928,10 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; }; invoked. If <command>-6</command> is specified then <command>named</command> will listen on port 53 on all IPv6 interfaces by default. </para> - </sect3> + </section> + + <section xml:id="query_address"><info><title>Query Address</title></info> - <sect3 id="query_address"> - <title>Query Address</title> <para> If the server doesn't know the answer to a question, it will query other name servers. <command>query-source</command> specifies @@ -7420,10 +7081,10 @@ avoid-v6-udp-ports {}; <command>notify-source</command>. </para> </note> - </sect3> + </section> + + <section xml:id="zone_transfers"><info><title>Zone Transfers</title></info> - <sect3 id="zone_transfers"> - <title>Zone Transfers</title> <para> <acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers @@ -7686,14 +7347,14 @@ avoid-v6-udp-ports {}; <command>use-alt-transfer-source</command> is set. </para> - <note> + <note><simpara> If you do not wish the alternate transfer source to be used, you should set <command>use-alt-transfer-source</command> appropriately and you should not depend upon getting an answer back to the first refresh query. - </note> + </simpara></note> </listitem> </varlistentry> @@ -7760,10 +7421,10 @@ avoid-v6-udp-ports {}; </variablelist> - </sect3> + </section> + + <section xml:id="port_lists"><info><title>UDP Port Lists</title></info> - <sect3> - <title>UDP Port Lists</title> <para> <command>use-v4-udp-ports</command>, <command>avoid-v4-udp-ports</command>, @@ -7805,10 +7466,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; sense; they are provided for backward compatibility and to possibly simplify the port specification. </para> - </sect3> + </section> - <sect3> - <title>Operating System Resource Limits</title> + <section xml:id="resource_limits"><info><title>Operating System Resource Limits</title></info> <para> The server's usage of many system resources can be limited. @@ -7889,10 +7549,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </variablelist> - </sect3> + </section> - <sect3 id="server_resource_limits"> - <title>Server Resource Limits</title> + <section xml:id="server_resource_limits"><info><title>Server Resource Limits</title></info> <para> The following options set limits on the server's @@ -7988,8 +7647,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </listitem> </varlistentry> - <varlistentry id="clients-per-query"> - <term><command>clients-per-query</command></term> + <varlistentry xml:id="clients-per-query"> + <term xml:id="cpq_term"><command>clients-per-query</command></term> <term><command>max-clients-per-query</command></term> <listitem> <para>These set the @@ -8023,7 +7682,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </listitem> </varlistentry> - <varlistentry id="fetches-per-zone"> + <varlistentry xml:id="fetches-per-zone"> <term><command>fetches-per-zone</command></term> <listitem> <para> @@ -8081,7 +7740,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </listitem> </varlistentry> - <varlistentry id="fetches-per-server"> + <varlistentry xml:id="fetches-per-server"> <term><command>fetches-per-server</command></term> <listitem> <para> @@ -8234,10 +7893,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </variablelist> - </sect3> + </section> - <sect3> - <title>Periodic Task Intervals</title> + <section xml:id="intervals"><info><title>Periodic Task Intervals</title></info> <variablelist> @@ -8312,10 +7970,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </variablelist> - </sect3> + </section> - <sect3 id="topology"> - <title>Topology</title> + <section xml:id="topology"><info><title>Topology</title></info> <para> All other things being equal, when the server chooses a name @@ -8360,11 +8017,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; is not implemented in <acronym>BIND</acronym> 9. </simpara> </note> - </sect3> - - <sect3 id="the_sortlist_statement"> + </section> - <title>The <command>sortlist</command> Statement</title> + <section xml:id="the_sortlist_statement"><info><title>The <command>sortlist</command> Statement</title></info> <para> The response to a DNS query may consist of multiple resource @@ -8476,9 +8131,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; }; </programlisting> - </sect3> - <sect3 id="rrset_ordering"> - <title id="rrset_ordering_title">RRset Ordering</title> + </section> + <section xml:id="rrset_ordering"><info><title xml:id="rrset_ordering_title">RRset Ordering</title></info> + <para> When multiple records are returned in an answer it may be useful to configure the order of the records placed into the @@ -8571,7 +8226,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </para> <para> If multiple <command>rrset-order</command> statements - appear, they are not combined — the last one applies. + appear, they are not combined — the last one applies. </para> <para> By default, all records are returned in random order. @@ -8586,10 +8241,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; the "configure" command line. </simpara> </note> - </sect3> + </section> - <sect3 id="tuning"> - <title>Tuning</title> + <section xml:id="tuning"><info><title>Tuning</title></info> <variablelist> @@ -8670,8 +8324,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <para> Specifies the number of days into the future when DNSSEC signatures automatically generated as a - result of dynamic updates (<xref - linkend="dynamic_update"/>) will expire. There + result of dynamic updates (<xref linkend="dynamic_update"/>) will expire. There is an optional second field which specifies how long before expiry that the signatures will be regenerated. If not specified, the signatures will @@ -8869,7 +8522,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </listitem> </varlistentry> - <varlistentry id="max-recursion-depth"> + <varlistentry xml:id="max-recursion-depth"> <term><command>max-recursion-depth</command></term> <listitem> <para> @@ -8885,7 +8538,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </listitem> </varlistentry> - <varlistentry id="max-recursion-queries"> + <varlistentry xml:id="max-recursion-queries"> <term><command>max-recursion-queries</command></term> <listitem> <para> @@ -8927,10 +8580,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </varlistentry> </variablelist> - </sect3> + </section> - <sect3 id="builtin"> - <title>Built-in server information zones</title> + <section xml:id="builtin"><info><title>Built-in server information zones</title></info> <para> The server provides some helpful diagnostic information @@ -9012,10 +8664,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </variablelist> - </sect3> + </section> + + <section xml:id="empty"><info><title>Built-in Empty Zones</title></info> - <sect3 id="empty"> - <title>Built-in Empty Zones</title> <para> Named has some built-in empty zones (SOA and NS records only). These are for zones that should normally be answered locally @@ -9154,12 +8806,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; to be deployed to channel the query load away from the infrastructure servers. </para> - <note> + <note><simpara> The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built-in empty zones. This will enable them to return referrals to deeper in the tree. - </note> + </simpara></note> <variablelist> <varlistentry> <term><command>empty-server</command></term> @@ -9203,10 +8855,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </listitem> </varlistentry> </variablelist> - </sect3> + </section> + + <section xml:id="acache"><info><title>Additional Section Caching</title></info> - <sect3 id="acache"> - <title>Additional Section Caching</title> <para> The additional section cache, also called <command>acache</command>, @@ -9318,10 +8970,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </variablelist> - </sect3> + </section> + + <section xml:id="content_filtering"><info><title>Content Filtering</title></info> - <sect3> - <title>Content Filtering</title> <para> <acronym>BIND</acronym> 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -9378,9 +9030,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; to get access to an internal node of your local network that couldn't be externally accessed otherwise. See the paper available at - <ulink url="http://portal.acm.org/citation.cfm?id=1315245.1315298"> + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://portal.acm.org/citation.cfm?id=1315245.1315298"> http://portal.acm.org/citation.cfm?id=1315245.1315298 - </ulink> + </link> for more details about the attacks. </para> @@ -9455,10 +9107,10 @@ deny-answer-aliases { "example.net"; }; Filtering out DNS records containing this address spuriously can break such applications. </para> - </sect3> + </section> + + <section xml:id="rpz"><info><title>Response Policy Zone (RPZ) Rewriting</title></info> - <sect3> - <title>Response Policy Zone (RPZ) Rewriting</title> <para> <acronym>BIND</acronym> 9 includes a limited mechanism to modify DNS responses for requests @@ -9723,10 +9375,10 @@ ns.domain.com.rpz-nsdname CNAME . Responses rewritten by RPZ are counted in the <command>RPZRewrites</command> statistics. </para> - </sect3> + </section> + + <section xml:id="rrl"><info><title>Response Rate Limiting</title></info> - <sect3> - <title>Response Rate Limiting</title> <para> This feature is only available when <acronym>BIND</acronym> 9 is compiled with the <userinput>--enable-rrl</userinput> @@ -9963,11 +9615,10 @@ ns.domain.com.rpz-nsdname CNAME . Responses that truncated by rate limits are included in <command>RateSlipped</command> and <command>RespTruncated</command>. </para> - </sect3> - </sect2> + </section> + </section> - <sect2 id="server_statement_grammar"> - <title><command>server</command> Statement Grammar</title> + <section xml:id="server_statement_grammar"><info><title><command>server</command> Statement Grammar</title></info> <programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> { <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional> @@ -9994,11 +9645,10 @@ ns.domain.com.rpz-nsdname CNAME . }; </programlisting> - </sect2> + </section> - <sect2 id="server_statement_definition_and_usage"> - <title><command>server</command> Statement Definition and - Usage</title> + <section xml:id="server_statement_definition_and_usage"><info><title><command>server</command> Statement Definition and + Usage</title></info> <para> The <command>server</command> statement defines @@ -10183,10 +9833,9 @@ ns.domain.com.rpz-nsdname CNAME . <command>request-nsid</command> set at the view or option level. </para> - </sect2> + </section> - <sect2 id="statschannels"> - <title><command>statistics-channels</command> Statement Grammar</title> + <section xml:id="statschannels"><info><title><command>statistics-channels</command> Statement Grammar</title></info> <programlisting><command>statistics-channels</command> { [ inet ( ip_addr | * ) [ port ip_port ] @@ -10194,11 +9843,10 @@ ns.domain.com.rpz-nsdname CNAME . [ inet ...; ] }; </programlisting> - </sect2> + </section> - <sect2> - <title><command>statistics-channels</command> Statement Definition and - Usage</title> + <section xml:id="statistics_channels"><info><title><command>statistics-channels</command> Statement Definition and + Usage</title></info> <para> The <command>statistics-channels</command> statement @@ -10255,10 +9903,8 @@ ns.domain.com.rpz-nsdname CNAME . <para> If the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at - <ulink url="http://127.0.0.1:8888/" - >http://127.0.0.1:8888/</ulink> or - <ulink url="http://127.0.0.1:8888/xml" - >http://127.0.0.1:8888/xml</ulink>. A CSS file is + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://127.0.0.1:8888/">http://127.0.0.1:8888/</link> or + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://127.0.0.1:8888/xml">http://127.0.0.1:8888/xml</link>. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser. When <acronym>BIND</acronym> 9 is configured with --enable-newstats, @@ -10272,19 +9918,16 @@ ns.domain.com.rpz-nsdname CNAME . <para> Applications that depend on a particular XML schema can request - <ulink url="http://127.0.0.1:8888/xml/v2" - >http://127.0.0.1:8888/xml/v2</ulink> for version 2 + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://127.0.0.1:8888/xml/v2">http://127.0.0.1:8888/xml/v2</link> for version 2 of the statistics XML schema or - <ulink url="http://127.0.0.1:8888/xml/v3" - >http://127.0.0.1:8888/xml/v3</ulink> for version 3. + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://127.0.0.1:8888/xml/v3">http://127.0.0.1:8888/xml/v3</link> for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error. </para> - </sect2> + </section> - <sect2 id="trusted-keys"> - <title><command>trusted-keys</command> Statement Grammar</title> + <section xml:id="trusted-keys"><info><title><command>trusted-keys</command> Statement Grammar</title></info> <programlisting><command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; @@ -10292,14 +9935,13 @@ ns.domain.com.rpz-nsdname CNAME . }; </programlisting> - </sect2> - <sect2> - <title><command>trusted-keys</command> Statement Definition - and Usage</title> + </section> + <section xml:id="trusted_keys"><info><title><command>trusted-keys</command> Statement Definition + and Usage</title></info> + <para> The <command>trusted-keys</command> statement defines - DNSSEC security roots. DNSSEC is described in <xref - linkend="DNSSEC"/>. A security root is defined when the + DNSSEC security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is @@ -10332,10 +9974,9 @@ ns.domain.com.rpz-nsdname CNAME . level are inherited by all views, but keys defined in a view are only used within that view. </para> - </sect2> + </section> - <sect2> - <title><command>managed-keys</command> Statement Grammar</title> + <section xml:id="managed_keys"><info><title><command>managed-keys</command> Statement Grammar</title></info> <programlisting><command>managed-keys</command> { <replaceable>name</replaceable> initial-key <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key-data</replaceable> ; @@ -10343,10 +9984,10 @@ ns.domain.com.rpz-nsdname CNAME . }; </programlisting> - </sect2> - <sect2 id="managed-keys"> - <title><command>managed-keys</command> Statement Definition - and Usage</title> + </section> + <section xml:id="managed-keys"><info><title><command>managed-keys</command> Statement Definition + and Usage</title></info> + <para> The <command>managed-keys</command> statement, like <command>trusted-keys</command>, defines DNSSEC @@ -10458,10 +10099,9 @@ ns.domain.com.rpz-nsdname CNAME . maintenance process is built into <command>named</command>, and can be overridden from <command>bindkeys-file</command>. </para> - </sect2> + </section> - <sect2 id="view_statement_grammar"> - <title><command>view</command> Statement Grammar</title> + <section xml:id="view_statement_grammar"><info><title><command>view</command> Statement Grammar</title></info> <programlisting><command>view</command> <replaceable>view_name</replaceable> <optional><replaceable>class</replaceable></optional> { @@ -10473,9 +10113,8 @@ ns.domain.com.rpz-nsdname CNAME . }; </programlisting> - </sect2> - <sect2> - <title><command>view</command> Statement Definition and Usage</title> + </section> + <section xml:id="view_statement"><info><title><command>view</command> Statement Definition and Usage</title></info> <para> The <command>view</command> statement is a powerful @@ -10511,7 +10150,7 @@ ns.domain.com.rpz-nsdname CNAME . means that only recursive requests from matching clients will match that view. The order of the <command>view</command> statements is - significant — + significant — a client request will be resolved in the context of the first <command>view</command> that it matches. </para> @@ -10601,10 +10240,9 @@ view "external" { }; </programlisting> - </sect2> - <sect2 id="zone_statement_grammar"> - <title><command>zone</command> - Statement Grammar</title> + </section> + <section xml:id="zone_statement_grammar"><info><title><command>zone</command> + Statement Grammar</title></info> <programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { type master; @@ -10616,8 +10254,6 @@ view "external" { <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional> <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional> <optional> update-policy <replaceable>local</replaceable> | { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional> - <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; - <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional> <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional> @@ -10757,7 +10393,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional> <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional> - <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional> + <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional> <optional> database <replaceable>string</replaceable> ; </optional> <optional> min-refresh-time <replaceable>number</replaceable> ; </optional> <optional> max-refresh-time <replaceable>number</replaceable> ; </optional> @@ -10771,7 +10407,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional> <optional> server-addresses { <optional> <replaceable>ip_addr</replaceable> ; ... </optional> }; </optional> <optional> server-names { <optional> <replaceable>namelist</replaceable> </optional> }; </optional> - <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional> + <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional> }; zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { @@ -10794,11 +10430,21 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea </programlisting> - </sect2> - <sect2> - <title><command>zone</command> Statement Definition and Usage</title> - <sect3> - <title>Zone Types</title> + </section> + <section xml:id="zone_statement"><info><title><command>zone</command> Statement Definition and Usage</title></info> + + <section xml:id="zone_types"><info><title>Zone Types</title></info> + + <para> + The <command>type</command> keyword is required + for the <command>zone</command> configuration. Its + acceptable values include: <varname>delegation-only</varname>, + <varname>forward</varname>, <varname>hint</varname>, + <varname>master</varname>, <varname>redirect</varname>, + <varname>slave</varname>, <varname>static-stub</varname>, + and <varname>stub</varname>. + </para> + <informaltable colsep="0" rowsep="0"> <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table"> <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/--> @@ -11115,10 +10761,10 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea </tbody> </tgroup> </informaltable> - </sect3> + </section> + + <section xml:id="class"><info><title>Class</title></info> - <sect3> - <title>Class</title> <para> The zone's name may optionally be followed by a class. If a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>), @@ -11137,10 +10783,9 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea Another MIT development is Chaosnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class. </para> - </sect3> - <sect3> + </section> - <title>Zone Options</title> + <section xml:id="zone_options"><info><title>Zone Options</title></info> <variablelist> @@ -11328,6 +10973,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea </varlistentry> <varlistentry> + <term><command>dnssec-loadkeys-interval</command></term> + <listitem> + <para> + See the description of + <command>dnssec-loadkeys-interval</command> in <xref linkend="options"/>. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><command>dnssec-update-mode</command></term> <listitem> <para> @@ -11573,11 +11228,9 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea <term><command>zone-statistics</command></term> <listitem> <para> - If <userinput>yes</userinput>, the server will keep - statistical - information for this zone, which can be dumped to the - <command>statistics-file</command> defined in - the server options. + See the description of + <command>zone-statistics</command> in + <xref linkend="options"/>. </para> </listitem> </varlistentry> @@ -11811,41 +11464,9 @@ example.com. NS ns2.example.net. <term><command>auto-dnssec</command></term> <listitem> <para> - Zones configured for dynamic DNS may also use this - option to allow varying levels of automatic DNSSEC key - management. There are three possible settings: - </para> - <para> - <command>auto-dnssec allow;</command> permits - keys to be updated and the zone fully re-signed - whenever the user issues the command <command>rndc sign - <replaceable>zonename</replaceable></command>. - </para> - <para> - <command>auto-dnssec maintain;</command> includes the - above, but also automatically adjusts the zone's DNSSEC - keys on schedule, according to the keys' timing metadata - (see <xref linkend="man.dnssec-keygen"/> and - <xref linkend="man.dnssec-settime"/>). The command - <command>rndc sign - <replaceable>zonename</replaceable></command> causes - <command>named</command> to load keys from the key - repository and sign the zone with all keys that are - active. - <command>rndc loadkeys - <replaceable>zonename</replaceable></command> causes - <command>named</command> to load keys from the key - repository and schedule key maintenance events to occur - in the future, but it does not sign the full zone - immediately. Note: once keys have been loaded for a - zone the first time, the repository will be searched - for changes periodically, regardless of whether - <command>rndc loadkeys</command> is used. The recheck - interval is defined by - <command>dnssec-loadkeys-interval</command>.) - </para> - <para> - The default setting is <command>auto-dnssec off</command>. + See the description of + <command>auto-dnssec</command> in + <xref linkend="options"/>. </para> </listitem> </varlistentry> @@ -11854,23 +11475,9 @@ example.com. NS ns2.example.net. <term><command>serial-update-method</command></term> <listitem> <para> - Zones configured for dynamic DNS may use this - option to set the update method that will be used for - the zone serial number in the SOA record. - </para> - <para> - With the default setting of - <command>serial-update-method increment;</command>, the - SOA serial number will be incremented by one each time - the zone is updated. - </para> - <para> - When set to - <command>serial-update-method unixtime;</command>, the - SOA serial number will be set to the number of seconds - since the UNIX epoch, unless the serial number is - already greater than or equal to that value, in which - case it is simply incremented by one. + See the description of + <command>serial-update-method</command> in + <xref linkend="options"/>. </para> </listitem> </varlistentry> @@ -11921,9 +11528,9 @@ example.com. NS ns2.example.net. </variablelist> - </sect3> - <sect3 id="dynamic_update_policies"> - <title>Dynamic Update Policies</title> + </section> + <section xml:id="dynamic_update_policies"><info><title>Dynamic Update Policies</title></info> + <para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the @@ -12111,7 +11718,7 @@ example.com. NS ns2.example.net. The <replaceable>name</replaceable> field is subject to DNS wildcard expansion, and this rule matches when the name being updated - name is a valid expansion of the wildcard. + is a valid expansion of the wildcard. </para> </entry> </row> @@ -12327,13 +11934,13 @@ example.com. NS ns2.example.net. all records associated with a name, the rules are checked for each existing record type. </para> - </sect3> - </sect2> - </sect1> - <sect1> - <title>Zone File</title> - <sect2 id="types_of_resource_records_and_when_to_use_them"> - <title>Types of Resource Records and When to Use Them</title> + </section> + </section> + </section> + <section xml:id="zone_file"><info><title>Zone File</title></info> + + <section xml:id="types_of_resource_records_and_when_to_use_them"><info><title>Types of Resource Records and When to Use Them</title></info> + <para> This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains when each is used. @@ -12341,8 +11948,7 @@ example.com. NS ns2.example.net. identified and implemented in the DNS. These are also included. </para> - <sect3> - <title>Resource Records</title> + <section><info><title>Resource Records</title></info> <para> A domain name identifies a node. Each node has a set of @@ -12524,6 +12130,18 @@ example.com. NS ns2.example.net. <row rowsep="0"> <entry colname="1"> <para> + AVC + </para> + </entry> + <entry colname="2"> + <para> + Application Visibility and Control record. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> CAA </para> </entry> @@ -12590,6 +12208,19 @@ example.com. NS ns2.example.net. <row rowsep="0"> <entry colname="1"> <para> + CSYNC + </para> + </entry> + <entry colname="2"> + <para> + Child-to-Parent Synchronization in DNS as described + in RFC 7477. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> DHCID </para> </entry> @@ -12968,6 +12599,18 @@ example.com. NS ns2.example.net. <row rowsep="0"> <entry colname="1"> <para> + NINFO + </para> + </entry> + <entry colname="2"> + <para> + Contains zone status information. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> NIMLOC </para> </entry> @@ -13138,6 +12781,18 @@ example.com. NS ns2.example.net. <row rowsep="0"> <entry colname="1"> <para> + RKEY + </para> + </entry> + <entry colname="2"> + <para> + Resource key. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> RP </para> </entry> @@ -13194,6 +12849,30 @@ example.com. NS ns2.example.net. <row rowsep="0"> <entry colname="1"> <para> + SINK + </para> + </entry> + <entry colname="2"> + <para> + The kitchen sink record. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> + SMIMEA + </para> + </entry> + <entry colname="2"> + <para> + The S/MIME Security Certificate Association. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> SOA </para> </entry> @@ -13246,6 +12925,30 @@ example.com. NS ns2.example.net. <row rowsep="0"> <entry colname="1"> <para> + TA + </para> + </entry> + <entry colname="2"> + <para> + Trust Anchor. Experimental. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> + TALINK + </para> + </entry> + <entry colname="2"> + <para> + Trust Anchor Link. Experimental. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> TLSA </para> </entry> @@ -13445,9 +13148,9 @@ example.com. NS ns2.example.net. frequently used as "pointers" to other data in the DNS. </para> - </sect3> - <sect3> - <title>Textual expression of RRs</title> + </section> + <section xml:id="rr_text"><info><title>Textual expression of RRs</title></info> + <para> RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -13644,11 +13347,10 @@ example.com. NS ns2.example.net. This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>, each of a different class. </para> - </sect3> - </sect2> + </section> + </section> - <sect2> - <title>Discussion of MX Records</title> + <section xml:id="mx_records"><info><title>Discussion of MX Records</title></info> <para> As described above, domain servers store information as a @@ -13669,13 +13371,13 @@ example.com. NS ns2.example.net. chosen randomly. If no servers at a given priority are responding, the mail transport agent will fall back to the next largest priority. - Priority numbers do not have any absolute meaning — they are + Priority numbers do not have any absolute meaning — they are relevant only respective to other MX records for that domain name. The domain name given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have an associated address record - (A or AAAA) — CNAME is not sufficient. + (A or AAAA) — CNAME is not sufficient. </para> <para> For a given domain, if there is both a CNAME record and an @@ -13829,9 +13531,9 @@ example.com. NS ns2.example.net. any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will be attempted. </para> - </sect2> - <sect2 id="Setting_TTLs"> - <title>Setting TTLs</title> + </section> + <section xml:id="Setting_TTLs"><info><title>Setting TTLs</title></info> + <para> The time-to-live of the RR field is a 32-bit integer represented in units of seconds, and is primarily used by resolvers when they @@ -13900,9 +13602,9 @@ example.com. NS ns2.example.net. All of these TTLs default to units of seconds, though units can be explicitly specified, for example, <literal>1h30m</literal>. </para> - </sect2> - <sect2> - <title>Inverse Mapping in IPv4</title> + </section> + <section xml:id="ipv4_reverse"><info><title>Inverse Mapping in IPv4</title></info> + <para> Reverse name resolution (that is, translation from IP address to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain @@ -13953,15 +13655,15 @@ example.com. NS ns2.example.net. <note> <para> The <command>$ORIGIN</command> lines in the examples - are for providing context to the examples only — they do not + are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin. </para> </note> - </sect2> - <sect2> - <title>Other Zone File Directives</title> + </section> + <section xml:id="zone_directives"><info><title>Other Zone File Directives</title></info> + <para> The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -13974,8 +13676,8 @@ example.com. NS ns2.example.net. Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>, and <command>$TTL.</command> </para> - <sect3> - <title>The <command>@</command> (at-sign)</title> + <section xml:id="atsign"><info><title>The <command>@</command> (at-sign)</title></info> + <para> When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -13983,9 +13685,9 @@ example.com. NS ns2.example.net. <<varname>zone_name</varname>> (followed by trailing dot). </para> - </sect3> - <sect3> - <title>The <command>$ORIGIN</command> Directive</title> + </section> + <section xml:id="origin_directive"><info><title>The <command>$ORIGIN</command> Directive</title></info> + <para> Syntax: <command>$ORIGIN</command> <replaceable>domain-name</replaceable> @@ -14015,9 +13717,9 @@ WWW CNAME MAIN-SERVER WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </programlisting> - </sect3> - <sect3> - <title>The <command>$INCLUDE</command> Directive</title> + </section> + <section xml:id="include_directive"><info><title>The <command>$INCLUDE</command> Directive</title></info> + <para> Syntax: <command>$INCLUDE</command> <replaceable>filename</replaceable> @@ -14049,9 +13751,9 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. feature, or both. </para> </note> - </sect3> - <sect3> - <title>The <command>$TTL</command> Directive</title> + </section> + <section xml:id="ttl_directive"><info><title>The <command>$TTL</command> Directive</title></info> + <para> Syntax: <command>$TTL</command> <replaceable>default-ttl</replaceable> @@ -14066,10 +13768,10 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. <para><command>$TTL</command> is defined in RFC 2308. </para> - </sect3> - </sect2> - <sect2> - <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title> + </section> + </section> + <section xml:id="generate_directive"><info><title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title></info> + <para> Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> @@ -14267,10 +13969,10 @@ HOST-127.EXAMPLE. MX 0 . <para> BIND 8 does not support the optional TTL and CLASS fields. </para> - </sect2> + </section> + + <section xml:id="zonefile_format"><info><title>Additional File Formats</title></info> - <sect2 id="zonefile_format"> - <title>Additional File Formats</title> <para> In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in @@ -14309,11 +14011,11 @@ HOST-127.EXAMPLE. MX 0 . portable backup of the file, it is recommended to convert the file to the standard textual representation. </para> - </sect2> - </sect1> + </section> + </section> + + <section xml:id="statistics"><info><title>BIND9 Statistics</title></info> - <sect1 id="statistics"> - <title>BIND9 Statistics</title> <para> <acronym>BIND</acronym> 9 maintains lots of statistics information and provides several interfaces for users to @@ -14442,13 +14144,18 @@ HOST-127.EXAMPLE. MX 0 . A subset of Name Server Statistics is collected and shown per zone for which the server has the authority when <command>zone-statistics</command> is set to - <userinput>yes</userinput>. - These statistics counters are shown with their zone and view - names. - In some cases the view names are omitted for the default view. + <userinput>full</userinput> (or <userinput>yes</userinput> + for backward compatibility. See the description of + <command>zone-statistics</command> in <xref linkend="options"/> + for further details. </para> <para> + These statistics counters are shown with their zone and + view names. The view name is omitted when the server is + not configured with explicit views.</para> + + <para> There are currently two user interfaces to get access to the statistics. One is in the plain text format dumped to the file specified @@ -14459,8 +14166,8 @@ HOST-127.EXAMPLE. MX 0 . (see <xref linkend="statschannels"/>.) </para> - <sect3 id="statsfile"> - <title>The Statistics File</title> + <section xml:id="statsfile"><info><title>The Statistics File</title></info> + <para> The text format statistics dump begins with a line, like: </para> @@ -14496,10 +14203,10 @@ HOST-127.EXAMPLE. MX 0 . <para> <command>--- Statistics Dump --- (973798949)</command> </para> - </sect3> + </section> + + <section xml:id="statistics_counters"><info><title>Statistics Counters</title></info> - <sect2 id="statistics_counters"> - <title>Statistics Counters</title> <para> The following tables summarize statistics counters that <acronym>BIND</acronym> 9 provides. @@ -14517,8 +14224,7 @@ HOST-127.EXAMPLE. MX 0 . <acronym>BIND</acronym> 8 statistics, if applicable. </para> - <sect3> - <title>Name Server Statistics Counters</title> + <section xml:id="stats_counters"><info><title>Name Server Statistics Counters</title></info> <informaltable colsep="0" rowsep="0"> <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table"> @@ -14577,7 +14283,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ReqEdns0</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14590,7 +14296,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ReqBadEDNSVer</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14603,7 +14309,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ReqTSIG</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14616,7 +14322,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ReqSIG0</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14629,7 +14335,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ReqBadSIG</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14720,7 +14426,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>RespTruncated</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14733,7 +14439,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>RespEDNS0</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14746,7 +14452,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>RespTSIG</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14759,7 +14465,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>RespSIG0</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14772,7 +14478,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QrySuccess</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14791,7 +14497,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QryAuthAns</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14817,7 +14523,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QryReferral</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14834,7 +14540,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QryNxrrset</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14932,7 +14638,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QryDropped</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14947,7 +14653,7 @@ HOST-127.EXAMPLE. MX 0 . <command>max-clients-per-query</command> options (see the description about - <xref linkend="clients-per-query"/>.) + <xref endterm="cpq_term" linkend="clients-per-query"/>.) This corresponds to the <command>dropped</command> counter of previous versions of @@ -14960,7 +14666,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QryFailure</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14985,7 +14691,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>XfrReqDone</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -14998,7 +14704,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>UpdateReqFwd</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15011,7 +14717,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>UpdateRespFwd</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15024,7 +14730,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>UpdateFwdFail</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15037,7 +14743,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>UpdateDone</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15050,7 +14756,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>UpdateFail</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15063,7 +14769,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>UpdateBadPrereq</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15076,7 +14782,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>RPZRewrites</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15089,7 +14795,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>RateDropped</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15102,7 +14808,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>RateSlipped</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15113,10 +14819,9 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </tgroup> </informaltable> - </sect3> + </section> - <sect3> - <title>Zone Maintenance Statistics Counters</title> + <section xml:id="zone_stats"><info><title>Zone Maintenance Statistics Counters</title></info> <informaltable colsep="0" rowsep="0"> <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table"> @@ -15269,10 +14974,9 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </tgroup> </informaltable> - </sect3> + </section> - <sect3> - <title>Resolver Statistics Counters</title> + <section xml:id="resolver_stats"><info><title>Resolver Statistics Counters</title></info> <informaltable colsep="0" rowsep="0"> <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table"> @@ -15407,7 +15111,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>EDNS0Fail</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15440,7 +15144,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>Truncated</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15479,7 +15183,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QueryAbort</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15492,7 +15196,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QuerySockFail</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15508,7 +15212,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QueryTimeout</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15547,7 +15251,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>GlueFetchv4Fail</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15560,7 +15264,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>GlueFetchv6Fail</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15573,7 +15277,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ValAttempt</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15586,7 +15290,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ValOk</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15599,7 +15303,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ValNegOk</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15612,7 +15316,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>ValFail</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15625,7 +15329,7 @@ HOST-127.EXAMPLE. MX 0 . <para><command>QryRTTnn</command></para> </entry> <entry colname="2"> - <para><command></command></para> + <para><command/></para> </entry> <entry colname="3"> <para> @@ -15655,10 +15359,9 @@ HOST-127.EXAMPLE. MX 0 . </tgroup> </informaltable> - </sect3> + </section> - <sect3> - <title>Socket I/O Statistics Counters</title> + <section xml:id="socket_stats"><info><title>Socket I/O Statistics Counters</title></info> <para> Socket I/O statistics counters are defined per socket @@ -15813,9 +15516,10 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </tgroup> </informaltable> - </sect3> - <sect3> - <title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title> + </section> + + <section xml:id="bind8_compatibility"><info><title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title></info> + <para> Most statistics counters that were available in <command>BIND</command> 8 are also supported in @@ -15866,15 +15570,15 @@ HOST-127.EXAMPLE. MX 0 . </listitem> </varlistentry> </variablelist> - </sect3> - </sect2> - </sect1> + </section> + </section> + </section> </chapter> - <chapter id="Bv9ARM.ch07"> - <title><acronym>BIND</acronym> 9 Security Considerations</title> - <sect1 id="Access_Control_Lists"> - <title>Access Control Lists</title> + <chapter xml:id="Bv9ARM.ch07"><info><title><acronym>BIND</acronym> 9 Security Considerations</title></info> + + <section xml:id="Access_Control_Lists"><info><title>Access Control Lists</title></info> + <para> Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in <command>allow-notify</command>, @@ -15931,9 +15635,9 @@ zone "example.com" { This allows recursive queries of the server from the outside unless recursion has been previously disabled. </para> - </sect1> - <sect1> - <title><command>Chroot</command> and <command>Setuid</command></title> + </section> + <section xml:id="chroot_and_setuid"><info><title><command>Chroot</command> and <command>Setuid</command></title></info> + <para> On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment (using @@ -15957,8 +15661,7 @@ zone "example.com" { <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput> </para> - <sect2> - <title>The <command>chroot</command> Environment</title> + <section xml:id="chroot"><info><title>The <command>chroot</command> Environment</title></info> <para> In order for a <command>chroot</command> environment @@ -15984,10 +15687,9 @@ zone "example.com" { <filename>/dev/log</filename>, and <filename>/etc/localtime</filename>. </para> - </sect2> + </section> - <sect2> - <title>Using the <command>setuid</command> Function</title> + <section xml:id="setuid"><info><title>Using the <command>setuid</command> Function</title></info> <para> Prior to running the <command>named</command> daemon, @@ -16000,16 +15702,15 @@ zone "example.com" { to which you want <acronym>BIND</acronym> to write. </para> - <note> - Note that if the <command>named</command> daemon is running as an + <note><simpara> + If the <command>named</command> daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded. - </note> - </sect2> - </sect1> + </simpara></note> + </section> + </section> - <sect1 id="dynamic_update_security"> - <title>Dynamic Update Security</title> + <section xml:id="dynamic_update_security"><info><title>Dynamic Update Security</title></info> <para> Access to the dynamic @@ -16051,15 +15752,14 @@ zone "example.com" { all. </para> - </sect1> + </section> </chapter> - <chapter id="Bv9ARM.ch08"> - <title>Troubleshooting</title> - <sect1> - <title>Common Problems</title> - <sect2> - <title>It's not working; how can I figure out what's wrong?</title> + <chapter xml:id="Bv9ARM.ch08"><info><title>Troubleshooting</title></info> + + <section xml:id="common_problems"><info><title>Common Problems</title></info> + + <section><info><title>It's not working; how can I figure out what's wrong?</title></info> <para> The best solution to solving installation and @@ -16069,13 +15769,12 @@ zone "example.com" { what went wrong and how to fix the problem. </para> - </sect2> - </sect1> - <sect1> - <title>Incrementing and Changing the Serial Number</title> + </section> + </section> + <section><info><title>Incrementing and Changing the Serial Number</title></info> <para> - Zone serial numbers are just numbers — they aren't + Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that represents a date, usually of the form YYYYMMDDRR. Occasionally they will make a mistake and set them to a @@ -16100,9 +15799,8 @@ zone "example.com" { it to be, and reload the zone again. </para> - </sect1> - <sect1> - <title>Where Can I Get Help?</title> + </section> + <section xml:id="more_help"><info><title>Where Can I Get Help?</title></info> <para> The Internet Systems Consortium @@ -16120,125 +15818,120 @@ zone "example.com" { <para> To discuss arrangements for support, contact - <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="mailto:info@isc.org">info@isc.org</link> or visit the <acronym>ISC</acronym> web page at - <ulink url="http://www.isc.org/services/support/" - >http://www.isc.org/services/support/</ulink> + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/services/support/">http://www.isc.org/services/support/</link> to read more. </para> - </sect1> + </section> </chapter> - <appendix id="Bv9ARM.ch09"> - <title>Release Notes</title> - <xi:include href="notes.xml"/> + <appendix xml:id="Bv9ARM.ch09"><info><title>Release Notes</title></info> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes.xml"/> </appendix> - <appendix id="Bv9ARM.ch10"> - <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title> - <sect1 id="historical_dns_information"> - <para> - Although the "official" beginning of the Domain Name - System occurred in 1984 with the publication of RFC 920, the - core of the new system was described in 1983 in RFCs 882 and - 883. From 1984 to 1987, the ARPAnet (the precursor to today's - Internet) became a testbed of experimentation for developing the - new naming/addressing scheme in a rapidly expanding, - operational network environment. New RFCs were written and - published in 1987 that modified the original documents to - incorporate improvements based on the working model. RFC 1034, - "Domain Names-Concepts and Facilities", and RFC 1035, "Domain - Names-Implementation and Specification" were published and - became the standards upon which all <acronym>DNS</acronym> implementations are - built. - </para> + <appendix xml:id="Bv9ARM.ch10"><info><title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title></info> + <para xml:id="historical_dns_information"> + Although the "official" beginning of the Domain Name + System occurred in 1984 with the publication of RFC 920, the + core of the new system was described in 1983 in RFCs 882 and + 883. From 1984 to 1987, the ARPAnet (the precursor to today's + Internet) became a testbed of experimentation for developing the + new naming/addressing scheme in a rapidly expanding, + operational network environment. New RFCs were written and + published in 1987 that modified the original documents to + incorporate improvements based on the working model. RFC 1034, + "Domain Names-Concepts and Facilities", and RFC 1035, "Domain + Names-Implementation and Specification" were published and + became the standards upon which all <acronym>DNS</acronym> implementations are + built. + </para> - <para> - The first working domain name server, called "Jeeves", was - written in 1983-84 by Paul Mockapetris for operation on DEC - Tops-20 - machines located at the University of Southern California's - Information - Sciences Institute (USC-ISI) and SRI International's Network - Information - Center (SRI-NIC). A <acronym>DNS</acronym> server for - Unix machines, the Berkeley Internet - Name Domain (<acronym>BIND</acronym>) package, was - written soon after by a group of - graduate students at the University of California at Berkeley - under - a grant from the US Defense Advanced Research Projects - Administration - (DARPA). - </para> - <para> - Versions of <acronym>BIND</acronym> through - 4.8.3 were maintained by the Computer - Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark - Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym> - project team. After that, additional work on the software package - was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment - Corporation - employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985 - to 1987. Many other people also contributed to <acronym>BIND</acronym> development - during that time: Doug Kingston, Craig Partridge, Smoot - Carl-Mitchell, - Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently - handled by Mike Karels and Øivind Kure. - </para> - <para> - <acronym>BIND</acronym> versions 4.9 and 4.9.1 were - released by Digital Equipment - Corporation (now Compaq Computer Corporation). Paul Vixie, then - a DEC employee, became <acronym>BIND</acronym>'s - primary caretaker. He was assisted - by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan - Beecher, Andrew - Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat - Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe - Wolfhugel, and others. - </para> - <para> - In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by - Vixie Enterprises. Paul - Vixie became <acronym>BIND</acronym>'s principal - architect/programmer. - </para> - <para> - <acronym>BIND</acronym> versions from 4.9.3 onward - have been developed and maintained - by the Internet Systems Consortium and its predecessor, - the Internet Software Consortium, with support being provided - by ISC's sponsors. - </para> - <para> - As co-architects/programmers, Bob Halley and - Paul Vixie released the first production-ready version of - <acronym>BIND</acronym> version 8 in May 1997. - </para> - <para> - BIND version 9 was released in September 2000 and is a - major rewrite of nearly all aspects of the underlying - BIND architecture. - </para> - <para> - BIND versions 4 and 8 are officially deprecated. - No additional development is done - on BIND version 4 or BIND version 8. - </para> - <para> - <acronym>BIND</acronym> development work is made - possible today by the sponsorship - of several corporations, and by the tireless work efforts of - numerous individuals. - </para> - </sect1> + <para> + The first working domain name server, called "Jeeves", was + written in 1983-84 by Paul Mockapetris for operation on DEC + Tops-20 + machines located at the University of Southern California's + Information + Sciences Institute (USC-ISI) and SRI International's Network + Information + Center (SRI-NIC). A <acronym>DNS</acronym> server for + Unix machines, the Berkeley Internet + Name Domain (<acronym>BIND</acronym>) package, was + written soon after by a group of + graduate students at the University of California at Berkeley + under + a grant from the US Defense Advanced Research Projects + Administration + (DARPA). + </para> + <para> + Versions of <acronym>BIND</acronym> through + 4.8.3 were maintained by the Computer + Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark + Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym> + project team. After that, additional work on the software package + was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment + Corporation + employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985 + to 1987. Many other people also contributed to <acronym>BIND</acronym> development + during that time: Doug Kingston, Craig Partridge, Smoot + Carl-Mitchell, + Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently + handled by Mike Karels and Øivind Kure. + </para> + <para> + <acronym>BIND</acronym> versions 4.9 and 4.9.1 were + released by Digital Equipment + Corporation (now Compaq Computer Corporation). Paul Vixie, then + a DEC employee, became <acronym>BIND</acronym>'s + primary caretaker. He was assisted + by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan + Beecher, Andrew + Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat + Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe + Wolfhugel, and others. + </para> + <para> + In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by + Vixie Enterprises. Paul + Vixie became <acronym>BIND</acronym>'s principal + architect/programmer. + </para> + <para> + <acronym>BIND</acronym> versions from 4.9.3 onward + have been developed and maintained + by the Internet Systems Consortium and its predecessor, + the Internet Software Consortium, with support being provided + by ISC's sponsors. + </para> + <para> + As co-architects/programmers, Bob Halley and + Paul Vixie released the first production-ready version of + <acronym>BIND</acronym> version 8 in May 1997. + </para> + <para> + BIND version 9 was released in September 2000 and is a + major rewrite of nearly all aspects of the underlying + BIND architecture. + </para> + <para> + BIND versions 4 and 8 are officially deprecated. + No additional development is done + on BIND version 4 or BIND version 8. + </para> + <para> + <acronym>BIND</acronym> development work is made + possible today by the sponsorship + of several corporations, and by the tireless work efforts of + numerous individuals. + </para> </appendix> - <appendix id="Bv9ARM.ch11"> - <title>General <acronym>DNS</acronym> Reference Information</title> - <sect1 id="ipv6addresses"> - <title>IPv6 addresses (AAAA)</title> + <appendix xml:id="Bv9ARM.ch11"><info><title>General <acronym>DNS</acronym> Reference Information</title></info> + + <section xml:id="ipv6addresses"><info><title>IPv6 addresses (AAAA)</title></info> + <para> IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate @@ -16293,11 +15986,11 @@ zone "example.com" { string of zeros that can fit, and can be used only once in an address. </para> - </sect1> - <sect1 id="bibliography"> - <title>Bibliography (and Suggested Reading)</title> - <sect2 id="rfcs"> - <title>Request for Comments (RFCs)</title> + </section> + <section xml:id="bibliography"><info><title>Bibliography (and Suggested Reading)</title></info> + + <section xml:id="rfcs"><info><title>Request for Comments (RFCs)</title></info> + <para> Specification documents for the Internet protocol suite, including the <acronym>DNS</acronym>, are published as part of @@ -16307,886 +16000,537 @@ zone "example.com" { Engineering Steering Group (IESG). RFCs can be obtained online via FTP at: </para> <para> - <ulink url="ftp://www.isi.edu/in-notes/"> + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="ftp://www.isi.edu/in-notes/"> ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt - </ulink> + </link> </para> <para> (where <replaceable>xxxx</replaceable> is the number of the RFC). RFCs are also available via the Web at: </para> <para> - <ulink url="http://www.ietf.org/rfc/" - >http://www.ietf.org/rfc/</ulink>. + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</link>. </para> <bibliography> - <bibliodiv> + <bibliodiv><info><title>Standards</title></info> <!-- one of (BIBLIOENTRY BIBLIOMIXED) --> - <title>Standards</title> + <biblioentry> <abbrev>RFC974</abbrev> - <author> - <surname>Partridge</surname> - <firstname>C.</firstname> - </author> - <title>Mail Routing and the Domain System</title> + <author><personname><surname>Partridge</surname><firstname>C.</firstname></personname></author> + <citetitle>Mail Routing and the Domain System</citetitle> <pubdate>January 1986</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1034</abbrev> - <author> - <surname>Mockapetris</surname> - <firstname>P.V.</firstname> - </author> - <title>Domain Names — Concepts and Facilities</title> + <author><personname><surname>Mockapetris</surname><firstname>P.V.</firstname></personname></author> + <citetitle>Domain Names — Concepts and Facilities</citetitle> <pubdate>November 1987</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1035</abbrev> - <author> - <surname>Mockapetris</surname> - <firstname>P. V.</firstname> - </author> <title>Domain Names — Implementation and - Specification</title> + <author><personname><surname>Mockapetris</surname><firstname>P. V.</firstname></personname></author> <citetitle>Domain Names — Implementation and + Specification</citetitle> <pubdate>November 1987</pubdate> </biblioentry> </bibliodiv> - <bibliodiv id="proposed_standards" xreflabel="Proposed Standards"> + <bibliodiv xml:id="proposed_standards" xreflabel="Proposed Standards"><info><title>Proposed Standards</title></info> - <title>Proposed Standards</title> <!-- one of (BIBLIOENTRY BIBLIOMIXED) --> <biblioentry> <abbrev>RFC2181</abbrev> - <author> - <surname>Elz</surname> - <firstname>R., R. Bush</firstname> - </author> - <title>Clarifications to the <acronym>DNS</acronym> - Specification</title> + <author><personname><surname>Elz</surname><firstname>R., R. Bush</firstname></personname></author> + <citetitle>Clarifications to the <acronym>DNS</acronym> + Specification</citetitle> <pubdate>July 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2308</abbrev> - <author> - <surname>Andrews</surname> - <firstname>M.</firstname> - </author> - <title>Negative Caching of <acronym>DNS</acronym> - Queries</title> + <author><personname><surname>Andrews</surname><firstname>M.</firstname></personname></author> + <citetitle>Negative Caching of <acronym>DNS</acronym> + Queries</citetitle> <pubdate>March 1998</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1995</abbrev> - <author> - <surname>Ohta</surname> - <firstname>M.</firstname> - </author> - <title>Incremental Zone Transfer in <acronym>DNS</acronym></title> + <author><personname><surname>Ohta</surname><firstname>M.</firstname></personname></author> + <citetitle>Incremental Zone Transfer in <acronym>DNS</acronym></citetitle> <pubdate>August 1996</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1996</abbrev> - <author> - <surname>Vixie</surname> - <firstname>P.</firstname> - </author> - <title>A Mechanism for Prompt Notification of Zone Changes</title> + <author><personname><surname>Vixie</surname><firstname>P.</firstname></personname></author> + <citetitle>A Mechanism for Prompt Notification of Zone Changes</citetitle> <pubdate>August 1996</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2136</abbrev> <authorgroup> - <author> - <surname>Vixie</surname> - <firstname>P.</firstname> - </author> - <author> - <firstname>S.</firstname> - <surname>Thomson</surname> - </author> - <author> - <firstname>Y.</firstname> - <surname>Rekhter</surname> - </author> - <author> - <firstname>J.</firstname> - <surname>Bound</surname> - </author> + <author><personname><surname>Vixie</surname><firstname>P.</firstname></personname></author> + <author><personname><firstname>S.</firstname><surname>Thomson</surname></personname></author> + <author><personname><firstname>Y.</firstname><surname>Rekhter</surname></personname></author> + <author><personname><firstname>J.</firstname><surname>Bound</surname></personname></author> </authorgroup> - <title>Dynamic Updates in the Domain Name System</title> + <citetitle>Dynamic Updates in the Domain Name System</citetitle> <pubdate>April 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2671</abbrev> <authorgroup> - <author> - <firstname>P.</firstname> - <surname>Vixie</surname> - </author> + <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author> </authorgroup> - <title>Extension Mechanisms for DNS (EDNS0)</title> + <citetitle>Extension Mechanisms for DNS (EDNS0)</citetitle> <pubdate>August 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2672</abbrev> <authorgroup> - <author> - <firstname>M.</firstname> - <surname>Crawford</surname> - </author> + <author><personname><firstname>M.</firstname><surname>Crawford</surname></personname></author> </authorgroup> - <title>Non-Terminal DNS Name Redirection</title> + <citetitle>Non-Terminal DNS Name Redirection</citetitle> <pubdate>August 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2845</abbrev> <authorgroup> - <author> - <surname>Vixie</surname> - <firstname>P.</firstname> - </author> - <author> - <firstname>O.</firstname> - <surname>Gudmundsson</surname> - </author> - <author> - <firstname>D.</firstname> - <surname>Eastlake</surname> - <lineage>3rd</lineage> - </author> - <author> - <firstname>B.</firstname> - <surname>Wellington</surname> - </author> + <author><personname><surname>Vixie</surname><firstname>P.</firstname></personname></author> + <author><personname><firstname>O.</firstname><surname>Gudmundsson</surname></personname></author> + <author><personname><firstname>D.</firstname><surname>Eastlake</surname><lineage>3rd</lineage></personname></author> + <author><personname><firstname>B.</firstname><surname>Wellington</surname></personname></author> </authorgroup> - <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title> + <citetitle>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</citetitle> <pubdate>May 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2930</abbrev> <authorgroup> - <author> - <firstname>D.</firstname> - <surname>Eastlake</surname> - <lineage>3rd</lineage> - </author> + <author><personname><firstname>D.</firstname><surname>Eastlake</surname><lineage>3rd</lineage></personname></author> </authorgroup> - <title>Secret Key Establishment for DNS (TKEY RR)</title> + <citetitle>Secret Key Establishment for DNS (TKEY RR)</citetitle> <pubdate>September 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2931</abbrev> <authorgroup> - <author> - <firstname>D.</firstname> - <surname>Eastlake</surname> - <lineage>3rd</lineage> - </author> + <author><personname><firstname>D.</firstname><surname>Eastlake</surname><lineage>3rd</lineage></personname></author> </authorgroup> - <title>DNS Request and Transaction Signatures (SIG(0)s)</title> + <citetitle>DNS Request and Transaction Signatures (SIG(0)s)</citetitle> <pubdate>September 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3007</abbrev> <authorgroup> - <author> - <firstname>B.</firstname> - <surname>Wellington</surname> - </author> + <author><personname><firstname>B.</firstname><surname>Wellington</surname></personname></author> </authorgroup> - <title>Secure Domain Name System (DNS) Dynamic Update</title> + <citetitle>Secure Domain Name System (DNS) Dynamic Update</citetitle> <pubdate>November 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3645</abbrev> <authorgroup> - <author> - <firstname>S.</firstname> - <surname>Kwan</surname> - </author> - <author> - <firstname>P.</firstname> - <surname>Garg</surname> - </author> - <author> - <firstname>J.</firstname> - <surname>Gilroy</surname> - </author> - <author> - <firstname>L.</firstname> - <surname>Esibov</surname> - </author> - <author> - <firstname>J.</firstname> - <surname>Westhead</surname> - </author> - <author> - <firstname>R.</firstname> - <surname>Hall</surname> - </author> + <author><personname><firstname>S.</firstname><surname>Kwan</surname></personname></author> + <author><personname><firstname>P.</firstname><surname>Garg</surname></personname></author> + <author><personname><firstname>J.</firstname><surname>Gilroy</surname></personname></author> + <author><personname><firstname>L.</firstname><surname>Esibov</surname></personname></author> + <author><personname><firstname>J.</firstname><surname>Westhead</surname></personname></author> + <author><personname><firstname>R.</firstname><surname>Hall</surname></personname></author> </authorgroup> - <title>Generic Security Service Algorithm for Secret + <citetitle>Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS - (GSS-TSIG)</title> + (GSS-TSIG)</citetitle> <pubdate>October 2003</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title><acronym>DNS</acronym> Security Proposed Standards</title> + <bibliodiv><info><title><acronym>DNS</acronym> Security Proposed Standards</title></info> + <biblioentry> <abbrev>RFC3225</abbrev> <authorgroup> - <author> - <firstname>D.</firstname> - <surname>Conrad</surname> - </author> + <author><personname><firstname>D.</firstname><surname>Conrad</surname></personname></author> </authorgroup> - <title>Indicating Resolver Support of DNSSEC</title> + <citetitle>Indicating Resolver Support of DNSSEC</citetitle> <pubdate>December 2001</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3833</abbrev> <authorgroup> - <author> - <firstname>D.</firstname> - <surname>Atkins</surname> - </author> - <author> - <firstname>R.</firstname> - <surname>Austein</surname> - </author> + <author><personname><firstname>D.</firstname><surname>Atkins</surname></personname></author> + <author><personname><firstname>R.</firstname><surname>Austein</surname></personname></author> </authorgroup> - <title>Threat Analysis of the Domain Name System (DNS)</title> + <citetitle>Threat Analysis of the Domain Name System (DNS)</citetitle> <pubdate>August 2004</pubdate> </biblioentry> <biblioentry> <abbrev>RFC4033</abbrev> <authorgroup> - <author> - <firstname>R.</firstname> - <surname>Arends</surname> - </author> - <author> - <firstname>R.</firstname> - <surname>Austein</surname> - </author> - <author> - <firstname>M.</firstname> - <surname>Larson</surname> - </author> - <author> - <firstname>D.</firstname> - <surname>Massey</surname> - </author> - <author> - <firstname>S.</firstname> - <surname>Rose</surname> - </author> + <author><personname><firstname>R.</firstname><surname>Arends</surname></personname></author> + <author><personname><firstname>R.</firstname><surname>Austein</surname></personname></author> + <author><personname><firstname>M.</firstname><surname>Larson</surname></personname></author> + <author><personname><firstname>D.</firstname><surname>Massey</surname></personname></author> + <author><personname><firstname>S.</firstname><surname>Rose</surname></personname></author> </authorgroup> - <title>DNS Security Introduction and Requirements</title> + <citetitle>DNS Security Introduction and Requirements</citetitle> <pubdate>March 2005</pubdate> </biblioentry> <biblioentry> <abbrev>RFC4034</abbrev> <authorgroup> - <author> - <firstname>R.</firstname> - <surname>Arends</surname> - </author> - <author> - <firstname>R.</firstname> - <surname>Austein</surname> - </author> - <author> - <firstname>M.</firstname> - <surname>Larson</surname> - </author> - <author> - <firstname>D.</firstname> - <surname>Massey</surname> - </author> - <author> - <firstname>S.</firstname> - <surname>Rose</surname> - </author> + <author><personname><firstname>R.</firstname><surname>Arends</surname></personname></author> + <author><personname><firstname>R.</firstname><surname>Austein</surname></personname></author> + <author><personname><firstname>M.</firstname><surname>Larson</surname></personname></author> + <author><personname><firstname>D.</firstname><surname>Massey</surname></personname></author> + <author><personname><firstname>S.</firstname><surname>Rose</surname></personname></author> </authorgroup> - <title>Resource Records for the DNS Security Extensions</title> + <citetitle>Resource Records for the DNS Security Extensions</citetitle> <pubdate>March 2005</pubdate> </biblioentry> <biblioentry> <abbrev>RFC4035</abbrev> <authorgroup> - <author> - <firstname>R.</firstname> - <surname>Arends</surname> - </author> - <author> - <firstname>R.</firstname> - <surname>Austein</surname> - </author> - <author> - <firstname>M.</firstname> - <surname>Larson</surname> - </author> - <author> - <firstname>D.</firstname> - <surname>Massey</surname> - </author> - <author> - <firstname>S.</firstname> - <surname>Rose</surname> - </author> + <author><personname><firstname>R.</firstname><surname>Arends</surname></personname></author> + <author><personname><firstname>R.</firstname><surname>Austein</surname></personname></author> + <author><personname><firstname>M.</firstname><surname>Larson</surname></personname></author> + <author><personname><firstname>D.</firstname><surname>Massey</surname></personname></author> + <author><personname><firstname>S.</firstname><surname>Rose</surname></personname></author> </authorgroup> - <title>Protocol Modifications for the DNS - Security Extensions</title> + <citetitle>Protocol Modifications for the DNS + Security Extensions</citetitle> <pubdate>March 2005</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title>Other Important RFCs About <acronym>DNS</acronym> - Implementation</title> + <bibliodiv><info><title>Other Important RFCs About <acronym>DNS</acronym> + Implementation</title></info> + <biblioentry> <abbrev>RFC1535</abbrev> - <author> - <surname>Gavron</surname> - <firstname>E.</firstname> - </author> - <title>A Security Problem and Proposed Correction With Widely - Deployed <acronym>DNS</acronym> Software.</title> + <author><personname><surname>Gavron</surname><firstname>E.</firstname></personname></author> + <citetitle>A Security Problem and Proposed Correction With Widely + Deployed <acronym>DNS</acronym> Software.</citetitle> <pubdate>October 1993</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1536</abbrev> <authorgroup> - <author> - <surname>Kumar</surname> - <firstname>A.</firstname> - </author> - <author> - <firstname>J.</firstname> - <surname>Postel</surname> - </author> - <author> - <firstname>C.</firstname> - <surname>Neuman</surname> - </author> - <author> - <firstname>P.</firstname> - <surname>Danzig</surname> - </author> - <author> - <firstname>S.</firstname> - <surname>Miller</surname> - </author> + <author><personname><surname>Kumar</surname><firstname>A.</firstname></personname></author> + <author><personname><firstname>J.</firstname><surname>Postel</surname></personname></author> + <author><personname><firstname>C.</firstname><surname>Neuman</surname></personname></author> + <author><personname><firstname>P.</firstname><surname>Danzig</surname></personname></author> + <author><personname><firstname>S.</firstname><surname>Miller</surname></personname></author> </authorgroup> - <title>Common <acronym>DNS</acronym> Implementation - Errors and Suggested Fixes</title> + <citetitle>Common <acronym>DNS</acronym> Implementation + Errors and Suggested Fixes</citetitle> <pubdate>October 1993</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1982</abbrev> <authorgroup> - <author> - <surname>Elz</surname> - <firstname>R.</firstname> - </author> - <author> - <firstname>R.</firstname> - <surname>Bush</surname> - </author> + <author><personname><surname>Elz</surname><firstname>R.</firstname></personname></author> + <author><personname><firstname>R.</firstname><surname>Bush</surname></personname></author> </authorgroup> - <title>Serial Number Arithmetic</title> + <citetitle>Serial Number Arithmetic</citetitle> <pubdate>August 1996</pubdate> </biblioentry> <biblioentry> <abbrev>RFC4074</abbrev> <authorgroup> - <author> - <surname>Morishita</surname> - <firstname>Y.</firstname> - </author> - <author> - <firstname>T.</firstname> - <surname>Jinmei</surname> - </author> + <author><personname><surname>Morishita</surname><firstname>Y.</firstname></personname></author> + <author><personname><firstname>T.</firstname><surname>Jinmei</surname></personname></author> </authorgroup> - <title>Common Misbehaviour Against <acronym>DNS</acronym> - Queries for IPv6 Addresses</title> + <citetitle>Common Misbehaviour Against <acronym>DNS</acronym> + Queries for IPv6 Addresses</citetitle> <pubdate>May 2005</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title>Resource Record Types</title> + <bibliodiv><info><title>Resource Record Types</title></info> + <biblioentry> <abbrev>RFC1183</abbrev> <authorgroup> - <author> - <surname>Everhart</surname> - <firstname>C.F.</firstname> - </author> - <author> - <firstname>L. A.</firstname> - <surname>Mamakos</surname> - </author> - <author> - <firstname>R.</firstname> - <surname>Ullmann</surname> - </author> - <author> - <firstname>P.</firstname> - <surname>Mockapetris</surname> - </author> + <author><personname><surname>Everhart</surname><firstname>C.F.</firstname></personname></author> + <author><personname><firstname>L. A.</firstname><surname>Mamakos</surname></personname></author> + <author><personname><firstname>R.</firstname><surname>Ullmann</surname></personname></author> + <author><personname><firstname>P.</firstname><surname>Mockapetris</surname></personname></author> </authorgroup> - <title>New <acronym>DNS</acronym> RR Definitions</title> + <citetitle>New <acronym>DNS</acronym> RR Definitions</citetitle> <pubdate>October 1990</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1706</abbrev> <authorgroup> - <author> - <surname>Manning</surname> - <firstname>B.</firstname> - </author> - <author> - <firstname>R.</firstname> - <surname>Colella</surname> - </author> + <author><personname><surname>Manning</surname><firstname>B.</firstname></personname></author> + <author><personname><firstname>R.</firstname><surname>Colella</surname></personname></author> </authorgroup> - <title><acronym>DNS</acronym> NSAP Resource Records</title> + <citetitle><acronym>DNS</acronym> NSAP Resource Records</citetitle> <pubdate>October 1994</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2168</abbrev> <authorgroup> - <author> - <surname>Daniel</surname> - <firstname>R.</firstname> - </author> - <author> - <firstname>M.</firstname> - <surname>Mealling</surname> - </author> + <author><personname><surname>Daniel</surname><firstname>R.</firstname></personname></author> + <author><personname><firstname>M.</firstname><surname>Mealling</surname></personname></author> </authorgroup> - <title>Resolution of Uniform Resource Identifiers using - the Domain Name System</title> + <citetitle>Resolution of Uniform Resource Identifiers using + the Domain Name System</citetitle> <pubdate>June 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1876</abbrev> <authorgroup> - <author> - <surname>Davis</surname> - <firstname>C.</firstname> - </author> - <author> - <firstname>P.</firstname> - <surname>Vixie</surname> - </author> - <author> - <firstname>T.</firstname> - <firstname>Goodwin</firstname> - </author> - <author> - <firstname>I.</firstname> - <surname>Dickinson</surname> - </author> + <author><personname><surname>Davis</surname><firstname>C.</firstname></personname></author> + <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author> + <author><personname><firstname>T.</firstname><firstname>Goodwin</firstname></personname></author> + <author><personname><firstname>I.</firstname><surname>Dickinson</surname></personname></author> </authorgroup> - <title>A Means for Expressing Location Information in the + <citetitle>A Means for Expressing Location Information in the Domain - Name System</title> + Name System</citetitle> <pubdate>January 1996</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2052</abbrev> <authorgroup> - <author> - <surname>Gulbrandsen</surname> - <firstname>A.</firstname> - </author> - <author> - <firstname>P.</firstname> - <surname>Vixie</surname> - </author> + <author><personname><surname>Gulbrandsen</surname><firstname>A.</firstname></personname></author> + <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author> </authorgroup> - <title>A <acronym>DNS</acronym> RR for Specifying the + <citetitle>A <acronym>DNS</acronym> RR for Specifying the Location of - Services.</title> + Services.</citetitle> <pubdate>October 1996</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2163</abbrev> - <author> - <surname>Allocchio</surname> - <firstname>A.</firstname> - </author> - <title>Using the Internet <acronym>DNS</acronym> to + <author><personname><surname>Allocchio</surname><firstname>A.</firstname></personname></author> + <citetitle>Using the Internet <acronym>DNS</acronym> to Distribute MIXER - Conformant Global Address Mapping</title> + Conformant Global Address Mapping</citetitle> <pubdate>January 1998</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2230</abbrev> - <author> - <surname>Atkinson</surname> - <firstname>R.</firstname> - </author> - <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title> + <author><personname><surname>Atkinson</surname><firstname>R.</firstname></personname></author> + <citetitle>Key Exchange Delegation Record for the <acronym>DNS</acronym></citetitle> <pubdate>October 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2536</abbrev> - <author> - <surname>Eastlake</surname> - <firstname>D.</firstname> - <lineage>3rd</lineage> - </author> - <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title> + <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author> + <citetitle>DSA KEYs and SIGs in the Domain Name System (DNS)</citetitle> <pubdate>March 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2537</abbrev> - <author> - <surname>Eastlake</surname> - <firstname>D.</firstname> - <lineage>3rd</lineage> - </author> - <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title> + <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author> + <citetitle>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</citetitle> <pubdate>March 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2538</abbrev> <authorgroup> - <author> - <surname>Eastlake</surname> - <firstname>D.</firstname> - <lineage>3rd</lineage> - </author> - <author> - <surname>Gudmundsson</surname> - <firstname>O.</firstname> - </author> + <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author> + <author><personname><surname>Gudmundsson</surname><firstname>O.</firstname></personname></author> </authorgroup> - <title>Storing Certificates in the Domain Name System (DNS)</title> + <citetitle>Storing Certificates in the Domain Name System (DNS)</citetitle> <pubdate>March 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2539</abbrev> <authorgroup> - <author> - <surname>Eastlake</surname> - <firstname>D.</firstname> - <lineage>3rd</lineage> - </author> + <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author> </authorgroup> - <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title> + <citetitle>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</citetitle> <pubdate>March 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2540</abbrev> <authorgroup> - <author> - <surname>Eastlake</surname> - <firstname>D.</firstname> - <lineage>3rd</lineage> - </author> + <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author> </authorgroup> - <title>Detached Domain Name System (DNS) Information</title> + <citetitle>Detached Domain Name System (DNS) Information</citetitle> <pubdate>March 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2782</abbrev> - <author> - <surname>Gulbrandsen</surname> - <firstname>A.</firstname> - </author> - <author> - <surname>Vixie</surname> - <firstname>P.</firstname> - </author> - <author> - <surname>Esibov</surname> - <firstname>L.</firstname> - </author> - <title>A DNS RR for specifying the location of services (DNS SRV)</title> + <author><personname><surname>Gulbrandsen</surname><firstname>A.</firstname></personname></author> + <author><personname><surname>Vixie</surname><firstname>P.</firstname></personname></author> + <author><personname><surname>Esibov</surname><firstname>L.</firstname></personname></author> + <citetitle>A DNS RR for specifying the location of services (DNS SRV)</citetitle> <pubdate>February 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2915</abbrev> - <author> - <surname>Mealling</surname> - <firstname>M.</firstname> - </author> - <author> - <surname>Daniel</surname> - <firstname>R.</firstname> - </author> - <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title> + <author><personname><surname>Mealling</surname><firstname>M.</firstname></personname></author> + <author><personname><surname>Daniel</surname><firstname>R.</firstname></personname></author> + <citetitle>The Naming Authority Pointer (NAPTR) DNS Resource Record</citetitle> <pubdate>September 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3110</abbrev> - <author> - <surname>Eastlake</surname> - <firstname>D.</firstname> - <lineage>3rd</lineage> - </author> - <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title> + <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author> + <citetitle>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</citetitle> <pubdate>May 2001</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3123</abbrev> - <author> - <surname>Koch</surname> - <firstname>P.</firstname> - </author> - <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title> + <author><personname><surname>Koch</surname><firstname>P.</firstname></personname></author> + <citetitle>A DNS RR Type for Lists of Address Prefixes (APL RR)</citetitle> <pubdate>June 2001</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3596</abbrev> <authorgroup> - <author> - <surname>Thomson</surname> - <firstname>S.</firstname> - </author> - <author> - <firstname>C.</firstname> - <surname>Huitema</surname> - </author> - <author> - <firstname>V.</firstname> - <surname>Ksinant</surname> - </author> - <author> - <firstname>M.</firstname> - <surname>Souissi</surname> - </author> + <author><personname><surname>Thomson</surname><firstname>S.</firstname></personname></author> + <author><personname><firstname>C.</firstname><surname>Huitema</surname></personname></author> + <author><personname><firstname>V.</firstname><surname>Ksinant</surname></personname></author> + <author><personname><firstname>M.</firstname><surname>Souissi</surname></personname></author> </authorgroup> - <title><acronym>DNS</acronym> Extensions to support IP - version 6</title> + <citetitle><acronym>DNS</acronym> Extensions to support IP + version 6</citetitle> <pubdate>October 2003</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3597</abbrev> - <author> - <surname>Gustafsson</surname> - <firstname>A.</firstname> - </author> - <title>Handling of Unknown DNS Resource Record (RR) Types</title> + <author><personname><surname>Gustafsson</surname><firstname>A.</firstname></personname></author> + <citetitle>Handling of Unknown DNS Resource Record (RR) Types</citetitle> <pubdate>September 2003</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title><acronym>DNS</acronym> and the Internet</title> + <bibliodiv><info><title><acronym>DNS</acronym> and the Internet</title></info> + <biblioentry> <abbrev>RFC1101</abbrev> - <author> - <surname>Mockapetris</surname> - <firstname>P. V.</firstname> - </author> - <title><acronym>DNS</acronym> Encoding of Network Names - and Other Types</title> + <author><personname><surname>Mockapetris</surname><firstname>P. V.</firstname></personname></author> + <citetitle><acronym>DNS</acronym> Encoding of Network Names + and Other Types</citetitle> <pubdate>April 1989</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1123</abbrev> - <author> - <surname>Braden</surname> - <surname>R.</surname> - </author> - <title>Requirements for Internet Hosts - Application and - Support</title> + <author><personname><surname>Braden</surname><surname>R.</surname></personname></author> + <citetitle>Requirements for Internet Hosts - Application and + Support</citetitle> <pubdate>October 1989</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1591</abbrev> - <author> - <surname>Postel</surname> - <firstname>J.</firstname> - </author> - <title>Domain Name System Structure and Delegation</title> + <author><personname><surname>Postel</surname><firstname>J.</firstname></personname></author> + <citetitle>Domain Name System Structure and Delegation</citetitle> <pubdate>March 1994</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2317</abbrev> <authorgroup> - <author> - <surname>Eidnes</surname> - <firstname>H.</firstname> - </author> - <author> - <firstname>G.</firstname> - <surname>de Groot</surname> - </author> - <author> - <firstname>P.</firstname> - <surname>Vixie</surname> - </author> + <author><personname><surname>Eidnes</surname><firstname>H.</firstname></personname></author> + <author><personname><firstname>G.</firstname><surname>de Groot</surname></personname></author> + <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author> </authorgroup> - <title>Classless IN-ADDR.ARPA Delegation</title> + <citetitle>Classless IN-ADDR.ARPA Delegation</citetitle> <pubdate>March 1998</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2826</abbrev> <authorgroup> - <author> - <surname>Internet Architecture Board</surname> - </author> + <author><personname><surname>Internet Architecture Board</surname></personname></author> </authorgroup> - <title>IAB Technical Comment on the Unique DNS Root</title> + <citetitle>IAB Technical Comment on the Unique DNS Root</citetitle> <pubdate>May 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2929</abbrev> <authorgroup> - <author> - <surname>Eastlake</surname> - <firstname>D.</firstname> - <lineage>3rd</lineage> - </author> - <author> - <surname>Brunner-Williams</surname> - <firstname>E.</firstname> - </author> - <author> - <surname>Manning</surname> - <firstname>B.</firstname> - </author> + <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author> + <author><personname><surname>Brunner-Williams</surname><firstname>E.</firstname></personname></author> + <author><personname><surname>Manning</surname><firstname>B.</firstname></personname></author> </authorgroup> - <title>Domain Name System (DNS) IANA Considerations</title> + <citetitle>Domain Name System (DNS) IANA Considerations</citetitle> <pubdate>September 2000</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title><acronym>DNS</acronym> Operations</title> + <bibliodiv><info><title><acronym>DNS</acronym> Operations</title></info> + <biblioentry> <abbrev>RFC1033</abbrev> - <author> - <surname>Lottor</surname> - <firstname>M.</firstname> - </author> - <title>Domain administrators operations guide.</title> + <author><personname><surname>Lottor</surname><firstname>M.</firstname></personname></author> + <citetitle>Domain administrators operations guide.</citetitle> <pubdate>November 1987</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1537</abbrev> - <author> - <surname>Beertema</surname> - <firstname>P.</firstname> - </author> - <title>Common <acronym>DNS</acronym> Data File - Configuration Errors</title> + <author><personname><surname>Beertema</surname><firstname>P.</firstname></personname></author> + <citetitle>Common <acronym>DNS</acronym> Data File + Configuration Errors</citetitle> <pubdate>October 1993</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1912</abbrev> - <author> - <surname>Barr</surname> - <firstname>D.</firstname> - </author> - <title>Common <acronym>DNS</acronym> Operational and - Configuration Errors</title> + <author><personname><surname>Barr</surname><firstname>D.</firstname></personname></author> + <citetitle>Common <acronym>DNS</acronym> Operational and + Configuration Errors</citetitle> <pubdate>February 1996</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2010</abbrev> <authorgroup> - <author> - <surname>Manning</surname> - <firstname>B.</firstname> - </author> - <author> - <firstname>P.</firstname> - <surname>Vixie</surname> - </author> + <author><personname><surname>Manning</surname><firstname>B.</firstname></personname></author> + <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author> </authorgroup> - <title>Operational Criteria for Root Name Servers.</title> + <citetitle>Operational Criteria for Root Name Servers.</citetitle> <pubdate>October 1996</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2219</abbrev> <authorgroup> - <author> - <surname>Hamilton</surname> - <firstname>M.</firstname> - </author> - <author> - <firstname>R.</firstname> - <surname>Wright</surname> - </author> + <author><personname><surname>Hamilton</surname><firstname>M.</firstname></personname></author> + <author><personname><firstname>R.</firstname><surname>Wright</surname></personname></author> </authorgroup> - <title>Use of <acronym>DNS</acronym> Aliases for - Network Services.</title> + <citetitle>Use of <acronym>DNS</acronym> Aliases for + Network Services.</citetitle> <pubdate>October 1997</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title>Internationalized Domain Names</title> + <bibliodiv><info><title>Internationalized Domain Names</title></info> + <biblioentry> <abbrev>RFC2825</abbrev> <authorgroup> - <author> - <surname>IAB</surname> - </author> - <author> - <surname>Daigle</surname> - <firstname>R.</firstname> - </author> + <author><personname><surname>IAB</surname></personname></author> + <author><personname><surname>Daigle</surname><firstname>R.</firstname></personname></author> </authorgroup> - <title>A Tangled Web: Issues of I18N, Domain Names, - and the Other Internet protocols</title> + <citetitle>A Tangled Web: Issues of I18N, Domain Names, + and the Other Internet protocols</citetitle> <pubdate>May 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3490</abbrev> <authorgroup> - <author> - <surname>Faltstrom</surname> - <firstname>P.</firstname> - </author> - <author> - <surname>Hoffman</surname> - <firstname>P.</firstname> - </author> - <author> - <surname>Costello</surname> - <firstname>A.</firstname> - </author> + <author><personname><surname>Faltstrom</surname><firstname>P.</firstname></personname></author> + <author><personname><surname>Hoffman</surname><firstname>P.</firstname></personname></author> + <author><personname><surname>Costello</surname><firstname>A.</firstname></personname></author> </authorgroup> - <title>Internationalizing Domain Names in Applications (IDNA)</title> + <citetitle>Internationalizing Domain Names in Applications (IDNA)</citetitle> <pubdate>March 2003</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3491</abbrev> <authorgroup> - <author> - <surname>Hoffman</surname> - <firstname>P.</firstname> - </author> - <author> - <surname>Blanchet</surname> - <firstname>M.</firstname> - </author> + <author><personname><surname>Hoffman</surname><firstname>P.</firstname></personname></author> + <author><personname><surname>Blanchet</surname><firstname>M.</firstname></personname></author> </authorgroup> - <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title> + <citetitle>Nameprep: A Stringprep Profile for Internationalized Domain Names</citetitle> <pubdate>March 2003</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3492</abbrev> <authorgroup> - <author> - <surname>Costello</surname> - <firstname>A.</firstname> - </author> + <author><personname><surname>Costello</surname><firstname>A.</firstname></personname></author> </authorgroup> - <title>Punycode: A Bootstring encoding of Unicode + <citetitle>Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in - Applications (IDNA)</title> + Applications (IDNA)</citetitle> <pubdate>March 2003</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title>Other <acronym>DNS</acronym>-related RFCs</title> + <bibliodiv><info><title>Other <acronym>DNS</acronym>-related RFCs</title></info> + <note> <para> Note: the following list of RFCs, although @@ -17196,165 +16540,108 @@ zone "example.com" { </note> <biblioentry> <abbrev>RFC1464</abbrev> - <author> - <surname>Rosenbaum</surname> - <firstname>R.</firstname> - </author> - <title>Using the Domain Name System To Store Arbitrary String - Attributes</title> + <author><personname><surname>Rosenbaum</surname><firstname>R.</firstname></personname></author> + <citetitle>Using the Domain Name System To Store Arbitrary String + Attributes</citetitle> <pubdate>May 1993</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1713</abbrev> - <author> - <surname>Romao</surname> - <firstname>A.</firstname> - </author> - <title>Tools for <acronym>DNS</acronym> Debugging</title> + <author><personname><surname>Romao</surname><firstname>A.</firstname></personname></author> + <citetitle>Tools for <acronym>DNS</acronym> Debugging</citetitle> <pubdate>November 1994</pubdate> </biblioentry> <biblioentry> <abbrev>RFC1794</abbrev> - <author> - <surname>Brisco</surname> - <firstname>T.</firstname> - </author> - <title><acronym>DNS</acronym> Support for Load - Balancing</title> + <author><personname><surname>Brisco</surname><firstname>T.</firstname></personname></author> + <citetitle><acronym>DNS</acronym> Support for Load + Balancing</citetitle> <pubdate>April 1995</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2240</abbrev> - <author> - <surname>Vaughan</surname> - <firstname>O.</firstname> - </author> - <title>A Legal Basis for Domain Name Allocation</title> + <author><personname><surname>Vaughan</surname><firstname>O.</firstname></personname></author> + <citetitle>A Legal Basis for Domain Name Allocation</citetitle> <pubdate>November 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2345</abbrev> <authorgroup> - <author> - <surname>Klensin</surname> - <firstname>J.</firstname> - </author> - <author> - <firstname>T.</firstname> - <surname>Wolf</surname> - </author> - <author> - <firstname>G.</firstname> - <surname>Oglesby</surname> - </author> + <author><personname><surname>Klensin</surname><firstname>J.</firstname></personname></author> + <author><personname><firstname>T.</firstname><surname>Wolf</surname></personname></author> + <author><personname><firstname>G.</firstname><surname>Oglesby</surname></personname></author> </authorgroup> - <title>Domain Names and Company Name Retrieval</title> + <citetitle>Domain Names and Company Name Retrieval</citetitle> <pubdate>May 1998</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2352</abbrev> - <author> - <surname>Vaughan</surname> - <firstname>O.</firstname> - </author> - <title>A Convention For Using Legal Names as Domain Names</title> + <author><personname><surname>Vaughan</surname><firstname>O.</firstname></personname></author> + <citetitle>A Convention For Using Legal Names as Domain Names</citetitle> <pubdate>May 1998</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3071</abbrev> <authorgroup> - <author> - <surname>Klensin</surname> - <firstname>J.</firstname> - </author> + <author><personname><surname>Klensin</surname><firstname>J.</firstname></personname></author> </authorgroup> - <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title> + <citetitle>Reflections on the DNS, RFC 1591, and Categories of Domains</citetitle> <pubdate>February 2001</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3258</abbrev> <authorgroup> - <author> - <surname>Hardie</surname> - <firstname>T.</firstname> - </author> + <author><personname><surname>Hardie</surname><firstname>T.</firstname></personname></author> </authorgroup> - <title>Distributing Authoritative Name Servers via - Shared Unicast Addresses</title> + <citetitle>Distributing Authoritative Name Servers via + Shared Unicast Addresses</citetitle> <pubdate>April 2002</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3901</abbrev> <authorgroup> - <author> - <surname>Durand</surname> - <firstname>A.</firstname> - </author> - <author> - <firstname>J.</firstname> - <surname>Ihren</surname> - </author> + <author><personname><surname>Durand</surname><firstname>A.</firstname></personname></author> + <author><personname><firstname>J.</firstname><surname>Ihren</surname></personname></author> </authorgroup> - <title>DNS IPv6 Transport Operational Guidelines</title> + <citetitle>DNS IPv6 Transport Operational Guidelines</citetitle> <pubdate>September 2004</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title>Obsolete and Unimplemented Experimental RFC</title> + <bibliodiv><info><title>Obsolete and Unimplemented Experimental RFC</title></info> + <biblioentry> <abbrev>RFC1712</abbrev> <authorgroup> - <author> - <surname>Farrell</surname> - <firstname>C.</firstname> - </author> - <author> - <firstname>M.</firstname> - <surname>Schulze</surname> - </author> - <author> - <firstname>S.</firstname> - <surname>Pleitner</surname> - </author> - <author> - <firstname>D.</firstname> - <surname>Baldoni</surname> - </author> + <author><personname><surname>Farrell</surname><firstname>C.</firstname></personname></author> + <author><personname><firstname>M.</firstname><surname>Schulze</surname></personname></author> + <author><personname><firstname>S.</firstname><surname>Pleitner</surname></personname></author> + <author><personname><firstname>D.</firstname><surname>Baldoni</surname></personname></author> </authorgroup> - <title><acronym>DNS</acronym> Encoding of Geographical - Location</title> + <citetitle><acronym>DNS</acronym> Encoding of Geographical + Location</citetitle> <pubdate>November 1994</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2673</abbrev> <authorgroup> - <author> - <surname>Crawford</surname> - <firstname>M.</firstname> - </author> + <author><personname><surname>Crawford</surname><firstname>M.</firstname></personname></author> </authorgroup> - <title>Binary Labels in the Domain Name System</title> + <citetitle>Binary Labels in the Domain Name System</citetitle> <pubdate>August 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2874</abbrev> <authorgroup> - <author> - <surname>Crawford</surname> - <firstname>M.</firstname> - </author> - <author> - <surname>Huitema</surname> - <firstname>C.</firstname> - </author> + <author><personname><surname>Crawford</surname><firstname>M.</firstname></personname></author> + <author><personname><surname>Huitema</surname><firstname>C.</firstname></personname></author> </authorgroup> - <title>DNS Extensions to Support IPv6 Address Aggregation - and Renumbering</title> + <citetitle>DNS Extensions to Support IPv6 Address Aggregation + and Renumbering</citetitle> <pubdate>July 2000</pubdate> </biblioentry> </bibliodiv> - <bibliodiv> - <title>Obsoleted DNS Security RFCs</title> + <bibliodiv><info><title>Obsoleted DNS Security RFCs</title></info> + <note> <para> Most of these have been consolidated into RFC4033, @@ -17364,152 +16651,101 @@ zone "example.com" { <biblioentry> <abbrev>RFC2065</abbrev> <authorgroup> - <author> - <surname>Eastlake</surname> - <lineage>3rd</lineage> - <firstname>D.</firstname> - </author> - <author> - <firstname>C.</firstname> - <surname>Kaufman</surname> - </author> + <author><personname><surname>Eastlake</surname><lineage>3rd</lineage><firstname>D.</firstname></personname></author> + <author><personname><firstname>C.</firstname><surname>Kaufman</surname></personname></author> </authorgroup> - <title>Domain Name System Security Extensions</title> + <citetitle>Domain Name System Security Extensions</citetitle> <pubdate>January 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2137</abbrev> - <author> - <surname>Eastlake</surname> - <lineage>3rd</lineage> - <firstname>D.</firstname> - </author> - <title>Secure Domain Name System Dynamic Update</title> + <author><personname><surname>Eastlake</surname><lineage>3rd</lineage><firstname>D.</firstname></personname></author> + <citetitle>Secure Domain Name System Dynamic Update</citetitle> <pubdate>April 1997</pubdate> </biblioentry> <biblioentry> <abbrev>RFC2535</abbrev> <authorgroup> - <author> - <surname>Eastlake</surname> - <lineage>3rd</lineage> - <firstname>D.</firstname> - </author> + <author><personname><surname>Eastlake</surname><lineage>3rd</lineage><firstname>D.</firstname></personname></author> </authorgroup> - <title>Domain Name System Security Extensions</title> + <citetitle>Domain Name System Security Extensions</citetitle> <pubdate>March 1999</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3008</abbrev> <authorgroup> - <author> - <surname>Wellington</surname> - <firstname>B.</firstname> - </author> + <author><personname><surname>Wellington</surname><firstname>B.</firstname></personname></author> </authorgroup> - <title>Domain Name System Security (DNSSEC) - Signing Authority</title> + <citetitle>Domain Name System Security (DNSSEC) + Signing Authority</citetitle> <pubdate>November 2000</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3090</abbrev> <authorgroup> - <author> - <surname>Lewis</surname> - <firstname>E.</firstname> - </author> + <author><personname><surname>Lewis</surname><firstname>E.</firstname></personname></author> </authorgroup> - <title>DNS Security Extension Clarification on Zone Status</title> + <citetitle>DNS Security Extension Clarification on Zone Status</citetitle> <pubdate>March 2001</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3445</abbrev> <authorgroup> - <author> - <surname>Massey</surname> - <firstname>D.</firstname> - </author> - <author> - <surname>Rose</surname> - <firstname>S.</firstname> - </author> + <author><personname><surname>Massey</surname><firstname>D.</firstname></personname></author> + <author><personname><surname>Rose</surname><firstname>S.</firstname></personname></author> </authorgroup> - <title>Limiting the Scope of the KEY Resource Record (RR)</title> + <citetitle>Limiting the Scope of the KEY Resource Record (RR)</citetitle> <pubdate>December 2002</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3655</abbrev> <authorgroup> - <author> - <surname>Wellington</surname> - <firstname>B.</firstname> - </author> - <author> - <surname>Gudmundsson</surname> - <firstname>O.</firstname> - </author> + <author><personname><surname>Wellington</surname><firstname>B.</firstname></personname></author> + <author><personname><surname>Gudmundsson</surname><firstname>O.</firstname></personname></author> </authorgroup> - <title>Redefinition of DNS Authenticated Data (AD) bit</title> + <citetitle>Redefinition of DNS Authenticated Data (AD) bit</citetitle> <pubdate>November 2003</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3658</abbrev> <authorgroup> - <author> - <surname>Gudmundsson</surname> - <firstname>O.</firstname> - </author> + <author><personname><surname>Gudmundsson</surname><firstname>O.</firstname></personname></author> </authorgroup> - <title>Delegation Signer (DS) Resource Record (RR)</title> + <citetitle>Delegation Signer (DS) Resource Record (RR)</citetitle> <pubdate>December 2003</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3755</abbrev> <authorgroup> - <author> - <surname>Weiler</surname> - <firstname>S.</firstname> - </author> + <author><personname><surname>Weiler</surname><firstname>S.</firstname></personname></author> </authorgroup> - <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title> + <citetitle>Legacy Resolver Compatibility for Delegation Signer (DS)</citetitle> <pubdate>May 2004</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3757</abbrev> <authorgroup> - <author> - <surname>Kolkman</surname> - <firstname>O.</firstname> - </author> - <author> - <surname>Schlyter</surname> - <firstname>J.</firstname> - </author> - <author> - <surname>Lewis</surname> - <firstname>E.</firstname> - </author> + <author><personname><surname>Kolkman</surname><firstname>O.</firstname></personname></author> + <author><personname><surname>Schlyter</surname><firstname>J.</firstname></personname></author> + <author><personname><surname>Lewis</surname><firstname>E.</firstname></personname></author> </authorgroup> - <title>Domain Name System KEY (DNSKEY) Resource Record - (RR) Secure Entry Point (SEP) Flag</title> + <citetitle>Domain Name System KEY (DNSKEY) Resource Record + (RR) Secure Entry Point (SEP) Flag</citetitle> <pubdate>April 2004</pubdate> </biblioentry> <biblioentry> <abbrev>RFC3845</abbrev> <authorgroup> - <author> - <surname>Schlyter</surname> - <firstname>J.</firstname> - </author> + <author><personname><surname>Schlyter</surname><firstname>J.</firstname></personname></author> </authorgroup> - <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title> + <citetitle>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</citetitle> <pubdate>August 2004</pubdate> </biblioentry> </bibliodiv> </bibliography> - </sect2> - <sect2 id="internet_drafts"> - <title>Internet Drafts</title> + </section> + <section xml:id="internet_drafts"><info><title>Internet Drafts</title></info> + <para> Internet Drafts (IDs) are rough-draft working documents of the Internet Engineering Task Force. They are, in essence, RFCs @@ -17520,71 +16756,59 @@ zone "example.com" { they are "works in progress." IDs have a lifespan of six months after which they are deleted unless updated by their authors. </para> - </sect2> - <sect2> - <title>Other Documents About <acronym>BIND</acronym></title> + </section> + <section xml:id="more_about_bind"><info><title>Other Documents About <acronym>BIND</acronym></title></info> + <para/> <bibliography> <biblioentry> <authorgroup> - <author> - <surname>Albitz</surname> - <firstname>Paul</firstname> - </author> - <author> - <firstname>Cricket</firstname> - <surname>Liu</surname> - </author> + <author><personname><surname>Albitz</surname><firstname>Paul</firstname></personname></author> + <author><personname><firstname>Cricket</firstname><surname>Liu</surname></personname></author> </authorgroup> - <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title> + <citetitle><acronym>DNS</acronym> and <acronym>BIND</acronym></citetitle> <copyright> <year>1998</year> <holder>Sebastopol, CA: O'Reilly and Associates</holder> </copyright> </biblioentry> </bibliography> - </sect2> - </sect1> + </section> + </section> </appendix> - <appendix id="Bv9ARM.ch12"> - <title>BIND 9 DNS Library Support</title> - <xi:include href="libdns.xml"/> + <appendix xml:id="Bv9ARM.ch12"><info><title>BIND 9 DNS Library Support</title></info> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libdns.xml"/> </appendix> - <reference id="Bv9ARM.ch13"> - <title>Manual pages</title> - <xi:include href="../../bin/dig/dig.docbook"/> - <xi:include href="../../bin/dig/host.docbook"/> - <xi:include href="../../bin/python/dnssec-checkds.docbook"/> - <xi:include href="../../bin/python/dnssec-coverage.docbook"/> - <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/> - <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/> - <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/> - <xi:include href="../../bin/dnssec/dnssec-revoke.docbook"/> - <xi:include href="../../bin/dnssec/dnssec-settime.docbook"/> - <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/> - <xi:include href="../../bin/dnssec/dnssec-verify.docbook"/> - <xi:include href="../../bin/check/named-checkconf.docbook"/> - <xi:include href="../../bin/check/named-checkzone.docbook"/> - <xi:include href="../../bin/named/named.docbook"/> - <xi:include href="../../bin/tools/named-journalprint.docbook"/> - <!-- named.conf.docbook and others? --> - <xi:include href="../../bin/nsupdate/nsupdate.docbook"/> - <xi:include href="../../bin/rndc/rndc.docbook"/> - <xi:include href="../../bin/rndc/rndc.conf.docbook"/> - <xi:include href="../../bin/confgen/rndc-confgen.docbook"/> - <xi:include href="../../bin/confgen/ddns-confgen.docbook"/> - <xi:include href="../../bin/tools/arpaname.docbook"/> - <xi:include href="../../bin/tools/genrandom.docbook"/> - <xi:include href="../../bin/tools/isc-hmac-fixup.docbook"/> - <xi:include href="../../bin/tools/nsec3hash.docbook"/> + <reference xml:id="Bv9ARM.ch13"><info><title>Manual pages</title></info> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/dig.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/host.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/python/dnssec-checkds.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/python/dnssec-coverage.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-dsfromkey.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-importkey.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-keygen.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-revoke.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-settime.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-signzone.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-verify.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/check/named-checkconf.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/check/named-checkzone.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/named.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/named.conf.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/lwresd.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/named-journalprint.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/nsupdate/nsupdate.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/rndc/rndc.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/rndc/rndc.conf.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/confgen/rndc-confgen.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/confgen/ddns-confgen.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/arpaname.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/genrandom.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/isc-hmac-fixup.docbook"/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/nsec3hash.docbook"/> </reference> </book> - -<!-- - - Local variables: - - mode: sgml - - End: - --> diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 2d25f2702990..ea1407325e45 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 1. Introduction</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="next" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements"> @@ -39,23 +38,23 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563509">Scope of Document</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563533">Organization of This Document</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564629">Conventions Used in This Document</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564810">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch01.html#doc_scope">Scope of Document</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#organization">Organization of This Document</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#conventions">Conventions Used in This Document</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_overview">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564832">DNS Fundamentals</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564934">Domains and Domain Names</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567271">Zones</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567348">Authoritative Name Servers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567589">Caching Name Servers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567651">Name Servers in Multiple Roles</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_fundamentals">DNS Fundamentals</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#domain_names">Domains and Domain Names</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#zones">Zones</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#auth_servers">Authoritative Name Servers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#cache_servers">Caching Name Servers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#multi_role">Name Servers in Multiple Roles</a></span></dt> </dl></dd> </dl> </div> @@ -69,9 +68,9 @@ group of distributed hierarchical databases. </p> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2563509"></a>Scope of Document</h2></div></div></div> +<a name="doc_scope"></a>Scope of Document</h2></div></div></div> <p> The Berkeley Internet Name Domain (<acronym class="acronym">BIND</acronym>) implements a @@ -83,9 +82,9 @@ </p> <p>This version of the manual corresponds to BIND version 9.9.</p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2563533"></a>Organization of This Document</h2></div></div></div> +<a name="organization"></a>Organization of This Document</h2></div></div></div> <p> In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span> @@ -112,17 +111,17 @@ System. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2564629"></a>Conventions Used in This Document</h2></div></div></div> +<a name="conventions"></a>Conventions Used in This Document</h2></div></div></div> <p> In this document, we use the following general typographic conventions: </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="3.000in" class="1"> +<col width="2.625in" class="2"> </colgroup> <tbody> <tr> @@ -182,8 +181,8 @@ <acronym class="acronym">BIND</acronym> configuration file:</p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="3.000in" class="1"> +<col width="2.625in" class="2"> </colgroup> <tbody> <tr> @@ -239,9 +238,9 @@ <p> </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2564810"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div> +<a name="dns_overview"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div> <p> The purpose of this document is to explain the installation and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet @@ -249,9 +248,9 @@ begin by reviewing the fundamentals of the Domain Name System (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>. </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2564832"></a>DNS Fundamentals</h3></div></div></div> +<a name="dns_fundamentals"></a>DNS Fundamentals</h3></div></div></div> <p> The Domain Name System (DNS) is a hierarchical, distributed database. It stores information for mapping Internet host names to @@ -265,15 +264,15 @@ more <span class="emphasis"><em>name servers</em></span> and interprets the responses. The <acronym class="acronym">BIND</acronym> 9 software distribution contains a - name server, <span><strong class="command">named</strong></span>, and a resolver - library, <span><strong class="command">liblwres</strong></span>. The older - <span><strong class="command">libbind</strong></span> resolver library is also available + name server, <span class="command"><strong>named</strong></span>, and a resolver + library, <span class="command"><strong>liblwres</strong></span>. The older + <span class="command"><strong>libbind</strong></span> resolver library is also available from ISC as a separate download. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2564934"></a>Domains and Domain Names</h3></div></div></div> +<a name="domain_names"></a>Domains and Domain Names</h3></div></div></div> <p> The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to organizational or administrative boundaries. Each node of the tree, @@ -309,17 +308,17 @@ The data associated with each domain name is stored in the form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s). Some of the supported resource record types are described in - <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>. + <a class="xref" href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>. </p> <p> For more detailed information about the design of the DNS and the DNS protocol, please refer to the standards documents listed in - <a href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>. + <a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2567271"></a>Zones</h3></div></div></div> +<a name="zones"></a>Zones</h3></div></div></div> <p> To properly operate a name server, it is important to understand the difference between a <span class="emphasis"><em>zone</em></span> @@ -370,9 +369,9 @@ actually asking for slave service for some collection of zones. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2567348"></a>Authoritative Name Servers</h3></div></div></div> +<a name="auth_servers"></a>Authoritative Name Servers</h3></div></div></div> <p> Each zone is served by at least one <span class="emphasis"><em>authoritative name server</em></span>, @@ -385,11 +384,11 @@ Responses from authoritative servers have the "authoritative answer" (AA) bit set in the response packets. This makes them easy to identify when debugging DNS configurations using tools like - <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>). + <span class="command"><strong>dig</strong></span> (<a class="xref" href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>). </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2567371"></a>The Primary Master</h4></div></div></div> +<a name="primary_master"></a>The Primary Master</h4></div></div></div> <p> The authoritative server where the master copy of the zone data is maintained is called the @@ -407,9 +406,9 @@ <span class="emphasis"><em>dynamic update</em></span> operations. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2567401"></a>Slave Servers</h4></div></div></div> +<a name="slave_server"></a>Slave Servers</h4></div></div></div> <p> The other authoritative servers, the <span class="emphasis"><em>slave</em></span> servers (also known as <span class="emphasis"><em>secondary</em></span> servers) @@ -423,9 +422,9 @@ may itself act as a master to a subordinate slave server. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2567422"></a>Stealth Servers</h4></div></div></div> +<a name="stealth_server"></a>Stealth Servers</h4></div></div></div> <p> Usually all of the zone's authoritative servers are listed in NS records in the parent zone. These NS records constitute @@ -458,9 +457,9 @@ </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2567589"></a>Caching Name Servers</h3></div></div></div> +<a name="cache_servers"></a>Caching Name Servers</h3></div></div></div> <p> The resolver libraries provided by most operating systems are <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not @@ -485,9 +484,9 @@ the cache of a caching name server is controlled by the Time To Live (TTL) field associated with each resource record. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2567624"></a>Forwarding</h4></div></div></div> +<a name="forwarder"></a>Forwarding</h4></div></div></div> <p> Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can @@ -512,9 +511,9 @@ </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2567651"></a>Name Servers in Multiple Roles</h3></div></div></div> +<a name="multi_role"></a>Name Servers in Multiple Roles</h3></div></div></div> <p> The <acronym class="acronym">BIND</acronym> name server can simultaneously act as @@ -556,6 +555,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 3500ab4d6456..8f65b88b8e1c 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 2. BIND Resource Requirements</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction"> <link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration"> @@ -39,22 +38,22 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567685">Hardware requirements</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567712">CPU Requirements</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567793">Memory Requirements</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567819">Name Server Intensive Environment Issues</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567830">Supported Operating Systems</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2567685"></a>Hardware requirements</h2></div></div></div> +<a name="hw_req"></a>Hardware requirements</h2></div></div></div> <p> <acronym class="acronym">DNS</acronym> hardware requirements have traditionally been quite modest. @@ -71,9 +70,9 @@ multiprocessor systems for installations that need it. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2567712"></a>CPU Requirements</h2></div></div></div> +<a name="cpu_req"></a>CPU Requirements</h2></div></div></div> <p> CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from i486-class machines @@ -82,18 +81,18 @@ signed zones, serving many thousands of queries per second. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2567793"></a>Memory Requirements</h2></div></div></div> +<a name="mem_req"></a>Memory Requirements</h2></div></div></div> <p> The memory of the server has to be large enough to fit the - cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span> + cache and zones loaded off disk. The <span class="command"><strong>max-cache-size</strong></span> option can be used to limit the amount of memory used by the cache, at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym> traffic. Additionally, if additional section caching - (<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called “Additional Section Caching”</a>) is enabled, - the <span><strong class="command">max-acache-size</strong></span> option can be used to + (<a class="xref" href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called “Additional Section Caching”</a>) is enabled, + the <span class="command"><strong>max-acache-size</strong></span> option can be used to limit the amount of memory used by the mechanism. It is still good practice to have enough memory to load @@ -105,9 +104,9 @@ fast as they are being inserted. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2567819"></a>Name Server Intensive Environment Issues</h2></div></div></div> +<a name="intensive_env"></a>Name Server Intensive Environment Issues</h2></div></div></div> <p> For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and @@ -122,9 +121,9 @@ as none of the name servers share their cached data. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2567830"></a>Supported Operating Systems</h2></div></div></div> +<a name="supported_os"></a>Supported Operating Systems</h2></div></div></div> <p> ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large number @@ -154,6 +153,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 0131e301179e..fa809476210d 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 3. Name Server Configuration</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements"> <link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features"> @@ -39,22 +38,22 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567998">A Caching-only Name Server</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568014">An Authoritative-only Name Server</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568037">Load Balancing</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568391">Name Server Operations</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568396">Tools for Use With the Name Server Daemon</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569449">Signals</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt> </dl></dd> </dl> </div> @@ -63,17 +62,17 @@ with guidelines for their use. We suggest reasonable values for certain option settings. </p> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2567998"></a>A Caching-only Name Server</h3></div></div></div> +<a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div> <p> The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All queries - from outside clients are refused using the <span><strong class="command">allow-query</strong></span> + from outside clients are refused using the <span class="command"><strong>allow-query</strong></span> option. Alternatively, the same effect could be achieved using suitable firewall rules. @@ -96,9 +95,9 @@ zone "0.0.127.in-addr.arpa" { }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2568014"></a>An Authoritative-only Name Server</h3></div></div></div> +<a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div> <p> This sample configuration is for an authoritative-only server that is the master server for "<code class="filename">example.com</code>" @@ -144,9 +143,9 @@ zone "eng.example.com" { </pre> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2568037"></a>Load Balancing</h2></div></div></div> +<a name="load_balancing"></a>Load Balancing</h2></div></div></div> <p> A primitive form of load balancing can be achieved in the <acronym class="acronym">DNS</acronym> by using multiple records @@ -160,11 +159,11 @@ zone "eng.example.com" { </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> -<col> -<col> +<col width="0.875in" class="1"> +<col width="0.500in" class="2"> +<col width="0.750in" class="3"> +<col width="0.750in" class="4"> +<col width="2.028in" class="5"> </colgroup> <tbody> <tr> @@ -282,38 +281,38 @@ zone "eng.example.com" { </p> <p> For more detail on ordering responses, check the - <span><strong class="command">rrset-order</strong></span> sub-statement in the - <span><strong class="command">options</strong></span> statement, see - <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>. + <span class="command"><strong>rrset-order</strong></span> sub-statement in the + <span class="command"><strong>options</strong></span> statement, see + <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2568391"></a>Name Server Operations</h2></div></div></div> -<div class="sect2" lang="en"> +<a name="ns_operations"></a>Name Server Operations</h2></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2568396"></a>Tools for Use With the Name Server Daemon</h3></div></div></div> +<a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div> <p> This section describes several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div> <p> - The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and - <span><strong class="command">nslookup</strong></span> programs are all command + The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and + <span class="command"><strong>nslookup</strong></span> programs are all command line tools for manually querying name servers. They differ in style and output format. </p> -<div class="variablelist"><dl> -<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt> <dd> <p> - The domain information groper (<span><strong class="command">dig</strong></span>) + The domain information groper (<span class="command"><strong>dig</strong></span>) is the most versatile and complete of these lookup tools. It has two modes: simple interactive mode for a single query, and batch mode which executes a @@ -324,21 +323,21 @@ zone "eng.example.com" { </p> <div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div> <p> - The usual simple use of <span><strong class="command">dig</strong></span> will take the form + The usual simple use of <span class="command"><strong>dig</strong></span> will take the form </p> -<p> - <span><strong class="command">dig @server domain query-type query-class</strong></span> +<p class="simpara"> + <span class="command"><strong>dig @server domain query-type query-class</strong></span> </p> <p> For more information and a list of available commands and - options, see the <span><strong class="command">dig</strong></span> man + options, see the <span class="command"><strong>dig</strong></span> man page. </p> </dd> -<dt><span class="term"><span><strong class="command">host</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>host</strong></span></span></dt> <dd> <p> - The <span><strong class="command">host</strong></span> utility emphasizes + The <span class="command"><strong>host</strong></span> utility emphasizes simplicity and ease of use. By default, it converts between host names and Internet addresses, but its @@ -348,13 +347,13 @@ zone "eng.example.com" { <div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div> <p> For more information and a list of available commands and - options, see the <span><strong class="command">host</strong></span> man + options, see the <span class="command"><strong>host</strong></span> man page. </p> </dd> -<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt> <dd> -<p><span><strong class="command">nslookup</strong></span> +<p><span class="command"><strong>nslookup</strong></span> has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various @@ -382,144 +381,143 @@ zone "eng.example.com" { </p> <p> Due to its arcane user interface and frequently inconsistent - behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>. - Use <span><strong class="command">dig</strong></span> instead. + behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>. + Use <span class="command"><strong>dig</strong></span> instead. </p> </dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="admin_tools"></a>Administrative Tools</h4></div></div></div> <p> Administrative tools play an integral part in the management of a server. </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt> -<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span> +<a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span> </dt> <dd> <p> - The <span><strong class="command">named-checkconf</strong></span> program + The <span class="command"><strong>named-checkconf</strong></span> program checks the syntax of a <code class="filename">named.conf</code> file. </p> <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div> </dd> <dt> -<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span> +<a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span> </dt> <dd> <p> - The <span><strong class="command">named-checkzone</strong></span> program + The <span class="command"><strong>named-checkzone</strong></span> program checks a master file for syntax and consistency. </p> <div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div> </dd> <dt> -<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span> +<a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span> </dt> <dd><p> - Similar to <span><strong class="command">named-checkzone,</strong></span> but + Similar to <span class="command"><strong>named-checkzone,</strong></span> but it always dumps the zone content to a specified file (typically in a different format). </p></dd> <dt> -<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span> +<a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span> </dt> <dd> <p> The remote name daemon control - (<span><strong class="command">rndc</strong></span>) program allows the + (<span class="command"><strong>rndc</strong></span>) program allows the system administrator to control the operation of a name server. - Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span> - supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span> - utility except <span><strong class="command">ndc start</strong></span> and - <span><strong class="command">ndc restart</strong></span>, which were also - not supported in <span><strong class="command">ndc</strong></span>'s + Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span> + supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span> + utility except <span class="command"><strong>ndc start</strong></span> and + <span class="command"><strong>ndc restart</strong></span>, which were also + not supported in <span class="command"><strong>ndc</strong></span>'s channel mode. - If you run <span><strong class="command">rndc</strong></span> without any + If you run <span class="command"><strong>rndc</strong></span> without any options it will display a usage message as follows: </p> <div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div> -<p>See <a href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of - the available <span><strong class="command">rndc</strong></span> commands. +<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of + the available <span class="command"><strong>rndc</strong></span> commands. </p> <p> - <span><strong class="command">rndc</strong></span> requires a configuration file, + <span class="command"><strong>rndc</strong></span> requires a configuration file, since all communication with the server is authenticated with digital signatures that rely on a shared secret, and there is no way to provide that secret other than with a configuration file. The default location for the - <span><strong class="command">rndc</strong></span> configuration file is + <span class="command"><strong>rndc</strong></span> configuration file is <code class="filename">/etc/rndc.conf</code>, but an alternate location can be specified with the <code class="option">-c</code> option. If the configuration file is not found, - <span><strong class="command">rndc</strong></span> will also look in + <span class="command"><strong>rndc</strong></span> will also look in <code class="filename">/etc/rndc.key</code> (or whatever <code class="varname">sysconfdir</code> was defined when the <acronym class="acronym">BIND</acronym> build was configured). The <code class="filename">rndc.key</code> file is generated by - running <span><strong class="command">rndc-confgen -a</strong></span> as + running <span class="command"><strong>rndc-confgen -a</strong></span> as described in - <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and - Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and Usage”</a>. </p> <p> The format of the configuration file is similar to that of <code class="filename">named.conf</code>, but limited to - only four statements, the <span><strong class="command">options</strong></span>, - <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and - <span><strong class="command">include</strong></span> + only four statements, the <span class="command"><strong>options</strong></span>, + <span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and + <span class="command"><strong>include</strong></span> statements. These statements are what associate the secret keys to the servers with which they are meant to be shared. The order of statements is not significant. </p> <p> - The <span><strong class="command">options</strong></span> statement has + The <span class="command"><strong>options</strong></span> statement has three clauses: - <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>, - and <span><strong class="command">default-port</strong></span>. - <span><strong class="command">default-server</strong></span> takes a + <span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>, + and <span class="command"><strong>default-port</strong></span>. + <span class="command"><strong>default-server</strong></span> takes a host name or address argument and represents the server that will be contacted if no <code class="option">-s</code> option is provided on the command line. - <span><strong class="command">default-key</strong></span> takes - the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement. - <span><strong class="command">default-port</strong></span> specifies the + <span class="command"><strong>default-key</strong></span> takes + the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement. + <span class="command"><strong>default-port</strong></span> specifies the port to which - <span><strong class="command">rndc</strong></span> should connect if no + <span class="command"><strong>rndc</strong></span> should connect if no port is given on the command line or in a - <span><strong class="command">server</strong></span> statement. + <span class="command"><strong>server</strong></span> statement. </p> <p> - The <span><strong class="command">key</strong></span> statement defines a + The <span class="command"><strong>key</strong></span> statement defines a key to be used - by <span><strong class="command">rndc</strong></span> when authenticating + by <span class="command"><strong>rndc</strong></span> when authenticating with - <span><strong class="command">named</strong></span>. Its syntax is + <span class="command"><strong>named</strong></span>. Its syntax is identical to the - <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>. + <span class="command"><strong>key</strong></span> statement in <code class="filename">named.conf</code>. The keyword <strong class="userinput"><code>key</code></strong> is followed by a key name, which must be a valid domain name, though it need not actually be hierarchical; thus, a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid name. - The <span><strong class="command">key</strong></span> statement has two + The <span class="command"><strong>key</strong></span> statement has two clauses: - <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>. + <span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>. While the configuration parser will accept any string as the argument to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>" @@ -527,18 +525,18 @@ zone "eng.example.com" { as specified in RFC 3548. </p> <p> - The <span><strong class="command">server</strong></span> statement + The <span class="command"><strong>server</strong></span> statement associates a key - defined using the <span><strong class="command">key</strong></span> + defined using the <span class="command"><strong>key</strong></span> statement with a server. The keyword <strong class="userinput"><code>server</code></strong> is followed by a - host name or address. The <span><strong class="command">server</strong></span> statement - has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>. - The <span><strong class="command">key</strong></span> clause specifies the + host name or address. The <span class="command"><strong>server</strong></span> statement + has two clauses: <span class="command"><strong>key</strong></span> and <span class="command"><strong>port</strong></span>. + The <span class="command"><strong>key</strong></span> clause specifies the name of the key to be used when communicating with this server, and the - <span><strong class="command">port</strong></span> clause can be used to - specify the port <span><strong class="command">rndc</strong></span> should + <span class="command"><strong>port</strong></span> clause can be used to + specify the port <span class="command"><strong>rndc</strong></span> should connect to on the server. </p> @@ -580,15 +578,15 @@ controls { <code class="literal">rndc_key</code>. </p> <p> - Running the <span><strong class="command">rndc-confgen</strong></span> + Running the <span class="command"><strong>rndc-confgen</strong></span> program will conveniently create a <code class="filename">rndc.conf</code> file for you, and also display the - corresponding <span><strong class="command">controls</strong></span> + corresponding <span class="command"><strong>controls</strong></span> statement that you need to add to <code class="filename">named.conf</code>. Alternatively, - you can run <span><strong class="command">rndc-confgen -a</strong></span> + you can run <span class="command"><strong>rndc-confgen -a</strong></span> to set up a <code class="filename">rndc.key</code> file and not modify @@ -598,23 +596,23 @@ controls { </dl></div> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2569449"></a>Signals</h3></div></div></div> +<a name="signals"></a>Signals</h3></div></div></div> <p> Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can - be sent using the <span><strong class="command">kill</strong></span> command. + be sent using the <span class="command"><strong>kill</strong></span> command. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.125in" class="1"> +<col width="4.000in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">SIGHUP</strong></span></p> + <p><span class="command"><strong>SIGHUP</strong></span></p> </td> <td> <p> @@ -625,7 +623,7 @@ controls { </tr> <tr> <td> - <p><span><strong class="command">SIGTERM</strong></span></p> + <p><span class="command"><strong>SIGTERM</strong></span></p> </td> <td> <p> @@ -635,7 +633,7 @@ controls { </tr> <tr> <td> - <p><span><strong class="command">SIGINT</strong></span></p> + <p><span class="command"><strong>SIGINT</strong></span></p> </td> <td> <p> @@ -665,6 +663,6 @@ controls { </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 429f7b59f3c3..fc56caf65b4b 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 4. Advanced DNS Features</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration"> <link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver"> @@ -39,100 +38,101 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564237">Split DNS</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564256">Example split DNS setup</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt> +<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt> +<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570560">Generate Shared Keys for Each Pair of Hosts</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570701">Copying the Shared Secret to Both Machines</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570712">Informing the Servers of the Key's Existence</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570748">Instructing the Server to Use the Key</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570806">TSIG Key Based Access Control</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570855">Errors</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570869">TKEY</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570918">SIG(0)</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571054">Generating Keys</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571270">Signing the Zone</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571351">Configuring Servers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610615">Converting from insecure to secure</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610652">Dynamic DNS update method</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563653">Fully automatic zone signing</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563900">Private-type records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563938">DNSKEY rollovers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563950">Dynamic DNS update method</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564052">Automatic key rollovers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564078">NSEC3PARAM rollovers via UPDATE</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564088">Converting from NSEC to NSEC3</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569832">Converting from NSEC3 to NSEC</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569845">Converting from secure to insecure</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569882">Periodic re-signing</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569892">NSEC3 and OPTOUT</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610129">Validating Resolver</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610151">Authoritative Server</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613326">Prerequisites</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611166">Building BIND 9 with PKCS#11</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613408">PKCS #11 Tools</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613438">Using the HSM</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637735">Specifying the engine on the command line</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637781">Running named with automatic zone re-signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.4">Prerequisites</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.5">Building BIND 9 with PKCS#11</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">PKCS #11 Tools</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Using the HSM</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">Specifying the engine on the command line</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">Running named with automatic zone re-signing</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571571">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571837">Address Lookups Using AAAA Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571859">Address to Name Lookups Using Nibble Format</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Address Lookups Using AAAA Records</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Address to Name Lookups Using Nibble Format</a></span></dt> </dl></dd> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="notify"></a>Notify</h2></div></div></div> <p> <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone's data. In - response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the + response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the slave will check to see that its version of the zone is the current version and, if not, initiate a zone transfer. </p> <p> For more information about <acronym class="acronym">DNS</acronym> - <span><strong class="command">NOTIFY</strong></span>, see the description of the - <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and - the description of the zone option <span><strong class="command">also-notify</strong></span> in - <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span> + <span class="command"><strong>NOTIFY</strong></span>, see the description of the + <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and + the description of the zone option <span class="command"><strong>also-notify</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span> protocol is specified in RFC 1996. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> - As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>, - by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone - it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will - cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master +<p> + As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>, + by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone + it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will + cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master zones that it loads. - </div> + </p> +</div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="dynamic_update"></a>Dynamic Update</h2></div></div></div> <p> @@ -143,22 +143,22 @@ </p> <p> Dynamic update is enabled by including an - <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span> - clause in the <span><strong class="command">zone</strong></span> statement. + <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span> + clause in the <span class="command"><strong>zone</strong></span> statement. </p> <p> - If the zone's <span><strong class="command">update-policy</strong></span> is set to + If the zone's <span class="command"><strong>update-policy</strong></span> is set to <strong class="userinput"><code>local</code></strong>, updates to the zone will be permitted for the key <code class="varname">local-ddns</code>, - which will be generated by <span><strong class="command">named</strong></span> at startup. - See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details. + which will be generated by <span class="command"><strong>named</strong></span> at startup. + See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details. </p> <p> Dynamic updates using Kerberos signed requests can be made using the TKEY/GSS protocol by setting either the - <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively - by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span> - and <span><strong class="command">tkey-domain</strong></span> options. Once enabled, + <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively + by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span> + and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled, Kerberos signed requests will be matched against the update policies for the zone, using the Kerberos principal as the signer for the request. @@ -170,7 +170,7 @@ zone key. Update authorization is based on transaction signatures and an explicit server policy. </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="journal"></a>The journal file</h3></div></div></div> <p> @@ -212,37 +212,37 @@ hand because they are not guaranteed to contain the most recent dynamic changes — those are only in the journal file. The only way to ensure that the zone file of a dynamic zone - is up to date is to run <span><strong class="command">rndc stop</strong></span>. + is up to date is to run <span class="command"><strong>rndc stop</strong></span>. </p> <p> If you have to make changes to a dynamic zone manually, the following procedure will work: Disable dynamic updates to the zone using - <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>. + <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>. This will update the zone's master file with the changes stored in its <code class="filename">.jnl</code> file. Edit the zone file. Run - <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span> + <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span> to reload the changed zone and re-enable dynamic updates. </p> <p> - <span><strong class="command">rndc sync <em class="replaceable"><code>zone</code></em></strong></span> + <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span> will update the zone file with changes from the journal file without stopping dynamic updates; this may be useful for viewing the current zone state. To remove the <code class="filename">.jnl</code> file after updating the zone file, use - <span><strong class="command">rndc sync -clean</strong></span>. + <span class="command"><strong>rndc sync -clean</strong></span>. </p> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div> <p> The incremental zone transfer (IXFR) protocol is a way for slave servers to transfer only changed data, instead of having to transfer the entire zone. The IXFR protocol is specified in RFC - 1995. See <a href="Bv9ARM.ch11.html#proposed_standards">Proposed Standards</a>. + 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>. </p> <p> When acting as a master, <acronym class="acronym">BIND</acronym> 9 @@ -252,20 +252,20 @@ whose data was obtained by IXFR. For manually maintained master zones, and for slave zones obtained by performing a full zone transfer (AXFR), IXFR is supported only if the option - <span><strong class="command">ixfr-from-differences</strong></span> is set + <span class="command"><strong>ixfr-from-differences</strong></span> is set to <strong class="userinput"><code>yes</code></strong>. </p> <p> When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling - IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause - of the <span><strong class="command">server</strong></span> statement. + IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause + of the <span class="command"><strong>server</strong></span> statement. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2564237"></a>Split DNS</h2></div></div></div> +<a name="split_dns"></a>Split DNS</h2></div></div></div> <p> Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -293,126 +293,126 @@ on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network. </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2564256"></a>Example split DNS setup</h3></div></div></div> -<p> - Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span> - (<code class="literal">example.com</code>) - has several corporate sites that have an internal network with - reserved - Internet Protocol (IP) space and an external demilitarized zone (DMZ), - or "outside" section of a network, that is available to the public. - </p> +<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div> +<p> + Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span> + (<code class="literal">example.com</code>) + has several corporate sites that have an internal network with + reserved + Internet Protocol (IP) space and an external demilitarized zone (DMZ), + or "outside" section of a network, that is available to the public. + </p> <p> - <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients - to be able to resolve external hostnames and to exchange mail with - people on the outside. The company also wants its internal resolvers - to have access to certain internal-only zones that are not available - at all outside of the internal network. - </p> + <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients + to be able to resolve external hostnames and to exchange mail with + people on the outside. The company also wants its internal resolvers + to have access to certain internal-only zones that are not available + at all outside of the internal network. + </p> <p> - In order to accomplish this, the company will set up two sets - of name servers. One set will be on the inside network (in the - reserved - IP space) and the other set will be on bastion hosts, which are - "proxy" - hosts that can talk to both sides of its network, in the DMZ. - </p> + In order to accomplish this, the company will set up two sets + of name servers. One set will be on the inside network (in the + reserved + IP space) and the other set will be on bastion hosts, which are + "proxy" + hosts that can talk to both sides of its network, in the DMZ. + </p> <p> - The internal servers will be configured to forward all queries, - except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>, - and <code class="filename">site2.example.com</code>, to the servers - in the - DMZ. These internal servers will have complete sets of information - for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>, - and <code class="filename">site2.internal</code>. - </p> + The internal servers will be configured to forward all queries, + except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>, + and <code class="filename">site2.example.com</code>, to the servers + in the + DMZ. These internal servers will have complete sets of information + for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>, + and <code class="filename">site2.internal</code>. + </p> <p> - To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains, - the internal name servers must be configured to disallow all queries - to these domains from any external hosts, including the bastion - hosts. - </p> + To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains, + the internal name servers must be configured to disallow all queries + to these domains from any external hosts, including the bastion + hosts. + </p> <p> - The external servers, which are on the bastion hosts, will - be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones. - This could include things such as the host records for public servers - (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>), - and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>). - </p> + The external servers, which are on the bastion hosts, will + be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones. + This could include things such as the host records for public servers + (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>), + and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>). + </p> <p> - In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones - should have special MX records that contain wildcard (`*') records - pointing to the bastion hosts. This is needed because external mail - servers do not have any other way of looking up how to deliver mail - to those internal hosts. With the wildcard records, the mail will - be delivered to the bastion host, which can then forward it on to - internal hosts. - </p> + In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones + should have special MX records that contain wildcard (`*') records + pointing to the bastion hosts. This is needed because external mail + servers do not have any other way of looking up how to deliver mail + to those internal hosts. With the wildcard records, the mail will + be delivered to the bastion host, which can then forward it on to + internal hosts. + </p> <p> - Here's an example of a wildcard MX record: - </p> + Here's an example of a wildcard MX record: + </p> <pre class="programlisting">* IN MX 10 external1.example.com.</pre> <p> - Now that they accept mail on behalf of anything in the internal - network, the bastion hosts will need to know how to deliver mail - to internal hosts. In order for this to work properly, the resolvers - on - the bastion hosts will need to be configured to point to the internal - name servers for DNS resolution. - </p> + Now that they accept mail on behalf of anything in the internal + network, the bastion hosts will need to know how to deliver mail + to internal hosts. In order for this to work properly, the resolvers + on + the bastion hosts will need to be configured to point to the internal + name servers for DNS resolution. + </p> <p> - Queries for internal hostnames will be answered by the internal - servers, and queries for external hostnames will be forwarded back - out to the DNS servers on the bastion hosts. - </p> + Queries for internal hostnames will be answered by the internal + servers, and queries for external hostnames will be forwarded back + out to the DNS servers on the bastion hosts. + </p> <p> - In order for all this to work properly, internal clients will - need to be configured to query <span class="emphasis"><em>only</em></span> the internal - name servers for DNS queries. This could also be enforced via - selective - filtering on the network. - </p> + In order for all this to work properly, internal clients will + need to be configured to query <span class="emphasis"><em>only</em></span> the internal + name servers for DNS queries. This could also be enforced via + selective + filtering on the network. + </p> <p> - If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s - internal clients will now be able to: - </p> -<div class="itemizedlist"><ul type="disc"> -<li> - Look up any hostnames in the <code class="literal">site1</code> - and - <code class="literal">site2.example.com</code> zones. - </li> -<li> - Look up any hostnames in the <code class="literal">site1.internal</code> and - <code class="literal">site2.internal</code> domains. - </li> -<li>Look up any hostnames on the Internet.</li> -<li>Exchange mail with both internal and external people.</li> + If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s + internal clients will now be able to: + </p> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"> + Look up any hostnames in the <code class="literal">site1</code> + and + <code class="literal">site2.example.com</code> zones. + </li> +<li class="listitem"> + Look up any hostnames in the <code class="literal">site1.internal</code> and + <code class="literal">site2.internal</code> domains. + </li> +<li class="listitem">Look up any hostnames on the Internet.</li> +<li class="listitem">Exchange mail with both internal and external people.</li> </ul></div> <p> - Hosts on the Internet will be able to: - </p> -<div class="itemizedlist"><ul type="disc"> -<li> - Look up any hostnames in the <code class="literal">site1</code> - and - <code class="literal">site2.example.com</code> zones. - </li> -<li> - Exchange mail with anyone in the <code class="literal">site1</code> and - <code class="literal">site2.example.com</code> zones. - </li> + Hosts on the Internet will be able to: + </p> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"> + Look up any hostnames in the <code class="literal">site1</code> + and + <code class="literal">site2.example.com</code> zones. + </li> +<li class="listitem"> + Exchange mail with anyone in the <code class="literal">site1</code> and + <code class="literal">site2.example.com</code> zones. + </li> </ul></div> <p> - Here is an example configuration for the setup we just - described above. Note that this is only configuration information; - for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>. - </p> + Here is an example configuration for the setup we just + described above. Note that this is only configuration information; + for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>. + </p> <p> - Internal DNS server config: - </p> + Internal DNS server config: + </p> <pre class="programlisting"> acl internals { 172.16.72.0/24; 192.168.1.0/24; }; @@ -475,8 +475,8 @@ zone "site2.internal" { }; </pre> <p> - External (bastion host) DNS server config: - </p> + External (bastion host) DNS server config: + </p> <pre class="programlisting"> acl internals { 172.16.72.0/24; 192.168.1.0/24; }; @@ -512,9 +512,9 @@ zone "site2.example.com" { }; </pre> <p> - In the <code class="filename">resolv.conf</code> (or equivalent) on - the bastion host(s): - </p> + In the <code class="filename">resolv.conf</code> (or equivalent) on + the bastion host(s): + </p> <pre class="programlisting"> search ... nameserver 172.16.72.2 @@ -523,262 +523,286 @@ nameserver 172.16.72.4 </pre> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="tsig"></a>TSIG</h2></div></div></div> <p> - This is a short guide to setting up Transaction SIGnatures - (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes - to the configuration file as well as what changes are required for - different features, including the process of creating transaction - keys and using transaction signatures with <acronym class="acronym">BIND</acronym>. + TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS + messages, originally specified in RFC 2845. It allows DNS messages + to be cryptographically signed using a shared secret. TSIG can + be used in any DNS transaction, as a way to restrict access to + certain server functions (e.g., recursive queries) to authorized + clients when IP-based access control is insufficient or needs to + be overridden, or as a way to ensure message authenticity when it + is critical to the integrity of the server, such as with dynamic + UPDATE messages or zone transfers from a master to a slave server. </p> <p> - <acronym class="acronym">BIND</acronym> primarily supports TSIG for server - to server communication. - This includes zone transfer, notify, and recursive query messages. - Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support - for TSIG. + This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>. + It describes the configuration syntax and the process of creating + TSIG keys. </p> <p> - TSIG can also be useful for dynamic update. A primary - server for a dynamic zone should control access to the dynamic - update service, but IP-based access control is insufficient. - The cryptographic access control provided by TSIG - is far superior. The <span><strong class="command">nsupdate</strong></span> - program supports TSIG via the <code class="option">-k</code> and - <code class="option">-y</code> command line options or inline by use - of the <span><strong class="command">key</strong></span>. + <span class="command"><strong>named</strong></span> supports TSIG for server-to-server + communication, and some of the tools included with + <acronym class="acronym">BIND</acronym> support it for sending messages to + <span class="command"><strong>named</strong></span>: + </p> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"> +<a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the + <code class="option">-k</code>, <code class="option">-l</code> and + <code class="option">-y</code> command line options, or via + the <span class="command"><strong>key</strong></span> command when running + interactively. + </li> +<li class="listitem"> +<a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the + <code class="option">-k</code> and <code class="option">-y</code> command + line options. + </li> +</ul></div> +<p> </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2570560"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div> -<p> - A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>. - An arbitrary key name is chosen: "host1-host2.". The key name must - be the same on both hosts. +<a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div> +<p> + TSIG keys can be generated using the <span class="command"><strong>ddns-confgen</strong></span> + command; the output of the command is a <span class="command"><strong>key</strong></span> directive + suitable for inclusion in <code class="filename">named.conf</code>. The + key name and algorithm can be specified by command line parameters; + the defaults are "ddns-key" and HMAC-SHA256, respectively. By + default, the output of <span class="command"><strong>ddns-confgen</strong></span> also includes + additional configuration text for setting up dynamic DNS in + <span class="command"><strong>named</strong></span>; the <code class="option">-q</code> suppresses + this. See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a> for further details. </p> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2570577"></a>Automatic Generation</h4></div></div></div> -<p> - The following command will generate a 128-bit (16 byte) HMAC-SHA256 - key as described above. Longer keys are better, but shorter keys - are easier to read. Note that the maximum key length is the digest - length, here 256 bits. - </p> -<p> - <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong> - </p> -<p> - The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>. - Nothing directly uses this file, but the base-64 encoded string - following "<code class="literal">Key:</code>" - can be extracted from the file and used as a shared secret: - </p> -<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre> -<p> - The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can - be used as the shared secret. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2570683"></a>Manual Generation</h4></div></div></div> <p> - The shared secret is simply a random sequence of bits, encoded - in base-64. Most ASCII strings are valid base-64 strings (assuming - the length is a multiple of 4 and only valid characters are used), - so the shared secret can be manually generated. - </p> -<p> - Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or - a similar program to generate base-64 encoded data. - </p> -</div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2570701"></a>Copying the Shared Secret to Both Machines</h3></div></div></div> + Any string which is a valid DNS name can be used as a key name. + For example, a key to be shared between servers called + <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could + be called "host1-host2.", and this key could be generated using: + </p> +<pre class="programlisting"> + $ ddns-confgen -q -k host1-host2. > host1-host2.key +</pre> <p> - This is beyond the scope of DNS. A secure transport mechanism - should be used. This could be secure FTP, ssh, telephone, etc. + This key may then be copied to both hosts. The key name and secret + must be identical on both hosts. + (Note: copying a shared secret from one server to another is beyond + the scope of the DNS. A secure transport mechanism should be used: + secure FTP, SSL, ssh, telephone, encrypted email, etc.) </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2570712"></a>Informing the Servers of the Key's Existence</h3></div></div></div> +<a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div> <p> - Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span> - are - both servers. The following is added to each server's <code class="filename">named.conf</code> file: + For a key shared between servers called + <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>, + the following could be added to each server's + <code class="filename">named.conf</code> file: </p> <pre class="programlisting"> -key host1-host2. { - algorithm hmac-sha256; - secret "La/E5CjG9O+os1jq0a2jdA=="; +key "host1-host2." { + algorithm hmac-sha256; + secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY="; }; </pre> <p> - The secret is the one generated above. Since this is a secret, it - is recommended that either <code class="filename">named.conf</code> be - non-world readable, or the key directive be added to a non-world - readable file that is included by <code class="filename">named.conf</code>. + (This is the same key generated above using + <span class="command"><strong>ddns-confgen</strong></span>.) + </p> +<p> + Since this text contains a secret, it + is recommended that either <code class="filename">named.conf</code> not be + world-readable, or that the <span class="command"><strong>key</strong></span> directive + be stored in a file which is not world-readable, and which is + included in <code class="filename">named.conf</code> via the + <span class="command"><strong>include</strong></span> directive. </p> <p> - At this point, the key is recognized. This means that if the - server receives a message signed by this key, it can verify the - signature. If the signature is successfully verified, the - response is signed by the same key. + Once a key has been added to <code class="filename">named.conf</code> and the + server has been restarted or reconfigured, the server can recognize + the key. If the server receives a message signed by the + key, it will be able to verify the signature. If the signature + is valid, the response will be signed using the same key. + </p> +<p> + TSIG keys that are known to a server can be listed using the + command <span class="command"><strong>rndc tsig-list</strong></span>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2570748"></a>Instructing the Server to Use the Key</h3></div></div></div> +<a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div> +<p> + A server sending a request to another server must be told whether + to use a key, and if so, which key to use. + </p> +<p> + For example, a key may be specified for each server in the + <span class="command"><strong>masters</strong></span> statement in the definition of a + slave zone; in this case, all SOA QUERY messages, NOTIFY + messages, and zone transfer requests (AXFR or IXFR) will be + signed using the specified key. Keys may also be specified + in the <span class="command"><strong>also-notify</strong></span> statement of a master + or slave zone, causing NOTIFY messages to be signed using + the specified key. + </p> <p> - Since keys are shared between two hosts only, the server must - be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file - for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is - 10.1.2.3: + Keys can also be specified in a <span class="command"><strong>server</strong></span> + directive. Adding the following on <span class="emphasis"><em>host1</em></span>, + if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would + cause <span class="emphasis"><em>all</em></span> requests from <span class="emphasis"><em>host1</em></span> + to <span class="emphasis"><em>host2</em></span>, including normal DNS queries, to be + signed using the <span class="command"><strong>host1-host2.</strong></span> key: </p> <pre class="programlisting"> server 10.1.2.3 { - keys { host1-host2. ;}; + keys { host1-host2. ;}; }; </pre> <p> - Multiple keys may be present, but only the first is used. - This directive does not contain any secrets, so it may be in a - world-readable - file. + Multiple keys may be present in the <span class="command"><strong>keys</strong></span> + statement, but only the first one is used. As this directive does + not contain secrets, it can be used in a world-readable file. </p> <p> - If <span class="emphasis"><em>host1</em></span> sends a message that is a request - to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will - expect any responses to signed messages to be signed with the same - key. + Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span> + would <span class="emphasis"><em>not</em></span> be signed, unless a similar + <span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s + configuration file. </p> <p> - A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s - configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to - sign request messages to <span class="emphasis"><em>host1</em></span>. + Whenever any server sends a TSIG-signed DNS request, it will expect + the response to be signed with the same key. If a response is not + signed, or if the signature is not valid, the response will be + rejected. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2570806"></a>TSIG Key Based Access Control</h3></div></div></div> +<a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div> <p> - <acronym class="acronym">BIND</acronym> allows IP addresses and ranges - to be specified in ACL - definitions and - <span><strong class="command">allow-{ query | transfer | update }</strong></span> - directives. - This has been extended to allow TSIG keys also. The above key would - be denoted <span><strong class="command">key host1-host2.</strong></span> + TSIG keys may be specified in ACL definitions and ACL directives + such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span> + and <span class="command"><strong>allow-update</strong></span>. + The above key would be denoted in an ACL element as + <span class="command"><strong>key host1-host2.</strong></span> </p> <p> - An example of an <span><strong class="command">allow-update</strong></span> directive would be: + An example of an <span class="command"><strong>allow-update</strong></span> directive using + a TSIG key: </p> <pre class="programlisting"> -allow-update { key host1-host2. ;}; +allow-update { !{ !localnets; any; }; key host1-host2. ;}; </pre> <p> - This allows dynamic updates to succeed only if the request - was signed by a key named "<span><strong class="command">host1-host2.</strong></span>". + This allows dynamic updates to succeed only if the UPDATE + request comes from an address in <span class="command"><strong>localnets</strong></span>, + <span class="emphasis"><em>and</em></span> if it is signed using the + <span class="command"><strong>host1-host2.</strong></span> key. </p> <p> - See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of - the more flexible <span><strong class="command">update-policy</strong></span> statement. + See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of + the more flexible <span class="command"><strong>update-policy</strong></span> statement. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2570855"></a>Errors</h3></div></div></div> -<p> - The processing of TSIG signed messages can result in - several errors. If a signed message is sent to a non-TSIG aware - server, a FORMERR (format error) will be returned, since the server will not - understand the record. This is a result of misconfiguration, - since the server must be explicitly configured to send a TSIG - signed message to a specific server. - </p> -<p> - If a TSIG aware server receives a message signed by an - unknown key, the response will be unsigned with the TSIG - extended error code set to BADKEY. If a TSIG aware server - receives a message with a signature that does not validate, the - response will be unsigned with the TSIG extended error code set - to BADSIG. If a TSIG aware server receives a message with a time - outside of the allowed range, the response will be signed with - the TSIG extended error code set to BADTIME, and the time values - will be adjusted so that the response can be successfully - verified. In any of these cases, the message's rcode (response code) is set to - NOTAUTH (not authenticated). +<a name="id-1.5.6.9"></a>Errors</h3></div></div></div> +<p> + Processing of TSIG-signed messages can result in several errors: + </p> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"> + If a TSIG-aware server receives a message signed by an + unknown key, the response will be unsigned, with the TSIG + extended error code set to BADKEY. + </li> +<li class="listitem"> + If a TSIG-aware server receives a message from a known key + but with an invalid signature, the response will be unsigned, + with the TSIG extended error code set to BADSIG. + </li> +<li class="listitem"> + If a TSIG-aware server receives a message with a time + outside of the allowed range, the response will be signed, with + the TSIG extended error code set to BADTIME, and the time values + will be adjusted so that the response can be successfully + verified. + </li> +</ul></div> +<p> + In all of the above cases, the server will return a response code + of NOTAUTH (not authenticated). </p> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2570869"></a>TKEY</h2></div></div></div> -<p><span><strong class="command">TKEY</strong></span> - is a mechanism for automatically generating a shared secret - between two hosts. There are several "modes" of - <span><strong class="command">TKEY</strong></span> that specify how the key is generated - or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of - these modes, the Diffie-Hellman key exchange. Both hosts are - required to have a Diffie-Hellman KEY record (although this - record is not required to be present in a zone). The - <span><strong class="command">TKEY</strong></span> process must use signed messages, - signed either by TSIG or SIG(0). The result of - <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to - sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be - used to delete shared secrets that it had previously - generated. +<a name="tkey"></a>TKEY</h2></div></div></div> +<p> + TKEY (Transaction KEY) is a mechanism for automatically negotiating + a shared secret between two hosts, originally specified in RFC 2930. + </p> +<p> + There are several TKEY "modes" that specify how a key is to be + generated or assigned. <acronym class="acronym">BIND</acronym> 9 implements only + one of these modes: Diffie-Hellman key exchange. Both hosts are + required to have a KEY record with algorithm DH (though this + record is not required to be present in a zone). </p> <p> - The <span><strong class="command">TKEY</strong></span> process is initiated by a - client - or server by sending a signed <span><strong class="command">TKEY</strong></span> - query - (including any appropriate KEYs) to a TKEY-aware server. The - server response, if it indicates success, will contain a - <span><strong class="command">TKEY</strong></span> record and any appropriate keys. - After - this exchange, both participants have enough information to - determine the shared secret; the exact process depends on the - <span><strong class="command">TKEY</strong></span> mode. When using the - Diffie-Hellman - <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are - exchanged, - and the shared secret is derived by both participants. + The TKEY process is initiated by a client or server by sending + a query of type TKEY to a TKEY-aware server. The query must include + an appropriate KEY record in the additional section, and + must be signed using either TSIG or SIG(0) with a previously + established key. The server's response, if successful, will + contain a TKEY record in its answer section. After this transaction, + both participants will have enough information to calculate a + shared secret using Diffie-Hellman key exchange. The shared secret + can then be used by to sign subsequent transactions between the + two servers. + </p> +<p> + TSIG keys known by the server, including TKEY-negotiated keys, can + be listed using <span class="command"><strong>rndc tsig-list</strong></span>. + </p> +<p> + TKEY-negotiated keys can be deleted from a server using + <span class="command"><strong>rndc tsig-delete</strong></span>. This can also be done via + the TKEY protocol itself, by sending an authenticated TKEY query + specifying the "key deletion" mode. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2570918"></a>SIG(0)</h2></div></div></div> +<a name="sig0"></a>SIG(0)</h2></div></div></div> <p> - <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0) - transaction signatures as specified in RFC 2535 and RFC 2931. - SIG(0) - uses public/private keys to authenticate messages. Access control + <acronym class="acronym">BIND</acronym> partially supports DNSSEC SIG(0) + transaction signatures as specified in RFC 2535 and RFC 2931. + SIG(0) uses public/private keys to authenticate messages. Access control is performed in the same manner as TSIG keys; privileges can be - granted or denied based on the key name. + granted or denied in ACL directives based on the key name. </p> <p> When a SIG(0) signed message is received, it will only be - verified if the key is known and trusted by the server; the server - will not attempt to locate and/or validate the key. + verified if the key is known and trusted by the server. The + server will not attempt to recursively fetch or validate the + key. </p> <p> - SIG(0) signing of multiple-message TCP streams is not - supported. + SIG(0) signing of multiple-message TCP streams is not supported. </p> <p> The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that - generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>. + generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="DNSSEC"></a>DNSSEC</h2></div></div></div> <p> @@ -814,11 +838,11 @@ allow-update { key host1-host2. ;}; either be statically configured with this zone's zone key or the zone key of another zone above this one in the DNS tree. </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2571054"></a>Generating Keys</h3></div></div></div> +<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div> <p> - The <span><strong class="command">dnssec-keygen</strong></span> program is used to + The <span class="command"><strong>dnssec-keygen</strong></span> program is used to generate keys. </p> <p> @@ -826,7 +850,7 @@ allow-update { key host1-host2. ;}; zone keys will sign all other records in the zone, as well as the zone keys of any secure delegated zones. Zone keys must have the same name as the zone, a name type of - <span><strong class="command">ZONE</strong></span>, and must be usable for + <span class="command"><strong>ZONE</strong></span>, and must be usable for authentication. It is recommended that zone keys use a cryptographic algorithm designated as "mandatory to implement" by the IETF; currently @@ -860,21 +884,21 @@ allow-update { key host1-host2. ;}; a different key tag), repeat the above command. </p> <p> - The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used + The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used to get a key pair from a crypto hardware and build the key - files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>. + files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>. </p> <p> The public keys should be inserted into the zone file by including the <code class="filename">.key</code> files using - <span><strong class="command">$INCLUDE</strong></span> statements. + <span class="command"><strong>$INCLUDE</strong></span> statements. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2571270"></a>Signing the Zone</h3></div></div></div> +<a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div> <p> - The <span><strong class="command">dnssec-signzone</strong></span> program is used + The <span class="command"><strong>dnssec-signzone</strong></span> program is used to sign a zone. </p> <p> @@ -904,7 +928,7 @@ allow-update { key host1-host2. ;}; as the input file for the zone. </p> -<p><span><strong class="command">dnssec-signzone</strong></span> +<p><span class="command"><strong>dnssec-signzone</strong></span> will also produce a keyset and dsset files and optionally a dlvset file. These are used to provide the parent zone administrators with the <code class="literal">DNSKEYs</code> (or their @@ -912,50 +936,50 @@ allow-update { key host1-host2. ;}; secure entry point to the zone. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2571351"></a>Configuring Servers</h3></div></div></div> +<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div> <p> - To enable <span><strong class="command">named</strong></span> to respond appropriately + To enable <span class="command"><strong>named</strong></span> to respond appropriately to DNS requests from DNSSEC aware clients, - <span><strong class="command">dnssec-enable</strong></span> must be set to yes. + <span class="command"><strong>dnssec-enable</strong></span> must be set to yes. (This is the default setting.) </p> <p> - To enable <span><strong class="command">named</strong></span> to validate answers from - other servers, the <span><strong class="command">dnssec-enable</strong></span> option + To enable <span class="command"><strong>named</strong></span> to validate answers from + other servers, the <span class="command"><strong>dnssec-enable</strong></span> option must be set to <strong class="userinput"><code>yes</code></strong>, and the - <span><strong class="command">dnssec-validation</strong></span> options must be set to + <span class="command"><strong>dnssec-validation</strong></span> options must be set to <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>. </p> <p> - If <span><strong class="command">dnssec-validation</strong></span> is set to + If <span class="command"><strong>dnssec-validation</strong></span> is set to <strong class="userinput"><code>auto</code></strong>, then a default trust anchor for the DNS root zone will be used. If it is set to <strong class="userinput"><code>yes</code></strong>, however, then at least one trust anchor must be configured - with a <span><strong class="command">trusted-keys</strong></span> or - <span><strong class="command">managed-keys</strong></span> statement in + with a <span class="command"><strong>trusted-keys</strong></span> or + <span class="command"><strong>managed-keys</strong></span> statement in <code class="filename">named.conf</code>, or DNSSEC validation will not occur. The default setting is <strong class="userinput"><code>yes</code></strong>. </p> <p> - <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs + <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust. All keys listed in - <span><strong class="command">trusted-keys</strong></span> (and corresponding zones) + <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones) are deemed to exist and only the listed keys will be used to validated the DNSKEY RRset that they are from. </p> <p> - <span><strong class="command">managed-keys</strong></span> are trusted keys which are + <span class="command"><strong>managed-keys</strong></span> are trusted keys which are automatically kept up to date via RFC 5011 trust anchor maintenance. </p> <p> - <span><strong class="command">trusted-keys</strong></span> and - <span><strong class="command">managed-keys</strong></span> are described in more detail + <span class="command"><strong>trusted-keys</strong></span> and + <span class="command"><strong>managed-keys</strong></span> are described in more detail later in this document. </p> <p> @@ -970,7 +994,7 @@ allow-update { key host1-host2. ;}; more public keys for the root. This allows answers from outside the organization to be validated. It will also have several keys for parts of the namespace the organization - controls. These are here to ensure that <span><strong class="command">named</strong></span> + controls. These are here to ensure that <span class="command"><strong>named</strong></span> is immune to compromises in the DNSSEC components of the security of parent zones. </p> @@ -1028,9 +1052,11 @@ options { </pre> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> +<p> None of the keys listed in this example are valid. In particular, the root key is not valid. - </div> + </p> +</div> <p> When DNSSEC validation is enabled and properly configured, the resolver will reject any answers from signed, secure zones @@ -1067,24 +1093,24 @@ options { </div> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div> <p>As of BIND 9.7.0 it is possible to change a dynamic zone from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2610615"></a>Converting from insecure to secure</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div> <p>Changing a zone from insecure to secure can be done in two - ways: using a dynamic DNS update, or the - <span><strong class="command">auto-dnssec</strong></span> zone option.</p> -<p>For either method, you need to configure - <span><strong class="command">named</strong></span> so that it can see the + ways: using a dynamic DNS update, or the + <span class="command"><strong>auto-dnssec</strong></span> zone option.</p> +<p>For either method, you need to configure + <span class="command"><strong>named</strong></span> so that it can see the <code class="filename">K*</code> files which contain the public and private parts of the keys that will be used to sign the zone. These files - will have been generated by - <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them - in the key-directory, as specified in + will have been generated by + <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them + in the key-directory, as specified in <code class="filename">named.conf</code>:</p> <pre class="programlisting"> zone example.net { @@ -1099,8 +1125,8 @@ options { with the ZSK, and the DNSKEY RRset to be signed with the KSK as well. An NSEC chain will be generated as part of the initial signing process.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2610652"></a>Dynamic DNS update method</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.8"></a>Dynamic DNS update method</h3></div></div></div></div> <p>To insert the keys via dynamic update:</p> <pre class="screen"> % nsupdate @@ -1110,8 +1136,8 @@ options { > send </pre> <p>While the update request will complete almost immediately, - the zone will not be completely signed until - <span><strong class="command">named</strong></span> has had time to walk the zone and + the zone will not be completely signed until + <span class="command"><strong>named</strong></span> has had time to walk the zone and generate the NSEC and RRSIG records. The NSEC record at the apex will be added last, to signal that there is a complete NSEC chain.</p> @@ -1128,49 +1154,49 @@ options { > send </pre> <p>Again, this update request will complete almost - immediately; however, the record won't show up until - <span><strong class="command">named</strong></span> has had a chance to build/remove the + immediately; however, the record won't show up until + <span class="command"><strong>named</strong></span> has had a chance to build/remove the relevant chain. A private type record will be created to record the state of the operation (see below for more details), and will be removed once the operation completes.</p> <p>While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2563653"></a>Fully automatic zone signing</h3></div></div></div></div> -<p>To enable automatic signing, add the - <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in - <code class="filename">named.conf</code>. - <span><strong class="command">auto-dnssec</strong></span> has two possible arguments: - <code class="constant">allow</code> or +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div> +<p>To enable automatic signing, add the + <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in + <code class="filename">named.conf</code>. + <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments: + <code class="constant">allow</code> or <code class="constant">maintain</code>.</p> -<p>With - <span><strong class="command">auto-dnssec allow</strong></span>, - <span><strong class="command">named</strong></span> can search the key directory for keys +<p>With + <span class="command"><strong>auto-dnssec allow</strong></span>, + <span class="command"><strong>named</strong></span> can search the key directory for keys matching the zone, insert them into the zone, and use them to - sign the zone. It will do so only when it receives an - <span><strong class="command">rndc sign <zonename></strong></span>.</p> + sign the zone. It will do so only when it receives an + <span class="command"><strong>rndc sign <zonename></strong></span>.</p> <p> - <span><strong class="command">auto-dnssec maintain</strong></span> includes the above + <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above functionality, but will also automatically adjust the zone's DNSKEY records on schedule according to the keys' timing metadata. - (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and - <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) + (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) </p> <p> - <span><strong class="command">named</strong></span> will periodically search the key directory + <span class="command"><strong>named</strong></span> will periodically search the key directory for keys matching the zone, and if the keys' metadata indicates that any change should be made the zone, such as adding, removing, or revoking a key, then that action will be carried out. By default, the key directory is checked for changes every 60 minutes; this period can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up - to a maximum of 24 hours. The <span><strong class="command">rndc loadkeys</strong></span> forces - <span><strong class="command">named</strong></span> to check for key updates immediately. + to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces + <span class="command"><strong>named</strong></span> to check for key updates immediately. </p> <p> If keys are present in the key directory the first time the zone - is loaded, the zone will be signed immediately, without waiting for an - <span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span> + is loaded, the zone will be signed immediately, without waiting for an + <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span> command. (Those commands can still be used when there are unscheduled key changes, however.) </p> @@ -1178,7 +1204,7 @@ options { When new keys are added to a zone, the TTL is set to match that of any existing DNSKEY RRset. If there is no existing DNSKEY RRset, then the TTL will be set to the TTL specified when the key was - created (using the <span><strong class="command">dnssec-keygen -L</strong></span> option), if + created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if any, or to the SOA TTL. </p> <p> @@ -1191,15 +1217,15 @@ options { the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM record will appear in the zone. </p> -<p>Using the - <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be - configured to allow dynamic updates, by adding an - <span><strong class="command">allow-update</strong></span> or - <span><strong class="command">update-policy</strong></span> statement to the zone +<p>Using the + <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be + configured to allow dynamic updates, by adding an + <span class="command"><strong>allow-update</strong></span> or + <span class="command"><strong>update-policy</strong></span> statement to the zone configuration. If this has not been done, the configuration will fail.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2563900"></a>Private-type records</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.25"></a>Private-type records</h3></div></div></div></div> <p>The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1239,18 +1265,18 @@ options { </p></div> <p> </p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2563938"></a>DNSKEY rollovers</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div> <p>As with insecure-to-secure conversions, rolling DNSSEC - keys can be done in two ways: using a dynamic DNS update, or the - <span><strong class="command">auto-dnssec</strong></span> zone option.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2563950"></a>Dynamic DNS update method</h3></div></div></div></div> + keys can be done in two ways: using a dynamic DNS update, or the + <span class="command"><strong>auto-dnssec</strong></span> zone option.</p> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div> <p> To perform key rollovers via dynamic update, you need to add - the <code class="filename">K*</code> files for the new keys so that - <span><strong class="command">named</strong></span> can find them. You can then add the new - DNSKEY RRs via dynamic update. - <span><strong class="command">named</strong></span> will then cause the zone to be signed + the <code class="filename">K*</code> files for the new keys so that + <span class="command"><strong>named</strong></span> can find them. You can then add the new + DNSKEY RRs via dynamic update. + <span class="command"><strong>named</strong></span> will then cause the zone to be signed with the new keys. When the signing is complete the private type records will be updated so that the last octet is non zero.</p> @@ -1263,15 +1289,15 @@ options { be able to verify at least one signature when you remove the old DNSKEY.</p> <p>The old DNSKEY can be removed via UPDATE. Take care to - specify the correct key. - <span><strong class="command">named</strong></span> will clean out any signatures generated + specify the correct key. + <span class="command"><strong>named</strong></span> will clean out any signatures generated by the old key after the update completes.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2564052"></a>Automatic key rollovers</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div> <p>When a new key reaches its activation date (as set by - <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>), - if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to - <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will + <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>), + if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to + <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will automatically carry out the key rollover. If the key's algorithm has not previously been used to sign the zone, then the zone will be fully signed as quickly as possible. However, if the new key @@ -1281,83 +1307,82 @@ options { signature validity periods expire. By default, this rollover completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2564078"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.41"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div> <p>Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2564088"></a>Converting from NSEC to NSEC3</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.43"></a>Converting from NSEC to NSEC3</h3></div></div></div></div> <p>To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2569832"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div> -<p>To do this, use <span><strong class="command">nsupdate</strong></span> to +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.45"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div> +<p>To do this, use <span class="command"><strong>nsupdate</strong></span> to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2569845"></a>Converting from secure to insecure</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.47"></a>Converting from secure to insecure</h3></div></div></div></div> <p>To convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using - <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains, + <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains, and associated NSEC3PARAM records will be removed automatically. This will take place after the update request completes.</p> -<p> This requires the - <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to - <strong class="userinput"><code>yes</code></strong> in +<p> This requires the + <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to + <strong class="userinput"><code>yes</code></strong> in <code class="filename">named.conf</code>.</p> -<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span> +<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span> zone statement is used, it should be removed or changed to - <span><strong class="command">allow</strong></span> instead (or it will re-sign). + <span class="command"><strong>allow</strong></span> instead (or it will re-sign). </p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2569882"></a>Periodic re-signing</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.51"></a>Periodic re-signing</h3></div></div></div></div> <p>In any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.</p> -<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> -<a name="id2569892"></a>NSEC3 and OPTOUT</h3></div></div></div></div> +<div class="section"><div class="titlepage"><div><div><h3 class="title"> +<a name="id-1.5.10.53"></a>NSEC3 and OPTOUT</h3></div></div></div></div> <p> - <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains + <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT - state. - <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3 - records in the chain have mixed OPTOUT state. - <span><strong class="command">named</strong></span> does not support changing the OPTOUT + state. + <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3 + records in the chain have mixed OPTOUT state. + <span class="command"><strong>named</strong></span> does not support changing the OPTOUT state of an individual NSEC3 record, the entire chain needs to be changed if the OPTOUT state of an individual NSEC3 needs to be changed.</p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div> <p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust - anchor management. Using this feature allows - <span><strong class="command">named</strong></span> to keep track of changes to critical + anchor management. Using this feature allows + <span class="command"><strong>named</strong></span> to keep track of changes to critical DNSSEC keys without any need for the operator to make changes to configuration files.</p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2610129"></a>Validating Resolver</h3></div></div></div> +<a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div> <p>To configure a validating resolver to use RFC 5011 to - maintain a trust anchor, configure the trust anchor using a - <span><strong class="command">managed-keys</strong></span> statement. Information about - this can be found in - <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition - and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition + maintain a trust anchor, configure the trust anchor using a + <span class="command"><strong>managed-keys</strong></span> statement. Information about + this can be found in + <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition and Usage”</a>.</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2610151"></a>Authoritative Server</h3></div></div></div> +<a name="id-1.5.11.4"></a>Authoritative Server</h3></div></div></div> <p>To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the "active" @@ -1373,21 +1398,21 @@ options { timer has completed, the active KSK can be revoked, and the zone can be "rolled over" to the newly accepted key.</p> <p>The easiest way to place a stand-by key in a zone is to - use the "smart signing" features of - <span><strong class="command">dnssec-keygen</strong></span> and - <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication + use the "smart signing" features of + <span class="command"><strong>dnssec-keygen</strong></span> and + <span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication date in the past, but an activation date which is unset or in - the future, " - <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY + the future, " + <span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY record in the zone, but will not sign with it:</p> <pre class="screen"> $ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong> $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong> </pre> -<p>To revoke a key, the new command - <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the - REVOKED bit to the key flags and re-generates the - <code class="filename">K*.key</code> and +<p>To revoke a key, the new command + <span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the + REVOKED bit to the key flags and re-generates the + <code class="filename">K*.key</code> and <code class="filename">K*.private</code> files.</p> <p>After revoking the active key, the zone must be signed with both the revoked KSK and the new active KSK. (Smart @@ -1405,8 +1430,8 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code>< "<code class="filename">Kexample.com.+005+10128</code>".</p> <p>If two keys have ID's exactly 128 apart, and one is revoked, then the two key ID's will collide, causing several - problems. To prevent this, - <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if + problems. To prevent this, + <span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if another key is present which may collide. This checking will only occur if the new keys are written to the same directory which holds all other keys in use for that zone.</p> @@ -1419,7 +1444,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code>< keys with their original unrevoked key ID's.</p> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div> <p>PKCS #11 (Public Key Cryptography Standard #11) defines a @@ -1429,9 +1454,9 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code>< cryptographic acceleration board, tested under Solaris x86, and the AEP Keyper network-attached key storage device, tested with Debian Linux, Solaris x86 and Windows Server 2003.</p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2613326"></a>Prerequisites</h3></div></div></div> +<a name="id-1.5.12.4"></a>Prerequisites</h3></div></div></div> <p>See the HSM vendor documentation for information about installing, initializing, testing and troubleshooting the HSM.</p> @@ -1450,12 +1475,12 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code>< the patched OpenSSL, one of which must be chosen at configuration time. The correct choice depends on the HSM hardware:</p> -<div class="itemizedlist"><ul type="disc"> -<li><p>Use 'crypto-accelerator' with HSMs that have hardware +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p>Use 'crypto-accelerator' with HSMs that have hardware cryptographic acceleration features, such as the SCA 6000 board. This causes OpenSSL to run all supported cryptographic operations in the HSM.</p></li> -<li><p>Use 'sign-only' with HSMs that are designed to +<li class="listitem"><p>Use 'sign-only' with HSMs that are designed to function primarily as secure key storage devices, but lack hardware acceleration. These devices are highly secure, but are not necessarily any faster at cryptography than the @@ -1469,16 +1494,16 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code>< <p> The modified OpenSSL code is included in the BIND 9 release, in the form of a context diff against the latest versions of - OpenSSL. OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are - separate diffs for each version. In the examples to follow, - we use OpenSSL 0.9.8, but the same methods work with OpenSSL - 1.0.0 and 1.0.1. + OpenSSL. OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 are supported; + there are separate diffs for each version. In the examples to + follow, we use OpenSSL 0.9.8, but the same methods work with + OpenSSL 1.0.0 through 1.0.2. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> - The latest OpenSSL versions at the time of the BIND release - are 0.9.8y, 1.0.0k and 1.0.1e. - ISC will provide an updated patch as new versions of OpenSSL + The OpenSSL patches as of this writing (January 2016) + support versions 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2f. + ISC will provide updated patches as new versions of OpenSSL are released. The version number in the following examples is expected to change.</div> <p> @@ -1488,7 +1513,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code>< library.</p> <p>Obtain OpenSSL 0.9.8s:</p> <pre class="screen"> -$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong> +$ <strong class="userinput"><code>wget <a class="link" href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong> </pre> <p>Extract the tarball:</p> <pre class="screen"> @@ -1508,9 +1533,9 @@ $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \ elsewhere on the system. In the following examples, we choose to install into "/opt/pkcs11/usr". We will use this location when we configure BIND 9.</p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2610828"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div> +<a name="id-1.5.12.4.18"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div> <p>The AEP Keyper is a highly secure key storage device, but does not provide hardware cryptographic acceleration. It can carry out cryptographic operations, but it is probably @@ -1535,14 +1560,14 @@ $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \ --pk11-flavor=sign-only \ --prefix=/opt/pkcs11/usr</code></strong> </pre> -<p>After configuring, run "<span><strong class="command">make</strong></span>" - and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make +<p>After configuring, run "<span class="command"><strong>make</strong></span>" + and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make test</strong></span>" fails with "pthread_atfork() not found", you forgot to add the -pthread above.</p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2610898"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div> +<a name="id-1.5.12.4.19"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div> <p>The SCA-6000 PKCS #11 provider is installed as a system library, libpkcs11. It is a true crypto accelerator, up to 4 times faster than any CPU, so the flavor shall be @@ -1558,13 +1583,13 @@ $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \ </pre> <p>(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)</p> -<p>After configuring, run - <span><strong class="command">make</strong></span> and - <span><strong class="command">make test</strong></span>.</p> +<p>After configuring, run + <span class="command"><strong>make</strong></span> and + <span class="command"><strong>make test</strong></span>.</p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2611015"></a>Building OpenSSL for SoftHSM</h4></div></div></div> +<a name="id-1.5.12.4.20"></a>Building OpenSSL for SoftHSM</h4></div></div></div> <p>SoftHSM is a software library provided by the OpenDNSSEC project (http://www.opendnssec.org) which provides a PKCS#11 interface to a virtual HSM, implemented in the form of encrypted @@ -1597,11 +1622,11 @@ $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \ --pk11-flavor=sign-only \ --prefix=/opt/pkcs11/usr</code></strong> </pre> -<p>After configuring, run "<span><strong class="command">make</strong></span>" - and "<span><strong class="command">make test</strong></span>".</p> +<p>After configuring, run "<span class="command"><strong>make</strong></span>" + and "<span class="command"><strong>make test</strong></span>".</p> </div> <p>Once you have built OpenSSL, run - "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm + "<span class="command"><strong>apps/openssl engine pkcs11</strong></span>" to confirm that PKCS #11 support was compiled in correctly. The output should be one of the following lines, depending on the flavor selected:</p> @@ -1613,23 +1638,23 @@ $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \ (pkcs11) PKCS #11 engine support (crypto accelerator) </pre> <p>Next, run - "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will + "<span class="command"><strong>apps/openssl engine pkcs11 -t</strong></span>". This will attempt to initialize the PKCS #11 engine. If it is able to do so successfully, it will report - “<span class="quote"><code class="literal">[ available ]</code></span>”.</p> + <span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.</p> <p>If the output is correct, run - "<span><strong class="command">make install</strong></span>" which will install the - modified OpenSSL suite to + "<span class="command"><strong>make install</strong></span>" which will install the + modified OpenSSL suite to <code class="filename">/opt/pkcs11/usr</code>.</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2611166"></a>Building BIND 9 with PKCS#11</h3></div></div></div> +<a name="id-1.5.12.5"></a>Building BIND 9 with PKCS#11</h3></div></div></div> <p>When building BIND 9, the location of the custom-built OpenSSL library must be specified via configure.</p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2611175"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div> +<a name="id-1.5.12.5.3"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div> <p>To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build.</p> <p>The PKCS #11 library for the AEP Keyper is currently @@ -1643,9 +1668,9 @@ $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong> </pre> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2611275"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div> +<a name="id-1.5.12.5.4"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div> <p>To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build.</p> <pre class="screen"> @@ -1661,9 +1686,9 @@ $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-thre same as the --prefix argument to the OpenSSL Configure).</p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2611312"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div> +<a name="id-1.5.12.5.5"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div> <pre class="screen"> $ <strong class="userinput"><code>cd ../bind9</code></strong> $ <strong class="userinput"><code>./configure --enable-threads \ @@ -1672,22 +1697,22 @@ $ <strong class="userinput"><code>./configure --enable-threads \ </pre> </div> <p>After configuring, run - "<span><strong class="command">make</strong></span>", - "<span><strong class="command">make test</strong></span>" and - "<span><strong class="command">make install</strong></span>".</p> + "<span class="command"><strong>make</strong></span>", + "<span class="command"><strong>make test</strong></span>" and + "<span class="command"><strong>make install</strong></span>".</p> <p>(Note: If "make test" fails in the "pkcs11" system test, you may have forgotten to set the SOFTHSM_CONF environment variable.)</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2613408"></a>PKCS #11 Tools</h3></div></div></div> +<a name="id-1.5.12.6"></a>PKCS #11 Tools</h3></div></div></div> <p>BIND 9 includes a minimal set of tools to operate the - HSM, including - <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair - within the HSM, - <span><strong class="command">pkcs11-list</strong></span> to list objects currently - available, and - <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p> + HSM, including + <span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair + within the HSM, + <span class="command"><strong>pkcs11-list</strong></span> to list objects currently + available, and + <span class="command"><strong>pkcs11-destroy</strong></span> to remove objects.</p> <p>In UNIX/Linux builds, these tools are built only if BIND 9 is configured with the --with-pkcs11 option. (NOTE: If --with-pkcs11 is set to "yes", rather than to the path of the @@ -1696,9 +1721,9 @@ $ <strong class="userinput"><code>./configure --enable-threads \ PKCS11_PROVIDER environment variable to specify the path to the provider.)</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2613438"></a>Using the HSM</h3></div></div></div> +<a name="id-1.5.12.7"></a>Using the HSM</h3></div></div></div> <p>First, we must set up the runtime environment so the OpenSSL and PKCS #11 libraries can be loaded:</p> <pre class="screen"> @@ -1707,22 +1732,22 @@ $ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${L <p>When operating an AEP Keyper, it is also necessary to specify the location of the "machine" file, which stores information about the Keyper for use by PKCS #11 provider - library. If the machine file is in + library. If the machine file is in <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>, use:</p> <pre class="screen"> $ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong> </pre> <p>These environment variables must be set whenever running - any tool that uses the HSM, including - <span><strong class="command">pkcs11-keygen</strong></span>, - <span><strong class="command">pkcs11-list</strong></span>, - <span><strong class="command">pkcs11-destroy</strong></span>, - <span><strong class="command">dnssec-keyfromlabel</strong></span>, - <span><strong class="command">dnssec-signzone</strong></span>, - <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for - random number generation), and - <span><strong class="command">named</strong></span>.</p> + any tool that uses the HSM, including + <span class="command"><strong>pkcs11-keygen</strong></span>, + <span class="command"><strong>pkcs11-list</strong></span>, + <span class="command"><strong>pkcs11-destroy</strong></span>, + <span class="command"><strong>dnssec-keyfromlabel</strong></span>, + <span class="command"><strong>dnssec-signzone</strong></span>, + <span class="command"><strong>dnssec-keygen</strong></span>(which will use the HSM for + random number generation), and + <span class="command"><strong>named</strong></span>.</p> <p>We can now create and use keys in the HSM. In this case, we will create a 2048 bit key and give it the label "sample-ksk":</p> @@ -1769,9 +1794,9 @@ $ <strong class="userinput"><code>dnssec-keygen example.net</code></strong> rolled more frequently, if you wish, to compensate for a reduction in key security.</p> <p>Now you can sign the zone. (Note: If not using the -S - option to - <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add - the contents of both + option to + <span class="command"><strong>dnssec-signzone</strong></span>, it will be necessary to add + the contents of both <code class="filename">K*.key</code> files to the zone master file before signing it.)</p> <pre class="screen"> @@ -1784,12 +1809,12 @@ Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by example.net.signed </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2637735"></a>Specifying the engine on the command line</h3></div></div></div> -<p>The OpenSSL engine can be specified in - <span><strong class="command">named</strong></span> and all of the BIND - <span><strong class="command">dnssec-*</strong></span> tools by using the "-E +<a name="id-1.5.12.8"></a>Specifying the engine on the command line</h3></div></div></div> +<p>The OpenSSL engine can be specified in + <span class="command"><strong>named</strong></span> and all of the BIND + <span class="command"><strong>dnssec-*</strong></span> tools by using the "-E <engine>" command line option. If BIND 9 is built with the --with-pkcs11 option, this option defaults to "pkcs11". Specifying the engine will generally not be necessary unless @@ -1801,19 +1826,19 @@ example.net.signed <pre class="screen"> $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong> </pre> -<p>This causes - <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled +<p>This causes + <span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled without the --with-pkcs11 option.</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2637781"></a>Running named with automatic zone re-signing</h3></div></div></div> -<p>If you want - <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM +<a name="id-1.5.12.9"></a>Running named with automatic zone re-signing</h3></div></div></div> +<p>If you want + <span class="command"><strong>named</strong></span> to dynamically re-sign zones using HSM keys, and/or to to sign new records inserted via nsupdate, then named must have access to the HSM PIN. This can be accomplished by placing the PIN into the openssl.cnf file (in the above - examples, + examples, <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p> <p>The location of the openssl.cnf file can be overridden by setting the OPENSSL_CONF environment variable before running @@ -1841,9 +1866,9 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s </div> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2571571"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div> +<a name="ipv6"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 fully supports all currently defined forms of IPv6 name to address and address to name @@ -1877,11 +1902,11 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s </p> <p> For an overview of the format and structure of IPv6 addresses, - see <a href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>. + see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>. </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2571837"></a>Address Lookups Using AAAA Records</h3></div></div></div> +<a name="id-1.5.13.6"></a>Address Lookups Using AAAA Records</h3></div></div></div> <p> The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire @@ -1898,9 +1923,9 @@ host 3600 IN AAAA 2001:db8::1 the address. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2571859"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div> +<a name="id-1.5.13.7"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div> <p> When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and @@ -1935,6 +1960,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 55d3be0c80bd..17ddab0c8072 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 5. The BIND 9 Lightweight Resolver</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features"> <link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference"> @@ -39,19 +38,19 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2571892">The Lightweight Resolver Library</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch05.html#lightweight_resolver">The Lightweight Resolver Library</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2571892"></a>The Lightweight Resolver Library</h2></div></div></div> +<a name="lightweight_resolver"></a>The Lightweight Resolver Library</h2></div></div></div> <p> Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name @@ -73,14 +72,14 @@ that is distinct from and simpler than the full DNS protocol. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div> <p> To use the lightweight resolver interface, the system must - run the resolver daemon <span><strong class="command">lwresd</strong></span> or a + run the resolver daemon <span class="command"><strong>lwresd</strong></span> or a local - name server configured with a <span><strong class="command">lwres</strong></span> + name server configured with a <span class="command"><strong>lwres</strong></span> statement. </p> <p> @@ -88,7 +87,7 @@ make UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The - address can be overridden by <span><strong class="command">lwserver</strong></span> + address can be overridden by <span class="command"><strong>lwserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>. </p> @@ -98,27 +97,27 @@ NIS, etc. </p> <p> - The <span><strong class="command">lwresd</strong></span> daemon is essentially a + The <span class="command"><strong>lwresd</strong></span> daemon is essentially a caching-only name server that responds to requests using the lightweight resolver protocol rather than the DNS protocol. Because it needs to run on each host, it is designed to require no or minimal configuration. Unless configured otherwise, it uses the name servers listed on - <span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code> + <span class="command"><strong>nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code> as forwarders, but is also capable of doing the resolution autonomously if none are specified. </p> <p> - The <span><strong class="command">lwresd</strong></span> daemon may also be + The <span class="command"><strong>lwresd</strong></span> daemon may also be configured with a <code class="filename">named.conf</code> style configuration file, in <code class="filename">/etc/lwresd.conf</code> by default. A name server may also be configured to act as a lightweight resolver daemon using the - <span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>. + <span class="command"><strong>lwres</strong></span> statement in <code class="filename">named.conf</code>. </p> </div> </div> @@ -139,6 +138,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 1d353986f4c1..51e7f755eeac 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 6. BIND 9 Configuration Reference</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver"> <link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations"> @@ -39,71 +38,72 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573374">Comment Syntax</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574035"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574225"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574584"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574601"><span><strong class="command">include</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_grammar"><span class="command"><strong>lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_statement"><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574761"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574875"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575001"><span><strong class="command">logging</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577236"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577309"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577373"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577417"><span><strong class="command">masters</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577438"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590832"><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591139"><span><strong class="command">trusted-keys</strong></span> Statement Definition +<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591186"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition +<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591553"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> +<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593398"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2597084">Zone File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600002">Discussion of MX Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600549">Inverse Mapping in IPv4</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600812">Other Zone File Directives</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601017"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> +</dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> +<dd><dl> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd> </dl> </div> <p> @@ -122,7 +122,7 @@ using the shell script <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>. </p> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div> <p> @@ -131,8 +131,8 @@ </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.855in" class="1"> +<col width="3.770in" class="2"> </colgroup> <tbody> <tr> @@ -144,7 +144,7 @@ <td> <p> The name of an <code class="varname">address_match_list</code> as - defined by the <span><strong class="command">acl</strong></span> statement. + defined by the <span class="command"><strong>acl</strong></span> statement. </p> </td> </tr> @@ -160,7 +160,7 @@ <code class="varname">ip_addr</code>, <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, or <code class="varname">acl_name</code> elements, see - <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>. + <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>. </p> </td> </tr> @@ -215,8 +215,8 @@ <td> <p> One to four integers valued 0 through - 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>, - <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>. + 255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>, + <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>. </p> </td> </tr> @@ -241,7 +241,7 @@ </td> <td> <p> - An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>. + An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>. IPv6 scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (`%') as @@ -253,9 +253,9 @@ currently only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. For example, a link-local - address <span><strong class="command">fe80::1</strong></span> on the link - attached to the interface <span><strong class="command">ne0</strong></span> - can be specified as <span><strong class="command">fe80::1%ne0</strong></span>. + address <span class="command"><strong>fe80::1</strong></span> on the link + attached to the interface <span class="command"><strong>ne0</strong></span> + can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>. Note that on most systems link-local addresses always have the ambiguity, and need to be disambiguated. @@ -306,10 +306,10 @@ netmask. Trailing zeros in a <code class="varname">ip_addr</code> may omitted. - For example, <span><strong class="command">127/8</strong></span> is the - network <span><strong class="command">127.0.0.0</strong></span> with - netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is - network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>. + For example, <span class="command"><strong>127/8</strong></span> is the + network <span class="command"><strong>127.0.0.0</strong></span> with + netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is + network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>. </p> <p> When specifying a prefix involving a IPv6 scoped address @@ -417,7 +417,7 @@ Integers may take values 0 <= value <= 18446744073709551615, though certain parameters - (such as <span><strong class="command">max-journal-size</strong></span>) may + (such as <span class="command"><strong>max-journal-size</strong></span>) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or @@ -488,39 +488,39 @@ </tr> </tbody> </table></div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573073"></a>Syntax</h4></div></div></div> +<a name="id-1.7.4.4.2"></a>Syntax</h4></div></div></div> <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; [<span class="optional"> address_match_list_element; ... </span>] <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | key key_id | acl_name | { address_match_list } ) </pre> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573100"></a>Definition and Usage</h4></div></div></div> +<a name="id-1.7.4.4.3"></a>Definition and Usage</h4></div></div></div> <p> Address match lists are primarily used to determine access control for various server operations. They are also used in - the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span> + the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span> statements. The elements which constitute an address match list can be any of the following: </p> -<div class="itemizedlist"><ul type="disc"> -<li>an IP address (IPv4 or IPv6)</li> -<li>an IP prefix (in `/' notation)</li> -<li> - a key ID, as defined by the <span><strong class="command">key</strong></span> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">an IP address (IPv4 or IPv6)</li> +<li class="listitem">an IP prefix (in `/' notation)</li> +<li class="listitem"> + a key ID, as defined by the <span class="command"><strong>key</strong></span> statement </li> -<li>the name of an address match list defined with - the <span><strong class="command">acl</strong></span> statement +<li class="listitem">the name of an address match list defined with + the <span class="command"><strong>acl</strong></span> statement </li> -<li>a nested address match list enclosed in braces</li> +<li class="listitem">a nested address match list enclosed in braces</li> </ul></div> <p> Elements can be negated with a leading exclamation mark (`!'), @@ -544,25 +544,25 @@ </p> <p> The interpretation of a match depends on whether the list is being - used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a - <span><strong class="command">sortlist</strong></span>, and whether the element was negated. + used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a + <span class="command"><strong>sortlist</strong></span>, and whether the element was negated. </p> <p> When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses - <span><strong class="command">allow-notify</strong></span>, - <span><strong class="command">allow-recursion</strong></span>, - <span><strong class="command">allow-recursion-on</strong></span>, - <span><strong class="command">allow-query</strong></span>, - <span><strong class="command">allow-query-on</strong></span>, - <span><strong class="command">allow-query-cache</strong></span>, - <span><strong class="command">allow-query-cache-on</strong></span>, - <span><strong class="command">allow-transfer</strong></span>, - <span><strong class="command">allow-update</strong></span>, - <span><strong class="command">allow-update-forwarding</strong></span>, and - <span><strong class="command">blackhole</strong></span> all use address match - lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the + <span class="command"><strong>allow-notify</strong></span>, + <span class="command"><strong>allow-recursion</strong></span>, + <span class="command"><strong>allow-recursion-on</strong></span>, + <span class="command"><strong>allow-query</strong></span>, + <span class="command"><strong>allow-query-on</strong></span>, + <span class="command"><strong>allow-query-cache</strong></span>, + <span class="command"><strong>allow-query-cache-on</strong></span>, + <span class="command"><strong>allow-transfer</strong></span>, + <span class="command"><strong>allow-update</strong></span>, + <span class="command"><strong>allow-update-forwarding</strong></span>, and + <span class="command"><strong>blackhole</strong></span> all use address match + lists. Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the server to refuse queries on any of the machine's addresses which do not match the list. </p> @@ -575,18 +575,18 @@ defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in - <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> + <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is completely useless because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 - element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes + element. Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes that problem by having 1.2.3.13 blocked by the negation, but all other 1.2.3.* hosts fall through. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2573374"></a>Comment Syntax</h3></div></div></div> +<a name="comment_syntax"></a>Comment Syntax</h3></div></div></div> <p> The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear @@ -594,9 +594,9 @@ file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573458"></a>Syntax</h4></div></div></div> +<a name="id-1.7.4.5.3"></a>Syntax</h4></div></div></div> <p> </p> <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre> @@ -610,9 +610,9 @@ <p> </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573488"></a>Definition and Usage</h4></div></div></div> +<a name="id-1.7.4.5.4"></a>Definition and Usage</h4></div></div></div> <p> Comments may appear anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration file. @@ -684,7 +684,7 @@ </div> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div> <p> @@ -700,13 +700,13 @@ </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.336in" class="1"> +<col width="3.778in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">acl</strong></span></p> + <p><span class="command"><strong>acl</strong></span></p> </td> <td> <p> @@ -717,18 +717,18 @@ </tr> <tr> <td> - <p><span><strong class="command">controls</strong></span></p> + <p><span class="command"><strong>controls</strong></span></p> </td> <td> <p> declares control channels to be used - by the <span><strong class="command">rndc</strong></span> utility. + by the <span class="command"><strong>rndc</strong></span> utility. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">include</strong></span></p> + <p><span class="command"><strong>include</strong></span></p> </td> <td> <p> @@ -738,7 +738,7 @@ </tr> <tr> <td> - <p><span><strong class="command">key</strong></span></p> + <p><span class="command"><strong>key</strong></span></p> </td> <td> <p> @@ -749,7 +749,7 @@ </tr> <tr> <td> - <p><span><strong class="command">logging</strong></span></p> + <p><span class="command"><strong>logging</strong></span></p> </td> <td> <p> @@ -760,31 +760,31 @@ </tr> <tr> <td> - <p><span><strong class="command">lwres</strong></span></p> + <p><span class="command"><strong>lwres</strong></span></p> </td> <td> <p> - configures <span><strong class="command">named</strong></span> to - also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>). + configures <span class="command"><strong>named</strong></span> to + also act as a light-weight resolver daemon (<span class="command"><strong>lwresd</strong></span>). </p> </td> </tr> <tr> <td> - <p><span><strong class="command">masters</strong></span></p> + <p><span class="command"><strong>masters</strong></span></p> </td> <td> <p> defines a named masters list for inclusion in stub and slave zones' - <span><strong class="command">masters</strong></span> or - <span><strong class="command">also-notify</strong></span> lists. + <span class="command"><strong>masters</strong></span> or + <span class="command"><strong>also-notify</strong></span> lists. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">options</strong></span></p> + <p><span class="command"><strong>options</strong></span></p> </td> <td> <p> @@ -795,7 +795,7 @@ </tr> <tr> <td> - <p><span><strong class="command">server</strong></span></p> + <p><span class="command"><strong>server</strong></span></p> </td> <td> <p> @@ -806,18 +806,18 @@ </tr> <tr> <td> - <p><span><strong class="command">statistics-channels</strong></span></p> + <p><span class="command"><strong>statistics-channels</strong></span></p> </td> <td> <p> declares communication channels to get access to - <span><strong class="command">named</strong></span> statistics. + <span class="command"><strong>named</strong></span> statistics. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">trusted-keys</strong></span></p> + <p><span class="command"><strong>trusted-keys</strong></span></p> </td> <td> <p> @@ -827,7 +827,7 @@ </tr> <tr> <td> - <p><span><strong class="command">managed-keys</strong></span></p> + <p><span class="command"><strong>managed-keys</strong></span></p> </td> <td> <p> @@ -838,7 +838,7 @@ </tr> <tr> <td> - <p><span><strong class="command">view</strong></span></p> + <p><span class="command"><strong>view</strong></span></p> </td> <td> <p> @@ -848,7 +848,7 @@ </tr> <tr> <td> - <p><span><strong class="command">zone</strong></span></p> + <p><span class="command"><strong>zone</strong></span></p> </td> <td> <p> @@ -859,25 +859,25 @@ </tbody> </table></div> <p> - The <span><strong class="command">logging</strong></span> and - <span><strong class="command">options</strong></span> statements may only occur once + The <span class="command"><strong>logging</strong></span> and + <span class="command"><strong>options</strong></span> statements may only occur once per configuration. </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574035"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { +<a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>acl</strong></span> acl-name { address_match_list }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and +<a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">acl</strong></span> statement assigns a symbolic + The <span class="command"><strong>acl</strong></span> statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs). </p> @@ -886,13 +886,13 @@ </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.130in" class="1"> +<col width="4.000in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">any</strong></span></p> + <p><span class="command"><strong>any</strong></span></p> </td> <td> <p> @@ -902,7 +902,7 @@ </tr> <tr> <td> - <p><span><strong class="command">none</strong></span></p> + <p><span class="command"><strong>none</strong></span></p> </td> <td> <p> @@ -912,44 +912,44 @@ </tr> <tr> <td> - <p><span><strong class="command">localhost</strong></span></p> + <p><span class="command"><strong>localhost</strong></span></p> </td> <td> <p> Matches the IPv4 and IPv6 addresses of all network interfaces on the system. When addresses are - added or removed, the <span><strong class="command">localhost</strong></span> + added or removed, the <span class="command"><strong>localhost</strong></span> ACL element is updated to reflect the changes. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">localnets</strong></span></p> + <p><span class="command"><strong>localnets</strong></span></p> </td> <td> <p> Matches any host on an IPv4 or IPv6 network for which the system has an interface. When addresses are added or removed, - the <span><strong class="command">localnets</strong></span> + the <span class="command"><strong>localnets</strong></span> ACL element is updated to reflect the changes. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. - In such a case, <span><strong class="command">localnets</strong></span> + In such a case, <span class="command"><strong>localnets</strong></span> only matches the local - IPv6 addresses, just like <span><strong class="command">localhost</strong></span>. + IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>. </p> </td> </tr> </tbody> </table></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574225"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">controls</strong></span> { +<a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>controls</strong></span> { [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> } keys { <em class="replaceable"><code>key_list</code></em> }; ] @@ -960,70 +960,70 @@ }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and +<a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">controls</strong></span> statement declares control + The <span class="command"><strong>controls</strong></span> statement declares control channels to be used by system administrators to control the operation of the name server. These control channels are - used by the <span><strong class="command">rndc</strong></span> utility to send + used by the <span class="command"><strong>rndc</strong></span> utility to send commands to and retrieve non-DNS results from a name server. </p> <p> - An <span><strong class="command">inet</strong></span> control channel is a TCP socket - listening at the specified <span><strong class="command">ip_port</strong></span> on the - specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 - address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is + An <span class="command"><strong>inet</strong></span> control channel is a TCP socket + listening at the specified <span class="command"><strong>ip_port</strong></span> on the + specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6 + address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, - use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. - If you will only use <span><strong class="command">rndc</strong></span> on the local host, + use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>. + If you will only use <span class="command"><strong>rndc</strong></span> on the local host, using the loopback address (<code class="literal">127.0.0.1</code> or <code class="literal">::1</code>) is recommended for maximum security. </p> <p> If no port is specified, port 953 is used. The asterisk - "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>. + "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>. </p> <p> The ability to issue commands over the control channel is - restricted by the <span><strong class="command">allow</strong></span> and - <span><strong class="command">keys</strong></span> clauses. + restricted by the <span class="command"><strong>allow</strong></span> and + <span class="command"><strong>keys</strong></span> clauses. Connections to the control channel are permitted based on the - <span><strong class="command">address_match_list</strong></span>. This is for simple - IP address based filtering only; any <span><strong class="command">key_id</strong></span> - elements of the <span><strong class="command">address_match_list</strong></span> + <span class="command"><strong>address_match_list</strong></span>. This is for simple + IP address based filtering only; any <span class="command"><strong>key_id</strong></span> + elements of the <span class="command"><strong>address_match_list</strong></span> are ignored. </p> <p> - A <span><strong class="command">unix</strong></span> control channel is a UNIX domain + A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain socket listening at the specified path in the file system. - Access to the socket is specified by the <span><strong class="command">perm</strong></span>, - <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses. + Access to the socket is specified by the <span class="command"><strong>perm</strong></span>, + <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses. Note on some platforms (SunOS and Solaris) the permissions - (<span><strong class="command">perm</strong></span>) are applied to the parent directory + (<span class="command"><strong>perm</strong></span>) are applied to the parent directory as the permissions on the socket itself are ignored. </p> <p> The primary authorization mechanism of the command - channel is the <span><strong class="command">key_list</strong></span>, which - contains a list of <span><strong class="command">key_id</strong></span>s. - Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span> + channel is the <span class="command"><strong>key_list</strong></span>, which + contains a list of <span class="command"><strong>key_id</strong></span>s. + Each <span class="command"><strong>key_id</strong></span> in the <span class="command"><strong>key_list</strong></span> is authorized to execute commands over the control channel. - See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) - for information about configuring keys in <span><strong class="command">rndc</strong></span>. + See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) + for information about configuring keys in <span class="command"><strong>rndc</strong></span>. </p> <p> - If no <span><strong class="command">controls</strong></span> statement is present, - <span><strong class="command">named</strong></span> will set up a default + If no <span class="command"><strong>controls</strong></span> statement is present, + <span class="command"><strong>named</strong></span> will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1. - In this case, and also when the <span><strong class="command">controls</strong></span> statement - is present but does not have a <span><strong class="command">keys</strong></span> clause, - <span><strong class="command">named</strong></span> will attempt to load the command channel key + In this case, and also when the <span class="command"><strong>controls</strong></span> statement + is present but does not have a <span class="command"><strong>keys</strong></span> clause, + <span class="command"><strong>named</strong></span> will attempt to load the command channel key from the file <code class="filename">rndc.key</code> in <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code> was specified as when <acronym class="acronym">BIND</acronym> was built). @@ -1034,12 +1034,12 @@ The <code class="filename">rndc.key</code> feature was created to ease the transition of systems from <acronym class="acronym">BIND</acronym> 8, which did not have digital signatures on its command channel - messages and thus did not have a <span><strong class="command">keys</strong></span> clause. + messages and thus did not have a <span class="command"><strong>keys</strong></span> clause. It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8 configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged, - and still have <span><strong class="command">rndc</strong></span> work the same way - <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the + and still have <span class="command"><strong>rndc</strong></span> work the same way + <span class="command"><strong>ndc</strong></span> worked in BIND 8, simply by executing the command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is installed. </p> @@ -1055,10 +1055,10 @@ those things. The <code class="filename">rndc.key</code> file also has its permissions set such that only the owner of the file (the user that - <span><strong class="command">named</strong></span> is running as) can access it. + <span class="command"><strong>named</strong></span> is running as) can access it. If you desire greater flexibility in allowing other users to access - <span><strong class="command">rndc</strong></span> commands, then you need to create + <span class="command"><strong>rndc</strong></span> commands, then you need to create a <code class="filename">rndc.conf</code> file and make it group readable by a group @@ -1066,23 +1066,22 @@ </p> <p> To disable the command channel, use an empty - <span><strong class="command">controls</strong></span> statement: - <span><strong class="command">controls { };</strong></span>. + <span class="command"><strong>controls</strong></span> statement: + <span class="command"><strong>controls { };</strong></span>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574584"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> +<a name="include_grammar"></a><span class="command"><strong>include</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574601"></a><span><strong class="command">include</strong></span> Statement Definition and - Usage</h3></div></div></div> +<a name="include_statement"></a><span class="command"><strong>include</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">include</strong></span> statement inserts the - specified file at the point where the <span><strong class="command">include</strong></span> - statement is encountered. The <span><strong class="command">include</strong></span> + The <span class="command"><strong>include</strong></span> statement inserts the + specified file at the point where the <span class="command"><strong>include</strong></span> + statement is encountered. The <span class="command"><strong>include</strong></span> statement facilitates the administration of configuration files by permitting the reading or writing of some things but not @@ -1090,42 +1089,40 @@ that are readable only by the name server. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574761"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> { +<a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> { algorithm <em class="replaceable"><code>algorithm_id</code></em>; secret <em class="replaceable"><code>secret_string</code></em>; }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574785"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="key_statement"></a><span class="command"><strong>key</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">key</strong></span> statement defines a shared - secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) + The <span class="command"><strong>key</strong></span> statement defines a shared + secret key for use with TSIG (see <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) or the command channel - (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and - Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and Usage”</a>). </p> <p> - The <span><strong class="command">key</strong></span> statement can occur at the + The <span class="command"><strong>key</strong></span> statement can occur at the top level - of the configuration file or inside a <span><strong class="command">view</strong></span> - statement. Keys defined in top-level <span><strong class="command">key</strong></span> + of the configuration file or inside a <span class="command"><strong>view</strong></span> + statement. Keys defined in top-level <span class="command"><strong>key</strong></span> statements can be used in all views. Keys intended for use in - a <span><strong class="command">controls</strong></span> statement - (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and - Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + a <span class="command"><strong>controls</strong></span> statement + (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and Usage”</a>) must be defined at the top level. </p> <p> The <em class="replaceable"><code>key_id</code></em>, also known as the key name, is a domain name uniquely identifying the key. It can - be used in a <span><strong class="command">server</strong></span> + be used in a <span class="command"><strong>server</strong></span> statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key @@ -1146,46 +1143,45 @@ encoded string. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574875"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">logging</strong></span> { - [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { - ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em> - [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ] - [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] - | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> - | <span><strong class="command">stderr</strong></span> - | <span><strong class="command">null</strong></span> ); - [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | +<a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>logging</strong></span> { + [ <span class="command"><strong>channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { + ( <span class="command"><strong>file</strong></span> <em class="replaceable"><code>path_name</code></em> + [ <span class="command"><strong>versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span class="command"><strong>unlimited</strong></span> ) ] + [ <span class="command"><strong>size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] + | <span class="command"><strong>syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> + | <span class="command"><strong>stderr</strong></span> + | <span class="command"><strong>null</strong></span> ); + [ <span class="command"><strong>severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ] - [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] - [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] - [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span class="command"><strong>print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span class="command"><strong>print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span class="command"><strong>print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] }; ] - [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> { + [ <span class="command"><strong>category</strong></span> <em class="replaceable"><code>category_name</code></em> { <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ] }; ] ... }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575001"></a><span><strong class="command">logging</strong></span> Statement Definition and - Usage</h3></div></div></div> +<a name="logging_statement"></a><span class="command"><strong>logging</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">logging</strong></span> statement configures a + The <span class="command"><strong>logging</strong></span> statement configures a wide - variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase + variety of logging options for the name server. Its <span class="command"><strong>channel</strong></span> phrase associates output methods, format options and severity levels with - a name that can then be used with the <span><strong class="command">category</strong></span> phrase + a name that can then be used with the <span class="command"><strong>category</strong></span> phrase to select how various classes of messages are logged. </p> <p> - Only one <span><strong class="command">logging</strong></span> statement is used to + Only one <span class="command"><strong>logging</strong></span> statement is used to define - as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement, + as many channels and categories as are wanted. If there is no <span class="command"><strong>logging</strong></span> statement, the logging configuration will be: </p> <pre class="programlisting">logging { @@ -1197,16 +1193,16 @@ In <acronym class="acronym">BIND</acronym> 9, the logging configuration is only established when the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was - established as soon as the <span><strong class="command">logging</strong></span> + established as soon as the <span class="command"><strong>logging</strong></span> statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels, or to standard error if the "<code class="option">-g</code>" option was specified. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2575053"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> +<a name="channel"></a>The <span class="command"><strong>channel</strong></span> Phrase</h4></div></div></div> <p> All log output goes to one or more <span class="emphasis"><em>channels</em></span>; you can make as many of them as you want. @@ -1217,18 +1213,18 @@ particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is - <span><strong class="command">info</strong></span>), and whether to include a - <span><strong class="command">named</strong></span>-generated time stamp, the + <span class="command"><strong>info</strong></span>), and whether to include a + <span class="command"><strong>named</strong></span>-generated time stamp, the category name and/or severity level (the default is not to include any). </p> <p> - The <span><strong class="command">null</strong></span> destination clause + The <span class="command"><strong>null</strong></span> destination clause causes all messages sent to the channel to be discarded; in that case, other options for the channel are meaningless. </p> <p> - The <span><strong class="command">file</strong></span> destination clause directs + The <span class="command"><strong>file</strong></span> destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many @@ -1236,9 +1232,9 @@ of the file will be saved each time the file is opened. </p> <p> - If you use the <span><strong class="command">versions</strong></span> log file + If you use the <span class="command"><strong>versions</strong></span> log file option, then - <span><strong class="command">named</strong></span> will retain that many backup + <span class="command"><strong>named</strong></span> will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions @@ -1248,10 +1244,10 @@ <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is renamed to <code class="filename">lamers.log.0</code>. - You can say <span><strong class="command">versions unlimited</strong></span> to + You can say <span class="command"><strong>versions unlimited</strong></span> to not limit the number of versions. - If a <span><strong class="command">size</strong></span> option is associated with + If a <span class="command"><strong>size</strong></span> option is associated with the log file, then renaming is only done when the file being opened exceeds the indicated size. No backup versions are kept by default; any @@ -1259,14 +1255,14 @@ log file is simply appended. </p> <p> - The <span><strong class="command">size</strong></span> option for files is used + The <span class="command"><strong>size</strong></span> option for files is used to limit log - growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will - stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option + growth. If the file ever exceeds the size, then <span class="command"><strong>named</strong></span> will + stop writing to the file unless it has a <span class="command"><strong>versions</strong></span> option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no - <span><strong class="command">versions</strong></span> option, no more data will + <span class="command"><strong>versions</strong></span> option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the @@ -1275,8 +1271,8 @@ file. </p> <p> - Example usage of the <span><strong class="command">size</strong></span> and - <span><strong class="command">versions</strong></span> options: + Example usage of the <span class="command"><strong>size</strong></span> and + <span class="command"><strong>versions</strong></span> options: </p> <pre class="programlisting">channel an_example_channel { file "example.log" versions 3 size 20m; @@ -1285,53 +1281,53 @@ }; </pre> <p> - The <span><strong class="command">syslog</strong></span> destination clause + The <span class="command"><strong>syslog</strong></span> destination clause directs the channel to the system log. Its argument is a - syslog facility as described in the <span><strong class="command">syslog</strong></span> man - page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>, - <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>, - <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>, - <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>, - <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>, - <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>, - <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and - <span><strong class="command">local7</strong></span>, however not all facilities + syslog facility as described in the <span class="command"><strong>syslog</strong></span> man + page. Known facilities are <span class="command"><strong>kern</strong></span>, <span class="command"><strong>user</strong></span>, + <span class="command"><strong>mail</strong></span>, <span class="command"><strong>daemon</strong></span>, <span class="command"><strong>auth</strong></span>, + <span class="command"><strong>syslog</strong></span>, <span class="command"><strong>lpr</strong></span>, <span class="command"><strong>news</strong></span>, + <span class="command"><strong>uucp</strong></span>, <span class="command"><strong>cron</strong></span>, <span class="command"><strong>authpriv</strong></span>, + <span class="command"><strong>ftp</strong></span>, <span class="command"><strong>local0</strong></span>, <span class="command"><strong>local1</strong></span>, + <span class="command"><strong>local2</strong></span>, <span class="command"><strong>local3</strong></span>, <span class="command"><strong>local4</strong></span>, + <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span> and + <span class="command"><strong>local7</strong></span>, however not all facilities are supported on all operating systems. - How <span><strong class="command">syslog</strong></span> will handle messages + How <span class="command"><strong>syslog</strong></span> will handle messages sent to - this facility is described in the <span><strong class="command">syslog.conf</strong></span> man - page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that - only uses two arguments to the <span><strong class="command">openlog()</strong></span> function, + this facility is described in the <span class="command"><strong>syslog.conf</strong></span> man + page. If you have a system which uses a very old version of <span class="command"><strong>syslog</strong></span> that + only uses two arguments to the <span class="command"><strong>openlog()</strong></span> function, then this clause is silently ignored. </p> <p> On Windows machines syslog messages are directed to the EventViewer. </p> <p> - The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s + The <span class="command"><strong>severity</strong></span> clause works like <span class="command"><strong>syslog</strong></span>'s "priorities", except that they can also be used if you are writing - straight to a file rather than using <span><strong class="command">syslog</strong></span>. + straight to a file rather than using <span class="command"><strong>syslog</strong></span>. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted. </p> <p> - If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities + If you are using <span class="command"><strong>syslog</strong></span>, then the <span class="command"><strong>syslog.conf</strong></span> priorities will also determine what eventually passes through. For example, - defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but - only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will - cause messages of severity <span><strong class="command">info</strong></span> and - <span><strong class="command">notice</strong></span> to - be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing - messages of only <span><strong class="command">warning</strong></span> or higher, - then <span><strong class="command">syslogd</strong></span> would + defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span> but + only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span> will + cause messages of severity <span class="command"><strong>info</strong></span> and + <span class="command"><strong>notice</strong></span> to + be dropped. If the situation were reversed, with <span class="command"><strong>named</strong></span> writing + messages of only <span class="command"><strong>warning</strong></span> or higher, + then <span class="command"><strong>syslogd</strong></span> would print all messages it received from the channel. </p> <p> - The <span><strong class="command">stderr</strong></span> destination clause + The <span class="command"><strong>stderr</strong></span> destination clause directs the channel to the server's standard error stream. This is intended for @@ -1344,11 +1340,11 @@ it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug - level is set either by starting the <span><strong class="command">named</strong></span> server + level is set either by starting the <span class="command"><strong>named</strong></span> server with the <code class="option">-d</code> flag followed by a positive integer, - or by running <span><strong class="command">rndc trace</strong></span>. + or by running <span class="command"><strong>rndc trace</strong></span>. The global debug level - can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc + can be set to zero, and debugging mode turned off, by running <span class="command"><strong>rndc notrace</strong></span>. All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels that specify a specific debug severity, for example: @@ -1361,26 +1357,26 @@ notrace</strong></span>. All debugging messages in the server have a debug <p> will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging - level. Channels with <span><strong class="command">dynamic</strong></span> + level. Channels with <span class="command"><strong>dynamic</strong></span> severity use the server's global debug level to determine what messages to print. </p> <p> - If <span><strong class="command">print-time</strong></span> has been turned on, + If <span class="command"><strong>print-time</strong></span> has been turned on, then - the date and time will be logged. <span><strong class="command">print-time</strong></span> may - be specified for a <span><strong class="command">syslog</strong></span> channel, + the date and time will be logged. <span class="command"><strong>print-time</strong></span> may + be specified for a <span class="command"><strong>syslog</strong></span> channel, but is usually - pointless since <span><strong class="command">syslog</strong></span> also logs + pointless since <span class="command"><strong>syslog</strong></span> also logs the date and - time. If <span><strong class="command">print-category</strong></span> is + time. If <span class="command"><strong>print-category</strong></span> is requested, then the - category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is - on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may + category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is + on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all - three <span><strong class="command">print-</strong></span> options + three <span class="command"><strong>print-</strong></span> options are on: </p> <p> @@ -1388,9 +1384,9 @@ notrace</strong></span>. All debugging messages in the server have a debug </p> <p> There are four predefined channels that are used for - <span><strong class="command">named</strong></span>'s default logging as follows. + <span class="command"><strong>named</strong></span>'s default logging as follows. How they are - used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>. + used is described in <a class="xref" href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span class="command"><strong>category</strong></span> Phrase”</a>. </p> <pre class="programlisting">channel default_syslog { // send to syslog's daemon facility @@ -1420,7 +1416,7 @@ channel null { }; </pre> <p> - The <span><strong class="command">default_debug</strong></span> channel has the + The <span class="command"><strong>default_debug</strong></span> channel has the special property that it only produces output when the server's debug level is @@ -1430,9 +1426,9 @@ channel null { <p> For security reasons, when the "<code class="option">-u</code>" command line option is used, the <code class="filename">named.run</code> file - is created only after <span><strong class="command">named</strong></span> has + is created only after <span class="command"><strong>named</strong></span> has changed to the - new UID, and any debug output generated while <span><strong class="command">named</strong></span> is + new UID, and any debug output generated while <span class="command"><strong>named</strong></span> is starting up and still running as root is discarded. If you need to capture this output, you must run the server with the "<code class="option">-g</code>" option and redirect standard error to a file. @@ -1444,15 +1440,15 @@ channel null { defined. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div> +<a name="the_category_phrase"></a>The <span class="command"><strong>category</strong></span> Phrase</h4></div></div></div> <p> There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages - in that category will be sent to the <span><strong class="command">default</strong></span> category + in that category will be sent to the <span class="command"><strong>default</strong></span> category instead. If you don't specify a default category, the following "default default" is used: </p> @@ -1473,7 +1469,7 @@ category security { default_debug; };</pre> <p> - To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel: + To discard all messages in a category, specify the <span class="command"><strong>null</strong></span> channel: </p> <pre class="programlisting">category xfer-out { null; }; category notify { null; }; @@ -1485,364 +1481,376 @@ category notify { null; }; </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">default</strong></span></p> - </td> + <p><span class="command"><strong>client</strong></span></p> + </td> <td> - <p> - The default category defines the logging - options for those categories where no specific - configuration has been - defined. - </p> - </td> + <p> + Processing of client requests. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">general</strong></span></p> - </td> + <p><span class="command"><strong>cname</strong></span></p> + </td> <td> - <p> - The catch-all. Many things still aren't - classified into categories, and they all end up here. - </p> - </td> + <p> + Logs nameservers that are skipped due to them being + a CNAME rather than A / AAAA records. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">database</strong></span></p> - </td> + <p><span class="command"><strong>config</strong></span></p> + </td> <td> - <p> - Messages relating to the databases used - internally by the name server to store zone and cache - data. - </p> - </td> + <p> + Configuration file parsing and processing. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">security</strong></span></p> - </td> + <p><span class="command"><strong>database</strong></span></p> + </td> <td> - <p> - Approval and denial of requests. - </p> - </td> + <p> + Messages relating to the databases used + internally by the name server to store zone and cache + data. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">config</strong></span></p> - </td> + <p><span class="command"><strong>default</strong></span></p> + </td> <td> - <p> - Configuration file parsing and processing. - </p> - </td> + <p> + The default category defines the logging + options for those categories where no specific + configuration has been + defined. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">resolver</strong></span></p> - </td> + <p><span class="command"><strong>delegation-only</strong></span></p> + </td> <td> - <p> - DNS resolution, such as the recursive - lookups performed on behalf of clients by a caching name - server. - </p> - </td> + <p> + Delegation only. Logs queries that have been + forced to NXDOMAIN as the result of a + delegation-only zone or a + <span class="command"><strong>delegation-only</strong></span> in a + forward, hint or stub zone declaration. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">xfer-in</strong></span></p> - </td> + <p><span class="command"><strong>dispatch</strong></span></p> + </td> <td> - <p> - Zone transfers the server is receiving. - </p> - </td> + <p> + Dispatching of incoming packets to the + server modules where they are to be processed. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">xfer-out</strong></span></p> - </td> + <p><span class="command"><strong>dnssec</strong></span></p> + </td> <td> - <p> - Zone transfers the server is sending. - </p> - </td> + <p> + DNSSEC and TSIG protocol processing. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">notify</strong></span></p> - </td> + <p><span class="command"><strong>edns-disabled</strong></span></p> + </td> <td> - <p> - The NOTIFY protocol. - </p> - </td> + <p> + Log queries that have been forced to use plain + DNS due to timeouts. This is often due to + the remote servers not being RFC 1034 compliant + (not always returning FORMERR or similar to + EDNS queries and other extensions to the DNS + when they are not understood). In other words, this is + targeted at servers that fail to respond to + DNS queries that they don't understand. + </p> + <p> + Note: the log message can also be due to + packet loss. Before reporting servers for + non-RFC 1034 compliance they should be re-tested + to determine the nature of the non-compliance. + This testing should prevent or reduce the + number of false-positive reports. + </p> + <p> + Note: eventually <span class="command"><strong>named</strong></span> will have to stop + treating such timeouts as due to RFC 1034 non + compliance and start treating it as plain + packet loss. Falsely classifying packet + loss as due to RFC 1034 non compliance impacts + on DNSSEC validation which requires EDNS for + the DNSSEC records to be returned. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">client</strong></span></p> - </td> + <p><span class="command"><strong>general</strong></span></p> + </td> <td> - <p> - Processing of client requests. - </p> - </td> + <p> + The catch-all. Many things still aren't + classified into categories, and they all end up here. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">unmatched</strong></span></p> - </td> + <p><span class="command"><strong>lame-servers</strong></span></p> + </td> <td> - <p> - Messages that <span><strong class="command">named</strong></span> was unable to determine the - class of or for which there was no matching <span><strong class="command">view</strong></span>. - A one line summary is also logged to the <span><strong class="command">client</strong></span> category. - This category is best sent to a file or stderr, by - default it is sent to - the <span><strong class="command">null</strong></span> channel. - </p> - </td> + <p> + Lame servers. These are misconfigurations + in remote servers, discovered by BIND 9 when trying to + query those servers during resolution. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">network</strong></span></p> - </td> + <p><span class="command"><strong>network</strong></span></p> + </td> <td> - <p> - Network operations. - </p> - </td> + <p> + Network operations. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">update</strong></span></p> - </td> + <p><span class="command"><strong>notify</strong></span></p> + </td> <td> - <p> - Dynamic updates. - </p> - </td> + <p> + The NOTIFY protocol. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">update-security</strong></span></p> - </td> + <p><span class="command"><strong>queries</strong></span></p> + </td> <td> - <p> - Approval and denial of update requests. - </p> - </td> + <p> + Specify where queries should be logged to. + </p> + <p> + At startup, specifying the category <span class="command"><strong>queries</strong></span> will also + enable query logging unless <span class="command"><strong>querylog</strong></span> option has been + specified. + </p> + + <p> + The query log entry reports the client's IP + address and port number, and the query name, + class and type. Next it reports whether the + Recursion Desired flag was set (+ if set, - + if not set), if the query was signed (S), + EDNS was in use (E), if TCP was used (T), if + DO (DNSSEC Ok) was set (D), or if CD (Checking + Disabled) was set (C). After this the + destination address the query was sent to is + reported. + </p> + + <p> + <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code> + </p> + <p> + <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code> + </p> + <p> + (The first part of this log message, showing the + client address/port number and query name, is + repeated in all subsequent log messages related + to the same query.) + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">queries</strong></span></p> - </td> + <p><span class="command"><strong>query-errors</strong></span></p> + </td> +<td> + <p> + Information about queries that resulted in some + failure. + </p> + </td> +</tr> +<tr> <td> - <p> - Specify where queries should be logged to. - </p> - <p> - At startup, specifying the category <span><strong class="command">queries</strong></span> will also - enable query logging unless <span><strong class="command">querylog</strong></span> option has been - specified. - </p> - - <p> - The query log entry reports the client's IP - address and port number, and the query name, - class and type. Next it reports whether the - Recursion Desired flag was set (+ if set, - - if not set), if the query was signed (S), - EDNS was in use (E), if TCP was used (T), if - DO (DNSSEC Ok) was set (D), or if CD (Checking - Disabled) was set (C). After this the - destination address the query was sent to is - reported. - </p> - - <p> - <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code> - </p> - <p> - <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code> - </p> - <p> - (The first part of this log message, showing the - client address/port number and query name, is - repeated in all subsequent log messages related - to the same query.) - </p> - </td> + <p><span class="command"><strong>rate-limit</strong></span></p> + </td> +<td> + <p> + (Only available when <acronym class="acronym">BIND</acronym> 9 is + configured with the <strong class="userinput"><code>--enable-rrl</code></strong> + option at compile time.) + </p> + <p> + The start, periodic, and final notices of the + rate limiting of a stream of responses are logged at + <span class="command"><strong>info</strong></span> severity in this category. + These messages include a hash value of the domain name + of the response and the name itself, + except when there is insufficient memory to record + the name for the final notice + The final notice is normally delayed until about one + minute after rate limit stops. + A lack of memory can hurry the final notice, + in which case it starts with an asterisk (*). + Various internal events are logged at debug 1 level + and higher. + </p> + <p> + Rate limiting of individual requests + is logged in the <span class="command"><strong>query-errors</strong></span> category. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">query-errors</strong></span></p> - </td> + <p><span class="command"><strong>resolver</strong></span></p> + </td> <td> - <p> - Information about queries that resulted in some - failure. - </p> - </td> + <p> + DNS resolution, such as the recursive + lookups performed on behalf of clients by a caching name + server. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">dispatch</strong></span></p> - </td> + <p><span class="command"><strong>rpz</strong></span></p> + </td> <td> - <p> - Dispatching of incoming packets to the - server modules where they are to be processed. - </p> - </td> + <p> + Information about errors in response policy zone files, + rewritten responses, and at the highest + <span class="command"><strong>debug</strong></span> levels, mere rewriting + attempts. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">dnssec</strong></span></p> - </td> + <p><span class="command"><strong>security</strong></span></p> + </td> <td> - <p> - DNSSEC and TSIG protocol processing. - </p> - </td> + <p> + Approval and denial of requests. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">lame-servers</strong></span></p> - </td> + <p><span class="command"><strong>spill</strong></span></p> + </td> <td> - <p> - Lame servers. These are misconfigurations - in remote servers, discovered by BIND 9 when trying to - query those servers during resolution. - </p> - </td> + <p> + Logs queries that have been terminated, either by dropping + or responding with SERVFAIL, as a result of a fetchlimit + quota being exceeded. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">delegation-only</strong></span></p> - </td> + <p><span class="command"><strong>unmatched</strong></span></p> + </td> <td> - <p> - Delegation only. Logs queries that have been - forced to NXDOMAIN as the result of a - delegation-only zone or a - <span><strong class="command">delegation-only</strong></span> in a - forward, hint or stub zone declaration. - </p> - </td> + <p> + Messages that <span class="command"><strong>named</strong></span> was unable to determine the + class of or for which there was no matching <span class="command"><strong>view</strong></span>. + A one line summary is also logged to the <span class="command"><strong>client</strong></span> category. + This category is best sent to a file or stderr, by + default it is sent to + the <span class="command"><strong>null</strong></span> channel. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">edns-disabled</strong></span></p> - </td> + <p><span class="command"><strong>update</strong></span></p> + </td> <td> - <p> - Log queries that have been forced to use plain - DNS due to timeouts. This is often due to - the remote servers not being RFC 1034 compliant - (not always returning FORMERR or similar to - EDNS queries and other extensions to the DNS - when they are not understood). In other words, this is - targeted at servers that fail to respond to - DNS queries that they don't understand. - </p> - <p> - Note: the log message can also be due to - packet loss. Before reporting servers for - non-RFC 1034 compliance they should be re-tested - to determine the nature of the non-compliance. - This testing should prevent or reduce the - number of false-positive reports. - </p> - <p> - Note: eventually <span><strong class="command">named</strong></span> will have to stop - treating such timeouts as due to RFC 1034 non - compliance and start treating it as plain - packet loss. Falsely classifying packet - loss as due to RFC 1034 non compliance impacts - on DNSSEC validation which requires EDNS for - the DNSSEC records to be returned. - </p> - </td> + <p> + Dynamic updates. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">RPZ</strong></span></p> - </td> + <p><span class="command"><strong>update-security</strong></span></p> + </td> <td> - <p> - Information about errors in response policy zone files, - rewritten responses, and at the highest - <span><strong class="command">debug</strong></span> levels, mere rewriting - attempts. - </p> - </td> + <p> + Approval and denial of update requests. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">rate-limit</strong></span></p> - </td> + <p><span class="command"><strong>xfer-in</strong></span></p> + </td> <td> - <p> - (Only available when <acronym class="acronym">BIND</acronym> 9 is - configured with the <strong class="userinput"><code>--enable-rrl</code></strong> - option at compile time.) - </p> - <p> - The start, periodic, and final notices of the - rate limiting of a stream of responses are logged at - <span><strong class="command">info</strong></span> severity in this category. - These messages include a hash value of the domain name - of the response and the name itself, - except when there is insufficient memory to record - the name for the final notice - The final notice is normally delayed until about one - minute after rate limit stops. - A lack of memory can hurry the final notice, - in which case it starts with an asterisk (*). - Various internal events are logged at debug 1 level - and higher. - </p> - <p> - Rate limiting of individual requests - is logged in the <span><strong class="command">query-errors</strong></span> category. - </p> - </td> + <p> + Zone transfers the server is receiving. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">cname</strong></span></p> - </td> + <p><span class="command"><strong>xfer-out</strong></span></p> + </td> <td> - <p> - Logs nameservers that are skipped due to them being - a CNAME rather than A / AAAA records. - </p> - </td> + <p> + Zone transfers the server is sending. + </p> + </td> </tr> </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2576580"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> +<a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div> <p> - The <span><strong class="command">query-errors</strong></span> category is + The <span class="command"><strong>query-errors</strong></span> category is specifically intended for debugging purposes: To identify why and how specific queries result in responses which indicate an error. Messages of this category are therefore only logged - with <span><strong class="command">debug</strong></span> levels. + with <span class="command"><strong>debug</strong></span> levels. </p> <p> At the debug levels of 1 or higher, each response with the @@ -1905,8 +1913,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> @@ -2061,14 +2069,14 @@ badresp:1,adberr:0,findfail:0,valfail:0] </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577236"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> +<a name="lwres_grammar"></a><span class="command"><strong>lwres</strong></span> Statement Grammar</h3></div></div></div> <p> - This is the grammar of the <span><strong class="command">lwres</strong></span> + This is the grammar of the <span class="command"><strong>lwres</strong></span> statement in the <code class="filename">named.conf</code> file: </p> -<pre class="programlisting"><span><strong class="command">lwres</strong></span> { +<pre class="programlisting"><span class="command"><strong>lwres</strong></span> { [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>] @@ -2077,19 +2085,19 @@ badresp:1,adberr:0,findfail:0,valfail:0] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577309"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="lwres_statement"></a><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">lwres</strong></span> statement configures the + The <span class="command"><strong>lwres</strong></span> statement configures the name server to also act as a lightweight resolver server. (See - <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple - <span><strong class="command">lwres</strong></span> statements configuring + <a class="xref" href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple + <span class="command"><strong>lwres</strong></span> statements configuring lightweight resolver servers with different properties. </p> <p> - The <span><strong class="command">listen-on</strong></span> statement specifies a + The <span class="command"><strong>listen-on</strong></span> statement specifies a list of IPv4 addresses (and ports) that this instance of a lightweight resolver daemon @@ -2100,7 +2108,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] port 921. </p> <p> - The <span><strong class="command">view</strong></span> statement binds this + The <span class="command"><strong>view</strong></span> statement binds this instance of a lightweight resolver daemon to a view in the DNS namespace, so that the @@ -2111,49 +2119,49 @@ badresp:1,adberr:0,findfail:0,valfail:0] used, and if there is no default view, an error is triggered. </p> <p> - The <span><strong class="command">search</strong></span> statement is equivalent to + The <span class="command"><strong>search</strong></span> statement is equivalent to the - <span><strong class="command">search</strong></span> statement in + <span class="command"><strong>search</strong></span> statement in <code class="filename">/etc/resolv.conf</code>. It provides a list of domains which are appended to relative names in queries. </p> <p> - The <span><strong class="command">ndots</strong></span> statement is equivalent to + The <span class="command"><strong>ndots</strong></span> statement is equivalent to the - <span><strong class="command">ndots</strong></span> statement in + <span class="command"><strong>ndots</strong></span> statement in <code class="filename">/etc/resolv.conf</code>. It indicates the minimum number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577373"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> +<a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"> -<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | +<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577417"></a><span><strong class="command">masters</strong></span> Statement Definition and +<a name="masters_statement"></a><span class="command"><strong>masters</strong></span> Statement Definition and Usage</h3></div></div></div> -<p><span><strong class="command">masters</strong></span> +<p><span class="command"><strong>masters</strong></span> lists allow for a common set of masters to be easily used by - multiple stub and slave zones in their <span><strong class="command">masters</strong></span> - or <span><strong class="command">also-notify</strong></span> lists. + multiple stub and slave zones in their <span class="command"><strong>masters</strong></span> + or <span class="command"><strong>also-notify</strong></span> lists. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577438"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> +<a name="options_grammar"></a><span class="command"><strong>options</strong></span> Statement Grammar</h3></div></div></div> <p> - This is the grammar of the <span><strong class="command">options</strong></span> + This is the grammar of the <span class="command"><strong>options</strong></span> statement in the <code class="filename">named.conf</code> file: </p> -<pre class="programlisting"><span><strong class="command">options</strong></span> { +<pre class="programlisting"><span class="command"><strong>options</strong></span> { [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>] [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>] [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>] @@ -2197,6 +2205,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>] + [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>] [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | @@ -2268,7 +2277,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> fetches-per-server <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>] [<span class="optional"> fetch-quota-params <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; </span>] - [<span class="optional"> fetches-per-zone<em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>] + [<span class="optional"> fetches-per-zone <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>] [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>] @@ -2286,9 +2295,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> - [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; - [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] + [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>] @@ -2305,6 +2314,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>|<code class="constant">date</code>; </span>] [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] @@ -2330,7 +2340,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> suffix IPv6-address; </span>] + [<span class="optional"> suffix <em class="replaceable"><code>IPv6-address</code></em>; </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>] }; </span>]; @@ -2389,21 +2399,21 @@ badresp:1,adberr:0,findfail:0,valfail:0] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and +<a name="options"></a><span class="command"><strong>options</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">options</strong></span> statement sets up global + The <span class="command"><strong>options</strong></span> statement sets up global options to be used by <acronym class="acronym">BIND</acronym>. This statement may appear only - once in a configuration file. If there is no <span><strong class="command">options</strong></span> + once in a configuration file. If there is no <span class="command"><strong>options</strong></span> statement, an options block with each option set to its default will be used. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>attach-cache</strong></span></span></dt> <dd> <p> Allows multiple views to share a single cache @@ -2415,15 +2425,15 @@ badresp:1,adberr:0,findfail:0,valfail:0] improve resolution efficiency by using this option. </p> <p> - The <span><strong class="command">attach-cache</strong></span> option - may also be specified in <span><strong class="command">view</strong></span> + The <span class="command"><strong>attach-cache</strong></span> option + may also be specified in <span class="command"><strong>view</strong></span> statements, in which case it overrides the - global <span><strong class="command">attach-cache</strong></span> option. + global <span class="command"><strong>attach-cache</strong></span> option. </p> <p> The <em class="replaceable"><code>cache_name</code></em> specifies the cache to be shared. - When the <span><strong class="command">named</strong></span> server configures + When the <span class="command"><strong>named</strong></span> server configures views which are supposed to share a cache, it creates a cache with the specified name for the first view of these sharing views. @@ -2434,7 +2444,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] One common configuration to share a cache would be to allow all views to share a single cache. This can be done by specifying - the <span><strong class="command">attach-cache</strong></span> as a global + the <span class="command"><strong>attach-cache</strong></span> as a global option with an arbitrary name. </p> <p> @@ -2443,7 +2453,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] retain their own caches. For example, if there are three views A, B, and C, and only A and B should share a cache, specify the - <span><strong class="command">attach-cache</strong></span> option as a view A (or + <span class="command"><strong>attach-cache</strong></span> option as a view A (or B)'s option, referring to the other view name: </p> <pre class="programlisting"> @@ -2466,14 +2476,14 @@ badresp:1,adberr:0,findfail:0,valfail:0] The current implementation requires the following configurable options be consistent among these views: - <span><strong class="command">check-names</strong></span>, - <span><strong class="command">cleaning-interval</strong></span>, - <span><strong class="command">dnssec-accept-expired</strong></span>, - <span><strong class="command">dnssec-validation</strong></span>, - <span><strong class="command">max-cache-ttl</strong></span>, - <span><strong class="command">max-ncache-ttl</strong></span>, - <span><strong class="command">max-cache-size</strong></span>, and - <span><strong class="command">zero-no-soa-ttl</strong></span>. + <span class="command"><strong>check-names</strong></span>, + <span class="command"><strong>cleaning-interval</strong></span>, + <span class="command"><strong>dnssec-accept-expired</strong></span>, + <span class="command"><strong>dnssec-validation</strong></span>, + <span class="command"><strong>max-cache-ttl</strong></span>, + <span class="command"><strong>max-ncache-ttl</strong></span>, + <span class="command"><strong>max-cache-size</strong></span>, and + <span class="command"><strong>zero-no-soa-ttl</strong></span>. </p> <p> Note that there may be other parameters that may @@ -2488,7 +2498,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] not cause disruption with a shared cache. </p> </dd> -<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt> <dd><p> The working directory of the server. Any non-absolute pathnames in the configuration file will be @@ -2503,7 +2513,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] was started. The directory specified should be an absolute path. </p></dd> -<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt> <dd><p> When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files @@ -2514,7 +2524,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] <code class="filename">rndc.key</code> or <code class="filename">session.key</code>.) </p></dd> -<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>managed-keys-directory</strong></span></span></dt> <dd> <p> Specifies the directory in which to store the files that @@ -2522,7 +2532,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] directory. </p> <p> - If <span><strong class="command">named</strong></span> is not configured to use views, + If <span class="command"><strong>named</strong></span> is not configured to use views, then managed keys for the server will be tracked in a single file called <code class="filename">managed-keys.bind</code>. Otherwise, managed keys will be tracked in separate files, @@ -2531,23 +2541,23 @@ badresp:1,adberr:0,findfail:0,valfail:0] <code class="filename">.mkeys</code>. </p> </dd> -<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>named-xfer</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete.</em></span> It was used in <acronym class="acronym">BIND</acronym> 8 to specify - the pathname to the <span><strong class="command">named-xfer</strong></span> + the pathname to the <span class="command"><strong>named-xfer</strong></span> program. In <acronym class="acronym">BIND</acronym> 9, no separate - <span><strong class="command">named-xfer</strong></span> program is needed; + <span class="command"><strong>named-xfer</strong></span> program is needed; its functionality is built into the name server. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt> <dd><p> The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-gssapi-credential</strong></span></span></dt> <dd><p> The security credential with which the server should authenticate keys requested by the GSS-TSIG protocol. @@ -2558,128 +2568,128 @@ badresp:1,adberr:0,findfail:0,valfail:0] The location keytab file can be overridden using the tkey-gssapi-keytab option. Normally this principal is of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>". - To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must + To use GSS-TSIG, <span class="command"><strong>tkey-domain</strong></span> must also be set if a specific keytab is not set with tkey-gssapi-keytab. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-domain</strong></span></span></dt> <dd><p> The domain appended to the names of all shared keys - generated with <span><strong class="command">TKEY</strong></span>. When a - client requests a <span><strong class="command">TKEY</strong></span> exchange, + generated with <span class="command"><strong>TKEY</strong></span>. When a + client requests a <span class="command"><strong>TKEY</strong></span> exchange, it may or may not specify the desired name for the key. If present, the name of the shared key will be <code class="varname">client specified part</code> + <code class="varname">tkey-domain</code>. Otherwise, the name of the shared key will be <code class="varname">random hex digits</code> + <code class="varname">tkey-domain</code>. - In most cases, the <span><strong class="command">domainname</strong></span> + In most cases, the <span class="command"><strong>domainname</strong></span> should be the server's domain name, or an otherwise non-existent subdomain like "_tkey.<code class="varname">domainname</code>". If you are using GSS-TSIG, this variable must be defined, unless you specify a specific keytab using tkey-gssapi-keytab. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-dhkey</strong></span></span></dt> <dd><p> The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode - of <span><strong class="command">TKEY</strong></span>. The server must be + of <span class="command"><strong>TKEY</strong></span>. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name. </p></dd> -<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>cache-file</strong></span></span></dt> <dd><p> This is for testing only. Do not use. </p></dd> -<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dump-file</strong></span></span></dt> <dd><p> The pathname of the file the server dumps the database to when instructed to do so with - <span><strong class="command">rndc dumpdb</strong></span>. + <span class="command"><strong>rndc dumpdb</strong></span>. If not specified, the default is <code class="filename">named_dump.db</code>. </p></dd> -<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>memstatistics-file</strong></span></span></dt> <dd><p> The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is <code class="filename">named.memstats</code>. </p></dd> -<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>pid-file</strong></span></span></dt> <dd><p> The pathname of the file the server writes its process ID in. If not specified, the default is <code class="filename">/var/run/named/named.pid</code>. The PID file is used by programs that want to send signals to the running - name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the + name server. Specifying <span class="command"><strong>pid-file none</strong></span> disables the use of a PID file — no file will be written and any - existing one will be removed. Note that <span><strong class="command">none</strong></span> + existing one will be removed. Note that <span class="command"><strong>none</strong></span> is a keyword, not a filename, and therefore is not enclosed in double quotes. </p></dd> -<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>recursing-file</strong></span></span></dt> <dd><p> The pathname of the file the server dumps the queries that are currently recursing when instructed - to do so with <span><strong class="command">rndc recursing</strong></span>. + to do so with <span class="command"><strong>rndc recursing</strong></span>. If not specified, the default is <code class="filename">named.recursing</code>. </p></dd> -<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>statistics-file</strong></span></span></dt> <dd><p> The pathname of the file the server appends statistics - to when instructed to do so using <span><strong class="command">rndc stats</strong></span>. + to when instructed to do so using <span class="command"><strong>rndc stats</strong></span>. If not specified, the default is <code class="filename">named.stats</code> in the server's current directory. The format of the file is described - in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. + in <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>bindkeys-file</strong></span></span></dt> <dd><p> The pathname of a file to override the built-in trusted - keys provided by <span><strong class="command">named</strong></span>. - See the discussion of <span><strong class="command">dnssec-lookaside</strong></span> - and <span><strong class="command">dnssec-validation</strong></span> for details. + keys provided by <span class="command"><strong>named</strong></span>. + See the discussion of <span class="command"><strong>dnssec-lookaside</strong></span> + and <span class="command"><strong>dnssec-validation</strong></span> for details. If not specified, the default is <code class="filename">/etc/bind.keys</code>. </p></dd> -<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>secroots-file</strong></span></span></dt> <dd><p> The pathname of the file the server dumps security roots to when instructed to do so with - <span><strong class="command">rndc secroots</strong></span>. + <span class="command"><strong>rndc secroots</strong></span>. If not specified, the default is <code class="filename">named.secroots</code>. </p></dd> -<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>session-keyfile</strong></span></span></dt> <dd><p> The pathname of the file into which to write a TSIG - session key generated by <span><strong class="command">named</strong></span> for use by - <span><strong class="command">nsupdate -l</strong></span>. If not specified, the + session key generated by <span class="command"><strong>named</strong></span> for use by + <span class="command"><strong>nsupdate -l</strong></span>. If not specified, the default is <code class="filename">/var/run/named/session.key</code>. - (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in + (See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in particular the discussion of the - <span><strong class="command">update-policy</strong></span> statement's + <span class="command"><strong>update-policy</strong></span> statement's <strong class="userinput"><code>local</code></strong> option for more information about this feature.) </p></dd> -<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>session-keyname</strong></span></span></dt> <dd><p> The key name to use for the TSIG session key. If not specified, the default is "local-ddns". </p></dd> -<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>session-keyalg</strong></span></span></dt> <dd><p> The algorithm to use for the TSIG session key. Valid values are hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512 and hmac-md5. If not specified, the default is hmac-sha256. </p></dd> -<dt><span class="term"><span><strong class="command">port</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>port</strong></span></span></dt> <dd><p> The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. @@ -2689,7 +2699,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] communicate with the global DNS. </p></dd> -<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt> <dd><p> The source of entropy to be used by the server. Entropy is primarily needed @@ -2703,20 +2713,22 @@ badresp:1,adberr:0,findfail:0,valfail:0] is <code class="filename">/dev/random</code> (or equivalent) when present, and none otherwise. The - <span><strong class="command">random-device</strong></span> option takes + <span class="command"><strong>random-device</strong></span> option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads. </p></dd> -<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt> <dd><p> If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. - The default is not to prefer any type (NONE). + The default is to prefer A records when responding + to queries that arrived via IPv4 and AAAA when + responding to queries that arrived via IPv6. </p></dd> <dt> -<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span> +<a name="root_delegation_only"></a><span class="term"><span class="command"><strong>root-delegation-only</strong></span></span> </dt> <dd> <p> @@ -2762,22 +2774,22 @@ options { }; </pre> </dd> -<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>disable-algorithms</strong></span></span></dt> <dd><p> Disable the specified DNSSEC algorithms at and below the specified name. - Multiple <span><strong class="command">disable-algorithms</strong></span> + Multiple <span class="command"><strong>disable-algorithms</strong></span> statements are allowed. Only the most specific will be applied. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt> <dd> <p> - When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the + When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest - <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC + <span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV @@ -2785,61 +2797,61 @@ options { record does) the DNSKEY RRset is deemed to be trusted. </p> <p> - If <span><strong class="command">dnssec-lookaside</strong></span> is set to + If <span class="command"><strong>dnssec-lookaside</strong></span> is set to <strong class="userinput"><code>auto</code></strong>, then built-in default values for the DLV domain and trust anchor will be used, along with a built-in key for validation. </p> <p> - If <span><strong class="command">dnssec-lookaside</strong></span> is set to + If <span class="command"><strong>dnssec-lookaside</strong></span> is set to <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside is not used. </p> <p> The default DLV key is stored in the file <code class="filename">bind.keys</code>; - <span><strong class="command">named</strong></span> will load that key at - startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to + <span class="command"><strong>named</strong></span> will load that key at + startup if <span class="command"><strong>dnssec-lookaside</strong></span> is set to <code class="constant">auto</code>. A copy of the file is installed along with <acronym class="acronym">BIND</acronym> 9, and is current as of the release date. If the DLV key expires, a new copy of <code class="filename">bind.keys</code> can be downloaded - from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>. + from <a class="link" href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>. </p> <p> (To prevent problems if <code class="filename">bind.keys</code> is not found, the current key is also compiled in to - <span><strong class="command">named</strong></span>. Relying on this is not - recommended, however, as it requires <span><strong class="command">named</strong></span> + <span class="command"><strong>named</strong></span>. Relying on this is not + recommended, however, as it requires <span class="command"><strong>named</strong></span> to be recompiled with a new key when the DLV key expires.) </p> <p> - NOTE: <span><strong class="command">named</strong></span> only loads certain specific + NOTE: <span class="command"><strong>named</strong></span> only loads certain specific keys from <code class="filename">bind.keys</code>: those for the DLV zone and for the DNS root zone. The file cannot be used to store keys for other zones. </p> </dd> -<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt> <dd><p> Specify hierarchies which must be or may not be secure (signed and validated). If <strong class="userinput"><code>yes</code></strong>, - then <span><strong class="command">named</strong></span> will only accept answers if + then <span class="command"><strong>named</strong></span> will only accept answers if they are secure. If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be under a - <span><strong class="command">trusted-keys</strong></span> or - <span><strong class="command">managed-keys</strong></span> statement, or - <span><strong class="command">dnssec-lookaside</strong></span> must be active. + <span class="command"><strong>trusted-keys</strong></span> or + <span class="command"><strong>managed-keys</strong></span> statement, or + <span class="command"><strong>dnssec-lookaside</strong></span> must be active. </p></dd> -<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt> <dd> <p> - This directive instructs <span><strong class="command">named</strong></span> to + This directive instructs <span class="command"><strong>named</strong></span> to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. It is intended to be used in conjunction with a NAT64. Each - <span><strong class="command">dns64</strong></span> defines one DNS64 prefix. + <span class="command"><strong>dns64</strong></span> defines one DNS64 prefix. Multiple DNS64 prefixes can be defined. </p> <p> @@ -2850,21 +2862,21 @@ options { Additionally a reverse IP6.ARPA zone will be created for the prefix to provide a mapping from the IP6.ARPA names to the corresponding IN-ADDR.ARPA names using synthesized - CNAMEs. <span><strong class="command">dns64-server</strong></span> and - <span><strong class="command">dns64-contact</strong></span> can be used to specify + CNAMEs. <span class="command"><strong>dns64-server</strong></span> and + <span class="command"><strong>dns64-contact</strong></span> can be used to specify the name of the server and contact for the zones. These are settable at the view / options level. These are not settable on a per-prefix basis. </p> <p> - Each <span><strong class="command">dns64</strong></span> supports an optional - <span><strong class="command">clients</strong></span> ACL that determines which + Each <span class="command"><strong>dns64</strong></span> supports an optional + <span class="command"><strong>clients</strong></span> ACL that determines which clients are affected by this directive. If not defined, it defaults to <strong class="userinput"><code>any;</code></strong>. </p> <p> - Each <span><strong class="command">dns64</strong></span> supports an optional - <span><strong class="command">mapped</strong></span> ACL that selects which + Each <span class="command"><strong>dns64</strong></span> supports an optional + <span class="command"><strong>mapped</strong></span> ACL that selects which IPv4 addresses are to be mapped in the corresponding A RRset. If not defined it defaults to <strong class="userinput"><code>any;</code></strong>. @@ -2873,15 +2885,15 @@ options { Normally, DNS64 won't apply to a domain name that owns one or more AAAA records; these records will simply be returned. The optional - <span><strong class="command">exclude</strong></span> ACL allows specification + <span class="command"><strong>exclude</strong></span> ACL allows specification of a list of IPv6 addresses that will be ignored if they appear in a domain name's AAAA records, and DNS64 will be applied to any A records the domain - name owns. If not defined, <span><strong class="command">exclude</strong></span> + name owns. If not defined, <span class="command"><strong>exclude</strong></span> defaults to none. </p> <p> - A optional <span><strong class="command">suffix</strong></span> can also + A optional <span class="command"><strong>suffix</strong></span> can also be defined to set the bits trailing the mapped IPv4 address bits. By default these bits are set to <strong class="userinput"><code>::</code></strong>. The bits @@ -2889,17 +2901,17 @@ options { must be zero. </p> <p> - If <span><strong class="command">recursive-only</strong></span> is set to - <span><strong class="command">yes</strong></span> the DNS64 synthesis will + If <span class="command"><strong>recursive-only</strong></span> is set to + <span class="command"><strong>yes</strong></span> the DNS64 synthesis will only happen for recursive queries. The default - is <span><strong class="command">no</strong></span>. + is <span class="command"><strong>no</strong></span>. </p> <p> - If <span><strong class="command">break-dnssec</strong></span> is set to - <span><strong class="command">yes</strong></span> the DNS64 synthesis will + If <span class="command"><strong>break-dnssec</strong></span> is set to + <span class="command"><strong>yes</strong></span> the DNS64 synthesis will happen even if the result, if validated, would cause a DNSSEC validation failure. If this option - is set to <span><strong class="command">no</strong></span> (the default), the DO + is set to <span class="command"><strong>no</strong></span> (the default), the DO is set on the incoming query, and there are RRSIGs on the applicable records, then synthesis will not happen. </p> @@ -2914,46 +2926,83 @@ options { }; </pre> </dd> -<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt> +<dd><p> + When a zone is configured with <span class="command"><strong>auto-dnssec + maintain;</strong></span> its key repository must be checked + periodically to see if any new keys have been added + or any existing keys' timing metadata has been updated + (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The + <span class="command"><strong>dnssec-loadkeys-interval</strong></span> option + sets the frequency of automatic repository checks, in + minutes. The default is <code class="literal">60</code> (1 hour), + the minimum is <code class="literal">1</code> (1 minute), and the + maximum is <code class="literal">1440</code> (24 hours); any higher + value is silently reduced. + </p></dd> +<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt> <dd> <p> If this option is set to its default value of <code class="literal">maintain</code> in a zone of type <code class="literal">master</code> which is DNSSEC-signed and configured to allow dynamic updates (see - <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and - if <span><strong class="command">named</strong></span> has access to the + <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and + if <span class="command"><strong>named</strong></span> has access to the private signing key(s) for the zone, then - <span><strong class="command">named</strong></span> will automatically sign all new + <span class="command"><strong>named</strong></span> will automatically sign all new or changed records and maintain signatures for the zone by regenerating RRSIG records whenever they approach their expiration date. </p> <p> If the option is changed to <code class="literal">no-resign</code>, - then <span><strong class="command">named</strong></span> will sign all new or + then <span class="command"><strong>named</strong></span> will sign all new or changed records, but scheduled maintenance of signatures is disabled. </p> <p> - With either of these settings, <span><strong class="command">named</strong></span> + With either of these settings, <span class="command"><strong>named</strong></span> will reject updates to a DNSSEC-signed zone when the signing keys are inactive or unavailable to - <span><strong class="command">named</strong></span>. (A planned third option, + <span class="command"><strong>named</strong></span>. (A planned third option, <code class="literal">external</code>, will disable all automatic signing and allow DNSSEC data to be submitted into a zone via dynamic update; this is not yet implemented.) </p> </dd> -<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt> +<dd> +<p> + Zones configured for dynamic DNS may use this + option to set the update method that will be used for + the zone serial number in the SOA record. + </p> +<p> + With the default setting of + <span class="command"><strong>serial-update-method increment;</strong></span>, the + SOA serial number will be incremented by one each time + the zone is updated. + </p> +<p> + When set to + <span class="command"><strong>serial-update-method unixtime;</strong></span>, the + SOA serial number will be set to the number of seconds + since the UNIX epoch, unless the serial number is + already greater than or equal to that value, in which + case it is simply incremented by one. + </p> +</dd> +<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>full</code></strong>, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying - <span><strong class="command">zone-statistics terse</strong></span> or - <span><strong class="command">zone-statistics none</strong></span> - in the <span><strong class="command">zone</strong></span> statement). + <span class="command"><strong>zone-statistics terse</strong></span> or + <span class="command"><strong>zone-statistics none</strong></span> + in the <span class="command"><strong>zone</strong></span> statement). The default is <strong class="userinput"><code>terse</code></strong>, providing minimal statistics on zones (including name and current serial number, but not query type @@ -2961,15 +3010,15 @@ options { </p> <p> These statistics may be accessed via the - <span><strong class="command">statistics-channel</strong></span> or - using <span><strong class="command">rndc stats</strong></span>, which + <span class="command"><strong>statistics-channel</strong></span> or + using <span class="command"><strong>rndc stats</strong></span>, which will dump them to the file listed - in the <span><strong class="command">statistics-file</strong></span>. See - also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. + in the <span class="command"><strong>statistics-file</strong></span>. See + also <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. </p> <p> For backward compatibility with earlier versions - of BIND 9, the <span><strong class="command">zone-statistics</strong></span> + of BIND 9, the <span class="command"><strong>zone-statistics</strong></span> option can also accept <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>, which have the same effect as <strong class="userinput"><code>full</code></strong> and @@ -2977,20 +3026,20 @@ options { </p> </dd> </dl></div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="boolean_options"></a>Boolean Options</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, then zones can be - added at runtime via <span><strong class="command">rndc addzone</strong></span> - or deleted via <span><strong class="command">rndc delzone</strong></span>. + added at runtime via <span class="command"><strong>rndc addzone</strong></span> + or deleted via <span class="command"><strong>rndc delzone</strong></span>. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>auth-nxdomain</strong></span></span></dt> <dd><p> - If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit + If <strong class="userinput"><code>yes</code></strong>, then the <span class="command"><strong>AA</strong></span> bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is <strong class="userinput"><code>no</code></strong>; @@ -2999,22 +3048,22 @@ options { are using very old DNS software, you may need to set it to <strong class="userinput"><code>yes</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>deallocate-on-exit</strong></span></span></dt> <dd><p> This option was used in <acronym class="acronym">BIND</acronym> 8 to enable checking for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs the checks. </p></dd> -<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>memstatistics</strong></span></span></dt> <dd><p> Write memory statistics to the file specified by - <span><strong class="command">memstatistics-file</strong></span> at exit. + <span class="command"><strong>memstatistics-file</strong></span> at exit. The default is <strong class="userinput"><code>no</code></strong> unless '-m record' is specified on the command line in which case it is <strong class="userinput"><code>yes</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>yes</code></strong>, then the @@ -3026,16 +3075,16 @@ options { according to zone type and concentrates the zone maintenance so that it all - happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and + happens in a short interval, once every <span class="command"><strong>heartbeat-interval</strong></span> and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>. </p> <p> - The <span><strong class="command">dialup</strong></span> option - may also be specified in the <span><strong class="command">view</strong></span> and - <span><strong class="command">zone</strong></span> statements, - in which case it overrides the global <span><strong class="command">dialup</strong></span> + The <span class="command"><strong>dialup</strong></span> option + may also be specified in the <span class="command"><strong>view</strong></span> and + <span class="command"><strong>zone</strong></span> statements, + in which case it overrides the global <span class="command"><strong>dialup</strong></span> option. </p> <p> @@ -3048,7 +3097,7 @@ options { to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by - <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>. + <span class="command"><strong>notify</strong></span> and <span class="command"><strong>also-notify</strong></span>. </p> <p> If the @@ -3056,7 +3105,7 @@ options { the regular "zone up to date" (refresh) queries and only perform them when the - <span><strong class="command">heartbeat-interval</strong></span> expires in + <span class="command"><strong>heartbeat-interval</strong></span> expires in addition to sending NOTIFY requests. </p> @@ -3069,7 +3118,7 @@ options { suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong> which suppresses normal refresh processing and sends refresh queries - when the <span><strong class="command">heartbeat-interval</strong></span> + when the <span class="command"><strong>heartbeat-interval</strong></span> expires, and <strong class="userinput"><code>passive</code></strong> which just disables normal refresh @@ -3077,10 +3126,10 @@ options { </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> -<col> +<col width="1.150in" class="1"> +<col width="1.150in" class="2"> +<col width="1.150in" class="3"> +<col width="1.150in" class="4"> </colgroup> <tbody> <tr> @@ -3107,7 +3156,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">no</strong></span> (default)</p> + <p><span class="command"><strong>no</strong></span> (default)</p> </td> <td> <p> @@ -3127,7 +3176,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">yes</strong></span></p> + <p><span class="command"><strong>yes</strong></span></p> </td> <td> <p> @@ -3147,7 +3196,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">notify</strong></span></p> + <p><span class="command"><strong>notify</strong></span></p> </td> <td> <p> @@ -3167,7 +3216,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">refresh</strong></span></p> + <p><span class="command"><strong>refresh</strong></span></p> </td> <td> <p> @@ -3187,7 +3236,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">passive</strong></span></p> + <p><span class="command"><strong>passive</strong></span></p> </td> <td> <p> @@ -3207,7 +3256,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">notify-passive</strong></span></p> + <p><span class="command"><strong>notify-passive</strong></span></p> </td> <td> <p> @@ -3229,17 +3278,17 @@ options { </table></div> <p> Note that normal NOTIFY processing is not affected by - <span><strong class="command">dialup</strong></span>. + <span class="command"><strong>dialup</strong></span>. </p> </dd> -<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>fake-iquery</strong></span></span></dt> <dd><p> In <acronym class="acronym">BIND</acronym> 8, this option enabled simulating the obsolete DNS query type IQUERY. <acronym class="acronym">BIND</acronym> 9 never does IQUERY simulation. </p></dd> -<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt> <dd><p> This option is obsolete. In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong> @@ -3250,31 +3299,31 @@ options { idea and BIND 9 never does it. </p></dd> -<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>flush-zones-on-shutdown</strong></span></span></dt> <dd><p> When the nameserver exits due receiving SIGTERM, flush or do not flush any pending zone writes. The default is - <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. + <span class="command"><strong>flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt> <dd><p> This option was incorrectly implemented in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9. To achieve the intended effect of - <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify - the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> - and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. + <span class="command"><strong>has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify + the two separate options <span class="command"><strong>auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> + and <span class="command"><strong>rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. </p></dd> -<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>host-statistics</strong></span></span></dt> <dd><p> In BIND 8, this enables keeping of statistics for every host that the name server interacts with. Not implemented in BIND 9. </p></dd> -<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete</em></span>. It was used in <acronym class="acronym">BIND</acronym> 8 to @@ -3282,9 +3331,9 @@ options { kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone - transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. + transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, then when generating responses the server will only add records to the authority @@ -3293,7 +3342,7 @@ options { performance of the server. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>multiple-cnames</strong></span></span></dt> <dd><p> This option was used in <acronym class="acronym">BIND</acronym> 8 to allow a domain name to have multiple CNAME records in violation of @@ -3301,18 +3350,18 @@ options { always strictly enforces the CNAME rules both in master files and dynamic updates. </p></dd> -<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>yes</code></strong> (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for - changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are + changes, see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the - <span><strong class="command">also-notify</strong></span> option. + <span class="command"><strong>also-notify</strong></span> option. </p> <p> If <strong class="userinput"><code>master-only</code></strong>, notifies are only @@ -3320,20 +3369,20 @@ options { for master zones. If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to - servers explicitly listed using <span><strong class="command">also-notify</strong></span>. + servers explicitly listed using <span class="command"><strong>also-notify</strong></span>. If <strong class="userinput"><code>no</code></strong>, no notifies are sent. </p> <p> - The <span><strong class="command">notify</strong></span> option may also be - specified in the <span><strong class="command">zone</strong></span> + The <span class="command"><strong>notify</strong></span> option may also be + specified in the <span class="command"><strong>zone</strong></span> statement, - in which case it overrides the <span><strong class="command">options notify</strong></span> statement. + in which case it overrides the <span class="command"><strong>options notify</strong></span> statement. It would only be necessary to turn off this option if it caused slaves to crash. </p> </dd> -<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong> do not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY @@ -3344,7 +3393,7 @@ options { want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset. </p></dd> -<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>recursion</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, and a DNS query requests recursion, then the server will attempt @@ -3355,26 +3404,25 @@ options { return a referral response. The default is <strong class="userinput"><code>yes</code></strong>. - Note that setting <span><strong class="command">recursion no</strong></span> does not prevent + Note that setting <span class="command"><strong>recursion no</strong></span> does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. - See also <span><strong class="command">fetch-glue</strong></span> above. </p></dd> -<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>request-nsid</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in - the <span><strong class="command">resolver</strong></span> category at level - <span><strong class="command">info</strong></span>. + the <span class="command"><strong>resolver</strong></span> category at level + <span class="command"><strong>info</strong></span>. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>rfc2308-type1</strong></span></span></dt> <dd> <p> Setting this to <strong class="userinput"><code>yes</code></strong> will @@ -3390,55 +3438,52 @@ options { </p> </div> </dd> -<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-id-pool</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete</em></span>. <acronym class="acronym">BIND</acronym> 9 always allocates query IDs from a pool. </p></dd> -<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-ixfr</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete</em></span>. If you need to disable IXFR to a particular server or servers, see - the information on the <span><strong class="command">provide-ixfr</strong></span> option - in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + the information on the <span class="command"><strong>provide-ixfr</strong></span> option + in <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and Usage”</a>. See also - <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. + <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>provide-ixfr</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">provide-ixfr</strong></span> in - <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + <span class="command"><strong>provide-ixfr</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>request-ixfr</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">request-ixfr</strong></span> in - <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + <span class="command"><strong>request-ixfr</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>treat-cr-as-space</strong></span></span></dt> <dd><p> This option was used in <acronym class="acronym">BIND</acronym> 8 to make - the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way + the server treat carriage return ("<span class="command"><strong>\r</strong></span>") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated - on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>" - and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines + on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span class="command"><strong>\n</strong></span>" + and NT/DOS "<span class="command"><strong>\r\n</strong></span>" newlines are always accepted, and the option is ignored. </p></dd> <dt> -<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span> +<span class="term"><span class="command"><strong>additional-from-auth</strong></span>, </span><span class="term"><span class="command"><strong>additional-from-cache</strong></span></span> </dt> <dd> <p> @@ -3473,7 +3518,7 @@ options { and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well, if known, even though they are not in the example.com zone. - Setting these options to <span><strong class="command">no</strong></span> + Setting these options to <span class="command"><strong>no</strong></span> disables this behavior and makes the server only search for additional data in the zone it answers from. @@ -3481,14 +3526,14 @@ options { <p> These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set - them to <span><strong class="command">no</strong></span> without also + them to <span class="command"><strong>no</strong></span> without also specifying - <span><strong class="command">recursion no</strong></span> will cause the + <span class="command"><strong>recursion no</strong></span> will cause the server to ignore the options and log a warning message. </p> <p> - Specifying <span><strong class="command">additional-from-cache no</strong></span> actually + Specifying <span class="command"><strong>additional-from-cache no</strong></span> actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the @@ -3508,7 +3553,7 @@ options { upwards referral comes from the cache, the server will not be able to provide upwards - referrals when <span><strong class="command">additional-from-cache no</strong></span> + referrals when <span class="command"><strong>additional-from-cache no</strong></span> has been specified. Instead, it will respond to such queries with REFUSED. This should not cause any problems since @@ -3516,7 +3561,7 @@ options { process. </p> </dd> -<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>yes</code></strong>, then an @@ -3529,11 +3574,11 @@ options { connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address match lists designed for IPv4 to fail to match. However, - <span><strong class="command">named</strong></span> now solves this problem + <span class="command"><strong>named</strong></span> now solves this problem internally. The use of this option is discouraged. </p> </dd> -<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt> <dd> <p> This option is only available when @@ -3544,14 +3589,14 @@ options { to DNS clients unless they have connections to the IPv6 Internet. This is not recommended unless absolutely necessary. The default is <strong class="userinput"><code>no</code></strong>. - The <span><strong class="command">filter-aaaa-on-v4</strong></span> option - may also be specified in <span><strong class="command">view</strong></span> statements - to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span> + The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option + may also be specified in <span class="command"><strong>view</strong></span> statements + to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span> option. </p> <p> If <strong class="userinput"><code>yes</code></strong>, - the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>, + the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>, and if the response does not include DNSSEC signatures, then all AAAA records are deleted from the response. This filtering applies to all responses and not only @@ -3584,7 +3629,7 @@ options { answer requests for AAAA records received via IPv4. </p> </dd> -<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt> <dd> <p> When <strong class="userinput"><code>yes</code></strong> and the server loads a new @@ -3608,40 +3653,80 @@ options { temporarily allocate memory to hold this complete difference set. </p> -<p><span><strong class="command">ixfr-from-differences</strong></span> - also accepts <span><strong class="command">master</strong></span> and - <span><strong class="command">slave</strong></span> at the view and options +<p><span class="command"><strong>ixfr-from-differences</strong></span> + also accepts <span class="command"><strong>master</strong></span> and + <span class="command"><strong>slave</strong></span> at the view and options levels which causes - <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for - all <span><strong class="command">master</strong></span> or - <span><strong class="command">slave</strong></span> zones respectively. + <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for + all <span class="command"><strong>master</strong></span> or + <span class="command"><strong>slave</strong></span> zones respectively. It is off by default. </p> </dd> -<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt> <dd><p> This should be set when you have multiple masters for a zone and the - addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will + addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> will not log - when the serial number on the master is less than what <span><strong class="command">named</strong></span> + when the serial number on the master is less than what <span class="command"><strong>named</strong></span> currently has. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt> +<dd> +<p> + Zones configured for dynamic DNS may use this + option to allow varying levels of automatic DNSSEC key + management. There are three possible settings: + </p> +<p> + <span class="command"><strong>auto-dnssec allow;</strong></span> permits + keys to be updated and the zone fully re-signed + whenever the user issues the command <span class="command"><strong>rndc sign + <em class="replaceable"><code>zonename</code></em></strong></span>. + </p> +<p> + <span class="command"><strong>auto-dnssec maintain;</strong></span> includes the + above, but also automatically adjusts the zone's DNSSEC + keys on schedule, according to the keys' timing metadata + (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command + <span class="command"><strong>rndc sign + <em class="replaceable"><code>zonename</code></em></strong></span> causes + <span class="command"><strong>named</strong></span> to load keys from the key + repository and sign the zone with all keys that are + active. + <span class="command"><strong>rndc loadkeys + <em class="replaceable"><code>zonename</code></em></strong></span> causes + <span class="command"><strong>named</strong></span> to load keys from the key + repository and schedule key maintenance events to occur + in the future, but it does not sign the full zone + immediately. Note: once keys have been loaded for a + zone the first time, the repository will be searched + for changes periodically, regardless of whether + <span class="command"><strong>rndc loadkeys</strong></span> is used. The recheck + interval is defined by + <span class="command"><strong>dnssec-loadkeys-interval</strong></span>.) + </p> +<p> + The default setting is <span class="command"><strong>auto-dnssec off</strong></span>. + </p> +</dd> +<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt> <dd><p> This indicates whether DNSSEC-related resource - records are to be returned by <span><strong class="command">named</strong></span>. + records are to be returned by <span class="command"><strong>named</strong></span>. If set to <strong class="userinput"><code>no</code></strong>, - <span><strong class="command">named</strong></span> will not return DNSSEC-related + <span class="command"><strong>named</strong></span> will not return DNSSEC-related resource records unless specifically queried for. The default is <strong class="userinput"><code>yes</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt> <dd> <p> - Enable DNSSEC validation in <span><strong class="command">named</strong></span>. - Note <span><strong class="command">dnssec-enable</strong></span> also needs to be + Enable DNSSEC validation in <span class="command"><strong>named</strong></span>. + Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be set to <strong class="userinput"><code>yes</code></strong> to be effective. If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation is disabled. If set to <strong class="userinput"><code>auto</code></strong>, @@ -3649,8 +3734,8 @@ options { trust-anchor for the DNS root zone is used. If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled, but a trust anchor must be manually configured using - a <span><strong class="command">trusted-keys</strong></span> or - <span><strong class="command">managed-keys</strong></span> statement. The default + a <span class="command"><strong>trusted-keys</strong></span> or + <span class="command"><strong>managed-keys</strong></span> statement. The default is <strong class="userinput"><code>yes</code></strong>. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -3659,27 +3744,27 @@ options { Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if - <span><strong class="command">dnssec-validation</strong></span> is off. + <span class="command"><strong>dnssec-validation</strong></span> is off. </p> </div> </dd> -<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-accept-expired</strong></span></span></dt> <dd><p> Accept expired signatures when verifying DNSSEC signatures. The default is <strong class="userinput"><code>no</code></strong>. Setting this option to <strong class="userinput"><code>yes</code></strong> - leaves <span><strong class="command">named</strong></span> vulnerable to + leaves <span class="command"><strong>named</strong></span> vulnerable to replay attacks. </p></dd> -<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt> <dd><p> - Specify whether query logging should be started when <span><strong class="command">named</strong></span> + Specify whether query logging should be started when <span class="command"><strong>named</strong></span> starts. - If <span><strong class="command">querylog</strong></span> is not specified, + If <span class="command"><strong>querylog</strong></span> is not specified, then the query logging - is determined by the presence of the logging category <span><strong class="command">queries</strong></span>. + is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt> <dd> <p> This option is used to restrict the character set and syntax @@ -3688,17 +3773,17 @@ options { received from the network. The default varies according to usage area. For - <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. - For <span><strong class="command">slave</strong></span> zones the default - is <span><strong class="command">warn</strong></span>. - For answers received from the network (<span><strong class="command">response</strong></span>) - the default is <span><strong class="command">ignore</strong></span>. + <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>. + For <span class="command"><strong>slave</strong></span> zones the default + is <span class="command"><strong>warn</strong></span>. + For answers received from the network (<span class="command"><strong>response</strong></span>) + the default is <span class="command"><strong>ignore</strong></span>. </p> <p> The rules for legal hostnames and mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123. </p> -<p><span><strong class="command">check-names</strong></span> +<p><span class="command"><strong>check-names</strong></span> applies to the owner names of A, AAAA and MX records. It also applies to the domain names in the RDATA of NS, SOA, MX, and SRV records. @@ -3707,32 +3792,32 @@ options { (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). </p> </dd> -<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-dup-records</strong></span></span></dt> <dd><p> Check master zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. The - default is to <span><strong class="command">warn</strong></span>. Other possible - values are <span><strong class="command">fail</strong></span> and - <span><strong class="command">ignore</strong></span>. + default is to <span class="command"><strong>warn</strong></span>. Other possible + values are <span class="command"><strong>fail</strong></span> and + <span class="command"><strong>ignore</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt> <dd><p> Check whether the MX record appears to refer to a IP address. - The default is to <span><strong class="command">warn</strong></span>. Other possible - values are <span><strong class="command">fail</strong></span> and - <span><strong class="command">ignore</strong></span>. + The default is to <span class="command"><strong>warn</strong></span>. Other possible + values are <span class="command"><strong>fail</strong></span> and + <span class="command"><strong>ignore</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt> <dd><p> This option is used to check for non-terminal wildcards. The use of non-terminal wildcards is almost always as a result of a failure to understand the wildcard matching algorithm (RFC 1034). This option - affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check + affects master zones. The default (<span class="command"><strong>yes</strong></span>) is to check for non-terminal wildcards and issue a warning. </p></dd> -<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt> <dd> <p> Perform post load zone integrity checks on master @@ -3741,11 +3826,11 @@ options { address records exist for delegated zones. For MX and SRV records only in-zone hostnames are checked (for out-of-zone hostnames use - <span><strong class="command">named-checkzone</strong></span>). + <span class="command"><strong>named-checkzone</strong></span>). For NS records only names below top of zone are checked (for out-of-zone names and glue consistency - checks use <span><strong class="command">named-checkzone</strong></span>). - The default is <span><strong class="command">yes</strong></span>. + checks use <span class="command"><strong>named-checkzone</strong></span>). + The default is <span class="command"><strong>yes</strong></span>. </p> <p> The use of the SPF record for publishing Sender @@ -3755,48 +3840,48 @@ options { Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with - <span><strong class="command">check-spf</strong></span>. + <span class="command"><strong>check-spf</strong></span>. </p> </dd> -<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-mx-cname</strong></span></span></dt> <dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then + If <span class="command"><strong>check-integrity</strong></span> is set then fail, warn or ignore MX records that refer - to CNAMES. The default is to <span><strong class="command">warn</strong></span>. + to CNAMES. The default is to <span class="command"><strong>warn</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-srv-cname</strong></span></span></dt> <dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then + If <span class="command"><strong>check-integrity</strong></span> is set then fail, warn or ignore SRV records that refer - to CNAMES. The default is to <span><strong class="command">warn</strong></span>. + to CNAMES. The default is to <span class="command"><strong>warn</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt> <dd><p> When performing integrity checks, also check that - sibling glue exists. The default is <span><strong class="command">yes</strong></span>. + sibling glue exists. The default is <span class="command"><strong>yes</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt> <dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then + If <span class="command"><strong>check-integrity</strong></span> is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is - <span><strong class="command">warn</strong></span>. + <span class="command"><strong>warn</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt> <dd><p> When returning authoritative negative responses to SOA queries set the TTL of the SOA record returned in the authority section to zero. - The default is <span><strong class="command">yes</strong></span>. + The default is <span class="command"><strong>yes</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl-cache</strong></span></span></dt> <dd><p> When caching a negative response to a SOA query set the TTL to zero. - The default is <span><strong class="command">no</strong></span>. + The default is <span class="command"><strong>no</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt> <dd> <p> When set to the default value of <code class="literal">yes</code>, @@ -3811,7 +3896,7 @@ options { However, if this option is set to <code class="literal">no</code>, then the KSK bit is ignored; KSKs are treated as if they were ZSKs and are used to sign the entire zone. This is - similar to the <span><strong class="command">dnssec-signzone -z</strong></span> + similar to the <span class="command"><strong>dnssec-signzone -z</strong></span> command line option. </p> <p> @@ -3823,52 +3908,37 @@ options { for that algorithm. </p> </dd> -<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt> <dd> <p> - When this option and <span><strong class="command">update-check-ksk</strong></span> + When this option and <span class="command"><strong>update-check-ksk</strong></span> are both set to <code class="literal">yes</code>, only key-signing keys (that is, keys with the KSK bit set) will be used to sign the DNSKEY RRset at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset. This is similar to the - <span><strong class="command">dnssec-signzone -x</strong></span> command line option. + <span class="command"><strong>dnssec-signzone -x</strong></span> command line option. </p> <p> - The default is <span><strong class="command">no</strong></span>. If - <span><strong class="command">update-check-ksk</strong></span> is set to + The default is <span class="command"><strong>no</strong></span>. If + <span class="command"><strong>update-check-ksk</strong></span> is set to <code class="literal">no</code>, this option is ignored. </p> </dd> -<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt> -<dd><p> - When a zone is configured with <span><strong class="command">auto-dnssec - maintain;</strong></span> its key repository must be checked - periodically to see if any new keys have been added - or any existing keys' timing metadata has been updated - (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and - <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The - <span><strong class="command">dnssec-loadkeys-interval</strong></span> option - sets the frequency of automatic repository checks, in - minutes. The default is <code class="literal">60</code> (1 hour), - the minimum is <code class="literal">1</code> (1 minute), and the - maximum is <code class="literal">1440</code> (24 hours); any higher - value is silently reduced. - </p></dd> -<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt> <dd><p> Try to refresh the zone using TCP if UDP queries fail. For BIND 8 compatibility, the default is - <span><strong class="command">yes</strong></span>. + <span class="command"><strong>yes</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt> <dd> <p> Allow a dynamic zone to transition from secure to insecure (i.e., signed to unsigned) by deleting all - of the DNSKEY records. The default is <span><strong class="command">no</strong></span>. - If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset + of the DNSKEY records. The default is <span class="command"><strong>no</strong></span>. + If set to <span class="command"><strong>yes</strong></span>, and if the DNSKEY RRset at the zone apex is deleted, all RRSIG and NSEC records will be removed from the zone as well. </p> @@ -3881,17 +3951,17 @@ options { </p> <p> Note that if a zone has been configured with - <span><strong class="command">auto-dnssec maintain</strong></span> and the + <span class="command"><strong>auto-dnssec maintain</strong></span> and the private keys remain accessible in the key repository, then the zone will be automatically signed again the - next time <span><strong class="command">named</strong></span> is started. + next time <span class="command"><strong>named</strong></span> is started. </p> </dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583480"></a>Forwarding</h4></div></div></div> +<a name="forwarding"></a>Forwarding</h4></div></div></div> <p> The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3902,8 +3972,8 @@ options { the server is not authoritative and does not have the answer in its cache. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt> <dd><p> This option is only meaningful if the forwarders list is not empty. A value of <code class="varname">first</code>, @@ -3915,7 +3985,7 @@ options { specified, the server will only query the forwarders. </p></dd> -<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt> <dd><p> Specifies the IP addresses to be used for forwarding. The default is the empty list (no @@ -3927,15 +3997,14 @@ options { for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, - or have a different <span><strong class="command">forward only/first</strong></span> behavior, - or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone - Statement Grammar">the section called “<span><strong class="command">zone</strong></span> + or have a different <span class="command"><strong>forward only/first</strong></span> behavior, + or not forward at all, see <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called “<span class="command"><strong>zone</strong></span> Statement Grammar”</a>. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583607"></a>Dual-stack Servers</h4></div></div></div> +<a name="dual_stack"></a>Dual-stack Servers</h4></div></div></div> <p> Dual-stack servers are used as servers of last resort to work around @@ -3943,64 +4012,64 @@ options { or IPv6 on the host machine. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>dual-stack-servers</strong></span></span></dt> <dd><p> Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual - stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless + stacked, then the <span class="command"><strong>dual-stack-servers</strong></span> have no effect unless access to a transport has been disabled on the command line - (e.g. <span><strong class="command">named -4</strong></span>). + (e.g. <span class="command"><strong>named -4</strong></span>). </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="access_control"></a>Access Control</h4></div></div></div> <p> Access to the server can be restricted based on the IP address - of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for + of the requesting system. See <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for details on how to specify IP address lists. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. - <span><strong class="command">allow-notify</strong></span> may also be + <span class="command"><strong>allow-notify</strong></span> may also be specified in the - <span><strong class="command">zone</strong></span> statement, in which case + <span class="command"><strong>zone</strong></span> statement, in which case it overrides the - <span><strong class="command">options allow-notify</strong></span> + <span class="command"><strong>options allow-notify</strong></span> statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt> <dd> <p> Specifies which hosts are allowed to ask ordinary - DNS questions. <span><strong class="command">allow-query</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> + DNS questions. <span class="command"><strong>allow-query</strong></span> may + also be specified in the <span class="command"><strong>zone</strong></span> statement, in which case it overrides the - <span><strong class="command">options allow-query</strong></span> statement. + <span class="command"><strong>options allow-query</strong></span> statement. If not specified, the default is to allow queries from all hosts. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - <span><strong class="command">allow-query-cache</strong></span> is now + <span class="command"><strong>allow-query-cache</strong></span> is now used to specify access to the cache. </p> </div> </dd> -<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt> <dd> <p> Specifies which local addresses can accept ordinary @@ -4010,16 +4079,16 @@ options { necessarily knowing the internal network's addresses. </p> <p> - Note that <span><strong class="command">allow-query-on</strong></span> is only + Note that <span class="command"><strong>allow-query-on</strong></span> is only checked for queries that are permitted by - <span><strong class="command">allow-query</strong></span>. A query must be + <span class="command"><strong>allow-query</strong></span>. A query must be allowed by both ACLs, or it will be refused. </p> <p> - <span><strong class="command">allow-query-on</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> + <span class="command"><strong>allow-query-on</strong></span> may + also be specified in the <span class="command"><strong>zone</strong></span> statement, in which case it overrides the - <span><strong class="command">options allow-query-on</strong></span> statement. + <span class="command"><strong>options allow-query-on</strong></span> statement. </p> <p> If not specified, the default is to allow queries @@ -4028,57 +4097,57 @@ options { <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - <span><strong class="command">allow-query-cache</strong></span> is + <span class="command"><strong>allow-query-cache</strong></span> is used to specify access to the cache. </p> </div> </dd> -<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-cache</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to get answers - from the cache. If <span><strong class="command">allow-query-cache</strong></span> - is not set then <span><strong class="command">allow-recursion</strong></span> - is used if set, otherwise <span><strong class="command">allow-query</strong></span> - is used if set unless <span><strong class="command">recursion no;</strong></span> is - set in which case <span><strong class="command">none;</strong></span> is used, - otherwise the default (<span><strong class="command">localnets;</strong></span> - <span><strong class="command">localhost;</strong></span>) is used. + from the cache. If <span class="command"><strong>allow-query-cache</strong></span> + is not set then <span class="command"><strong>allow-recursion</strong></span> + is used if set, otherwise <span class="command"><strong>allow-query</strong></span> + is used if set unless <span class="command"><strong>recursion no;</strong></span> is + set in which case <span class="command"><strong>none;</strong></span> is used, + otherwise the default (<span class="command"><strong>localnets;</strong></span> + <span class="command"><strong>localhost;</strong></span>) is used. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt> <dd><p> Specifies which local addresses can give answers from the cache. If not specified, the default is to allow cache queries on any address, - <span><strong class="command">localnets</strong></span> and - <span><strong class="command">localhost</strong></span>. + <span class="command"><strong>localnets</strong></span> and + <span class="command"><strong>localhost</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to make recursive queries through this server. If - <span><strong class="command">allow-recursion</strong></span> is not set - then <span><strong class="command">allow-query-cache</strong></span> is - used if set, otherwise <span><strong class="command">allow-query</strong></span> + <span class="command"><strong>allow-recursion</strong></span> is not set + then <span class="command"><strong>allow-query-cache</strong></span> is + used if set, otherwise <span class="command"><strong>allow-query</strong></span> is used if set, otherwise the default - (<span><strong class="command">localnets;</strong></span> - <span><strong class="command">localhost;</strong></span>) is used. + (<span class="command"><strong>localnets;</strong></span> + <span class="command"><strong>localhost;</strong></span>) is used. </p></dd> -<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-recursion-on</strong></span></span></dt> <dd><p> Specifies which local addresses can accept recursive queries. If not specified, the default is to allow recursive queries on all addresses. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see - <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. + <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt> <dd> <p> Specifies which hosts are allowed to @@ -4102,11 +4171,11 @@ options { server may expose master servers relying on insecure IP address based - access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> + access control to attacks; see <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for more details. </p> </dd> -<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt> <dd><p> This option was introduced for the smooth transition from AAAA @@ -4116,17 +4185,17 @@ options { this option was also deprecated. It is now ignored with some warning messages. </p></dd> -<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to - receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> + receive zone transfers from the server. <span class="command"><strong>allow-transfer</strong></span> may + also be specified in the <span class="command"><strong>zone</strong></span> statement, in which - case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement. + case it overrides the <span class="command"><strong>options allow-transfer</strong></span> statement. If not specified, the default is to allow transfers to all hosts. </p></dd> -<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>blackhole</strong></span></span></dt> <dd><p> Specifies a list of addresses that the server will not accept queries from or use to resolve a @@ -4134,25 +4203,25 @@ options { from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt> <dd><p> Specifies a list of addresses to which - <span><strong class="command">filter-aaaa-on-v4</strong></span> + <span class="command"><strong>filter-aaaa-on-v4</strong></span> is applies. The default is <strong class="userinput"><code>any</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">no-case-compress</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>no-case-compress</strong></span></span></dt> <dd> <p> Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be - used when <span><strong class="command">named</strong></span> needs to work with + used when <span class="command"><strong>named</strong></span> needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names. </p> <p> If left undefined, the ACL defaults to - <span><strong class="command">none</strong></span>: case-insensitive compression + <span class="command"><strong>none</strong></span>: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that @@ -4176,7 +4245,7 @@ options { the client matches this ACL. </p> <p> - There are circumstances in which <span><strong class="command">named</strong></span> + There are circumstances in which <span class="command"><strong>named</strong></span> will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is @@ -4191,7 +4260,7 @@ options { ACL. </p> </dd> -<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>resolver-query-timeout</strong></span></span></dt> <dd><p> The amount of time the resolver will spend attempting to resolve a recursive query before failing. The default @@ -4201,12 +4270,12 @@ options { </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2584281"></a>Interfaces</h4></div></div></div> +<a name="interfaces"></a>Interfaces</h4></div></div></div> <p> The interfaces and ports that the server will answer queries - from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes + from may be specified using the <span class="command"><strong>listen-on</strong></span> option. <span class="command"><strong>listen-on</strong></span> takes an optional port and an <code class="varname">address_match_list</code> of IPv4 addresses. (IPv6 addresses are ignored, with a logged warning.) @@ -4214,7 +4283,7 @@ options { match list. If a port is not specified, port 53 will be used. </p> <p> - Multiple <span><strong class="command">listen-on</strong></span> statements are + Multiple <span class="command"><strong>listen-on</strong></span> statements are allowed. For example, </p> @@ -4227,11 +4296,11 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; 1.2 that is not 1.2.3.4. </p> <p> - If no <span><strong class="command">listen-on</strong></span> is specified, the + If no <span class="command"><strong>listen-on</strong></span> is specified, the server will listen on port 53 on all IPv4 interfaces. </p> <p> - The <span><strong class="command">listen-on-v6</strong></span> option is used to + The <span class="command"><strong>listen-on-v6</strong></span> option is used to specify the interfaces and the ports on which the server will listen for incoming queries sent using IPv6. @@ -4242,7 +4311,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; <p> is specified as the <code class="varname">address_match_list</code> for the - <span><strong class="command">listen-on-v6</strong></span> option, + <span class="command"><strong>listen-on-v6</strong></span> option, the server does not bind a separate socket to each IPv6 interface address as it does for IPv4 if the operating system has enough API support for IPv6 (specifically if it conforms to RFC 3493 and RFC @@ -4257,11 +4326,11 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; the server listens on a separate socket for each specified address, regardless of whether the desired API is supported by the system. - IPv4 addresses specified in <span><strong class="command">listen-on-v6</strong></span> + IPv4 addresses specified in <span class="command"><strong>listen-on-v6</strong></span> will be ignored, with a logged warning. </p> <p> - Multiple <span><strong class="command">listen-on-v6</strong></span> options can + Multiple <span class="command"><strong>listen-on-v6</strong></span> options can be used. For example, </p> @@ -4280,52 +4349,52 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; }; <pre class="programlisting">listen-on-v6 { none; }; </pre> <p> - If no <span><strong class="command">listen-on-v6</strong></span> option is + If no <span class="command"><strong>listen-on-v6</strong></span> option is specified, the server will not listen on any IPv6 address - unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is - invoked. If <span><strong class="command">-6</strong></span> is specified then - <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default. + unless <span class="command"><strong>-6</strong></span> is specified when <span class="command"><strong>named</strong></span> is + invoked. If <span class="command"><strong>-6</strong></span> is specified then + <span class="command"><strong>named</strong></span> will listen on port 53 on all IPv6 interfaces by default. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="query_address"></a>Query Address</h4></div></div></div> <p> If the server doesn't know the answer to a question, it will - query other name servers. <span><strong class="command">query-source</strong></span> specifies + query other name servers. <span class="command"><strong>query-source</strong></span> specifies the address and port used for such queries. For queries sent over - IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option. - If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted, - a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) + IPv6, there is a separate <span class="command"><strong>query-source-v6</strong></span> option. + If <span class="command"><strong>address</strong></span> is <span class="command"><strong>*</strong></span> (asterisk) or is omitted, + a wildcard IP address (<span class="command"><strong>INADDR_ANY</strong></span>) will be used. </p> <p> - If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted, + If <span class="command"><strong>port</strong></span> is <span class="command"><strong>*</strong></span> or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in - the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4) - and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6) + the <span class="command"><strong>use-v4-udp-ports</strong></span> (for IPv4) + and <span class="command"><strong>use-v6-udp-ports</strong></span> (for IPv6) options, excluding the ranges specified in - the <span><strong class="command">avoid-v4-udp-ports</strong></span> - and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively. + the <span class="command"><strong>avoid-v4-udp-ports</strong></span> + and <span class="command"><strong>avoid-v6-udp-ports</strong></span> options, respectively. </p> <p> - The defaults of the <span><strong class="command">query-source</strong></span> and - <span><strong class="command">query-source-v6</strong></span> options + The defaults of the <span class="command"><strong>query-source</strong></span> and + <span class="command"><strong>query-source-v6</strong></span> options are: </p> <pre class="programlisting">query-source address * port *; query-source-v6 address * port *; </pre> <p> - If <span><strong class="command">use-v4-udp-ports</strong></span> or - <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified, - <span><strong class="command">named</strong></span> will check if the operating + If <span class="command"><strong>use-v4-udp-ports</strong></span> or + <span class="command"><strong>use-v6-udp-ports</strong></span> is unspecified, + <span class="command"><strong>named</strong></span> will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, - <span><strong class="command">named</strong></span> will use the corresponding system + <span class="command"><strong>named</strong></span> will use the corresponding system default range; otherwise, it will use its own defaults: </p> <pre class="programlisting">use-v4-udp-ports { range 1024 65535; }; @@ -4338,20 +4407,20 @@ use-v6-udp-ports { range 1024 65535; }; (14 bits of entropy). Note also that the system's default range when used may be too small for this purpose, and that the range may even be - changed while <span><strong class="command">named</strong></span> is running; the new - range will automatically be applied when <span><strong class="command">named</strong></span> + changed while <span class="command"><strong>named</strong></span> is running; the new + range will automatically be applied when <span class="command"><strong>named</strong></span> is reloaded. It is encouraged to - configure <span><strong class="command">use-v4-udp-ports</strong></span> and - <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the + configure <span class="command"><strong>use-v4-udp-ports</strong></span> and + <span class="command"><strong>use-v6-udp-ports</strong></span> explicitly so that the ranges are sufficiently large and are reasonably independent from the ranges used by other applications. </p> <p> Note: the operational configuration - where <span><strong class="command">named</strong></span> runs may prohibit the use + where <span class="command"><strong>named</strong></span> runs may prohibit the use of some ports. For example, UNIX systems will not allow - <span><strong class="command">named</strong></span> running without a root privilege + <span class="command"><strong>named</strong></span> running without a root privilege to use ports less than 1024. If such ports are included in the specified (or detected) set of query ports, the corresponding query attempts will @@ -4360,8 +4429,8 @@ use-v6-udp-ports { range 1024 65535; }; that can be safely used in the expected operational environment. </p> <p> - The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and - <span><strong class="command">avoid-v6-udp-ports</strong></span> options + The defaults of the <span class="command"><strong>avoid-v4-udp-ports</strong></span> and + <span class="command"><strong>avoid-v6-udp-ports</strong></span> options are: </p> <pre class="programlisting">avoid-v4-udp-ports {}; @@ -4369,26 +4438,26 @@ avoid-v6-udp-ports {}; </pre> <p> Note: BIND 9.5.0 introduced - the <span><strong class="command">use-queryport-pool</strong></span> + the <span class="command"><strong>use-queryport-pool</strong></span> option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. For the same reason, it is generally strongly discouraged to specify a particular port for the - <span><strong class="command">query-source</strong></span> or - <span><strong class="command">query-source-v6</strong></span> options; + <span class="command"><strong>query-source</strong></span> or + <span class="command"><strong>query-source-v6</strong></span> options; it implicitly disables the use of randomized port numbers. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>use-queryport-pool</strong></span></span></dt> <dd><p> This option is obsolete. </p></dd> -<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>queryport-pool-ports</strong></span></span></dt> <dd><p> This option is obsolete. </p></dd> -<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>queryport-pool-updateinterval</strong></span></span></dt> <dd><p> This option is obsolete. </p></dd> @@ -4396,7 +4465,7 @@ avoid-v6-udp-ports {}; <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - The address specified in the <span><strong class="command">query-source</strong></span> option + The address specified in the <span class="command"><strong>query-source</strong></span> option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port. @@ -4412,12 +4481,12 @@ avoid-v6-udp-ports {}; <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - See also <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">notify-source</strong></span>. + See also <span class="command"><strong>transfer-source</strong></span> and + <span class="command"><strong>notify-source</strong></span>. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div> <p> @@ -4426,8 +4495,8 @@ avoid-v6-udp-ports {}; and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt> <dd> <p> Defines a global list of IP addresses of name servers @@ -4438,58 +4507,58 @@ avoid-v6-udp-ports {}; This helps to ensure that copies of the zones will quickly converge on stealth servers. Optionally, a port may be specified with each - <span><strong class="command">also-notify</strong></span> address to send + <span class="command"><strong>also-notify</strong></span> address to send the notify messages to a port other than the default of 53. An optional TSIG key can also be specified with each address to cause the notify messages to be signed; this can be useful when sending notifies to multiple views. In place of explicit addresses, one or more named - <span><strong class="command">masters</strong></span> lists can be used. + <span class="command"><strong>masters</strong></span> lists can be used. </p> <p> - If an <span><strong class="command">also-notify</strong></span> list - is given in a <span><strong class="command">zone</strong></span> statement, + If an <span class="command"><strong>also-notify</strong></span> list + is given in a <span class="command"><strong>zone</strong></span> statement, it will override - the <span><strong class="command">options also-notify</strong></span> - statement. When a <span><strong class="command">zone notify</strong></span> + the <span class="command"><strong>options also-notify</strong></span> + statement. When a <span class="command"><strong>zone notify</strong></span> statement - is set to <span><strong class="command">no</strong></span>, the IP - addresses in the global <span><strong class="command">also-notify</strong></span> list will + is set to <span class="command"><strong>no</strong></span>, the IP + addresses in the global <span class="command"><strong>also-notify</strong></span> list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list). </p> </dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt> <dd><p> Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt> <dd><p> Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt> <dd><p> Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt> <dd><p> Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>serial-query-rate</strong></span></span></dt> <dd> <p> Slave servers will periodically query master @@ -4498,7 +4567,7 @@ avoid-v6-udp-ports {}; the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the - <span><strong class="command">serial-query-rate</strong></span> option, an + <span class="command"><strong>serial-query-rate</strong></span> option, an integer, is the maximum number of queries sent per second. The default is 20 per second. The lowest possible rate is one per second; when set @@ -4507,77 +4576,77 @@ avoid-v6-udp-ports {}; <p> In addition to controlling the rate SOA refresh queries are issued at, - <span><strong class="command">serial-query-rate</strong></span> also controls + <span class="command"><strong>serial-query-rate</strong></span> also controls the rate at which NOTIFY messages are sent from both master and slave zones. </p> </dd> -<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>serial-queries</strong></span></span></dt> <dd><p> - In BIND 8, the <span><strong class="command">serial-queries</strong></span> + In BIND 8, the <span class="command"><strong>serial-queries</strong></span> option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding - serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option. + serial queries and ignores the <span class="command"><strong>serial-queries</strong></span> option. Instead, it limits the rate at which the queries are sent - as defined using the <span><strong class="command">serial-query-rate</strong></span> option. + as defined using the <span class="command"><strong>serial-query-rate</strong></span> option. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-format</strong></span></span></dt> <dd><p> Zone transfers can be sent using two different formats, - <span><strong class="command">one-answer</strong></span> and - <span><strong class="command">many-answers</strong></span>. - The <span><strong class="command">transfer-format</strong></span> option is used + <span class="command"><strong>one-answer</strong></span> and + <span class="command"><strong>many-answers</strong></span>. + The <span class="command"><strong>transfer-format</strong></span> option is used on the master server to determine which format it sends. - <span><strong class="command">one-answer</strong></span> uses one DNS message per + <span class="command"><strong>one-answer</strong></span> uses one DNS message per resource record transferred. - <span><strong class="command">many-answers</strong></span> packs as many resource + <span class="command"><strong>many-answers</strong></span> packs as many resource records as possible into a message. - <span><strong class="command">many-answers</strong></span> is more efficient, but is + <span class="command"><strong>many-answers</strong></span> is more efficient, but is only supported by relatively new slave servers, such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards. - The <span><strong class="command">many-answers</strong></span> format is also supported by + The <span class="command"><strong>many-answers</strong></span> format is also supported by recent Microsoft Windows nameservers. - The default is <span><strong class="command">many-answers</strong></span>. - <span><strong class="command">transfer-format</strong></span> may be overridden on a - per-server basis by using the <span><strong class="command">server</strong></span> + The default is <span class="command"><strong>many-answers</strong></span>. + <span class="command"><strong>transfer-format</strong></span> may be overridden on a + per-server basis by using the <span class="command"><strong>server</strong></span> statement. </p></dd> -<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfers-in</strong></span></span></dt> <dd><p> The maximum number of inbound zone transfers that can be running concurrently. The default value is <code class="literal">10</code>. - Increasing <span><strong class="command">transfers-in</strong></span> may + Increasing <span class="command"><strong>transfers-in</strong></span> may speed up the convergence of slave zones, but it also may increase the load on the local system. </p></dd> -<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfers-out</strong></span></span></dt> <dd><p> The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit will be refused. The default value is <code class="literal">10</code>. </p></dd> -<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfers-per-ns</strong></span></span></dt> <dd><p> The maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. The default value is <code class="literal">2</code>. - Increasing <span><strong class="command">transfers-per-ns</strong></span> + Increasing <span class="command"><strong>transfers-per-ns</strong></span> may speed up the convergence of slave zones, but it also may increase - the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may - be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase - of the <span><strong class="command">server</strong></span> statement. + the load on the remote name server. <span class="command"><strong>transfers-per-ns</strong></span> may + be overridden on a per-server basis by using the <span class="command"><strong>transfers</strong></span> phrase + of the <span class="command"><strong>server</strong></span> statement. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt> <dd> -<p><span><strong class="command">transfer-source</strong></span> +<p><span class="command"><strong>transfer-source</strong></span> determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the @@ -4587,15 +4656,15 @@ avoid-v6-udp-ports {}; controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's - <span><strong class="command">allow-transfer</strong></span> option for the + <span class="command"><strong>allow-transfer</strong></span> option for the zone being transferred, if one is specified. This statement sets the - <span><strong class="command">transfer-source</strong></span> for all zones, + <span class="command"><strong>transfer-source</strong></span> for all zones, but can be overridden on a per-view or per-zone basis by including a - <span><strong class="command">transfer-source</strong></span> statement within - the <span><strong class="command">view</strong></span> or - <span><strong class="command">zone</strong></span> block in the configuration + <span class="command"><strong>transfer-source</strong></span> statement within + the <span class="command"><strong>view</strong></span> or + <span class="command"><strong>zone</strong></span> block in the configuration file. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -4606,58 +4675,60 @@ avoid-v6-udp-ports {}; </p> </div> </dd> -<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt> <dd><p> - The same as <span><strong class="command">transfer-source</strong></span>, + The same as <span class="command"><strong>transfer-source</strong></span>, except zone transfers are performed using IPv6. </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt> <dd> <p> An alternate transfer source if the one listed in - <span><strong class="command">transfer-source</strong></span> fails and - <span><strong class="command">use-alt-transfer-source</strong></span> is + <span class="command"><strong>transfer-source</strong></span> fails and + <span class="command"><strong>use-alt-transfer-source</strong></span> is set. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> +<p> If you do not wish the alternate transfer source to be used, you should set - <span><strong class="command">use-alt-transfer-source</strong></span> + <span class="command"><strong>use-alt-transfer-source</strong></span> appropriately and you should not depend upon getting an answer back to the first refresh query. - </div> + </p> +</div> </dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt> <dd><p> An alternate transfer source if the one listed in - <span><strong class="command">transfer-source-v6</strong></span> fails and - <span><strong class="command">use-alt-transfer-source</strong></span> is + <span class="command"><strong>transfer-source-v6</strong></span> fails and + <span class="command"><strong>use-alt-transfer-source</strong></span> is set. </p></dd> -<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt> <dd><p> Use the alternate transfer sources or not. If views are - specified this defaults to <span><strong class="command">no</strong></span> + specified this defaults to <span class="command"><strong>no</strong></span> otherwise it defaults to - <span><strong class="command">yes</strong></span> (for BIND 8 + <span class="command"><strong>yes</strong></span> (for BIND 8 compatibility). </p></dd> -<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt> <dd> -<p><span><strong class="command">notify-source</strong></span> +<p><span class="command"><strong>notify-source</strong></span> determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave - server's <span><strong class="command">masters</strong></span> zone clause or - in an <span><strong class="command">allow-notify</strong></span> clause. This - statement sets the <span><strong class="command">notify-source</strong></span> + server's <span class="command"><strong>masters</strong></span> zone clause or + in an <span class="command"><strong>allow-notify</strong></span> clause. This + statement sets the <span class="command"><strong>notify-source</strong></span> for all zones, but can be overridden on a per-zone or per-view basis by including a - <span><strong class="command">notify-source</strong></span> statement within - the <span><strong class="command">zone</strong></span> or - <span><strong class="command">view</strong></span> block in the configuration + <span class="command"><strong>notify-source</strong></span> statement within + the <span class="command"><strong>zone</strong></span> or + <span class="command"><strong>view</strong></span> block in the configuration file. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -4668,24 +4739,24 @@ avoid-v6-udp-ports {}; </p> </div> </dd> -<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt> <dd><p> - Like <span><strong class="command">notify-source</strong></span>, + Like <span class="command"><strong>notify-source</strong></span>, but applies to notify messages sent to IPv6 addresses. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2585434"></a>UDP Port Lists</h4></div></div></div> +<a name="port_lists"></a>UDP Port Lists</h4></div></div></div> <p> - <span><strong class="command">use-v4-udp-ports</strong></span>, - <span><strong class="command">avoid-v4-udp-ports</strong></span>, - <span><strong class="command">use-v6-udp-ports</strong></span>, and - <span><strong class="command">avoid-v6-udp-ports</strong></span> + <span class="command"><strong>use-v4-udp-ports</strong></span>, + <span class="command"><strong>avoid-v4-udp-ports</strong></span>, + <span class="command"><strong>use-v6-udp-ports</strong></span>, and + <span class="command"><strong>avoid-v6-udp-ports</strong></span> specify a list of IPv4 and IPv6 UDP ports that will be used or not used as source ports for UDP messages. - See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the + See <a class="xref" href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the available ports are determined. For example, with the following configuration </p> @@ -4695,14 +4766,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </pre> <p> UDP ports of IPv6 messages sent - from <span><strong class="command">named</strong></span> will be in one + from <span class="command"><strong>named</strong></span> will be in one of the following ranges: 32768 to 39999, 40001 to 49999, and 60001 to 65535. </p> <p> - <span><strong class="command">avoid-v4-udp-ports</strong></span> and - <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used - to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a + <span class="command"><strong>avoid-v4-udp-ports</strong></span> and + <span class="command"><strong>avoid-v6-udp-ports</strong></span> can be used + to prevent <span class="command"><strong>named</strong></span> from choosing as its random source port a port that is blocked by your firewall or a port that is used by other applications; if a query went out with a source port blocked by a @@ -4710,28 +4781,28 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; answer would not get by the firewall and the name server would have to query again. Note: the desired range can also be represented only with - <span><strong class="command">use-v4-udp-ports</strong></span> and - <span><strong class="command">use-v6-udp-ports</strong></span>, and the - <span><strong class="command">avoid-</strong></span> options are redundant in that + <span class="command"><strong>use-v4-udp-ports</strong></span> and + <span class="command"><strong>use-v6-udp-ports</strong></span>, and the + <span class="command"><strong>avoid-</strong></span> options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2585562"></a>Operating System Resource Limits</h4></div></div></div> +<a name="resource_limits"></a>Operating System Resource Limits</h4></div></div></div> <p> The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For - example, <span><strong class="command">1G</strong></span> can be used instead of - <span><strong class="command">1073741824</strong></span> to specify a limit of + example, <span class="command"><strong>1G</strong></span> can be used instead of + <span class="command"><strong>1073741824</strong></span> to specify a limit of one - gigabyte. <span><strong class="command">unlimited</strong></span> requests + gigabyte. <span class="command"><strong>unlimited</strong></span> requests unlimited use, or the - maximum available amount. <span><strong class="command">default</strong></span> + maximum available amount. <span class="command"><strong>default</strong></span> uses the limit that was in force when the server was started. See the description - of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>. + of <span class="command"><strong>size_spec</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>. </p> <p> The following options set operating system resource limits for @@ -4741,13 +4812,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; the unsupported limit is used. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>coresize</strong></span></span></dt> <dd><p> The maximum size of a core dump. The default is <code class="literal">default</code>. </p></dd> -<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>datasize</strong></span></span></dt> <dd><p> The maximum amount of data memory the server may use. The default is <code class="literal">default</code>. @@ -4760,23 +4831,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; to raise an operating system data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the - <span><strong class="command">max-cache-size</strong></span> and - <span><strong class="command">recursive-clients</strong></span> + <span class="command"><strong>max-cache-size</strong></span> and + <span class="command"><strong>recursive-clients</strong></span> options instead. </p></dd> -<dt><span class="term"><span><strong class="command">files</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>files</strong></span></span></dt> <dd><p> The maximum number of files the server may have open concurrently. The default is <code class="literal">unlimited</code>. </p></dd> -<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>stacksize</strong></span></span></dt> <dd><p> The maximum amount of stack memory the server may use. The default is <code class="literal">default</code>. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div> <p> @@ -4784,18 +4855,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; resource consumption that are enforced internally by the server rather than the operating system. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>max-ixfr-log-size</strong></span></span></dt> <dd><p> This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option - <span><strong class="command">max-journal-size</strong></span> performs a + <span class="command"><strong>max-journal-size</strong></span> performs a similar function in BIND 9. </p></dd> -<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt> <dd><p> Sets a maximum size for each journal file - (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file + (see <a class="xref" href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file approaches the specified size, some of the oldest transactions in the journal @@ -4805,13 +4876,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; means 2 gigabytes. This may also be set on a per-zone basis. </p></dd> -<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt> <dd><p> In BIND 8, specifies the maximum number of host statistics entries to be kept. Not implemented in BIND 9. </p></dd> -<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>recursive-clients</strong></span></span></dt> <dd> <p> The maximum number ("hard quota") of simultaneous @@ -4821,7 +4892,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; client uses a fair bit of memory (on the order of 20 kilobytes), the value of the - <span><strong class="command">recursive-clients</strong></span> option may + <span class="command"><strong>recursive-clients</strong></span> option may have to be decreased on hosts with limited memory. </p> <p> @@ -4842,28 +4913,28 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <code class="option">recursive-clients</code>. </p> </dd> -<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tcp-clients</strong></span></span></dt> <dd><p> The maximum number of simultaneous client TCP connections that the server will accept. The default is <code class="literal">100</code>. </p></dd> <dt> -<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span> +<a name="clients-per-query"></a><span class="term"><a name="cpq_term"></a><span class="command"><strong>clients-per-query</strong></span>, </span><span class="term"><span class="command"><strong>max-clients-per-query</strong></span></span> </dt> <dd> <p>These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to + before dropping additional clients. <span class="command"><strong>named</strong></span> will attempt to self tune this value and changes will be logged. The default values are 10 and 100. </p> <p> This value should reflect how many queries come in for a given name in the time it takes to resolve that name. - If the number of queries exceed this value, <span><strong class="command">named</strong></span> will + If the number of queries exceed this value, <span class="command"><strong>named</strong></span> will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The @@ -4871,18 +4942,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; remained unchanged. </p> <p> - If <span><strong class="command">clients-per-query</strong></span> is set to zero, + If <span class="command"><strong>clients-per-query</strong></span> is set to zero, then there is no limit on the number of clients per query and no queries will be dropped. </p> <p> - If <span><strong class="command">max-clients-per-query</strong></span> is set to zero, + If <span class="command"><strong>max-clients-per-query</strong></span> is set to zero, then there is no upper bound other than imposed by - <span><strong class="command">recursive-clients</strong></span>. + <span class="command"><strong>recursive-clients</strong></span>. </p> </dd> <dt> -<a name="fetches-per-zone"></a><span class="term"><span><strong class="command">fetches-per-zone</strong></span></span> +<a name="fetches-per-zone"></a><span class="term"><span class="command"><strong>fetches-per-zone</strong></span></span> </dt> <dd> <p> @@ -4916,13 +4987,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <code class="literal">drop</code>. </p> <p> - If <span><strong class="command">fetches-per-zone</strong></span> is set to zero, + If <span class="command"><strong>fetches-per-zone</strong></span> is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero. </p> <p> The current list of active fetches can be dumped by - running <span><strong class="command">rndc recursing</strong></span>. The list + running <span class="command"><strong>rndc recursing</strong></span>. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the @@ -4935,11 +5006,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> (Note: This option is only available when BIND is - built with <span><strong class="command">configure --enable-fetchlimit</strong></span>.) + built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.) </p> </dd> <dt> -<a name="fetches-per-server"></a><span class="term"><span><strong class="command">fetches-per-server</strong></span></span> +<a name="fetches-per-server"></a><span class="term"><span class="command"><strong>fetches-per-server</strong></span></span> </dt> <dd> <p> @@ -4962,32 +5033,32 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <code class="literal">fail</code>. </p> <p> - If <span><strong class="command">fetches-per-server</strong></span> is set to zero, + If <span class="command"><strong>fetches-per-server</strong></span> is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero. </p> <p> - The <span><strong class="command">fetches-per-server</strong></span> quota is + The <span class="command"><strong>fetches-per-server</strong></span> quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" - threshold, then <span><strong class="command">fetches-per-server</strong></span> + threshold, then <span class="command"><strong>fetches-per-server</strong></span> is reduced for that server. If the timeout ratio drops below a "low" threshold, then - <span><strong class="command">fetches-per-server</strong></span> is increased. - The <span><strong class="command">fetch-quota-params</strong></span> options + <span class="command"><strong>fetches-per-server</strong></span> is increased. + The <span class="command"><strong>fetch-quota-params</strong></span> options can be used to adjust the parameters for this calculation. </p> <p> (Note: This option is only available when BIND is - built with <span><strong class="command">configure --enable-fetchlimit</strong></span>.) + built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.) </p> </dd> -<dt><span class="term"><span><strong class="command">fetch-quota-params</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>fetch-quota-params</strong></span></span></dt> <dd> <p> Sets the parameters to use for dynamic resizing of @@ -5019,15 +5090,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> (Note: This option is only available when BIND is - built with <span><strong class="command">configure --enable-fetchlimit</strong></span>.) + built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.) </p> </dd> -<dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>reserved-sockets</strong></span></span></dt> <dd> <p> The number of file descriptors reserved for TCP, stdio, etc. This needs to be big enough to cover the number of - interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as + interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as to provide room for outgoing TCP queries and incoming zone transfers. The default is <code class="literal">512</code>. The minimum value is <code class="literal">128</code> and the @@ -5038,7 +5109,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; This option has little effect on Windows. </p> </dd> -<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-cache-size</strong></span></span></dt> <dd><p> The maximum amount of memory to use for the server's cache, in bytes. @@ -5060,7 +5131,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; separately to the cache of each view. The default is 0. </p></dd> -<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tcp-listen-queue</strong></span></span></dt> <dd><p> The listen queue depth. The default and minimum is 10. If the kernel supports the accept filter "dataready" this @@ -5074,35 +5145,35 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2586413"></a>Periodic Task Intervals</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> +<a name="intervals"></a>Periodic Task Intervals</h4></div></div></div> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt> <dd><p> This interval is effectively obsolete. Previously, the server would remove expired resource records - from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes. + from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes. <acronym class="acronym">BIND</acronym> 9 now manages cache memory in a more sophisticated manner and does not rely on the periodic cleaning any more. Specifying this option therefore has no effect on the server's behavior. </p></dd> -<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt> <dd><p> The server will perform zone maintenance tasks - for all zones marked as <span><strong class="command">dialup</strong></span> whenever this + for all zones marked as <span class="command"><strong>dialup</strong></span> whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes). If set to 0, no zone maintenance for these zones will occur. </p></dd> -<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>interface-interval</strong></span></span></dt> <dd><p> The server will scan the network interface list - every <span><strong class="command">interface-interval</strong></span> + every <span class="command"><strong>interface-interval</strong></span> minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when @@ -5110,15 +5181,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; server will begin listening for queries on any newly discovered interfaces (provided they are allowed by the - <span><strong class="command">listen-on</strong></span> configuration), and + <span class="command"><strong>listen-on</strong></span> configuration), and will stop listening on interfaces that have gone away. </p></dd> -<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>statistics-interval</strong></span></span></dt> <dd> <p> Name server statistics will be logged - every <span><strong class="command">statistics-interval</strong></span> + every <span class="command"><strong>statistics-interval</strong></span> minutes. The default is 60. The maximum value is 28 days (40320 minutes). If set to 0, no statistics will be logged. @@ -5133,15 +5204,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="topology"></a>Topology</h4></div></div></div> <p> All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is - topologically closest to itself. The <span><strong class="command">topology</strong></span> statement - takes an <span><strong class="command">address_match_list</strong></span> and + topologically closest to itself. The <span class="command"><strong>topology</strong></span> statement + takes an <span class="command"><strong>address_match_list</strong></span> and interprets it in a special way. Each top-level list element is assigned a distance. @@ -5172,21 +5243,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - The <span><strong class="command">topology</strong></span> option + The <span class="command"><strong>topology</strong></span> option is not implemented in <acronym class="acronym">BIND</acronym> 9. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div> +<a name="the_sortlist_statement"></a>The <span class="command"><strong>sortlist</strong></span> Statement</h4></div></div></div> <p> The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order - (but see the <span><strong class="command">rrset-order</strong></span> - statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). + (but see the <span class="command"><strong>rrset-order</strong></span> + statement in <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. @@ -5197,18 +5268,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; configuring the name servers, not all the clients. </p> <p> - The <span><strong class="command">sortlist</strong></span> statement (see below) + The <span class="command"><strong>sortlist</strong></span> statement (see below) takes - an <span><strong class="command">address_match_list</strong></span> and + an <span class="command"><strong>address_match_list</strong></span> and interprets it even - more specifically than the <span><strong class="command">topology</strong></span> + more specifically than the <span class="command"><strong>topology</strong></span> statement - does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). - Each top level statement in the <span><strong class="command">sortlist</strong></span> must - itself be an explicit <span><strong class="command">address_match_list</strong></span> with + does (<a class="xref" href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). + Each top level statement in the <span class="command"><strong>sortlist</strong></span> must + itself be an explicit <span class="command"><strong>address_match_list</strong></span> with one or two elements. The first element (which may be an IP address, - an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>) + an IP prefix, an ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of each top level list is checked against the source address of the query until a match is found. </p> @@ -5220,8 +5291,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is - treated the same as the <span><strong class="command">address_match_list</strong></span> in - a <span><strong class="command">topology</strong></span> statement. Each top + treated the same as the <span class="command"><strong>address_match_list</strong></span> in + a <span class="command"><strong>topology</strong></span> statement. Each top level element is assigned a distance and the address in the response with the minimum @@ -5286,21 +5357,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; }; </pre> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div> <p> When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. - The <span><strong class="command">rrset-order</strong></span> statement permits + The <span class="command"><strong>rrset-order</strong></span> statement permits configuration of the ordering of the records in a multiple record response. - See also the <span><strong class="command">sortlist</strong></span> statement, - <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>. + See also the <span class="command"><strong>sortlist</strong></span> statement, + <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span class="command"><strong>sortlist</strong></span> Statement”</a>. </p> <p> - An <span><strong class="command">order_spec</strong></span> is defined as + An <span class="command"><strong>order_spec</strong></span> is defined as follows: </p> <p> @@ -5310,22 +5381,22 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; order <em class="replaceable"><code>ordering</code></em> </p> <p> - If no class is specified, the default is <span><strong class="command">ANY</strong></span>. - If no type is specified, the default is <span><strong class="command">ANY</strong></span>. - If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk). + If no class is specified, the default is <span class="command"><strong>ANY</strong></span>. + If no type is specified, the default is <span class="command"><strong>ANY</strong></span>. + If no name is specified, the default is "<span class="command"><strong>*</strong></span>" (asterisk). </p> <p> - The legal values for <span><strong class="command">ordering</strong></span> are: + The legal values for <span class="command"><strong>ordering</strong></span> are: </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.750in" class="1"> +<col width="3.750in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">fixed</strong></span></p> + <p><span class="command"><strong>fixed</strong></span></p> </td> <td> <p> @@ -5336,7 +5407,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </tr> <tr> <td> - <p><span><strong class="command">random</strong></span></p> + <p><span class="command"><strong>random</strong></span></p> </td> <td> <p> @@ -5346,7 +5417,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </tr> <tr> <td> - <p><span><strong class="command">cyclic</strong></span></p> + <p><span class="command"><strong>cyclic</strong></span></p> </td> <td> <p> @@ -5377,7 +5448,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; in random order. All other records are returned in cyclic order. </p> <p> - If multiple <span><strong class="command">rrset-order</strong></span> statements + If multiple <span class="command"><strong>rrset-order</strong></span> statements appear, they are not combined — the last one applies. </p> <p> @@ -5387,18 +5458,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <h3 class="title">Note</h3> <p> In this release of <acronym class="acronym">BIND</acronym> 9, the - <span><strong class="command">rrset-order</strong></span> statement does not support + <span class="command"><strong>rrset-order</strong></span> statement does not support "fixed" ordering by default. Fixed ordering can be enabled at compile time by specifying "--enable-fixed-rrset" on the "configure" command line. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="tuning"></a>Tuning</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>lame-ttl</strong></span></span></dt> <dd> <p> Sets the number of seconds to cache a @@ -5415,19 +5486,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; lame-ttl is set to less than 30 seconds. </p> </dd> -<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt> <dd><p> To reduce network traffic and increase performance, - the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is + the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is used to set a maximum retention time for these answers in the server in seconds. The default - <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). - <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed + <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). + <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed 7 days and will be silently truncated to 7 days if set to a greater value. </p></dd> -<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt> <dd><p> Sets the maximum time for which the server will cache ordinary (positive) answers. The default is @@ -5437,7 +5508,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; RRsets (such as NS and glue AAAA/A records) in the resolution process. </p></dd> -<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt> <dd> <p> The minimum number of root servers that @@ -5452,12 +5523,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> </div> </dd> -<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt> <dd> <p> Specifies the number of days into the future when DNSSEC signatures automatically generated as a - result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There + result of dynamic updates (<a class="xref" href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There is an optional second field which specifies how long before expiry that the signatures will be regenerated. If not specified, the signatures will @@ -5474,27 +5545,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; for a limited amount of clock skew. </p> <p> - The <span><strong class="command">sig-validity-interval</strong></span> + The <span class="command"><strong>sig-validity-interval</strong></span> should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the various timer and expiry dates. </p> </dd> -<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt> <dd><p> Specify the maximum number of nodes to be examined in each quantum when signing a zone with a new DNSKEY. The default is <code class="literal">100</code>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt> <dd><p> Specify a threshold number of signatures that will terminate processing a quantum when signing a zone with a new DNSKEY. The default is <code class="literal">10</code>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt> <dd> <p> Specify a private RDATA type to be used when generating @@ -5507,23 +5578,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> Signing state records are used to internally by - <span><strong class="command">named</strong></span> to track the current state of + <span class="command"><strong>named</strong></span> to track the current state of a zone-signing process, i.e., whether it is still active or has been completed. The records can be inspected using the command - <span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>. - Once <span><strong class="command">named</strong></span> has finished signing + <span class="command"><strong>rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>. + Once <span class="command"><strong>named</strong></span> has finished signing a zone with a particular key, the signing state record associated with that key can be removed from the zone by running - <span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>. + <span class="command"><strong>rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>. To clear all of the completed signing state records for a zone, use - <span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>. + <span class="command"><strong>rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>. </p> </dd> <dt> -<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span> </dt> <dd> <p> @@ -5547,14 +5618,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> The following defaults apply. - <span><strong class="command">min-refresh-time</strong></span> 300 seconds, - <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds - (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds, - and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds + <span class="command"><strong>min-refresh-time</strong></span> 300 seconds, + <span class="command"><strong>max-refresh-time</strong></span> 2419200 seconds + (4 weeks), <span class="command"><strong>min-retry-time</strong></span> 500 seconds, + and <span class="command"><strong>max-retry-time</strong></span> 1209600 seconds (2 weeks). </p> </dd> -<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>edns-udp-size</strong></span></span></dt> <dd> <p> Sets the advertised EDNS UDP buffer size in bytes @@ -5562,73 +5633,73 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting - <span><strong class="command">edns-udp-size</strong></span> to a non-default + <span class="command"><strong>edns-udp-size</strong></span> to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. </p> <p> - <span><strong class="command">named</strong></span> will fallback to using 512 bytes + <span class="command"><strong>named</strong></span> will fallback to using 512 bytes if it get a series of timeout at the initial value. 512 bytes is not being offered to encourage sites to fix their firewalls. Small EDNS UDP sizes will result in the excessive use of TCP. </p> </dd> -<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-udp-size</strong></span></span></dt> <dd> <p> Sets the maximum EDNS UDP message size - <span><strong class="command">named</strong></span> will send in bytes. + <span class="command"><strong>named</strong></span> will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting - <span><strong class="command">max-udp-size</strong></span> to a non-default + <span class="command"><strong>max-udp-size</strong></span> to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. This is independent of the advertised receive - buffer (<span><strong class="command">edns-udp-size</strong></span>). + buffer (<span class="command"><strong>edns-udp-size</strong></span>). </p> <p> Setting this to a low value will encourage additional TCP traffic to the nameserver. </p> </dd> -<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt> <dd> <p>Specifies the file format of zone files (see - <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). + <a class="xref" href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). The default value is <code class="constant">text</code>, which is the standard textual representation, except for slave zones, in which the default value is <code class="constant">raw</code>. Files in other formats than <code class="constant">text</code> are typically expected to be generated by the - <span><strong class="command">named-compilezone</strong></span> tool, or dumped by - <span><strong class="command">named</strong></span>. + <span class="command"><strong>named-compilezone</strong></span> tool, or dumped by + <span class="command"><strong>named</strong></span>. </p> <p> Note that when a zone file in a different format than - <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span> + <code class="constant">text</code> is loaded, <span class="command"><strong>named</strong></span> may omit some of the checks which would be performed for a file in the <code class="constant">text</code> format. In particular, - <span><strong class="command">check-names</strong></span> checks do not apply + <span class="command"><strong>check-names</strong></span> checks do not apply for the <code class="constant">raw</code> format. This means a zone file in the <code class="constant">raw</code> format must be generated with the same check level as that - specified in the <span><strong class="command">named</strong></span> configuration + specified in the <span class="command"><strong>named</strong></span> configuration file. This statement sets the - <span><strong class="command">masterfile-format</strong></span> for all zones, + <span class="command"><strong>masterfile-format</strong></span> for all zones, but can be overridden on a per-zone or per-view basis - by including a <span><strong class="command">masterfile-format</strong></span> - statement within the <span><strong class="command">zone</strong></span> or - <span><strong class="command">view</strong></span> block in the configuration + by including a <span class="command"><strong>masterfile-format</strong></span> + statement within the <span class="command"><strong>zone</strong></span> or + <span class="command"><strong>view</strong></span> block in the configuration file. </p> </dd> <dt> -<a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span> +<a name="max-recursion-depth"></a><span class="term"><span class="command"><strong>max-recursion-depth</strong></span></span> </dt> <dd><p> Sets the maximum number of levels of recursion @@ -5641,7 +5712,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; default is 7. </p></dd> <dt> -<a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span> +<a name="max-recursion-queries"></a><span class="term"><span class="command"><strong>max-recursion-queries</strong></span></span> </dt> <dd><p> Sets the maximum number of iterative queries that @@ -5652,7 +5723,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; and the DNS root zone are exempt from this limitation. The default is 75. </p></dd> -<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt> <dd> <p> The delay, in seconds, between sending sets of notify @@ -5660,10 +5731,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> The overall rate that NOTIFY messages are sent for all - zones is controlled by <span><strong class="command">serial-query-rate</strong></span>. + zones is controlled by <span class="command"><strong>serial-query-rate</strong></span>. </p> </dd> -<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-rsa-exponent-size</strong></span></span></dt> <dd><p> The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 @@ -5672,73 +5743,73 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="builtin"></a>Built-in server information zones</h4></div></div></div> <p> The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain <code class="literal">bind</code> in the - <span><strong class="command">CHAOS</strong></span> class. These zones are part + <span class="command"><strong>CHAOS</strong></span> class. These zones are part of a - built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of + built-in view (see <a class="xref" href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span class="command"><strong>view</strong></span> Statement Grammar”</a>) of class - <span><strong class="command">CHAOS</strong></span> which is separate from the - default view of class <span><strong class="command">IN</strong></span>. Most global - configuration options (<span><strong class="command">allow-query</strong></span>, + <span class="command"><strong>CHAOS</strong></span> which is separate from the + default view of class <span class="command"><strong>IN</strong></span>. Most global + configuration options (<span class="command"><strong>allow-query</strong></span>, etc) will apply to this view, but some are locally - overridden: <span><strong class="command">notify</strong></span>, - <span><strong class="command">recursion</strong></span> and - <span><strong class="command">allow-new-zones</strong></span> are + overridden: <span class="command"><strong>notify</strong></span>, + <span class="command"><strong>recursion</strong></span> and + <span class="command"><strong>allow-new-zones</strong></span> are always set to <strong class="userinput"><code>no</code></strong>. </p> <p> If you need to disable these zones, use the options - below, or hide the built-in <span><strong class="command">CHAOS</strong></span> + below, or hide the built-in <span class="command"><strong>CHAOS</strong></span> view by - defining an explicit view of class <span><strong class="command">CHAOS</strong></span> + defining an explicit view of class <span class="command"><strong>CHAOS</strong></span> that matches all clients. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">version</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>version</strong></span></span></dt> <dd><p> The version the server should report via a query of the name <code class="literal">version.bind</code> - with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>. The default is the real version number of this server. - Specifying <span><strong class="command">version none</strong></span> + Specifying <span class="command"><strong>version none</strong></span> disables processing of the queries. </p></dd> -<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt> <dd><p> The hostname the server should report via a query of the name <code class="filename">hostname.bind</code> - with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>. This defaults to the hostname of the machine hosting the name server as found by the gethostname() function. The primary purpose of such queries is to identify which of a group of anycast servers is actually - answering your queries. Specifying <span><strong class="command">hostname none;</strong></span> + answering your queries. Specifying <span class="command"><strong>hostname none;</strong></span> disables processing of the queries. </p></dd> -<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>server-id</strong></span></span></dt> <dd><p> The ID the server should report when receiving a Name Server Identifier (NSID) query, or a query of the name <code class="filename">ID.SERVER</code> with type - <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>. The primary purpose of such queries is to identify which of a group of anycast servers is actually - answering your queries. Specifying <span><strong class="command">server-id none;</strong></span> + answering your queries. Specifying <span class="command"><strong>server-id none;</strong></span> disables processing of the queries. - Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to + Specifying <span class="command"><strong>server-id hostname;</strong></span> will cause <span class="command"><strong>named</strong></span> to use the hostname as found by the gethostname() function. - The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>. + The default <span class="command"><strong>server-id</strong></span> is <span class="command"><strong>none</strong></span>. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="empty"></a>Built-in Empty Zones</h4></div></div></div> <p> @@ -5761,104 +5832,104 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <p> The current list of empty zones is: </p> -<div class="itemizedlist"><ul type="disc"> -<li>10.IN-ADDR.ARPA</li> -<li>16.172.IN-ADDR.ARPA</li> -<li>17.172.IN-ADDR.ARPA</li> -<li>18.172.IN-ADDR.ARPA</li> -<li>19.172.IN-ADDR.ARPA</li> -<li>20.172.IN-ADDR.ARPA</li> -<li>21.172.IN-ADDR.ARPA</li> -<li>22.172.IN-ADDR.ARPA</li> -<li>23.172.IN-ADDR.ARPA</li> -<li>24.172.IN-ADDR.ARPA</li> -<li>25.172.IN-ADDR.ARPA</li> -<li>26.172.IN-ADDR.ARPA</li> -<li>27.172.IN-ADDR.ARPA</li> -<li>28.172.IN-ADDR.ARPA</li> -<li>29.172.IN-ADDR.ARPA</li> -<li>30.172.IN-ADDR.ARPA</li> -<li>31.172.IN-ADDR.ARPA</li> -<li>168.192.IN-ADDR.ARPA</li> -<li>64.100.IN-ADDR.ARPA</li> -<li>65.100.IN-ADDR.ARPA</li> -<li>66.100.IN-ADDR.ARPA</li> -<li>67.100.IN-ADDR.ARPA</li> -<li>68.100.IN-ADDR.ARPA</li> -<li>69.100.IN-ADDR.ARPA</li> -<li>70.100.IN-ADDR.ARPA</li> -<li>71.100.IN-ADDR.ARPA</li> -<li>72.100.IN-ADDR.ARPA</li> -<li>73.100.IN-ADDR.ARPA</li> -<li>74.100.IN-ADDR.ARPA</li> -<li>75.100.IN-ADDR.ARPA</li> -<li>76.100.IN-ADDR.ARPA</li> -<li>77.100.IN-ADDR.ARPA</li> -<li>78.100.IN-ADDR.ARPA</li> -<li>79.100.IN-ADDR.ARPA</li> -<li>80.100.IN-ADDR.ARPA</li> -<li>81.100.IN-ADDR.ARPA</li> -<li>82.100.IN-ADDR.ARPA</li> -<li>83.100.IN-ADDR.ARPA</li> -<li>84.100.IN-ADDR.ARPA</li> -<li>85.100.IN-ADDR.ARPA</li> -<li>86.100.IN-ADDR.ARPA</li> -<li>87.100.IN-ADDR.ARPA</li> -<li>88.100.IN-ADDR.ARPA</li> -<li>89.100.IN-ADDR.ARPA</li> -<li>90.100.IN-ADDR.ARPA</li> -<li>91.100.IN-ADDR.ARPA</li> -<li>92.100.IN-ADDR.ARPA</li> -<li>93.100.IN-ADDR.ARPA</li> -<li>94.100.IN-ADDR.ARPA</li> -<li>95.100.IN-ADDR.ARPA</li> -<li>96.100.IN-ADDR.ARPA</li> -<li>97.100.IN-ADDR.ARPA</li> -<li>98.100.IN-ADDR.ARPA</li> -<li>99.100.IN-ADDR.ARPA</li> -<li>100.100.IN-ADDR.ARPA</li> -<li>101.100.IN-ADDR.ARPA</li> -<li>102.100.IN-ADDR.ARPA</li> -<li>103.100.IN-ADDR.ARPA</li> -<li>104.100.IN-ADDR.ARPA</li> -<li>105.100.IN-ADDR.ARPA</li> -<li>106.100.IN-ADDR.ARPA</li> -<li>107.100.IN-ADDR.ARPA</li> -<li>108.100.IN-ADDR.ARPA</li> -<li>109.100.IN-ADDR.ARPA</li> -<li>110.100.IN-ADDR.ARPA</li> -<li>111.100.IN-ADDR.ARPA</li> -<li>112.100.IN-ADDR.ARPA</li> -<li>113.100.IN-ADDR.ARPA</li> -<li>114.100.IN-ADDR.ARPA</li> -<li>115.100.IN-ADDR.ARPA</li> -<li>116.100.IN-ADDR.ARPA</li> -<li>117.100.IN-ADDR.ARPA</li> -<li>118.100.IN-ADDR.ARPA</li> -<li>119.100.IN-ADDR.ARPA</li> -<li>120.100.IN-ADDR.ARPA</li> -<li>121.100.IN-ADDR.ARPA</li> -<li>122.100.IN-ADDR.ARPA</li> -<li>123.100.IN-ADDR.ARPA</li> -<li>124.100.IN-ADDR.ARPA</li> -<li>125.100.IN-ADDR.ARPA</li> -<li>126.100.IN-ADDR.ARPA</li> -<li>127.100.IN-ADDR.ARPA</li> -<li>0.IN-ADDR.ARPA</li> -<li>127.IN-ADDR.ARPA</li> -<li>254.169.IN-ADDR.ARPA</li> -<li>2.0.192.IN-ADDR.ARPA</li> -<li>100.51.198.IN-ADDR.ARPA</li> -<li>113.0.203.IN-ADDR.ARPA</li> -<li>255.255.255.255.IN-ADDR.ARPA</li> -<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> -<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> -<li>8.B.D.0.1.0.0.2.IP6.ARPA</li> -<li>D.F.IP6.ARPA</li> -<li>8.E.F.IP6.ARPA</li> -<li>9.E.F.IP6.ARPA</li> -<li>A.E.F.IP6.ARPA</li> -<li>B.E.F.IP6.ARPA</li> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">10.IN-ADDR.ARPA</li> +<li class="listitem">16.172.IN-ADDR.ARPA</li> +<li class="listitem">17.172.IN-ADDR.ARPA</li> +<li class="listitem">18.172.IN-ADDR.ARPA</li> +<li class="listitem">19.172.IN-ADDR.ARPA</li> +<li class="listitem">20.172.IN-ADDR.ARPA</li> +<li class="listitem">21.172.IN-ADDR.ARPA</li> +<li class="listitem">22.172.IN-ADDR.ARPA</li> +<li class="listitem">23.172.IN-ADDR.ARPA</li> +<li class="listitem">24.172.IN-ADDR.ARPA</li> +<li class="listitem">25.172.IN-ADDR.ARPA</li> +<li class="listitem">26.172.IN-ADDR.ARPA</li> +<li class="listitem">27.172.IN-ADDR.ARPA</li> +<li class="listitem">28.172.IN-ADDR.ARPA</li> +<li class="listitem">29.172.IN-ADDR.ARPA</li> +<li class="listitem">30.172.IN-ADDR.ARPA</li> +<li class="listitem">31.172.IN-ADDR.ARPA</li> +<li class="listitem">168.192.IN-ADDR.ARPA</li> +<li class="listitem">64.100.IN-ADDR.ARPA</li> +<li class="listitem">65.100.IN-ADDR.ARPA</li> +<li class="listitem">66.100.IN-ADDR.ARPA</li> +<li class="listitem">67.100.IN-ADDR.ARPA</li> +<li class="listitem">68.100.IN-ADDR.ARPA</li> +<li class="listitem">69.100.IN-ADDR.ARPA</li> +<li class="listitem">70.100.IN-ADDR.ARPA</li> +<li class="listitem">71.100.IN-ADDR.ARPA</li> +<li class="listitem">72.100.IN-ADDR.ARPA</li> +<li class="listitem">73.100.IN-ADDR.ARPA</li> +<li class="listitem">74.100.IN-ADDR.ARPA</li> +<li class="listitem">75.100.IN-ADDR.ARPA</li> +<li class="listitem">76.100.IN-ADDR.ARPA</li> +<li class="listitem">77.100.IN-ADDR.ARPA</li> +<li class="listitem">78.100.IN-ADDR.ARPA</li> +<li class="listitem">79.100.IN-ADDR.ARPA</li> +<li class="listitem">80.100.IN-ADDR.ARPA</li> +<li class="listitem">81.100.IN-ADDR.ARPA</li> +<li class="listitem">82.100.IN-ADDR.ARPA</li> +<li class="listitem">83.100.IN-ADDR.ARPA</li> +<li class="listitem">84.100.IN-ADDR.ARPA</li> +<li class="listitem">85.100.IN-ADDR.ARPA</li> +<li class="listitem">86.100.IN-ADDR.ARPA</li> +<li class="listitem">87.100.IN-ADDR.ARPA</li> +<li class="listitem">88.100.IN-ADDR.ARPA</li> +<li class="listitem">89.100.IN-ADDR.ARPA</li> +<li class="listitem">90.100.IN-ADDR.ARPA</li> +<li class="listitem">91.100.IN-ADDR.ARPA</li> +<li class="listitem">92.100.IN-ADDR.ARPA</li> +<li class="listitem">93.100.IN-ADDR.ARPA</li> +<li class="listitem">94.100.IN-ADDR.ARPA</li> +<li class="listitem">95.100.IN-ADDR.ARPA</li> +<li class="listitem">96.100.IN-ADDR.ARPA</li> +<li class="listitem">97.100.IN-ADDR.ARPA</li> +<li class="listitem">98.100.IN-ADDR.ARPA</li> +<li class="listitem">99.100.IN-ADDR.ARPA</li> +<li class="listitem">100.100.IN-ADDR.ARPA</li> +<li class="listitem">101.100.IN-ADDR.ARPA</li> +<li class="listitem">102.100.IN-ADDR.ARPA</li> +<li class="listitem">103.100.IN-ADDR.ARPA</li> +<li class="listitem">104.100.IN-ADDR.ARPA</li> +<li class="listitem">105.100.IN-ADDR.ARPA</li> +<li class="listitem">106.100.IN-ADDR.ARPA</li> +<li class="listitem">107.100.IN-ADDR.ARPA</li> +<li class="listitem">108.100.IN-ADDR.ARPA</li> +<li class="listitem">109.100.IN-ADDR.ARPA</li> +<li class="listitem">110.100.IN-ADDR.ARPA</li> +<li class="listitem">111.100.IN-ADDR.ARPA</li> +<li class="listitem">112.100.IN-ADDR.ARPA</li> +<li class="listitem">113.100.IN-ADDR.ARPA</li> +<li class="listitem">114.100.IN-ADDR.ARPA</li> +<li class="listitem">115.100.IN-ADDR.ARPA</li> +<li class="listitem">116.100.IN-ADDR.ARPA</li> +<li class="listitem">117.100.IN-ADDR.ARPA</li> +<li class="listitem">118.100.IN-ADDR.ARPA</li> +<li class="listitem">119.100.IN-ADDR.ARPA</li> +<li class="listitem">120.100.IN-ADDR.ARPA</li> +<li class="listitem">121.100.IN-ADDR.ARPA</li> +<li class="listitem">122.100.IN-ADDR.ARPA</li> +<li class="listitem">123.100.IN-ADDR.ARPA</li> +<li class="listitem">124.100.IN-ADDR.ARPA</li> +<li class="listitem">125.100.IN-ADDR.ARPA</li> +<li class="listitem">126.100.IN-ADDR.ARPA</li> +<li class="listitem">127.100.IN-ADDR.ARPA</li> +<li class="listitem">0.IN-ADDR.ARPA</li> +<li class="listitem">127.IN-ADDR.ARPA</li> +<li class="listitem">254.169.IN-ADDR.ARPA</li> +<li class="listitem">2.0.192.IN-ADDR.ARPA</li> +<li class="listitem">100.51.198.IN-ADDR.ARPA</li> +<li class="listitem">113.0.203.IN-ADDR.ARPA</li> +<li class="listitem">255.255.255.255.IN-ADDR.ARPA</li> +<li class="listitem">0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> +<li class="listitem">1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> +<li class="listitem">8.B.D.0.1.0.0.2.IP6.ARPA</li> +<li class="listitem">D.F.IP6.ARPA</li> +<li class="listitem">8.E.F.IP6.ARPA</li> +<li class="listitem">9.E.F.IP6.ARPA</li> +<li class="listitem">A.E.F.IP6.ARPA</li> +<li class="listitem">B.E.F.IP6.ARPA</li> </ul></div> <p> </p> @@ -5885,46 +5956,48 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> +<p> The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built-in empty zones. This will enable them to return referrals to deeper in the tree. - </div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt> + </p> +</div> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>empty-server</strong></span></span></dt> <dd><p> Specify what server name will appear in the returned SOA record for empty zones. If none is specified, then the zone's name will be used. </p></dd> -<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>empty-contact</strong></span></span></dt> <dd><p> Specify what contact name will appear in the returned SOA record for empty zones. If none is specified, then "." will be used. </p></dd> -<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>empty-zones-enable</strong></span></span></dt> <dd><p> Enable or disable all empty zones. By default, they are enabled. </p></dd> -<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>disable-empty-zone</strong></span></span></dt> <dd><p> Disable individual empty zones. By default, none are disabled. This option can be specified multiple times. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="acache"></a>Additional Section Caching</h4></div></div></div> <p> - The additional section cache, also called <span><strong class="command">acache</strong></span>, + The additional section cache, also called <span class="command"><strong>acache</strong></span>, is an internal cache to improve the response performance of BIND 9. When additional section caching is enabled, BIND 9 will cache an internal short-cut to the additional section content for each answer RR. - Note that <span><strong class="command">acache</strong></span> is an internal caching + Note that <span class="command"><strong>acache</strong></span> is an internal caching mechanism of BIND 9, and is not related to the DNS caching server function. </p> @@ -5939,35 +6012,35 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <p> In order to obtain the maximum performance improvement from additional section caching, setting - <span><strong class="command">additional-from-cache</strong></span> - to <span><strong class="command">no</strong></span> is recommended, since the current - implementation of <span><strong class="command">acache</strong></span> + <span class="command"><strong>additional-from-cache</strong></span> + to <span class="command"><strong>no</strong></span> is recommended, since the current + implementation of <span class="command"><strong>acache</strong></span> does not short-cut of additional section information from the DNS cache data. </p> <p> - One obvious disadvantage of <span><strong class="command">acache</strong></span> is + One obvious disadvantage of <span class="command"><strong>acache</strong></span> is that it requires much more memory for the internal cached data. Thus, if the response performance does not matter and memory consumption is much more critical, the - <span><strong class="command">acache</strong></span> mechanism can be - disabled by setting <span><strong class="command">acache-enable</strong></span> to - <span><strong class="command">no</strong></span>. + <span class="command"><strong>acache</strong></span> mechanism can be + disabled by setting <span class="command"><strong>acache-enable</strong></span> to + <span class="command"><strong>no</strong></span>. It is also possible to specify the upper limit of memory consumption - for acache by using <span><strong class="command">max-acache-size</strong></span>. + for acache by using <span class="command"><strong>max-acache-size</strong></span>. </p> <p> Additional section caching also has a minor effect on the RRset ordering in the additional section. - Without <span><strong class="command">acache</strong></span>, - <span><strong class="command">cyclic</strong></span> order is effective for the additional + Without <span class="command"><strong>acache</strong></span>, + <span class="command"><strong>cyclic</strong></span> order is effective for the additional section as well as the answer and authority sections. However, additional section caching fixes the ordering when it first caches an RRset for the additional section, and the same ordering will be kept in succeeding responses, regardless of the - setting of <span><strong class="command">rrset-order</strong></span>. + setting of <span class="command"><strong>rrset-order</strong></span>. The effect of this should be minor, however, since an RRset in the additional section typically only contains a small number of RRs (and in many cases @@ -5976,23 +6049,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> The following is a summary of options related to - <span><strong class="command">acache</strong></span>. + <span class="command"><strong>acache</strong></span>. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>acache-enable</strong></span></span></dt> <dd><p> - If <span><strong class="command">yes</strong></span>, additional section caching is - enabled. The default value is <span><strong class="command">no</strong></span>. + If <span class="command"><strong>yes</strong></span>, additional section caching is + enabled. The default value is <span class="command"><strong>no</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>acache-cleaning-interval</strong></span></span></dt> <dd><p> The server will remove stale cache entries, based on an LRU based - algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes. + algorithm, every <span class="command"><strong>acache-cleaning-interval</strong></span> minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur. </p></dd> -<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-acache-size</strong></span></span></dt> <dd><p> The maximum amount of memory in bytes to use for the server's acache. When the amount of data in the acache reaches this limit, @@ -6006,9 +6079,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2588923"></a>Content Filtering</h4></div></div></div> +<a name="content_filtering"></a>Content Filtering</h4></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6016,23 +6089,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Specifically, it can reject address (A or AAAA) records if the corresponding IPv4 or IPv6 addresses match the given <code class="varname">address_match_list</code> of the - <span><strong class="command">deny-answer-addresses</strong></span> option. + <span class="command"><strong>deny-answer-addresses</strong></span> option. It can also reject CNAME or DNAME records if the "alias" name (i.e., the CNAME alias or the substituted query name due to DNAME) matches the given <code class="varname">namelist</code> of the - <span><strong class="command">deny-answer-aliases</strong></span> option, where + <span class="command"><strong>deny-answer-aliases</strong></span> option, where "match" means the alias name is a subdomain of one of the <code class="varname">name_list</code> elements. If the optional <code class="varname">namelist</code> is specified - with <span><strong class="command">except-from</strong></span>, records whose query name + with <span class="command"><strong>except-from</strong></span>, records whose query name matches the list will be accepted regardless of the filter setting. Likewise, if the alias name is a subdomain of the - corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span> + corresponding zone, the <span class="command"><strong>deny-answer-aliases</strong></span> filter will not apply; for example, even if "example.com" is specified for - <span><strong class="command">deny-answer-aliases</strong></span>, + <span class="command"><strong>deny-answer-aliases</strong></span>, </p> <pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre> <p> @@ -6040,7 +6113,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> In the <code class="varname">address_match_list</code> of the - <span><strong class="command">deny-answer-addresses</strong></span> option, only + <span class="command"><strong>deny-answer-addresses</strong></span> option, only <code class="varname">ip_addr</code> and <code class="varname">ip_prefix</code> are meaningful; @@ -6061,7 +6134,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; to get access to an internal node of your local network that couldn't be externally accessed otherwise. See the paper available at - <a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top"> + <a class="link" href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top"> http://portal.acm.org/citation.cfm?id=1315245.1315298 </a> for more details about the attacks. @@ -6095,7 +6168,7 @@ deny-answer-aliases { "example.net"; }; <pre class="programlisting">www.example.net. A 192.0.2.2</pre> <p> it will be accepted since the owner name "www.example.net" - matches the <span><strong class="command">except-from</strong></span> element, + matches the <span class="command"><strong>except-from</strong></span> element, "example.net". </p> <p> @@ -6129,9 +6202,9 @@ deny-answer-aliases { "example.net"; }; spuriously can break such applications. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2589049"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> +<a name="rpz"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 includes a limited mechanism to modify DNS responses for requests @@ -6142,12 +6215,12 @@ deny-answer-aliases { "example.net"; }; </p> <p> Response policy zones are named in the - <span><strong class="command">response-policy</strong></span> option for the view or among the + <span class="command"><strong>response-policy</strong></span> option for the view or among the global options if there is no response-policy option for the view. RPZs are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like - <span><strong class="command">allow-query { localhost; };</strong></span>. + <span class="command"><strong>allow-query { localhost; };</strong></span>. </p> <p> Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, @@ -6193,8 +6266,8 @@ deny-answer-aliases { "example.net"; }; NSIP triggers are encoded like IP triggers except as subdomains of <strong class="userinput"><code>rpz-nsip</code></strong>. NSDNAME and NSIP triggers are checked only for names with at - least <span><strong class="command">min-ns-dots</strong></span> dots. - The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to + least <span class="command"><strong>min-ns-dots</strong></span> dots. + The default value of <span class="command"><strong>min-ns-dots</strong></span> is 1 to exclude top level domains. </p> <p> @@ -6202,24 +6275,24 @@ deny-answer-aliases { "example.net"; }; two or more policy records can be triggered by a response. Because DNS responses can be rewritten according to at most one policy record, a single record encoding an action (other than - <span><strong class="command">DISABLED</strong></span> actions) must be chosen. + <span class="command"><strong>DISABLED</strong></span> actions) must be chosen. Triggers or the records that encode them are chosen in the following order: </p> -<div class="itemizedlist"><ul type="disc"> -<li>Choose the triggered record in the zone that appears +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">Choose the triggered record in the zone that appears first in the response-policy option. </li> -<li>Prefer QNAME to IP to NSDNAME to NSIP triggers +<li class="listitem">Prefer QNAME to IP to NSDNAME to NSIP triggers in a single zone. </li> -<li>Among NSDNAME triggers, prefer the +<li class="listitem">Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. </li> -<li>Among IP or NSIP triggers, prefer the trigger +<li class="listitem">Among IP or NSIP triggers, prefer the trigger with the longest prefix. </li> -<li>Among triggers with the same prefix length, +<li class="listitem">Among triggers with the same prefix length, prefer the IP or NSIP trigger that matches the smallest IP address. </li> @@ -6237,15 +6310,15 @@ deny-answer-aliases { "example.net"; }; RPZ record sets are sets of any types of DNS record except DNAME or DNSSEC that encode actions or responses to queries. </p> -<div class="itemizedlist"><ul type="disc"> -<li>The <span><strong class="command">NXDOMAIN</strong></span> response is encoded +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">The <span class="command"><strong>NXDOMAIN</strong></span> response is encoded by a CNAME whose target is the root domain (.) </li> -<li>A CNAME whose target is the wildcard top-level - domain (*.) specifies the <span><strong class="command">NODATA</strong></span> action, +<li class="listitem">A CNAME whose target is the wildcard top-level + domain (*.) specifies the <span class="command"><strong>NODATA</strong></span> action, which rewrites the response to NODATA or ANCOUNT=1. </li> -<li>The <span><strong class="command">Local Data</strong></span> action is +<li class="listitem">The <span class="command"><strong>Local Data</strong></span> action is represented by a set ordinary DNS records that are used to answer queries. Queries for record types not the set are answered with NODATA. @@ -6257,8 +6330,8 @@ deny-answer-aliases { "example.net"; }; The purpose for this special form is query logging in the walled garden's authority DNS server. </li> -<li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified - by a CNAME whose target is <span><strong class="command">rpz-passthru.</strong></span> +<li class="listitem">The <span class="command"><strong>PASSTHRU</strong></span> policy is specified + by a CNAME whose target is <span class="command"><strong>rpz-passthru.</strong></span> It causes the response to not be rewritten and is most often used to "poke holes" in policies for CIDR blocks. @@ -6270,18 +6343,18 @@ deny-answer-aliases { "example.net"; }; </p> <p> The actions specified in an RPZ can be overridden with a - <span><strong class="command">policy</strong></span> clause in the - <span><strong class="command">response-policy</strong></span> option. + <span class="command"><strong>policy</strong></span> clause in the + <span class="command"><strong>response-policy</strong></span> option. An organization using an RPZ provided by another organization might use this mechanism to redirect domains to its own walled garden. </p> -<div class="itemizedlist"><ul type="disc"> -<li> -<span><strong class="command">GIVEN</strong></span> says "do not override but +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"> +<span class="command"><strong>GIVEN</strong></span> says "do not override but perform the action specified in the zone." </li> -<li> -<span><strong class="command">DISABLED</strong></span> causes policy records to do +<li class="listitem"> +<span class="command"><strong>DISABLED</strong></span> causes policy records to do nothing but log what they might have done. The response to the DNS query will be written according to any triggered policy records that are not disabled. @@ -6289,22 +6362,22 @@ deny-answer-aliases { "example.net"; }; because they will often not be logged if a higher precedence trigger is found first. </li> -<li> -<span><strong class="command">PASSTHRU</strong></span> causes all policy records +<li class="listitem"> +<span class="command"><strong>PASSTHRU</strong></span> causes all policy records to act as if they were CNAME records with targets the variable part of their owner name. They protect the response from being changed. </li> -<li> -<span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records +<li class="listitem"> +<span class="command"><strong>NXDOMAIN</strong></span> causes all RPZ records to specify NXDOMAIN policies. </li> -<li> -<span><strong class="command">NODATA</strong></span> overrides with the +<li class="listitem"> +<span class="command"><strong>NODATA</strong></span> overrides with the NODATA policy </li> -<li> -<span><strong class="command">CNAME domain</strong></span> causes all RPZ +<li class="listitem"> +<span class="command"><strong>CNAME domain</strong></span> causes all RPZ policy records to act as if they were "cname domain" records. </li> </ul></div> @@ -6314,7 +6387,7 @@ deny-answer-aliases { "example.net"; }; By default, the actions encoded in an RPZ are applied only to queries that ask for recursion (RD=1). That default can be changed for a single RPZ or all RPZs in a view - with a <span><strong class="command">recursive-only no</strong></span> clause. + with a <span class="command"><strong>recursive-only no</strong></span> clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to delete answers that would otherwise contain RFC 1918 values @@ -6326,7 +6399,7 @@ deny-answer-aliases { "example.net"; }; records are available for request name in the original zone (not the response policy zone). This default can be changed for all RPZs in a view with a - <span><strong class="command">break-dnssec yes</strong></span> clause. + <span class="command"><strong>break-dnssec yes</strong></span> clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify. @@ -6335,7 +6408,7 @@ deny-answer-aliases { "example.net"; }; The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. - The <span><strong class="command">max-policy-ttl</strong></span> clause changes that + The <span class="command"><strong>max-policy-ttl</strong></span> clause changes that maximum from its default of 5. </p> <p> @@ -6393,12 +6466,12 @@ ns.domain.com.rpz-nsdname CNAME . </p> <p> Responses rewritten by RPZ are counted in the - <span><strong class="command">RPZRewrites</strong></span> statistics. + <span class="command"><strong>RPZRewrites</strong></span> statistics. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2589479"></a>Response Rate Limiting</h4></div></div></div> +<a name="rrl"></a>Response Rate Limiting</h4></div></div></div> <p> This feature is only available when <acronym class="acronym">BIND</acronym> 9 is compiled with the <strong class="userinput"><code>--enable-rrl</code></strong> @@ -6407,8 +6480,8 @@ ns.domain.com.rpz-nsdname CNAME . <p> Excessive almost identical UDP <span class="emphasis"><em>responses</em></span> can be controlled by configuring a - <span><strong class="command">rate-limit</strong></span> clause in an - <span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement. + <span class="command"><strong>rate-limit</strong></span> clause in an + <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide @@ -6435,11 +6508,11 @@ ns.domain.com.rpz-nsdname CNAME . while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with - the <span><strong class="command">window</strong></span> option to any value from + the <span class="command"><strong>window</strong></span> option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit - or more negative than <span><strong class="command">window</strong></span> + or more negative than <span class="command"><strong>window</strong></span> times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited. @@ -6450,32 +6523,32 @@ ns.domain.com.rpz-nsdname CNAME . All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are - specified with <span><strong class="command">ipv4-prefix-length</strong></span> (default 24) - and <span><strong class="command">ipv6-prefix-length</strong></span> (default 56). + specified with <span class="command"><strong>ipv4-prefix-length</strong></span> (default 24) + and <span class="command"><strong>ipv6-prefix-length</strong></span> (default 56). </p> <p> All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified - with <span><strong class="command">responses-per-second</strong></span> + with <span class="command"><strong>responses-per-second</strong></span> (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by - <span><strong class="command">nodata-per-second</strong></span> - (default <span><strong class="command">responses-per-second</strong></span>). + <span class="command"><strong>nodata-per-second</strong></span> + (default <span class="command"><strong>responses-per-second</strong></span>). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. - They are limited by <span><strong class="command">nxdomain-per-second</strong></span> - (default <span><strong class="command">responses-per-second</strong></span>). + They are limited by <span class="command"><strong>nxdomain-per-second</strong></span> + (default <span class="command"><strong>responses-per-second</strong></span>). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by - <span><strong class="command">referrals-per-second</strong></span> - (default <span><strong class="command">responses-per-second</strong></span>). + <span class="command"><strong>referrals-per-second</strong></span> + (default <span class="command"><strong>responses-per-second</strong></span>). </p> <p> Responses generated from local wildcards are counted and limited @@ -6489,9 +6562,9 @@ ns.domain.com.rpz-nsdname CNAME . This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the - <span><strong class="command">responses-per-second</strong></span> value, + <span class="command"><strong>responses-per-second</strong></span> value, but it can be set separately with - <span><strong class="command">errors-per-second</strong></span>. + <span class="command"><strong>errors-per-second</strong></span>. </p> <p> Many attacks using DNS involve UDP requests with forged source @@ -6501,13 +6574,13 @@ ns.domain.com.rpz-nsdname CNAME . but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. - Setting <span><strong class="command">slip</strong></span> to 2 (its default) causes every + Setting <span class="command"><strong>slip</strong></span> to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. - <span><strong class="command">slip</strong></span> must be between 0 and 10. + <span class="command"><strong>slip</strong></span> must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. @@ -6515,7 +6588,7 @@ ns.domain.com.rpz-nsdname CNAME . values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead - leaked at the <span><strong class="command">slip</strong></span> rate. + leaked at the <span class="command"><strong>slip</strong></span> rate. </p> <p> (NOTE: Dropped responses from an authoritative server may @@ -6526,21 +6599,21 @@ ns.domain.com.rpz-nsdname CNAME . to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting - <span><strong class="command">slip</strong></span> to 1, causing all rate-limited + <span class="command"><strong>slip</strong></span> to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.) </p> <p> When the approximate query per second rate exceeds - the <span><strong class="command">qps-scale</strong></span> value, - then the <span><strong class="command">responses-per-second</strong></span>, - <span><strong class="command">errors-per-second</strong></span>, - <span><strong class="command">nxdomains-per-second</strong></span> and - <span><strong class="command">all-per-second</strong></span> values are reduced by the - ratio of the current rate to the <span><strong class="command">qps-scale</strong></span> value. + the <span class="command"><strong>qps-scale</strong></span> value, + then the <span class="command"><strong>responses-per-second</strong></span>, + <span class="command"><strong>errors-per-second</strong></span>, + <span class="command"><strong>nxdomains-per-second</strong></span> and + <span class="command"><strong>all-per-second</strong></span> values are reduced by the + ratio of the current rate to the <span class="command"><strong>qps-scale</strong></span> value. This feature can tighten defenses during attacks. For example, with - <span><strong class="command">qps-scale 250; responses-per-second 20;</strong></span> and + <span class="command"><strong>qps-scale 250; responses-per-second 20;</strong></span> and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to @@ -6551,30 +6624,30 @@ ns.domain.com.rpz-nsdname CNAME . <p> Communities of DNS clients can be given their own parameters or no rate limiting by putting - <span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span> - statements instead of the global <span><strong class="command">option</strong></span> + <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span> + statements instead of the global <span class="command"><strong>option</strong></span> statement. - A <span><strong class="command">rate-limit</strong></span> statement in a view replaces, - rather than supplementing, a <span><strong class="command">rate-limit</strong></span> + A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces, + rather than supplementing, a <span class="command"><strong>rate-limit</strong></span> statement among the main options. DNS clients within a view can be exempted from rate limits - with the <span><strong class="command">exempt-clients</strong></span> clause. + with the <span class="command"><strong>exempt-clients</strong></span> clause. </p> <p> UDP responses of all kinds can be limited with the - <span><strong class="command">all-per-second</strong></span> phrase. + <span class="command"><strong>all-per-second</strong></span> phrase. This rate limiting is unlike the rate limiting provided by - <span><strong class="command">responses-per-second</strong></span>, - <span><strong class="command">errors-per-second</strong></span>, and - <span><strong class="command">nxdomains-per-second</strong></span> on a DNS server + <span class="command"><strong>responses-per-second</strong></span>, + <span class="command"><strong>errors-per-second</strong></span>, and + <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. - Responses affected by an <span><strong class="command">all-per-second</strong></span> limit - are always dropped; the <span><strong class="command">slip</strong></span> value has no + Responses affected by an <span class="command"><strong>all-per-second</strong></span> limit + are always dropped; the <span class="command"><strong>slip</strong></span> value has no effect. - An <span><strong class="command">all-per-second</strong></span> limit should be + An <span class="command"><strong>all-per-second</strong></span> limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. @@ -6582,11 +6655,11 @@ ns.domain.com.rpz-nsdname CNAME . requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF - records as it considers the STMP <span><strong class="command">Mail From</strong></span> + records as it considers the STMP <span class="command"><strong>Mail From</strong></span> command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. - <span><strong class="command">All-per-second</strong></span> is similar to the + <span class="command"><strong>All-per-second</strong></span> is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the @@ -6598,35 +6671,35 @@ ns.domain.com.rpz-nsdname CNAME . </p> <p> The maximum size of the table used to track requests and - rate limit responses is set with <span><strong class="command">max-table-size</strong></span>. + rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, - <span><strong class="command">min-table-size</strong></span> (default 500) + <span class="command"><strong>min-table-size</strong></span> (default 500) can set the minimum table size. - Enable <span><strong class="command">rate-limit</strong></span> category logging to monitor + Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor expansions of the table and inform choices for the initial and maximum table size. </p> <p> - Use <span><strong class="command">log-only yes</strong></span> to test rate limiting parameters + Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters without actually dropping any requests. </p> <p> Responses dropped by rate limits are included in the - <span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span> + <span class="command"><strong>RateDropped</strong></span> and <span class="command"><strong>QryDropped</strong></span> statistics. Responses that truncated by rate limits are included in - <span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>. + <span class="command"><strong>RateSlipped</strong></span> and <span class="command"><strong>RespTruncated</strong></span>. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> { +<a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> { [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] @@ -6651,12 +6724,12 @@ ns.domain.com.rpz-nsdname CNAME . }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and +<a name="server_statement_definition_and_usage"></a><span class="command"><strong>server</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">server</strong></span> statement defines + The <span class="command"><strong>server</strong></span> statement defines characteristics to be associated with a remote name server. If a prefix length is specified, then a range of servers is covered. Only the most @@ -6665,17 +6738,17 @@ ns.domain.com.rpz-nsdname CNAME . <code class="filename">named.conf</code>. </p> <p> - The <span><strong class="command">server</strong></span> statement can occur at + The <span class="command"><strong>server</strong></span> statement can occur at the top level of the - configuration file or inside a <span><strong class="command">view</strong></span> + configuration file or inside a <span class="command"><strong>view</strong></span> statement. - If a <span><strong class="command">view</strong></span> statement contains - one or more <span><strong class="command">server</strong></span> statements, only + If a <span class="command"><strong>view</strong></span> statement contains + one or more <span class="command"><strong>server</strong></span> statements, only those apply to the view and any top-level ones are ignored. - If a view contains no <span><strong class="command">server</strong></span> + If a view contains no <span class="command"><strong>server</strong></span> statements, - any top-level <span><strong class="command">server</strong></span> statements are + any top-level <span class="command"><strong>server</strong></span> statements are used as defaults. </p> @@ -6683,30 +6756,30 @@ ns.domain.com.rpz-nsdname CNAME . If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default - value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>. + value of <span class="command"><strong>bogus</strong></span> is <span class="command"><strong>no</strong></span>. </p> <p> - The <span><strong class="command">provide-ixfr</strong></span> clause determines + The <span class="command"><strong>provide-ixfr</strong></span> clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. - If set to <span><strong class="command">yes</strong></span>, incremental transfer + If set to <span class="command"><strong>yes</strong></span>, incremental transfer will be provided - whenever possible. If set to <span><strong class="command">no</strong></span>, + whenever possible. If set to <span class="command"><strong>no</strong></span>, all transfers to the remote server will be non-incremental. If not set, the value - of the <span><strong class="command">provide-ixfr</strong></span> option in the + of the <span class="command"><strong>provide-ixfr</strong></span> option in the view or global options block is used as a default. </p> <p> - The <span><strong class="command">request-ixfr</strong></span> clause determines + The <span class="command"><strong>request-ixfr</strong></span> clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the - value of the <span><strong class="command">request-ixfr</strong></span> option in + value of the <span class="command"><strong>request-ixfr</strong></span> option in the view or global options block is used as a default. It may also be set in the zone block and, if set there, it will override the global or view setting for that zone. @@ -6717,22 +6790,22 @@ ns.domain.com.rpz-nsdname CNAME . fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default - of <span><strong class="command">yes</strong></span> should always work. - The purpose of the <span><strong class="command">provide-ixfr</strong></span> and - <span><strong class="command">request-ixfr</strong></span> clauses is + of <span class="command"><strong>yes</strong></span> should always work. + The purpose of the <span class="command"><strong>provide-ixfr</strong></span> and + <span class="command"><strong>request-ixfr</strong></span> clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used. </p> <p> - The <span><strong class="command">edns</strong></span> clause determines whether + The <span class="command"><strong>edns</strong></span> clause determines whether the local server will attempt to use EDNS when communicating - with the remote server. The default is <span><strong class="command">yes</strong></span>. + with the remote server. The default is <span class="command"><strong>yes</strong></span>. </p> <p> - The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size - that is advertised by <span><strong class="command">named</strong></span> when querying the remote server. + The <span class="command"><strong>edns-udp-size</strong></span> option sets the EDNS UDP size + that is advertised by <span class="command"><strong>named</strong></span> when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you wish to advertises a different value to this server than the value you @@ -6740,38 +6813,38 @@ ns.domain.com.rpz-nsdname CNAME . remote site that is blocking large replies. </p> <p> - The <span><strong class="command">max-udp-size</strong></span> option sets the - maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid + The <span class="command"><strong>max-udp-size</strong></span> option sets the + maximum EDNS UDP message size <span class="command"><strong>named</strong></span> will send. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you know that there is a firewall that is blocking large - replies from <span><strong class="command">named</strong></span>. + replies from <span class="command"><strong>named</strong></span>. </p> <p> - The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>, - uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs - as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is + The server supports two zone transfer methods. The first, <span class="command"><strong>one-answer</strong></span>, + uses one DNS message per resource record transferred. <span class="command"><strong>many-answers</strong></span> packs + as many resource records as possible into a message. <span class="command"><strong>many-answers</strong></span> is more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x, and patched versions of <acronym class="acronym">BIND</acronym> 4.9.5. You can specify which method - to use for a server with the <span><strong class="command">transfer-format</strong></span> option. - If <span><strong class="command">transfer-format</strong></span> is not - specified, the <span><strong class="command">transfer-format</strong></span> + to use for a server with the <span class="command"><strong>transfer-format</strong></span> option. + If <span class="command"><strong>transfer-format</strong></span> is not + specified, the <span class="command"><strong>transfer-format</strong></span> specified - by the <span><strong class="command">options</strong></span> statement will be + by the <span class="command"><strong>options</strong></span> statement will be used. </p> -<p><span><strong class="command">transfers</strong></span> +<p><span class="command"><strong>transfers</strong></span> is used to limit the number of concurrent inbound zone transfers from the specified server. If no - <span><strong class="command">transfers</strong></span> clause is specified, the + <span class="command"><strong>transfers</strong></span> clause is specified, the limit is set according to the - <span><strong class="command">transfers-per-ns</strong></span> option. + <span class="command"><strong>transfers-per-ns</strong></span> option. </p> <p> - The <span><strong class="command">keys</strong></span> clause identifies a - <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement, - to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) + The <span class="command"><strong>keys</strong></span> clause identifies a + <span class="command"><strong>key_id</strong></span> defined by the <span class="command"><strong>key</strong></span> statement, + to be used for transaction security (TSIG, <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the @@ -6783,63 +6856,63 @@ ns.domain.com.rpz-nsdname CNAME . Only a single key per server is currently supported. </p> <p> - The <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">transfer-source-v6</strong></span> clauses specify + The <span class="command"><strong>transfer-source</strong></span> and + <span class="command"><strong>transfer-source-v6</strong></span> clauses specify the IPv4 and IPv6 source address to be used for zone transfer with the remote server, respectively. - For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can + For an IPv4 remote server, only <span class="command"><strong>transfer-source</strong></span> can be specified. Similarly, for an IPv6 remote server, only - <span><strong class="command">transfer-source-v6</strong></span> can be + <span class="command"><strong>transfer-source-v6</strong></span> can be specified. For more details, see the description of - <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">transfer-source-v6</strong></span> in - <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>transfer-source</strong></span> and + <span class="command"><strong>transfer-source-v6</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p> <p> - The <span><strong class="command">notify-source</strong></span> and - <span><strong class="command">notify-source-v6</strong></span> clauses specify the + The <span class="command"><strong>notify-source</strong></span> and + <span class="command"><strong>notify-source-v6</strong></span> clauses specify the IPv4 and IPv6 source address to be used for notify messages sent to remote servers, respectively. For an - IPv4 remote server, only <span><strong class="command">notify-source</strong></span> + IPv4 remote server, only <span class="command"><strong>notify-source</strong></span> can be specified. Similarly, for an IPv6 remote server, - only <span><strong class="command">notify-source-v6</strong></span> can be specified. + only <span class="command"><strong>notify-source-v6</strong></span> can be specified. </p> <p> - The <span><strong class="command">query-source</strong></span> and - <span><strong class="command">query-source-v6</strong></span> clauses specify the + The <span class="command"><strong>query-source</strong></span> and + <span class="command"><strong>query-source-v6</strong></span> clauses specify the IPv4 and IPv6 source address to be used for queries sent to remote servers, respectively. For an IPv4 - remote server, only <span><strong class="command">query-source</strong></span> can + remote server, only <span class="command"><strong>query-source</strong></span> can be specified. Similarly, for an IPv6 remote server, - only <span><strong class="command">query-source-v6</strong></span> can be specified. + only <span class="command"><strong>query-source-v6</strong></span> can be specified. </p> <p> - The <span><strong class="command">request-nsid</strong></span> clause determines + The <span class="command"><strong>request-nsid</strong></span> clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides - <span><strong class="command">request-nsid</strong></span> set at the view or + <span class="command"><strong>request-nsid</strong></span> set at the view or option level. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> { +<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>statistics-channels</strong></span> { [ inet ( ip_addr | * ) [ port ip_port ] [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ] [ inet ...; ] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2590832"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">statistics-channels</strong></span> statement + The <span class="command"><strong>statistics-channels</strong></span> statement declares communication channels to be used by system administrators to get access to statistics information of the name server. @@ -6849,46 +6922,46 @@ ns.domain.com.rpz-nsdname CNAME . communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2; - the <span><strong class="command">statistics-channels</strong></span> statement is + the <span class="command"><strong>statistics-channels</strong></span> statement is still accepted even if it is built without the library, but any HTTP access will fail with an error. </p> <p> - An <span><strong class="command">inet</strong></span> control channel is a TCP socket - listening at the specified <span><strong class="command">ip_port</strong></span> on the - specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 - address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is + An <span class="command"><strong>inet</strong></span> control channel is a TCP socket + listening at the specified <span class="command"><strong>ip_port</strong></span> on the + specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6 + address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, - use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. + use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>. </p> <p> If no port is specified, port 80 is used for HTTP channels. The asterisk "<code class="literal">*</code>" cannot be used for - <span><strong class="command">ip_port</strong></span>. + <span class="command"><strong>ip_port</strong></span>. </p> <p> The attempt of opening a statistics channel is - restricted by the optional <span><strong class="command">allow</strong></span> clause. + restricted by the optional <span class="command"><strong>allow</strong></span> clause. Connections to the statistics channel are permitted based on the - <span><strong class="command">address_match_list</strong></span>. - If no <span><strong class="command">allow</strong></span> clause is present, - <span><strong class="command">named</strong></span> accepts connection + <span class="command"><strong>address_match_list</strong></span>. + If no <span class="command"><strong>allow</strong></span> clause is present, + <span class="command"><strong>named</strong></span> accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately. </p> <p> - If no <span><strong class="command">statistics-channels</strong></span> statement is present, - <span><strong class="command">named</strong></span> will not open any communication channels. + If no <span class="command"><strong>statistics-channels</strong></span> statement is present, + <span class="command"><strong>named</strong></span> will not open any communication channels. </p> <p> If the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at - <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or - <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is + <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or + <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser. When <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats, @@ -6901,30 +6974,30 @@ ns.domain.com.rpz-nsdname CNAME . <p> Applications that depend on a particular XML schema can request - <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2 + <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2 of the statistics XML schema or - <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3. + <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> { +<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2591139"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition +<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">trusted-keys</strong></span> statement defines - DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the + The <span class="command"><strong>trusted-keys</strong></span> statement defines + DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is @@ -6935,14 +7008,14 @@ ns.domain.com.rpz-nsdname CNAME . </p> <p> All keys (and corresponding zones) listed in - <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless + <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless of what parent zones say. Similarly for all keys listed in - <span><strong class="command">trusted-keys</strong></span> only those keys are + <span class="command"><strong>trusted-keys</strong></span> only those keys are used to validate the DNSKEY RRset. The parent's DS RRset will not be used. </p> <p> - The <span><strong class="command">trusted-keys</strong></span> statement can contain + The <span class="command"><strong>trusted-keys</strong></span> statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the Base-64 representation of the key data. @@ -6951,31 +7024,31 @@ ns.domain.com.rpz-nsdname CNAME . multiple lines. </p> <p> - <span><strong class="command">trusted-keys</strong></span> may be set at the top level + <span class="command"><strong>trusted-keys</strong></span> may be set at the top level of <code class="filename">named.conf</code> or within a view. If it is set in both places, they are additive: keys defined at the top level are inherited by all views, but keys defined in a view are only used within that view. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2591186"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> { +<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition +<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">managed-keys</strong></span> statement, like - <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC + The <span class="command"><strong>managed-keys</strong></span> statement, like + <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC security roots. The difference is that - <span><strong class="command">managed-keys</strong></span> can be kept up to date + <span class="command"><strong>managed-keys</strong></span> can be kept up to date automatically, without intervention from the resolver operator. </p> @@ -6983,76 +7056,76 @@ ns.domain.com.rpz-nsdname CNAME . Suppose, for example, that a zone's key-signing key was compromised, and the zone owner had to revoke and replace the key. A resolver which had the old key in a - <span><strong class="command">trusted-keys</strong></span> statement would be + <span class="command"><strong>trusted-keys</strong></span> statement would be unable to validate this zone any longer; it would reply with a SERVFAIL response code. This would continue until the resolver operator had updated the - <span><strong class="command">trusted-keys</strong></span> statement with the new key. + <span class="command"><strong>trusted-keys</strong></span> statement with the new key. </p> <p> If, however, the zone were listed in a - <span><strong class="command">managed-keys</strong></span> statement instead, then the + <span class="command"><strong>managed-keys</strong></span> statement instead, then the zone owner could add a "stand-by" key to the zone in advance. - <span><strong class="command">named</strong></span> would store the stand-by key, and - when the original key was revoked, <span><strong class="command">named</strong></span> + <span class="command"><strong>named</strong></span> would store the stand-by key, and + when the original key was revoked, <span class="command"><strong>named</strong></span> would be able to transition smoothly to the new key. It would also recognize that the old key had been revoked, and cease using that key to validate answers, minimizing the damage that the compromised key could do. </p> <p> - A <span><strong class="command">managed-keys</strong></span> statement contains a list of + A <span class="command"><strong>managed-keys</strong></span> statement contains a list of the keys to be managed, along with information about how the keys are to be initialized for the first time. The only initialization method currently supported (as of <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>. - This means the <span><strong class="command">managed-keys</strong></span> statement must + This means the <span class="command"><strong>managed-keys</strong></span> statement must contain a copy of the initializing key. (Future releases may allow keys to be initialized by other methods, eliminating this requirement.) </p> <p> - Consequently, a <span><strong class="command">managed-keys</strong></span> statement - appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing + Consequently, a <span class="command"><strong>managed-keys</strong></span> statement + appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing in the presence of the second field, containing the keyword <code class="literal">initial-key</code>. The difference is, whereas the - keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be + keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be trusted until they are removed from <code class="filename">named.conf</code>, an initializing key listed - in a <span><strong class="command">managed-keys</strong></span> statement is only trusted + in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted <span class="emphasis"><em>once</em></span>: for as long as it takes to load the managed key database and start the RFC 5011 key maintenance process. </p> <p> - The first time <span><strong class="command">named</strong></span> runs with a managed key + The first time <span class="command"><strong>named</strong></span> runs with a managed key configured in <code class="filename">named.conf</code>, it fetches the DNSKEY RRset directly from the zone apex, and validates it - using the key specified in the <span><strong class="command">managed-keys</strong></span> + using the key specified in the <span class="command"><strong>managed-keys</strong></span> statement. If the DNSKEY RRset is validly signed, then it is used as the basis for a new managed keys database. </p> <p> - From that point on, whenever <span><strong class="command">named</strong></span> runs, it - sees the <span><strong class="command">managed-keys</strong></span> statement, checks to + From that point on, whenever <span class="command"><strong>named</strong></span> runs, it + sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The - key specified in the <span><strong class="command">managed-keys</strong></span> is not + key specified in the <span class="command"><strong>managed-keys</strong></span> is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. </p> <p> - The next time <span><strong class="command">named</strong></span> runs after a name + The next time <span class="command"><strong>named</strong></span> runs after a name has been <span class="emphasis"><em>removed</em></span> from the - <span><strong class="command">managed-keys</strong></span> statement, the corresponding + <span class="command"><strong>managed-keys</strong></span> statement, the corresponding zone will be removed from the managed keys database, and RFC 5011 key maintenance will no longer be used for that domain. </p> <p> - <span><strong class="command">named</strong></span> only maintains a single managed keys - database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>, - <span><strong class="command">managed-keys</strong></span> may only be set at the top + <span class="command"><strong>named</strong></span> only maintains a single managed keys + database; consequently, unlike <span class="command"><strong>trusted-keys</strong></span>, + <span class="command"><strong>managed-keys</strong></span> may only be set at the top level of <code class="filename">named.conf</code>, not within a view. </p> <p> @@ -7064,29 +7137,29 @@ ns.domain.com.rpz-nsdname CNAME . <code class="filename">managed-keys.bind.jnl</code>. They are committed to the master file as soon as possible afterward; in the case of the managed key database, this will usually occur within 30 - seconds. So, whenever <span><strong class="command">named</strong></span> is using + seconds. So, whenever <span class="command"><strong>named</strong></span> is using automatic key maintenance, those two files can be expected to exist in the working directory. (For this reason among others, the working directory should be always be writable by - <span><strong class="command">named</strong></span>.) + <span class="command"><strong>named</strong></span>.) </p> <p> - If the <span><strong class="command">dnssec-validation</strong></span> option is - set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span> + If the <span class="command"><strong>dnssec-validation</strong></span> option is + set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span> will automatically initialize a managed key for the - root zone. Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span> + root zone. Similarly, if the <span class="command"><strong>dnssec-lookaside</strong></span> option is set to <strong class="userinput"><code>auto</code></strong>, - <span><strong class="command">named</strong></span> will automatically initialize + <span class="command"><strong>named</strong></span> will automatically initialize a managed key for the zone <code class="literal">dlv.isc.org</code>. In both cases, the key that is used to initialize the key - maintenance process is built into <span><strong class="command">named</strong></span>, - and can be overridden from <span><strong class="command">bindkeys-file</strong></span>. + maintenance process is built into <span class="command"><strong>named</strong></span>, + and can be overridden from <span class="command"><strong>bindkeys-file</strong></span>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em> +<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { match-clients { <em class="replaceable"><code>address_match_list</code></em> }; match-destinations { <em class="replaceable"><code>address_match_list</code></em> }; @@ -7096,11 +7169,11 @@ ns.domain.com.rpz-nsdname CNAME . }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2591553"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="view_statement"></a><span class="command"><strong>view</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">view</strong></span> statement is a powerful + The <span class="command"><strong>view</strong></span> statement is a powerful feature of <acronym class="acronym">BIND</acronym> 9 that lets a name server answer a DNS query differently @@ -7109,54 +7182,54 @@ ns.domain.com.rpz-nsdname CNAME . split DNS setups without having to run multiple servers. </p> <p> - Each <span><strong class="command">view</strong></span> statement defines a view + Each <span class="command"><strong>view</strong></span> statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the <code class="varname">address_match_list</code> of the view's - <span><strong class="command">match-clients</strong></span> clause and its + <span class="command"><strong>match-clients</strong></span> clause and its destination IP address matches the <code class="varname">address_match_list</code> of the view's - <span><strong class="command">match-destinations</strong></span> clause. If not + <span class="command"><strong>match-destinations</strong></span> clause. If not specified, both - <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> + <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span> default to matching all addresses. In addition to checking IP addresses - <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> - can also take <span><strong class="command">keys</strong></span> which provide an + <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span> + can also take <span class="command"><strong>keys</strong></span> which provide an mechanism for the client to select the view. A view can also be specified - as <span><strong class="command">match-recursive-only</strong></span>, which + as <span class="command"><strong>match-recursive-only</strong></span>, which means that only recursive requests from matching clients will match that view. - The order of the <span><strong class="command">view</strong></span> statements is + The order of the <span class="command"><strong>view</strong></span> statements is significant — a client request will be resolved in the context of the first - <span><strong class="command">view</strong></span> that it matches. + <span class="command"><strong>view</strong></span> that it matches. </p> <p> - Zones defined within a <span><strong class="command">view</strong></span> + Zones defined within a <span class="command"><strong>view</strong></span> statement will - only be accessible to clients that match the <span><strong class="command">view</strong></span>. + only be accessible to clients that match the <span class="command"><strong>view</strong></span>. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" and "external" clients in a split DNS setup. </p> <p> - Many of the options given in the <span><strong class="command">options</strong></span> statement - can also be used within a <span><strong class="command">view</strong></span> + Many of the options given in the <span class="command"><strong>options</strong></span> statement + can also be used within a <span class="command"><strong>view</strong></span> statement, and then apply only when resolving queries with that view. When no view-specific - value is given, the value in the <span><strong class="command">options</strong></span> statement + value is given, the value in the <span class="command"><strong>options</strong></span> statement is used as a default. Also, zone options can have default values specified - in the <span><strong class="command">view</strong></span> statement; these + in the <span class="command"><strong>view</strong></span> statement; these view-specific defaults - take precedence over those in the <span><strong class="command">options</strong></span> statement. + take precedence over those in the <span class="command"><strong>options</strong></span> statement. </p> <p> Views are class specific. If no class is given, class IN @@ -7164,24 +7237,24 @@ ns.domain.com.rpz-nsdname CNAME . since only the IN class has compiled-in default hints. </p> <p> - If there are no <span><strong class="command">view</strong></span> statements in + If there are no <span class="command"><strong>view</strong></span> statements in the config file, a default view that matches any client is automatically created - in class IN. Any <span><strong class="command">zone</strong></span> statements + in class IN. Any <span class="command"><strong>zone</strong></span> statements specified on the top level of the configuration file are considered to be part of - this default view, and the <span><strong class="command">options</strong></span> + this default view, and the <span class="command"><strong>options</strong></span> statement will - apply to the default view. If any explicit <span><strong class="command">view</strong></span> - statements are present, all <span><strong class="command">zone</strong></span> + apply to the default view. If any explicit <span class="command"><strong>view</strong></span> + statements are present, all <span class="command"><strong>zone</strong></span> statements must - occur inside <span><strong class="command">view</strong></span> statements. + occur inside <span class="command"><strong>view</strong></span> statements. </p> <p> Here is an example of a typical split DNS setup implemented - using <span><strong class="command">view</strong></span> statements: + using <span class="command"><strong>view</strong></span> statements: </p> <pre class="programlisting">view "internal" { // This should match our internal networks. @@ -7216,11 +7289,11 @@ view "external" { }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span> +<a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { +<pre class="programlisting"><span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { type master; [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] @@ -7230,8 +7303,6 @@ view "external" { [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; - [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] @@ -7371,7 +7442,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] @@ -7385,7 +7456,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>] [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] }; zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { @@ -7408,16 +7479,25 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2593398"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> -<div class="sect3" lang="en"> +<a name="zone_statement"></a><span class="command"><strong>zone</strong></span> Statement Definition and Usage</h3></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2593405"></a>Zone Types</h4></div></div></div> +<a name="zone_types"></a>Zone Types</h4></div></div></div> +<p> + The <span class="command"><strong>type</strong></span> keyword is required + for the <span class="command"><strong>zone</strong></span> configuration. Its + acceptable values include: <code class="varname">delegation-only</code>, + <code class="varname">forward</code>, <code class="varname">hint</code>, + <code class="varname">master</code>, <code class="varname">redirect</code>, + <code class="varname">slave</code>, <code class="varname">static-stub</code>, + and <code class="varname">stub</code>. + </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col class="1"> +<col width="4.017in" class="2"> </colgroup> <tbody> <tr> @@ -7444,7 +7524,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" <td> <p> A slave zone is a replica of a master - zone. The <span><strong class="command">masters</strong></span> list + zone. The <span class="command"><strong>masters</strong></span> list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. @@ -7559,14 +7639,14 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </p> <p> Zone data is configured via the - <span><strong class="command">server-addresses</strong></span> and - <span><strong class="command">server-names</strong></span> zone options. + <span class="command"><strong>server-addresses</strong></span> and + <span class="command"><strong>server-names</strong></span> zone options. </p> <p> The zone data is maintained in the form of NS and (if necessary) glue A or AAAA RRs internally, which can be seen by dumping zone - databases by <span><strong class="command">rndc dumpdb -all</strong></span>. + databases by <span class="command"><strong>rndc dumpdb -all</strong></span>. The configured RRs are considered local configuration parameters rather than public data. Non recursive queries (i.e., those with the RD @@ -7597,22 +7677,22 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" <td> <p> A "forward zone" is a way to configure - forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement - of type <span><strong class="command">forward</strong></span> can - contain a <span><strong class="command">forward</strong></span> - and/or <span><strong class="command">forwarders</strong></span> + forwarding on a per-domain basis. A <span class="command"><strong>zone</strong></span> statement + of type <span class="command"><strong>forward</strong></span> can + contain a <span class="command"><strong>forward</strong></span> + and/or <span class="command"><strong>forwarders</strong></span> statement, which will apply to queries within the domain given by the zone - name. If no <span><strong class="command">forwarders</strong></span> + name. If no <span class="command"><strong>forwarders</strong></span> statement is present or - an empty list for <span><strong class="command">forwarders</strong></span> is given, then no + an empty list for <span class="command"><strong>forwarders</strong></span> is given, then no forwarding will be done for the domain, canceling the effects of - any forwarders in the <span><strong class="command">options</strong></span> statement. Thus + any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus if you want to use this type of zone to change the behavior of the - global <span><strong class="command">forward</strong></span> option + global <span class="command"><strong>forward</strong></span> option (that is, "forward first" to, then "forward only", or vice versa, but want to use the same @@ -7654,7 +7734,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" queries when normal resolution would result in NXDOMAIN being returned. Only one redirect zone is supported - per view. <span><strong class="command">allow-query</strong></span> can be + per view. <span class="command"><strong>allow-query</strong></span> can be used to restrict which clients see these answers. </p> <p> @@ -7691,10 +7771,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" zone lookup table with normal master and slave zones. Consequently, it is not currently possible to use - <span><strong class="command">rndc reload + <span class="command"><strong>rndc reload <em class="replaceable"><code>zonename</code></em></strong></span> to reload a redirect zone. However, when using - <span><strong class="command">rndc reload</strong></span> without specifying + <span class="command"><strong>rndc reload</strong></span> without specifying a zone name, redirect zones will be reloaded along with other zones. </p> @@ -7722,16 +7802,16 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" effect on answers received from forwarders. </p> <p> - See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. + See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>. </p> </td> </tr> </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2594150"></a>Class</h4></div></div></div> +<a name="class"></a>Class</h4></div></div></div> <p> The zone's name may optionally be followed by a class. If a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), @@ -7751,48 +7831,48 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2594183"></a>Zone Options</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<a name="zone_options"></a>Zone Options</h4></div></div></div> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + <span class="command"><strong>allow-notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + <span class="command"><strong>allow-query</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + <span class="command"><strong>allow-query-on</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">allow-transfer</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + See the description of <span class="command"><strong>allow-transfer</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">allow-update</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + See the description of <span class="command"><strong>allow-update</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>update-policy</strong></span></span></dt> <dd><p> Specifies a "Simple Secure Update" policy. See - <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>. + <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">allow-update-forwarding</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + See the description of <span class="command"><strong>allow-update-forwarding</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt> <dd><p> - Only meaningful if <span><strong class="command">notify</strong></span> + Only meaningful if <span class="command"><strong>notify</strong></span> is active for this zone. The set of machines that will receive a @@ -7801,85 +7881,90 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" (other than the primary master) for the zone plus any IP addresses specified - with <span><strong class="command">also-notify</strong></span>. A port + with <span class="command"><strong>also-notify</strong></span>. A port may be specified - with each <span><strong class="command">also-notify</strong></span> + with each <span class="command"><strong>also-notify</strong></span> address to send the notify messages to a port other than the default of 53. A TSIG key may also be specified to cause the <code class="literal">NOTIFY</code> to be signed by the given key. - <span><strong class="command">also-notify</strong></span> is not + <span class="command"><strong>also-notify</strong></span> is not meaningful for stub zones. The default is the empty list. </p></dd> -<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt> <dd><p> This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the - network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span> - zones the default is <span><strong class="command">warn</strong></span>. - It is not implemented for <span><strong class="command">hint</strong></span> zones. + network. The default varies according to zone type. For <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>. For <span class="command"><strong>slave</strong></span> + zones the default is <span class="command"><strong>warn</strong></span>. + It is not implemented for <span class="command"><strong>hint</strong></span> zones. </p></dd> -<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-mx</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-spf</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-wildcard</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-integrity</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-sibling</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>zero-no-soa-ttl</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>update-check-ksk</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and - Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + <span class="command"><strong>dnssec-loadkeys-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>dnssec-update-mode</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">database</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt> +<dd><p> + See the description of + <span class="command"><strong>try-tcp-refresh</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span class="command"><strong>database</strong></span></span></dt> <dd> <p> Specify the type of database to be used for storing the - zone data. The string following the <span><strong class="command">database</strong></span> keyword + zone data. The string following the <span class="command"><strong>database</strong></span> keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are @@ -7901,12 +7986,12 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" with the distribution but none are linked in by default. </p> </dd> -<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>dialup</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>delegation-only</strong></span></span></dt> <dd> <p> The flag only applies to forward, hint and stub @@ -7915,25 +8000,25 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" also a delegation-only type zone. </p> <p> - See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. + See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>. </p> </dd> -<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt> <dd><p> Only meaningful if the zone has a forwarders - list. The <span><strong class="command">only</strong></span> value causes + list. The <span class="command"><strong>only</strong></span> value causes the lookup to fail - after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would + after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span> would allow a normal lookup to be tried. </p></dd> -<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt> <dd><p> Used to override the list of global forwarders. - If it is not specified in a zone of type <span><strong class="command">forward</strong></span>, + If it is not specified in a zone of type <span class="command"><strong>forward</strong></span>, no forwarding is done for the zone and the global options are not used. </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-base</strong></span></span></dt> <dd><p> Was used in <acronym class="acronym">BIND</acronym> 8 to specify the name @@ -7945,59 +8030,59 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" to the name of the zone file. </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-tmp-file</strong></span></span></dt> <dd><p> Was an undocumented option in <acronym class="acronym">BIND</acronym> 8. Ignored in <acronym class="acronym">BIND</acronym> 9. </p></dd> -<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>journal</strong></span></span></dt> <dd><p> Allow the default journal's filename to be overridden. The default is the zone's filename with "<code class="filename">.jnl</code>" appended. - This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones. + This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones. </p></dd> -<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>. + <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-time-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-idle-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-time-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-idle-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>notify-delay</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-to-soa</strong></span> in - <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>notify-to-soa</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>pubkey</strong></span></span></dt> <dd><p> In <acronym class="acronym">BIND</acronym> 8, this option was intended for specifying @@ -8006,15 +8091,14 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures on load and ignores the option. </p></dd> -<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt> <dd><p> - If <strong class="userinput"><code>yes</code></strong>, the server will keep - statistical - information for this zone, which can be dumped to the - <span><strong class="command">statistics-file</strong></span> defined in - the server options. + See the description of + <span class="command"><strong>zone-statistics</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>server-addresses</strong></span></span></dt> <dd> <p> Only meaningful for static-stub zones. @@ -8028,7 +8112,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" <p> For example, if "example.com" is configured as a static-stub zone with 192.0.2.1 and 2001:db8::1234 - in a <span><strong class="command">server-addresses</strong></span> option, + in a <span class="command"><strong>server-addresses</strong></span> option, the following RRs will be internally configured. </p> <pre class="programlisting">example.com. NS example.com. @@ -8043,7 +8127,7 @@ example.com. AAAA 2001:db8::1234</pre> queries to 192.0.2.1 and/or 2001:db8::1234. </p> </dd> -<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>server-names</strong></span></span></dt> <dd> <p> Only meaningful for static-stub zones. @@ -8051,7 +8135,7 @@ example.com. AAAA 2001:db8::1234</pre> act as authoritative servers of the static-stub zone. These names will be resolved to IP addresses when - <span><strong class="command">named</strong></span> needs to send queries to + <span class="command"><strong>named</strong></span> needs to send queries to these servers. To make this supplemental resolution successful, these names must not be a subdomain of the origin @@ -8059,7 +8143,7 @@ example.com. AAAA 2001:db8::1234</pre> That is, when "example.net" is the origin of a static-stub zone, "ns.example" and "master.example.com" can be specified in the - <span><strong class="command">server-names</strong></span> option, but + <span class="command"><strong>server-names</strong></span> option, but "ns.example.net" cannot, and will be rejected by the configuration parser. </p> @@ -8069,7 +8153,7 @@ example.com. AAAA 2001:db8::1234</pre> For example, if "example.com" is configured as a static-stub zone with "ns1.example.net" and "ns2.example.net" - in a <span><strong class="command">server-names</strong></span> option, + in a <span class="command"><strong>server-names</strong></span> option, the following RRs will be internally configured. </p> <pre class="programlisting">example.com. NS ns1.example.net. @@ -8086,146 +8170,97 @@ example.com. NS ns2.example.net. queries to (one or more of) these addresses. </p> </dd> -<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-validity-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-signing-nodes</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-signing-signatures</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-signing-type</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>alt-transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>use-alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>notify-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>notify-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> <dt> -<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span> </dt> <dd><p> - See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + See the description in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - (Note that the <span><strong class="command">ixfr-from-differences</strong></span> + <span class="command"><strong>ixfr-from-differences</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + (Note that the <span class="command"><strong>ixfr-from-differences</strong></span> <strong class="userinput"><code>master</code></strong> and <strong class="userinput"><code>slave</code></strong> choices are not available at the zone level.) </p></dd> -<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and - Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + <span class="command"><strong>key-directory</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt> -<dd> -<p> - Zones configured for dynamic DNS may also use this - option to allow varying levels of automatic DNSSEC key - management. There are three possible settings: - </p> -<p> - <span><strong class="command">auto-dnssec allow;</strong></span> permits - keys to be updated and the zone fully re-signed - whenever the user issues the command <span><strong class="command">rndc sign - <em class="replaceable"><code>zonename</code></em></strong></span>. - </p> -<p> - <span><strong class="command">auto-dnssec maintain;</strong></span> includes the - above, but also automatically adjusts the zone's DNSSEC - keys on schedule, according to the keys' timing metadata - (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and - <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command - <span><strong class="command">rndc sign - <em class="replaceable"><code>zonename</code></em></strong></span> causes - <span><strong class="command">named</strong></span> to load keys from the key - repository and sign the zone with all keys that are - active. - <span><strong class="command">rndc loadkeys - <em class="replaceable"><code>zonename</code></em></strong></span> causes - <span><strong class="command">named</strong></span> to load keys from the key - repository and schedule key maintenance events to occur - in the future, but it does not sign the full zone - immediately. Note: once keys have been loaded for a - zone the first time, the repository will be searched - for changes periodically, regardless of whether - <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck - interval is defined by - <span><strong class="command">dnssec-loadkeys-interval</strong></span>.) - </p> -<p> - The default setting is <span><strong class="command">auto-dnssec off</strong></span>. - </p> -</dd> -<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt> -<dd> -<p> - Zones configured for dynamic DNS may use this - option to set the update method that will be used for - the zone serial number in the SOA record. - </p> -<p> - With the default setting of - <span><strong class="command">serial-update-method increment;</strong></span>, the - SOA serial number will be incremented by one each time - the zone is updated. - </p> -<p> - When set to - <span><strong class="command">serial-update-method unixtime;</strong></span>, the - SOA serial number will be set to the number of seconds - since the UNIX epoch, unless the serial number is - already greater than or equal to that value, in which - case it is simply incremented by one. - </p> -</dd> -<dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt> +<dd><p> + See the description of + <span class="command"><strong>auto-dnssec</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt> +<dd><p> + See the description of + <span class="command"><strong>serial-update-method</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span class="command"><strong>inline-signing</strong></span></span></dt> <dd><p> If <code class="literal">yes</code>, this enables "bump in the wire" signing of a zone, where a @@ -8234,40 +8269,40 @@ example.com. NS ns2.example.net. with possibly, a different serial number. This behaviour is disabled by default. </p></dd> -<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">multi-master</strong></span> in - <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + See the description of <span class="command"><strong>multi-master</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">masterfile-format</strong></span> - in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + See the description of <span class="command"><strong>masterfile-format</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>dnssec-secure-to-insecure</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div> <p><acronym class="acronym">BIND</acronym> 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the - <span><strong class="command">allow-update</strong></span> and - <span><strong class="command">update-policy</strong></span> option, respectively. + <span class="command"><strong>allow-update</strong></span> and + <span class="command"><strong>update-policy</strong></span> option, respectively. </p> <p> - The <span><strong class="command">allow-update</strong></span> clause works the + The <span class="command"><strong>allow-update</strong></span> clause works the same way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the permission to update any record of any name in the zone. </p> <p> - The <span><strong class="command">update-policy</strong></span> clause + The <span class="command"><strong>update-policy</strong></span> clause allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more @@ -8277,29 +8312,29 @@ example.com. NS ns2.example.net. identity of the signer can be determined. </p> <p> - Rules are specified in the <span><strong class="command">update-policy</strong></span> + Rules are specified in the <span class="command"><strong>update-policy</strong></span> zone option, and are only meaningful for master zones. - When the <span><strong class="command">update-policy</strong></span> statement + When the <span class="command"><strong>update-policy</strong></span> statement is present, it is a configuration error for the - <span><strong class="command">allow-update</strong></span> statement to be - present. The <span><strong class="command">update-policy</strong></span> statement + <span class="command"><strong>allow-update</strong></span> statement to be + present. The <span class="command"><strong>update-policy</strong></span> statement only examines the signer of a message; the source address is not relevant. </p> <p> - There is a pre-defined <span><strong class="command">update-policy</strong></span> + There is a pre-defined <span class="command"><strong>update-policy</strong></span> rule which can be switched on with the command - <span><strong class="command">update-policy local;</strong></span>. + <span class="command"><strong>update-policy local;</strong></span>. Switching on this rule in a zone causes - <span><strong class="command">named</strong></span> to generate a TSIG session + <span class="command"><strong>named</strong></span> to generate a TSIG session key and place it in a file, and to allow that key to update the zone. (By default, the file is <code class="filename">/var/run/named/session.key</code>, the key name is "local-ddns" and the key algorithm is HMAC-SHA256, but these values are configurable with the - <span><strong class="command">session-keyfile</strong></span>, - <span><strong class="command">session-keyname</strong></span> and - <span><strong class="command">session-keyalg</strong></span> options, respectively). + <span class="command"><strong>session-keyfile</strong></span>, + <span class="command"><strong>session-keyname</strong></span> and + <span class="command"><strong>session-keyalg</strong></span> options, respectively). </p> <p> A client running on the local system, and with appropriate @@ -8311,14 +8346,14 @@ example.com. NS ns2.example.net. <pre class="programlisting">update-policy { grant local-ddns zonesub any; }; </pre> <p> - The command <span><strong class="command">nsupdate -l</strong></span> sends update + The command <span class="command"><strong>nsupdate -l</strong></span> sends update requests to localhost, and signs them using the session key. </p> <p> Other rule definitions look like this: </p> <pre class="programlisting"> -( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] +( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] </pre> <p> Each rule grants or denies privileges. Once a message has @@ -8373,8 +8408,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.819in" class="1"> +<col width="3.681in" class="2"> </colgroup> <tbody> <tr> @@ -8418,10 +8453,10 @@ example.com. NS ns2.example.net. This rule is similar to subdomain, except that it matches when the name being updated is a subdomain of the zone in which the - <span><strong class="command">update-policy</strong></span> statement + <span class="command"><strong>update-policy</strong></span> statement appears. This obviates the need to type the zone name twice, and enables the use of a standard - <span><strong class="command">update-policy</strong></span> statement in + <span class="command"><strong>update-policy</strong></span> statement in multiple zones without modification. </p> <p> @@ -8441,7 +8476,7 @@ example.com. NS ns2.example.net. The <em class="replaceable"><code>name</code></em> field is subject to DNS wildcard expansion, and this rule matches when the name being updated - name is a valid expansion of the wildcard. + is a valid expansion of the wildcard. </p> </td> </tr> @@ -8614,7 +8649,7 @@ example.com. NS ns2.example.net. </td> <td> <p> - This rule allows <span><strong class="command">named</strong></span> + This rule allows <span class="command"><strong>named</strong></span> to defer the decision of whether to allow a given update to an external daemon. </p> @@ -8668,10 +8703,10 @@ example.com. NS ns2.example.net. </div> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2597084"></a>Zone File</h2></div></div></div> -<div class="sect2" lang="en"> +<a name="zone_file"></a>Zone File</h2></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> <p> @@ -8681,9 +8716,9 @@ example.com. NS ns2.example.net. identified and implemented in the DNS. These are also included. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2597102"></a>Resource Records</h4></div></div></div> +<a name="id-1.7.6.2.3"></a>Resource Records</h4></div></div></div> <p> A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -8692,15 +8727,15 @@ example.com. NS ns2.example.net. need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify - that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>. + that a particular nearby server be tried first. See <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span class="command"><strong>sortlist</strong></span> Statement”</a> and <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>. </p> <p> The components of a Resource Record are: </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.000in" class="1"> +<col width="3.500in" class="2"> </colgroup> <tbody> <tr> @@ -8778,8 +8813,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.875in" class="1"> +<col width="3.625in" class="2"> </colgroup> <tbody> <tr> @@ -8864,6 +8899,18 @@ example.com. NS ns2.example.net. <tr> <td> <p> + AVC + </p> + </td> +<td> + <p> + Application Visibility and Control record. + </p> + </td> +</tr> +<tr> +<td> + <p> CAA </p> </td> @@ -8930,6 +8977,19 @@ example.com. NS ns2.example.net. <tr> <td> <p> + CSYNC + </p> + </td> +<td> + <p> + Child-to-Parent Synchronization in DNS as described + in RFC 7477. + </p> + </td> +</tr> +<tr> +<td> + <p> DHCID </p> </td> @@ -9308,6 +9368,18 @@ example.com. NS ns2.example.net. <tr> <td> <p> + NINFO + </p> + </td> +<td> + <p> + Contains zone status information. + </p> + </td> +</tr> +<tr> +<td> + <p> NIMLOC </p> </td> @@ -9478,6 +9550,18 @@ example.com. NS ns2.example.net. <tr> <td> <p> + RKEY + </p> + </td> +<td> + <p> + Resource key. + </p> + </td> +</tr> +<tr> +<td> + <p> RP </p> </td> @@ -9534,6 +9618,30 @@ example.com. NS ns2.example.net. <tr> <td> <p> + SINK + </p> + </td> +<td> + <p> + The kitchen sink record. + </p> + </td> +</tr> +<tr> +<td> + <p> + SMIMEA + </p> + </td> +<td> + <p> + The S/MIME Security Certificate Association. + </p> + </td> +</tr> +<tr> +<td> + <p> SOA </p> </td> @@ -9586,6 +9694,30 @@ example.com. NS ns2.example.net. <tr> <td> <p> + TA + </p> + </td> +<td> + <p> + Trust Anchor. Experimental. + </p> + </td> +</tr> +<tr> +<td> + <p> + TALINK + </p> + </td> +<td> + <p> + Trust Anchor Link. Experimental. + </p> + </td> +</tr> +<tr> +<td> + <p> TLSA </p> </td> @@ -9691,8 +9823,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.875in" class="1"> +<col width="3.625in" class="2"> </colgroup> <tbody> <tr> @@ -9781,9 +9913,9 @@ example.com. NS ns2.example.net. used as "pointers" to other data in the DNS. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2599413"></a>Textual expression of RRs</h4></div></div></div> +<a name="rr_text"></a>Textual expression of RRs</h4></div></div></div> <p> RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -9823,9 +9955,9 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.381in" class="1"> +<col width="1.020in" class="2"> +<col width="2.099in" class="3"> </colgroup> <tbody> <tr> @@ -9941,9 +10073,9 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.491in" class="1"> +<col width="1.067in" class="2"> +<col width="2.067in" class="3"> </colgroup> <tbody> <tr> @@ -9984,9 +10116,9 @@ example.com. NS ns2.example.net. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2600002"></a>Discussion of MX Records</h3></div></div></div> +<a name="mx_records"></a>Discussion of MX Records</h3></div></div></div> <p> As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -10024,11 +10156,11 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> -<col> -<col> +<col width="1.708in" class="1"> +<col width="0.444in" class="2"> +<col width="0.444in" class="3"> +<col width="0.976in" class="4"> +<col width="1.553in" class="5"> </colgroup> <tbody> <tr> @@ -10167,7 +10299,7 @@ example.com. NS ns2.example.net. be attempted. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div> <p> @@ -10180,8 +10312,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.750in" class="1"> +<col width="4.375in" class="2"> </colgroup> <tbody> <tr> @@ -10239,9 +10371,9 @@ example.com. NS ns2.example.net. can be explicitly specified, for example, <code class="literal">1h30m</code>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2600549"></a>Inverse Mapping in IPv4</h3></div></div></div> +<a name="ipv4_reverse"></a>Inverse Mapping in IPv4</h3></div></div></div> <p> Reverse name resolution (that is, translation from IP address to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain @@ -10259,8 +10391,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.125in" class="1"> +<col width="4.000in" class="2"> </colgroup> <tbody> <tr> @@ -10292,7 +10424,7 @@ example.com. NS ns2.example.net. <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - The <span><strong class="command">$ORIGIN</strong></span> lines in the examples + The <span class="command"><strong>$ORIGIN</strong></span> lines in the examples are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate @@ -10300,9 +10432,9 @@ example.com. NS ns2.example.net. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2600812"></a>Other Zone File Directives</h3></div></div></div> +<a name="zone_directives"></a>Other Zone File Directives</h3></div></div></div> <p> The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -10312,12 +10444,12 @@ example.com. NS ns2.example.net. class. </p> <p> - Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>, - and <span><strong class="command">$TTL.</strong></span> + Master File Directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>, + and <span class="command"><strong>$TTL.</strong></span> </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600835"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> +<a name="atsign"></a>The <span class="command"><strong>@</strong></span> (at-sign)</h4></div></div></div> <p> When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -10326,22 +10458,22 @@ example.com. NS ns2.example.net. trailing dot). </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600851"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> +<a name="origin_directive"></a>The <span class="command"><strong>$ORIGIN</strong></span> Directive</h4></div></div></div> <p> - Syntax: <span><strong class="command">$ORIGIN</strong></span> + Syntax: <span class="command"><strong>$ORIGIN</strong></span> <em class="replaceable"><code>domain-name</code></em> [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] </p> -<p><span><strong class="command">$ORIGIN</strong></span> +<p><span class="command"><strong>$ORIGIN</strong></span> sets the domain name that will be appended to any unqualified records. When a zone is first read in there - is an implicit <span><strong class="command">$ORIGIN</strong></span> - <<code class="varname">zone_name</code>><span><strong class="command">.</strong></span> + is an implicit <span class="command"><strong>$ORIGIN</strong></span> + <<code class="varname">zone_name</code>><span class="command"><strong>.</strong></span> (followed by trailing dot). - The current <span><strong class="command">$ORIGIN</strong></span> is appended to - the domain specified in the <span><strong class="command">$ORIGIN</strong></span> + The current <span class="command"><strong>$ORIGIN</strong></span> is appended to + the domain specified in the <span class="command"><strong>$ORIGIN</strong></span> argument if it is not absolute. </p> <pre class="programlisting"> @@ -10355,11 +10487,11 @@ WWW CNAME MAIN-SERVER WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </pre> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600912"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> +<a name="include_directive"></a>The <span class="command"><strong>$INCLUDE</strong></span> Directive</h4></div></div></div> <p> - Syntax: <span><strong class="command">$INCLUDE</strong></span> + Syntax: <span class="command"><strong>$INCLUDE</strong></span> <em class="replaceable"><code>filename</code></em> [<span class="optional"> <em class="replaceable"><code>origin</code></em> </span>] @@ -10367,14 +10499,14 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </p> <p> Read and process the file <code class="filename">filename</code> as - if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is - specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set - to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is + if it were included into the file at this point. If <span class="command"><strong>origin</strong></span> is + specified the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set + to that value, otherwise the current <span class="command"><strong>$ORIGIN</strong></span> is used. </p> <p> The origin and the current domain name - revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once + revert to the values they had prior to the <span class="command"><strong>$INCLUDE</strong></span> once the file has been read. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -10382,7 +10514,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. <p> RFC 1035 specifies that the current origin should be restored after - an <span><strong class="command">$INCLUDE</strong></span>, but it is silent + an <span class="command"><strong>$INCLUDE</strong></span>, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. @@ -10391,11 +10523,11 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600981"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> +<a name="ttl_directive"></a>The <span class="command"><strong>$TTL</strong></span> Directive</h4></div></div></div> <p> - Syntax: <span><strong class="command">$TTL</strong></span> + Syntax: <span class="command"><strong>$TTL</strong></span> <em class="replaceable"><code>default-ttl</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>] @@ -10405,16 +10537,16 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds. </p> -<p><span><strong class="command">$TTL</strong></span> +<p><span class="command"><strong>$TTL</strong></span> is defined in RFC 2308. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2601017"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> +<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div> <p> - Syntax: <span><strong class="command">$GENERATE</strong></span> + Syntax: <span class="command"><strong>$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] @@ -10423,10 +10555,10 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. <em class="replaceable"><code>rhs</code></em> [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] </p> -<p><span><strong class="command">$GENERATE</strong></span> +<p><span class="command"><strong>$GENERATE</strong></span> is used to create a series of resource records that only differ from each other by an - iterator. <span><strong class="command">$GENERATE</strong></span> can be used to + iterator. <span class="command"><strong>$GENERATE</strong></span> can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation. @@ -10468,13 +10600,13 @@ HOST-127.EXAMPLE. MX 0 . </pre> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.875in" class="1"> +<col width="4.250in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">range</strong></span></p> + <p><span class="command"><strong>range</strong></span></p> </td> <td> <p> @@ -10488,43 +10620,43 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">lhs</strong></span></p> + <p><span class="command"><strong>lhs</strong></span></p> </td> <td> <p>This describes the owner name of the resource records - to be created. Any single <span><strong class="command">$</strong></span> + to be created. Any single <span class="command"><strong>$</strong></span> (dollar sign) - symbols within the <span><strong class="command">lhs</strong></span> string + symbols within the <span class="command"><strong>lhs</strong></span> string are replaced by the iterator value. To get a $ in the output, you need to escape the - <span><strong class="command">$</strong></span> using a backslash - <span><strong class="command">\</strong></span>, - e.g. <span><strong class="command">\$</strong></span>. The - <span><strong class="command">$</strong></span> may optionally be followed + <span class="command"><strong>$</strong></span> using a backslash + <span class="command"><strong>\</strong></span>, + e.g. <span class="command"><strong>\$</strong></span>. The + <span class="command"><strong>$</strong></span> may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a - <span><strong class="command">{</strong></span> (left brace) immediately following the - <span><strong class="command">$</strong></span> as - <span><strong class="command">${offset[,width[,base]]}</strong></span>. - For example, <span><strong class="command">${-20,3,d}</strong></span> + <span class="command"><strong>{</strong></span> (left brace) immediately following the + <span class="command"><strong>$</strong></span> as + <span class="command"><strong>${offset[,width[,base]]}</strong></span>. + For example, <span class="command"><strong>${-20,3,d}</strong></span> subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal - (<span><strong class="command">d</strong></span>), octal - (<span><strong class="command">o</strong></span>), hexadecimal - (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> + (<span class="command"><strong>d</strong></span>), octal + (<span class="command"><strong>o</strong></span>), hexadecimal + (<span class="command"><strong>x</strong></span> or <span class="command"><strong>X</strong></span> for uppercase) and nibble - (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\ + (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>\ for uppercase). The default modifier is - <span><strong class="command">${0,0,d}</strong></span>. If the - <span><strong class="command">lhs</strong></span> is not absolute, the - current <span><strong class="command">$ORIGIN</strong></span> is appended + <span class="command"><strong>${0,0,d}</strong></span>. If the + <span class="command"><strong>lhs</strong></span> is not absolute, the + current <span class="command"><strong>$ORIGIN</strong></span> is appended to the name. </p> <p> @@ -10536,14 +10668,14 @@ HOST-127.EXAMPLE. MX 0 . </p> <p> For compatibility with earlier versions, - <span><strong class="command">$$</strong></span> is still recognized as + <span class="command"><strong>$$</strong></span> is still recognized as indicating a literal $ in the output. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">ttl</strong></span></p> + <p><span class="command"><strong>ttl</strong></span></p> </td> <td> <p> @@ -10551,15 +10683,15 @@ HOST-127.EXAMPLE. MX 0 . not specified this will be inherited using the normal TTL inheritance rules. </p> - <p><span><strong class="command">class</strong></span> - and <span><strong class="command">ttl</strong></span> can be + <p><span class="command"><strong>class</strong></span> + and <span class="command"><strong>ttl</strong></span> can be entered in either order. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">class</strong></span></p> + <p><span class="command"><strong>class</strong></span></p> </td> <td> <p> @@ -10567,15 +10699,15 @@ HOST-127.EXAMPLE. MX 0 . This must match the zone class if it is specified. </p> - <p><span><strong class="command">class</strong></span> - and <span><strong class="command">ttl</strong></span> can be + <p><span class="command"><strong>class</strong></span> + and <span class="command"><strong>ttl</strong></span> can be entered in either order. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">type</strong></span></p> + <p><span class="command"><strong>type</strong></span></p> </td> <td> <p> @@ -10585,25 +10717,25 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">rhs</strong></span></p> + <p><span class="command"><strong>rhs</strong></span></p> </td> <td> <p> - <span><strong class="command">rhs</strong></span>, optionally, quoted string. + <span class="command"><strong>rhs</strong></span>, optionally, quoted string. </p> </td> </tr> </tbody> </table></div> <p> - The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension + The <span class="command"><strong>$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension and not part of the standard zone file format. </p> <p> BIND 8 does not support the optional TTL and CLASS fields. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="zonefile_format"></a>Additional File Formats</h3></div></div></div> <p> @@ -10619,20 +10751,20 @@ HOST-127.EXAMPLE. MX 0 . For a primary server, a zone file in the <code class="constant">raw</code> format is expected to be generated from a textual zone file by the - <span><strong class="command">named-compilezone</strong></span> command. For a + <span class="command"><strong>named-compilezone</strong></span> command. For a secondary server or for a dynamic zone, it is automatically generated (if this format is specified by the - <span><strong class="command">masterfile-format</strong></span> option) when - <span><strong class="command">named</strong></span> dumps the zone contents after + <span class="command"><strong>masterfile-format</strong></span> option) when + <span class="command"><strong>named</strong></span> dumps the zone contents after zone transfer or when applying prior updates. </p> <p> If a zone file in a binary format needs manual modification, it first must be converted to a textual form by the - <span><strong class="command">named-compilezone</strong></span> command. All + <span class="command"><strong>named-compilezone</strong></span> command. All necessary modification should go to the text file, which should then be converted to the binary form by the - <span><strong class="command">named-compilezone</strong></span> command again. + <span class="command"><strong>named-compilezone</strong></span> command again. </p> <p> Although the <code class="constant">raw</code> format uses the @@ -10646,7 +10778,7 @@ HOST-127.EXAMPLE. MX 0 . </p> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="statistics"></a>BIND9 Statistics</h2></div></div></div> <p> @@ -10664,8 +10796,8 @@ HOST-127.EXAMPLE. MX 0 . </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="3.300in" class="1"> +<col width="2.625in" class="2"> </colgroup> <tbody> <tr> @@ -10764,30 +10896,35 @@ HOST-127.EXAMPLE. MX 0 . <p> A subset of Name Server Statistics is collected and shown per zone for which the server has the authority when - <span><strong class="command">zone-statistics</strong></span> is set to - <strong class="userinput"><code>yes</code></strong>. - These statistics counters are shown with their zone and view - names. - In some cases the view names are omitted for the default view. + <span class="command"><strong>zone-statistics</strong></span> is set to + <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong> + for backward compatibility. See the description of + <span class="command"><strong>zone-statistics</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a> + for further details. </p> <p> + These statistics counters are shown with their zone and + view names. The view name is omitted when the server is + not configured with explicit views.</p> +<p> There are currently two user interfaces to get access to the statistics. One is in the plain text format dumped to the file specified - by the <span><strong class="command">statistics-file</strong></span> configuration option. + by the <span class="command"><strong>statistics-file</strong></span> configuration option. The other is remotely accessible via a statistics channel - when the <span><strong class="command">statistics-channels</strong></span> statement + when the <span class="command"><strong>statistics-channels</strong></span> statement is specified in the configuration file - (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.) + (see <a class="xref" href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span class="command"><strong>statistics-channels</strong></span> Statement Grammar”</a>.) </p> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="statsfile"></a>The Statistics File</h4></div></div></div> +<div class="section"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="statsfile"></a>The Statistics File</h3></div></div></div> <p> The text format statistics dump begins with a line, like: </p> <p> - <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span> + <span class="command"><strong>+++ Statistics Dump +++ (973798949)</strong></span> </p> <p> The number in parentheses is a standard @@ -10799,7 +10936,7 @@ HOST-127.EXAMPLE. MX 0 . Each section begins with a line, like: </p> <p> - <span><strong class="command">++ Name Server Statistics ++</strong></span> + <span class="command"><strong>++ Name Server Statistics ++</strong></span> </p> <p> Each section consists of lines, each containing the statistics @@ -10813,10 +10950,10 @@ HOST-127.EXAMPLE. MX 0 . number is identical to the number in the beginning line; for example: </p> <p> - <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span> + <span class="command"><strong>--- Statistics Dump --- (973798949)</strong></span> </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="statistics_counters"></a>Statistics Counters</h3></div></div></div> <p> @@ -10835,14 +10972,14 @@ HOST-127.EXAMPLE. MX 0 . it gives the corresponding counter name of the <acronym class="acronym">BIND</acronym> 8 statistics, if applicable. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2602039"></a>Name Server Statistics Counters</h4></div></div></div> +<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.150in" class="1"> +<col width="1.150in" class="2"> +<col width="3.350in" class="3"> </colgroup> <tbody> <tr> @@ -10864,10 +11001,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Requestv4</strong></span></p> + <p><span class="command"><strong>Requestv4</strong></span></p> </td> <td> - <p><span><strong class="command">RQ</strong></span></p> + <p><span class="command"><strong>RQ</strong></span></p> </td> <td> <p> @@ -10878,10 +11015,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Requestv6</strong></span></p> + <p><span class="command"><strong>Requestv6</strong></span></p> </td> <td> - <p><span><strong class="command">RQ</strong></span></p> + <p><span class="command"><strong>RQ</strong></span></p> </td> <td> <p> @@ -10892,10 +11029,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqEdns0</strong></span></p> + <p><span class="command"><strong>ReqEdns0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10905,10 +11042,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqBadEDNSVer</strong></span></p> + <p><span class="command"><strong>ReqBadEDNSVer</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10918,10 +11055,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqTSIG</strong></span></p> + <p><span class="command"><strong>ReqTSIG</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10931,10 +11068,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqSIG0</strong></span></p> + <p><span class="command"><strong>ReqSIG0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10944,10 +11081,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqBadSIG</strong></span></p> + <p><span class="command"><strong>ReqBadSIG</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10957,10 +11094,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqTCP</strong></span></p> + <p><span class="command"><strong>ReqTCP</strong></span></p> </td> <td> - <p><span><strong class="command">RTCP</strong></span></p> + <p><span class="command"><strong>RTCP</strong></span></p> </td> <td> <p> @@ -10970,10 +11107,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">AuthQryRej</strong></span></p> + <p><span class="command"><strong>AuthQryRej</strong></span></p> </td> <td> - <p><span><strong class="command">RUQ</strong></span></p> + <p><span class="command"><strong>RUQ</strong></span></p> </td> <td> <p> @@ -10983,10 +11120,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RecQryRej</strong></span></p> + <p><span class="command"><strong>RecQryRej</strong></span></p> </td> <td> - <p><span><strong class="command">RURQ</strong></span></p> + <p><span class="command"><strong>RURQ</strong></span></p> </td> <td> <p> @@ -10996,10 +11133,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrRej</strong></span></p> + <p><span class="command"><strong>XfrRej</strong></span></p> </td> <td> - <p><span><strong class="command">RUXFR</strong></span></p> + <p><span class="command"><strong>RUXFR</strong></span></p> </td> <td> <p> @@ -11009,10 +11146,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateRej</strong></span></p> + <p><span class="command"><strong>UpdateRej</strong></span></p> </td> <td> - <p><span><strong class="command">RUUpd</strong></span></p> + <p><span class="command"><strong>RUUpd</strong></span></p> </td> <td> <p> @@ -11022,10 +11159,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Response</strong></span></p> + <p><span class="command"><strong>Response</strong></span></p> </td> <td> - <p><span><strong class="command">SAns</strong></span></p> + <p><span class="command"><strong>SAns</strong></span></p> </td> <td> <p> @@ -11035,10 +11172,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespTruncated</strong></span></p> + <p><span class="command"><strong>RespTruncated</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11048,10 +11185,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespEDNS0</strong></span></p> + <p><span class="command"><strong>RespEDNS0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11061,10 +11198,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespTSIG</strong></span></p> + <p><span class="command"><strong>RespTSIG</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11074,10 +11211,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespSIG0</strong></span></p> + <p><span class="command"><strong>RespSIG0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11087,10 +11224,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QrySuccess</strong></span></p> + <p><span class="command"><strong>QrySuccess</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11098,7 +11235,7 @@ HOST-127.EXAMPLE. MX 0 . This means the query which returns a NOERROR response with at least one answer RR. This corresponds to the - <span><strong class="command">success</strong></span> counter + <span class="command"><strong>success</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11106,10 +11243,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryAuthAns</strong></span></p> + <p><span class="command"><strong>QryAuthAns</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11119,10 +11256,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryNoauthAns</strong></span></p> + <p><span class="command"><strong>QryNoauthAns</strong></span></p> </td> <td> - <p><span><strong class="command">SNaAns</strong></span></p> + <p><span class="command"><strong>SNaAns</strong></span></p> </td> <td> <p> @@ -11132,16 +11269,16 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryReferral</strong></span></p> + <p><span class="command"><strong>QryReferral</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Queries resulted in referral answer. This corresponds to the - <span><strong class="command">referral</strong></span> counter + <span class="command"><strong>referral</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11149,16 +11286,16 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryNxrrset</strong></span></p> + <p><span class="command"><strong>QryNxrrset</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Queries resulted in NOERROR responses with no data. This corresponds to the - <span><strong class="command">nxrrset</strong></span> counter + <span class="command"><strong>nxrrset</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11166,10 +11303,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QrySERVFAIL</strong></span></p> + <p><span class="command"><strong>QrySERVFAIL</strong></span></p> </td> <td> - <p><span><strong class="command">SFail</strong></span></p> + <p><span class="command"><strong>SFail</strong></span></p> </td> <td> <p> @@ -11179,10 +11316,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryFORMERR</strong></span></p> + <p><span class="command"><strong>QryFORMERR</strong></span></p> </td> <td> - <p><span><strong class="command">SFErr</strong></span></p> + <p><span class="command"><strong>SFErr</strong></span></p> </td> <td> <p> @@ -11192,16 +11329,16 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryNXDOMAIN</strong></span></p> + <p><span class="command"><strong>QryNXDOMAIN</strong></span></p> </td> <td> - <p><span><strong class="command">SNXD</strong></span></p> + <p><span class="command"><strong>SNXD</strong></span></p> </td> <td> <p> Queries resulted in NXDOMAIN. This corresponds to the - <span><strong class="command">nxdomain</strong></span> counter + <span class="command"><strong>nxdomain</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11209,17 +11346,17 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryRecursion</strong></span></p> + <p><span class="command"><strong>QryRecursion</strong></span></p> </td> <td> - <p><span><strong class="command">RFwdQ</strong></span></p> + <p><span class="command"><strong>RFwdQ</strong></span></p> </td> <td> <p> Queries which caused the server to perform recursion in order to find the final answer. This corresponds to the - <span><strong class="command">recursion</strong></span> counter + <span class="command"><strong>recursion</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11227,10 +11364,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryDuplicate</strong></span></p> + <p><span class="command"><strong>QryDuplicate</strong></span></p> </td> <td> - <p><span><strong class="command">RDupQ</strong></span></p> + <p><span class="command"><strong>RDupQ</strong></span></p> </td> <td> <p> @@ -11239,7 +11376,7 @@ HOST-127.EXAMPLE. MX 0 . IP address, port, query ID, name, type and class already being processed. This corresponds to the - <span><strong class="command">duplicate</strong></span> counter + <span class="command"><strong>duplicate</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11247,10 +11384,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryDropped</strong></span></p> + <p><span class="command"><strong>QryDropped</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11260,14 +11397,14 @@ HOST-127.EXAMPLE. MX 0 . class and were subsequently dropped. This is the number of dropped queries due to the reason explained with the - <span><strong class="command">clients-per-query</strong></span> + <span class="command"><strong>clients-per-query</strong></span> and - <span><strong class="command">max-clients-per-query</strong></span> + <span class="command"><strong>max-clients-per-query</strong></span> options (see the description about - <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.) + <a class="xref" href="Bv9ARM.ch06.html#clients-per-query"><span class="command"><strong>clients-per-query</strong></span></a>.) This corresponds to the - <span><strong class="command">dropped</strong></span> counter + <span class="command"><strong>dropped</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11275,23 +11412,23 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryFailure</strong></span></p> + <p><span class="command"><strong>QryFailure</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Other query failures. This corresponds to the - <span><strong class="command">failure</strong></span> counter + <span class="command"><strong>failure</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. Note: this counter is provided mainly for backward compatibility with the previous versions. Normally a more fine-grained counters such as - <span><strong class="command">AuthQryRej</strong></span> and - <span><strong class="command">RecQryRej</strong></span> + <span class="command"><strong>AuthQryRej</strong></span> and + <span class="command"><strong>RecQryRej</strong></span> that would also fall into this counter are provided, and so this counter would not be of much interest in practice. @@ -11300,10 +11437,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrReqDone</strong></span></p> + <p><span class="command"><strong>XfrReqDone</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11313,10 +11450,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateReqFwd</strong></span></p> + <p><span class="command"><strong>UpdateReqFwd</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11326,10 +11463,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateRespFwd</strong></span></p> + <p><span class="command"><strong>UpdateRespFwd</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11339,10 +11476,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateFwdFail</strong></span></p> + <p><span class="command"><strong>UpdateFwdFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11352,10 +11489,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateDone</strong></span></p> + <p><span class="command"><strong>UpdateDone</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11365,10 +11502,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateFail</strong></span></p> + <p><span class="command"><strong>UpdateFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11378,10 +11515,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateBadPrereq</strong></span></p> + <p><span class="command"><strong>UpdateBadPrereq</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11391,10 +11528,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RPZRewrites</strong></span></p> + <p><span class="command"><strong>RPZRewrites</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11404,10 +11541,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RateDropped</strong></span></p> + <p><span class="command"><strong>RateDropped</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11417,10 +11554,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RateSlipped</strong></span></p> + <p><span class="command"><strong>RateSlipped</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11431,13 +11568,13 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2603745"></a>Zone Maintenance Statistics Counters</h4></div></div></div> +<a name="zone_stats"></a>Zone Maintenance Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> @@ -11454,7 +11591,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyOutv4</strong></span></p> + <p><span class="command"><strong>NotifyOutv4</strong></span></p> </td> <td> <p> @@ -11464,7 +11601,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyOutv6</strong></span></p> + <p><span class="command"><strong>NotifyOutv6</strong></span></p> </td> <td> <p> @@ -11474,7 +11611,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyInv4</strong></span></p> + <p><span class="command"><strong>NotifyInv4</strong></span></p> </td> <td> <p> @@ -11484,7 +11621,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyInv6</strong></span></p> + <p><span class="command"><strong>NotifyInv6</strong></span></p> </td> <td> <p> @@ -11494,7 +11631,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyRej</strong></span></p> + <p><span class="command"><strong>NotifyRej</strong></span></p> </td> <td> <p> @@ -11504,7 +11641,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">SOAOutv4</strong></span></p> + <p><span class="command"><strong>SOAOutv4</strong></span></p> </td> <td> <p> @@ -11514,7 +11651,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">SOAOutv6</strong></span></p> + <p><span class="command"><strong>SOAOutv6</strong></span></p> </td> <td> <p> @@ -11524,7 +11661,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">AXFRReqv4</strong></span></p> + <p><span class="command"><strong>AXFRReqv4</strong></span></p> </td> <td> <p> @@ -11534,7 +11671,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">AXFRReqv6</strong></span></p> + <p><span class="command"><strong>AXFRReqv6</strong></span></p> </td> <td> <p> @@ -11544,7 +11681,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">IXFRReqv4</strong></span></p> + <p><span class="command"><strong>IXFRReqv4</strong></span></p> </td> <td> <p> @@ -11554,7 +11691,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">IXFRReqv6</strong></span></p> + <p><span class="command"><strong>IXFRReqv6</strong></span></p> </td> <td> <p> @@ -11564,7 +11701,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrSuccess</strong></span></p> + <p><span class="command"><strong>XfrSuccess</strong></span></p> </td> <td> <p> @@ -11574,7 +11711,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrFail</strong></span></p> + <p><span class="command"><strong>XfrFail</strong></span></p> </td> <td> <p> @@ -11585,14 +11722,14 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2604128"></a>Resolver Statistics Counters</h4></div></div></div> +<a name="resolver_stats"></a>Resolver Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.150in" class="1"> +<col width="1.150in" class="2"> +<col width="3.350in" class="3"> </colgroup> <tbody> <tr> @@ -11614,10 +11751,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Queryv4</strong></span></p> + <p><span class="command"><strong>Queryv4</strong></span></p> </td> <td> - <p><span><strong class="command">SFwdQ</strong></span></p> + <p><span class="command"><strong>SFwdQ</strong></span></p> </td> <td> <p> @@ -11627,10 +11764,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Queryv6</strong></span></p> + <p><span class="command"><strong>Queryv6</strong></span></p> </td> <td> - <p><span><strong class="command">SFwdQ</strong></span></p> + <p><span class="command"><strong>SFwdQ</strong></span></p> </td> <td> <p> @@ -11640,10 +11777,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Responsev4</strong></span></p> + <p><span class="command"><strong>Responsev4</strong></span></p> </td> <td> - <p><span><strong class="command">RR</strong></span></p> + <p><span class="command"><strong>RR</strong></span></p> </td> <td> <p> @@ -11653,10 +11790,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Responsev6</strong></span></p> + <p><span class="command"><strong>Responsev6</strong></span></p> </td> <td> - <p><span><strong class="command">RR</strong></span></p> + <p><span class="command"><strong>RR</strong></span></p> </td> <td> <p> @@ -11666,10 +11803,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NXDOMAIN</strong></span></p> + <p><span class="command"><strong>NXDOMAIN</strong></span></p> </td> <td> - <p><span><strong class="command">RNXD</strong></span></p> + <p><span class="command"><strong>RNXD</strong></span></p> </td> <td> <p> @@ -11679,10 +11816,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">SERVFAIL</strong></span></p> + <p><span class="command"><strong>SERVFAIL</strong></span></p> </td> <td> - <p><span><strong class="command">RFail</strong></span></p> + <p><span class="command"><strong>RFail</strong></span></p> </td> <td> <p> @@ -11692,10 +11829,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">FORMERR</strong></span></p> + <p><span class="command"><strong>FORMERR</strong></span></p> </td> <td> - <p><span><strong class="command">RFErr</strong></span></p> + <p><span class="command"><strong>RFErr</strong></span></p> </td> <td> <p> @@ -11705,10 +11842,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">OtherError</strong></span></p> + <p><span class="command"><strong>OtherError</strong></span></p> </td> <td> - <p><span><strong class="command">RErr</strong></span></p> + <p><span class="command"><strong>RErr</strong></span></p> </td> <td> <p> @@ -11718,10 +11855,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">EDNS0Fail</strong></span></p> + <p><span class="command"><strong>EDNS0Fail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11731,10 +11868,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Mismatch</strong></span></p> + <p><span class="command"><strong>Mismatch</strong></span></p> </td> <td> - <p><span><strong class="command">RDupR</strong></span></p> + <p><span class="command"><strong>RDupR</strong></span></p> </td> <td> <p> @@ -11743,7 +11880,7 @@ HOST-127.EXAMPLE. MX 0 . and/or the response's source port does not match what was expected. (The port must be 53 or as defined by - the <span><strong class="command">port</strong></span> option.) + the <span class="command"><strong>port</strong></span> option.) This may be an indication of a cache poisoning attempt. </p> @@ -11751,10 +11888,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Truncated</strong></span></p> + <p><span class="command"><strong>Truncated</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11764,10 +11901,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Lame</strong></span></p> + <p><span class="command"><strong>Lame</strong></span></p> </td> <td> - <p><span><strong class="command">RLame</strong></span></p> + <p><span class="command"><strong>RLame</strong></span></p> </td> <td> <p> @@ -11777,10 +11914,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Retry</strong></span></p> + <p><span class="command"><strong>Retry</strong></span></p> </td> <td> - <p><span><strong class="command">SDupQ</strong></span></p> + <p><span class="command"><strong>SDupQ</strong></span></p> </td> <td> <p> @@ -11790,10 +11927,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QueryAbort</strong></span></p> + <p><span class="command"><strong>QueryAbort</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11803,10 +11940,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QuerySockFail</strong></span></p> + <p><span class="command"><strong>QuerySockFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11819,10 +11956,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QueryTimeout</strong></span></p> + <p><span class="command"><strong>QueryTimeout</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11832,10 +11969,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv4</strong></span></p> + <p><span class="command"><strong>GlueFetchv4</strong></span></p> </td> <td> - <p><span><strong class="command">SSysQ</strong></span></p> + <p><span class="command"><strong>SSysQ</strong></span></p> </td> <td> <p> @@ -11845,10 +11982,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv6</strong></span></p> + <p><span class="command"><strong>GlueFetchv6</strong></span></p> </td> <td> - <p><span><strong class="command">SSysQ</strong></span></p> + <p><span class="command"><strong>SSysQ</strong></span></p> </td> <td> <p> @@ -11858,10 +11995,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv4Fail</strong></span></p> + <p><span class="command"><strong>GlueFetchv4Fail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11871,10 +12008,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv6Fail</strong></span></p> + <p><span class="command"><strong>GlueFetchv6Fail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11884,10 +12021,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValAttempt</strong></span></p> + <p><span class="command"><strong>ValAttempt</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11897,10 +12034,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValOk</strong></span></p> + <p><span class="command"><strong>ValOk</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11910,10 +12047,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValNegOk</strong></span></p> + <p><span class="command"><strong>ValNegOk</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11923,10 +12060,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValFail</strong></span></p> + <p><span class="command"><strong>ValFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11936,60 +12073,60 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryRTTnn</strong></span></p> + <p><span class="command"><strong>QryRTTnn</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Frequency table on round trip times (RTTs) of queries. - Each <span><strong class="command">nn</strong></span> specifies the corresponding + Each <span class="command"><strong>nn</strong></span> specifies the corresponding frequency. In the sequence of - <span><strong class="command">nn_1</strong></span>, - <span><strong class="command">nn_2</strong></span>, + <span class="command"><strong>nn_1</strong></span>, + <span class="command"><strong>nn_2</strong></span>, ..., - <span><strong class="command">nn_m</strong></span>, - the value of <span><strong class="command">nn_i</strong></span> is the + <span class="command"><strong>nn_m</strong></span>, + the value of <span class="command"><strong>nn_i</strong></span> is the number of queries whose RTTs are between - <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and - <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds. + <span class="command"><strong>nn_(i-1)</strong></span> (inclusive) and + <span class="command"><strong>nn_i</strong></span> (exclusive) milliseconds. For the sake of convenience we define - <span><strong class="command">nn_0</strong></span> to be 0. + <span class="command"><strong>nn_0</strong></span> to be 0. The last entry should be represented as - <span><strong class="command">nn_m+</strong></span>, which means the + <span class="command"><strong>nn_m+</strong></span>, which means the number of queries whose RTTs are equal to or over - <span><strong class="command">nn_m</strong></span> milliseconds. + <span class="command"><strong>nn_m</strong></span> milliseconds. </p> </td> </tr> </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2605149"></a>Socket I/O Statistics Counters</h4></div></div></div> +<a name="socket_stats"></a>Socket I/O Statistics Counters</h4></div></div></div> <p> Socket I/O statistics counters are defined per socket types, which are - <span><strong class="command">UDP4</strong></span> (UDP/IPv4), - <span><strong class="command">UDP6</strong></span> (UDP/IPv6), - <span><strong class="command">TCP4</strong></span> (TCP/IPv4), - <span><strong class="command">TCP6</strong></span> (TCP/IPv6), - <span><strong class="command">Unix</strong></span> (Unix Domain), and - <span><strong class="command">FDwatch</strong></span> (sockets opened outside the + <span class="command"><strong>UDP4</strong></span> (UDP/IPv4), + <span class="command"><strong>UDP6</strong></span> (UDP/IPv6), + <span class="command"><strong>TCP4</strong></span> (TCP/IPv4), + <span class="command"><strong>TCP6</strong></span> (TCP/IPv6), + <span class="command"><strong>Unix</strong></span> (Unix Domain), and + <span class="command"><strong>FDwatch</strong></span> (sockets opened outside the socket module). - In the following table <span><strong class="command"><TYPE></strong></span> + In the following table <span class="command"><strong><TYPE></strong></span> represents a socket type. Not all counters are available for all socket types; exceptions are noted in the description field. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> @@ -12006,31 +12143,31 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Open</strong></span></p> + <p><span class="command"><strong><TYPE>Open</strong></span></p> </td> <td> <p> Sockets opened successfully. This counter is not applicable to the - <span><strong class="command">FDwatch</strong></span> type. + <span class="command"><strong>FDwatch</strong></span> type. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>OpenFail</strong></span></p> + <p><span class="command"><strong><TYPE>OpenFail</strong></span></p> </td> <td> <p> Failures of opening sockets. This counter is not applicable to the - <span><strong class="command">FDwatch</strong></span> type. + <span class="command"><strong>FDwatch</strong></span> type. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Close</strong></span></p> + <p><span class="command"><strong><TYPE>Close</strong></span></p> </td> <td> <p> @@ -12040,7 +12177,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>BindFail</strong></span></p> + <p><span class="command"><strong><TYPE>BindFail</strong></span></p> </td> <td> <p> @@ -12050,7 +12187,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>ConnFail</strong></span></p> + <p><span class="command"><strong><TYPE>ConnFail</strong></span></p> </td> <td> <p> @@ -12060,7 +12197,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Conn</strong></span></p> + <p><span class="command"><strong><TYPE>Conn</strong></span></p> </td> <td> <p> @@ -12070,46 +12207,46 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>AcceptFail</strong></span></p> + <p><span class="command"><strong><TYPE>AcceptFail</strong></span></p> </td> <td> <p> Failures of accepting incoming connection requests. This counter is not applicable to the - <span><strong class="command">UDP</strong></span> and - <span><strong class="command">FDwatch</strong></span> types. + <span class="command"><strong>UDP</strong></span> and + <span class="command"><strong>FDwatch</strong></span> types. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Accept</strong></span></p> + <p><span class="command"><strong><TYPE>Accept</strong></span></p> </td> <td> <p> Incoming connections successfully accepted. This counter is not applicable to the - <span><strong class="command">UDP</strong></span> and - <span><strong class="command">FDwatch</strong></span> types. + <span class="command"><strong>UDP</strong></span> and + <span class="command"><strong>FDwatch</strong></span> types. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>SendErr</strong></span></p> + <p><span class="command"><strong><TYPE>SendErr</strong></span></p> </td> <td> <p> Errors in socket send operations. This counter corresponds - to <span><strong class="command">SErr</strong></span> counter of - <span><strong class="command">BIND</strong></span> 8. + to <span class="command"><strong>SErr</strong></span> counter of + <span class="command"><strong>BIND</strong></span> 8. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>RecvErr</strong></span></p> + <p><span class="command"><strong><TYPE>RecvErr</strong></span></p> </td> <td> <p> @@ -12123,36 +12260,36 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2605523"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> +<a name="bind8_compatibility"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> <p> Most statistics counters that were available - in <span><strong class="command">BIND</strong></span> 8 are also supported in - <span><strong class="command">BIND</strong></span> 9 as shown in the above tables. + in <span class="command"><strong>BIND</strong></span> 8 are also supported in + <span class="command"><strong>BIND</strong></span> 9 as shown in the above tables. Here are notes about other counters that do not appear in these tables. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>RFwdR,SFwdR</strong></span></span></dt> <dd><p> These counters are not supported - because <span><strong class="command">BIND</strong></span> 9 does not adopt + because <span class="command"><strong>BIND</strong></span> 9 does not adopt the notion of <span class="emphasis"><em>forwarding</em></span> - as <span><strong class="command">BIND</strong></span> 8 did. + as <span class="command"><strong>BIND</strong></span> 8 did. </p></dd> -<dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>RAXFR</strong></span></span></dt> <dd><p> This counter is accessible in the Incoming Queries section. </p></dd> -<dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>RIQ</strong></span></span></dt> <dd><p> This counter is accessible in the Incoming Requests section. </p></dd> -<dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ROpts</strong></span></span></dt> <dd><p> This counter is not supported - because <span><strong class="command">BIND</strong></span> 9 does not care + because <span class="command"><strong>BIND</strong></span> 9 does not care about IP options in the first place. </p></dd> </dl></div> @@ -12177,6 +12314,6 @@ HOST-127.EXAMPLE. MX 0 . </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index bdfca511662a..95aa52f2f0bd 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 7. BIND 9 Security Considerations</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference"> <link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting"> @@ -39,30 +38,30 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605750"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605831">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605959">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div> <p> Access Control Lists (ACLs) are address match lists that - you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>, - <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>, - <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>, - <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>, + you can set up and nickname for future use in <span class="command"><strong>allow-notify</strong></span>, + <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-query-on</strong></span>, + <span class="command"><strong>allow-recursion</strong></span>, <span class="command"><strong>allow-recursion-on</strong></span>, + <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>, etc. </p> <p> @@ -112,15 +111,15 @@ zone "example.com" { unless recursion has been previously disabled. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2605750"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> +<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span> </h2></div></div></div> <p> On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment (using - the <span><strong class="command">chroot()</strong></span> function) by specifying - the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>. + the <span class="command"><strong>chroot()</strong></span> function) by specifying + the "<code class="option">-t</code>" option for <span class="command"><strong>named</strong></span>. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit the damage done if a server is compromised. @@ -128,21 +127,21 @@ zone "example.com" { <p> Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ). - We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature. + We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature. </p> <p> - Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox, - <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to + Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox, + <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to user 202: </p> <p> <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong> </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2605831"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div> +<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div> <p> - In order for a <span><strong class="command">chroot</strong></span> environment + In order for a <span class="command"><strong>chroot</strong></span> environment to work properly in a particular directory (for example, <code class="filename">/var/named</code>), @@ -151,12 +150,12 @@ zone "example.com" { From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is the root of the filesystem. You will need to adjust the values of options like - like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account + like <span class="command"><strong>directory</strong></span> and <span class="command"><strong>pid-file</strong></span> to account for this. </p> <p> Unlike with earlier versions of BIND, you typically will - <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span> + <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span> statically nor install shared libraries under the new root. However, depending on your operating system, you may need to set up things like @@ -166,15 +165,15 @@ zone "example.com" { <code class="filename">/etc/localtime</code>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2605959"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div> +<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div> <p> - Prior to running the <span><strong class="command">named</strong></span> daemon, + Prior to running the <span class="command"><strong>named</strong></span> daemon, use - the <span><strong class="command">touch</strong></span> utility (to change file + the <span class="command"><strong>touch</strong></span> utility (to change file access and - modification times) or the <span><strong class="command">chown</strong></span> + modification times) or the <span class="command"><strong>chown</strong></span> utility (to set the user id and/or group id) on files to which you want <acronym class="acronym">BIND</acronym> @@ -182,13 +181,15 @@ zone "example.com" { </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> - Note that if the <span><strong class="command">named</strong></span> daemon is running as an +<p> + If the <span class="command"><strong>named</strong></span> daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded. - </div> + </p> +</div> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div> <p> @@ -198,12 +199,12 @@ zone "example.com" { based on the IP address of the host requesting the update, by listing an IP address or - network prefix in the <span><strong class="command">allow-update</strong></span> + network prefix in the <span class="command"><strong>allow-update</strong></span> zone option. This method is insecure since the source address of the update UDP packet is easily forged. Also note that if the IP addresses allowed by the - <span><strong class="command">allow-update</strong></span> option include the + <span class="command"><strong>allow-update</strong></span> option include the address of a slave server which performs forwarding of dynamic updates, the master can be @@ -214,10 +215,10 @@ zone "example.com" { <p> For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures - (TSIG). That is, the <span><strong class="command">allow-update</strong></span> + (TSIG). That is, the <span class="command"><strong>allow-update</strong></span> option should list only TSIG key names, not IP addresses or network - prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span> + prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span> option can be used. </p> <p> @@ -247,6 +248,6 @@ zone "example.com" { </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 8a25488b22b2..4120cfc426f3 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 8. Troubleshooting</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations"> <link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes"> @@ -39,24 +38,24 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2606107">Common Problems</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2606113">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2606124">Incrementing and Changing the Serial Number</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2606141">Where Can I Get Help?</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt> +<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Incrementing and Changing the Serial Number</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2606107"></a>Common Problems</h2></div></div></div> -<div class="sect2" lang="en"> +<a name="common_problems"></a>Common Problems</h2></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2606113"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div> +<a name="id-1.9.2.2"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div> <p> The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -66,9 +65,9 @@ </p> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2606124"></a>Incrementing and Changing the Serial Number</h2></div></div></div> +<a name="id-1.9.3"></a>Incrementing and Changing the Serial Number</h2></div></div></div> <p> Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -93,9 +92,9 @@ it to be, and reload the zone again. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2606141"></a>Where Can I Get Help?</h2></div></div></div> +<a name="more_help"></a>Where Can I Get Help?</h2></div></div></div> <p> The Internet Systems Consortium (<acronym class="acronym">ISC</acronym>) offers a wide range @@ -111,9 +110,9 @@ </p> <p> To discuss arrangements for support, contact - <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the + <a class="link" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the <acronym class="acronym">ISC</acronym> web page at - <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a> + <a class="link" href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a> to read more. </p> </div> @@ -135,6 +134,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 706fb8b602b9..08d15df68710 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Appendix A. Release Notes</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting"> <link rel="next" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND"> @@ -39,136 +38,130 @@ </table> <hr> </div> -<div class="appendix" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch09"></a>Appendix A. Release Notes</h2></div></div></div> +<div class="appendix"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563593">Release Notes for BIND Version 9.9.8-P4</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.9.9-P3</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt> </dl></dd> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2563593"></a>Release Notes for BIND Version 9.9.8-P4</h2></div></div></div> -<div class="sect2" lang="en"> +<a name="id-1.10.2"></a>Release Notes for BIND Version 9.9.9-P3</h2></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_intro"></a>Introduction</h3></div></div></div> <p> - This document summarizes changes since BIND 9.9.8: + This document summarizes changes since BIND 9.9.9: </p> <p> - BIND 9.9.8-P4 addresses the security issues described in - CVE-2016-1285 and CVE-2016-1286. + BIND 9.10.9-P3 addresses the security issue described in + CVE-2016-2776. </p> <p> - BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704. - It also fixes a serious regression in authoritative server selection - that was introduced in 9.9.8. + BIND 9.9.9-P2 addresses the security issue described in + CVE-2016-2775. </p> <p> - BIND 9.9.8-P2 addresses security issues described in CVE-2015-3193 - (OpenSSL), CVE-2015-8000 and CVE-2015-8461. - </p> -<p> - BIND 9.9.8-P1 was incomplete and was withdrawn prior to publication. + BIND 9.9.9-P1 addresses Windows installation issues and a race + condition in the rbt/rbtdb implementation resulting in named + exiting due to assertion failures being detected. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_download"></a>Download</h3></div></div></div> <p> The latest versions of BIND 9 software can always be found at - <a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>. + <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_security"></a>Security Fixes</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"> -<li><p> - The resolver could abort with an assertion failure due to - improper DNAME handling when parsing fetch reply - messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] - </p></li> -<li><p> - Malformed control messages can trigger assertions in named - and rndc. This flaw is disclosed in CVE-2016-1285. [RT - #41666] - </p></li> -<li><p> - Specific APL data could trigger an INSIST. This flaw - is disclosed in CVE-2015-8704. [RT #41396] +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p> + It was possible to trigger a assertion when rendering a + message using a specially crafted request. This flaw is + disclosed in CVE-2016-2776. [RT #43139] </p></li> -<li><p> - Named is potentially vulnerable to the OpenSSL vulnerability - described in CVE-2015-3193. - </p></li> -<li><p> - Incorrect reference counting could result in an INSIST - failure if a socket error occurred while performing a - lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] - </p></li> -<li><p> - Insufficient testing when parsing a message allowed - records with an incorrect class to be be accepted, - triggering a REQUIRE failure when those records - were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #40987] +<li class="listitem"><p> + getrrsetbyname with a non absolute name could trigger an + infinite recursion bug in lwresd and named with lwres + configured if when combined with a search list entry the + resulting name is too long. This flaw is disclosed in + CVE-2016-2775. [RT #42694] </p></li> </ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_features"></a>New Features</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + None. + </p></li></ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"><li><p> - Updated the compiled in addresses for H.ROOT-SERVERS.NET. +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + None. </p></li></ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"><li><p> - Authoritative servers that were marked as bogus (e.g. blackholed - in configuration or with invalid addresses) were being queried - anyway. [RT #41321] +<a name="relnotes_port"></a>Porting Changes</h3></div></div></div> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + None. </p></li></ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p> + Windows installs were failing due to triggering UAC without + the installation binary being signed. + </p></li> +<li class="listitem"><p> + A race condition in rbt/rbtdb was leading to INSISTs being + triggered. + </p></li> +</ul></div> +</div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="end_of_life"></a>End of Life</h3></div></div></div> <p> - The BIND 9.9 (Extended Support Version) will be supported until + BIND 9.9 (Extended Support Version) will be supported until December, 2017. - <a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a> + <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a> </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_thanks"></a>Thank You</h3></div></div></div> <p> Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at - <a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>. + <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>. </p> </div> </div> @@ -191,6 +184,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 763d446cd404..e2c60355c34f 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Appendix B. A Brief History of the DNS and BIND</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes"> <link rel="next" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information"> @@ -40,111 +39,104 @@ </table> <hr> </div> -<div class="appendix" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch10"></a>Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> -</h2></div></div></div> -<div class="toc"> -<p><b>Table of Contents</b></p> -<dl><dt><span class="sect1"><a href="Bv9ARM.ch10.html#historical_dns_information"></a></span></dt></dl> -</div> -<div class="sect1" lang="en"> -<div class="titlepage"></div> -<p> - Although the "official" beginning of the Domain Name - System occurred in 1984 with the publication of RFC 920, the - core of the new system was described in 1983 in RFCs 882 and - 883. From 1984 to 1987, the ARPAnet (the precursor to today's - Internet) became a testbed of experimentation for developing the - new naming/addressing scheme in a rapidly expanding, - operational network environment. New RFCs were written and - published in 1987 that modified the original documents to - incorporate improvements based on the working model. RFC 1034, - "Domain Names-Concepts and Facilities", and RFC 1035, "Domain - Names-Implementation and Specification" were published and - became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are - built. - </p> +<div class="appendix"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch10"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> +</h1></div></div></div> +<p><a name="historical_dns_information"></a> + Although the "official" beginning of the Domain Name + System occurred in 1984 with the publication of RFC 920, the + core of the new system was described in 1983 in RFCs 882 and + 883. From 1984 to 1987, the ARPAnet (the precursor to today's + Internet) became a testbed of experimentation for developing the + new naming/addressing scheme in a rapidly expanding, + operational network environment. New RFCs were written and + published in 1987 that modified the original documents to + incorporate improvements based on the working model. RFC 1034, + "Domain Names-Concepts and Facilities", and RFC 1035, "Domain + Names-Implementation and Specification" were published and + became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are + built. + </p> <p> - The first working domain name server, called "Jeeves", was - written in 1983-84 by Paul Mockapetris for operation on DEC - Tops-20 - machines located at the University of Southern California's - Information - Sciences Institute (USC-ISI) and SRI International's Network - Information - Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for - Unix machines, the Berkeley Internet - Name Domain (<acronym class="acronym">BIND</acronym>) package, was - written soon after by a group of - graduate students at the University of California at Berkeley - under - a grant from the US Defense Advanced Research Projects - Administration - (DARPA). - </p> + The first working domain name server, called "Jeeves", was + written in 1983-84 by Paul Mockapetris for operation on DEC + Tops-20 + machines located at the University of Southern California's + Information + Sciences Institute (USC-ISI) and SRI International's Network + Information + Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for + Unix machines, the Berkeley Internet + Name Domain (<acronym class="acronym">BIND</acronym>) package, was + written soon after by a group of + graduate students at the University of California at Berkeley + under + a grant from the US Defense Advanced Research Projects + Administration + (DARPA). + </p> <p> - Versions of <acronym class="acronym">BIND</acronym> through - 4.8.3 were maintained by the Computer - Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark - Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym> - project team. After that, additional work on the software package - was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment - Corporation - employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985 - to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development - during that time: Doug Kingston, Craig Partridge, Smoot - Carl-Mitchell, - Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently - handled by Mike Karels and Øivind Kure. - </p> + Versions of <acronym class="acronym">BIND</acronym> through + 4.8.3 were maintained by the Computer + Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark + Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym> + project team. After that, additional work on the software package + was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment + Corporation + employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985 + to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development + during that time: Doug Kingston, Craig Partridge, Smoot + Carl-Mitchell, + Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently + handled by Mike Karels and Øivind Kure. + </p> <p> - <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were - released by Digital Equipment - Corporation (now Compaq Computer Corporation). Paul Vixie, then - a DEC employee, became <acronym class="acronym">BIND</acronym>'s - primary caretaker. He was assisted - by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan - Beecher, Andrew - Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat - Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe - Wolfhugel, and others. - </p> + <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were + released by Digital Equipment + Corporation (now Compaq Computer Corporation). Paul Vixie, then + a DEC employee, became <acronym class="acronym">BIND</acronym>'s + primary caretaker. He was assisted + by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan + Beecher, Andrew + Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat + Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe + Wolfhugel, and others. + </p> <p> - In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by - Vixie Enterprises. Paul - Vixie became <acronym class="acronym">BIND</acronym>'s principal - architect/programmer. - </p> + In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by + Vixie Enterprises. Paul + Vixie became <acronym class="acronym">BIND</acronym>'s principal + architect/programmer. + </p> <p> - <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward - have been developed and maintained - by the Internet Systems Consortium and its predecessor, - the Internet Software Consortium, with support being provided - by ISC's sponsors. - </p> + <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward + have been developed and maintained + by the Internet Systems Consortium and its predecessor, + the Internet Software Consortium, with support being provided + by ISC's sponsors. + </p> <p> - As co-architects/programmers, Bob Halley and - Paul Vixie released the first production-ready version of - <acronym class="acronym">BIND</acronym> version 8 in May 1997. - </p> + As co-architects/programmers, Bob Halley and + Paul Vixie released the first production-ready version of + <acronym class="acronym">BIND</acronym> version 8 in May 1997. + </p> <p> - BIND version 9 was released in September 2000 and is a - major rewrite of nearly all aspects of the underlying - BIND architecture. - </p> + BIND version 9 was released in September 2000 and is a + major rewrite of nearly all aspects of the underlying + BIND architecture. + </p> <p> - BIND versions 4 and 8 are officially deprecated. - No additional development is done - on BIND version 4 or BIND version 8. - </p> + BIND versions 4 and 8 are officially deprecated. + No additional development is done + on BIND version 4 or BIND version 8. + </p> <p> - <acronym class="acronym">BIND</acronym> development work is made - possible today by the sponsorship - of several corporations, and by the tireless work efforts of - numerous individuals. - </p> -</div> + <acronym class="acronym">BIND</acronym> development work is made + possible today by the sponsorship + of several corporations, and by the tireless work efforts of + numerous individuals. + </p> </div> <div class="navfooter"> <hr> @@ -163,6 +155,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 207760ace378..c842b29f629e 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Appendix C. General DNS Reference Information</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND"> <link rel="next" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support"> @@ -39,22 +38,22 @@ </table> <hr> </div> -<div class="appendix" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch11"></a>Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div> +<div class="appendix"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch11"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch11.html#id2609865">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> </dl></dd> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h2></div></div></div> <p> @@ -101,7 +100,7 @@ implementation, although it is usually possible to override the default setting if necessary. A typical IPv6 address might look like: - <span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span> + <span class="command"><strong>2001:db8:201:9:a00:20ff:fe81:2b32</strong></span> </p> <p> IPv6 address specifications often contain long strings @@ -112,10 +111,10 @@ of zeros that can fit, and can be used only once in an address. </p> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div> <p> @@ -127,7 +126,7 @@ Engineering Steering Group (IESG). RFCs can be obtained online via FTP at: </p> <p> - <a href="ftp://www.isi.edu/in-notes/" target="_top"> + <a class="link" href="ftp://www.isi.edu/in-notes/" target="_top"> ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt </a> </p> @@ -136,238 +135,224 @@ the number of the RFC). RFCs are also available via the Web at: </p> <p> - <a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>. + <a class="link" href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>. </p> <div class="bibliography"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2606773"></a>Bibliography</h4></div></div></div> +<a name="id-1.12.3.2.6"></a>Bibliography</h4></div></div></div> <div class="bibliodiv"> -<h3 class="title">Standards</h3> <div class="biblioentry"> -<a name="id2606784"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p> +<a name="id-1.12.3.2.6.1.2"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="citetitle"><em class="citetitle">Mail Routing and the Domain System</em>. </span><span class="pubdate">January 1986. </span></p> </div> <div class="biblioentry"> -<a name="id2606807"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p> +<a name="id-1.12.3.2.6.1.3"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="citetitle"><em class="citetitle">Domain Names — Concepts and Facilities</em>. </span><span class="pubdate">November 1987. </span></p> </div> <div class="biblioentry"> -<a name="id2606830"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Implementation and - Specification</i>. </span><span class="pubdate">November 1987. </span></p> +<a name="id-1.12.3.2.6.1.4"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="citetitle"><em class="citetitle">Domain Names — Implementation and + Specification</em>. </span><span class="pubdate">November 1987. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title"> -<a name="proposed_standards"></a>Proposed Standards</h3> <div class="biblioentry"> -<a name="id2606867"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym> - Specification</i>. </span><span class="pubdate">July 1997. </span></p> +<a name="id-1.12.3.2.6.2.2"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="citetitle"><em class="citetitle">Clarifications to the <acronym class="acronym">DNS</acronym> + Specification</em>. </span><span class="pubdate">July 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2606893"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym> - Queries</i>. </span><span class="pubdate">March 1998. </span></p> +<a name="id-1.12.3.2.6.2.3"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="citetitle"><em class="citetitle">Negative Caching of <acronym class="acronym">DNS</acronym> + Queries</em>. </span><span class="pubdate">March 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2606919"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p> +<a name="id-1.12.3.2.6.2.4"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="citetitle"><em class="citetitle">Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></em>. </span><span class="pubdate">August 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2606944"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p> +<a name="id-1.12.3.2.6.2.5"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="citetitle"><em class="citetitle">A Mechanism for Prompt Notification of Zone Changes</em>. </span><span class="pubdate">August 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2606967"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p> +<a name="id-1.12.3.2.6.2.6"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="citetitle"><em class="citetitle">Dynamic Updates in the Domain Name System</em>. </span><span class="pubdate">April 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2607022"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p> +<a name="id-1.12.3.2.6.2.7"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="citetitle"><em class="citetitle">Extension Mechanisms for DNS (EDNS0)</em>. </span><span class="pubdate">August 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2607049"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p> +<a name="id-1.12.3.2.6.2.8"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="citetitle"><em class="citetitle">Non-Terminal DNS Name Redirection</em>. </span><span class="pubdate">August 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2607076"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p> +<a name="id-1.12.3.2.6.2.9"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="citetitle"><em class="citetitle">Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</em>. </span><span class="pubdate">May 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2607138"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id-1.12.3.2.6.2.10"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">Secret Key Establishment for DNS (TKEY RR)</em>. </span><span class="pubdate">September 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2607168"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id-1.12.3.2.6.2.11"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">DNS Request and Transaction Signatures (SIG(0)s)</em>. </span><span class="pubdate">September 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2607197"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p> +<a name="id-1.12.3.2.6.2.12"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="citetitle"><em class="citetitle">Secure Domain Name System (DNS) Dynamic Update</em>. </span><span class="pubdate">November 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2607224"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret +<a name="id-1.12.3.2.6.2.13"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="citetitle"><em class="citetitle">Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS - (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p> + (GSS-TSIG)</em>. </span><span class="pubdate">October 2003. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title"> -<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3> <div class="biblioentry"> -<a name="id2607306"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p> +<a name="id-1.12.3.2.6.3.2"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="citetitle"><em class="citetitle">Indicating Resolver Support of DNSSEC</em>. </span><span class="pubdate">December 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2607333"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p> +<a name="id-1.12.3.2.6.3.3"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="citetitle"><em class="citetitle">Threat Analysis of the Domain Name System (DNS)</em>. </span><span class="pubdate">August 2004. </span></p> </div> <div class="biblioentry"> -<a name="id2607369"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p> +<a name="id-1.12.3.2.6.3.4"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="citetitle"><em class="citetitle">DNS Security Introduction and Requirements</em>. </span><span class="pubdate">March 2005. </span></p> </div> <div class="biblioentry"> -<a name="id2607434"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p> +<a name="id-1.12.3.2.6.3.5"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="citetitle"><em class="citetitle">Resource Records for the DNS Security Extensions</em>. </span><span class="pubdate">March 2005. </span></p> </div> <div class="biblioentry"> -<a name="id2607499"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS - Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p> +<a name="id-1.12.3.2.6.3.6"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="citetitle"><em class="citetitle">Protocol Modifications for the DNS + Security Extensions</em>. </span><span class="pubdate">March 2005. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym> - Implementation</h3> <div class="biblioentry"> -<a name="id2607573"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely - Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p> +<a name="id-1.12.3.2.6.4.2"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="citetitle"><em class="citetitle">A Security Problem and Proposed Correction With Widely + Deployed <acronym class="acronym">DNS</acronym> Software.</em>. </span><span class="pubdate">October 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2607598"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation - Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p> +<a name="id-1.12.3.2.6.4.3"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Implementation + Errors and Suggested Fixes</em>. </span><span class="pubdate">October 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2607667"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p> +<a name="id-1.12.3.2.6.4.4"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="citetitle"><em class="citetitle">Serial Number Arithmetic</em>. </span><span class="pubdate">August 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2607702"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym> - Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p> +<a name="id-1.12.3.2.6.4.5"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="citetitle"><em class="citetitle">Common Misbehaviour Against <acronym class="acronym">DNS</acronym> + Queries for IPv6 Addresses</em>. </span><span class="pubdate">May 2005. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title">Resource Record Types</h3> <div class="biblioentry"> -<a name="id2607748"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p> +<a name="id-1.12.3.2.6.5.2"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="citetitle"><em class="citetitle">New <acronym class="acronym">DNS</acronym> RR Definitions</em>. </span><span class="pubdate">October 1990. </span></p> </div> <div class="biblioentry"> -<a name="id2607874"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p> +<a name="id-1.12.3.2.6.5.3"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> NSAP Resource Records</em>. </span><span class="pubdate">October 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2607911"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using - the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p> +<a name="id-1.12.3.2.6.5.4"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="citetitle"><em class="citetitle">Resolution of Uniform Resource Identifiers using + the Domain Name System</em>. </span><span class="pubdate">June 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2607946"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the +<a name="id-1.12.3.2.6.5.5"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="citetitle"><em class="citetitle">A Means for Expressing Location Information in the Domain - Name System</i>. </span><span class="pubdate">January 1996. </span></p> + Name System</em>. </span><span class="pubdate">January 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2608001"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the +<a name="id-1.12.3.2.6.5.6"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="citetitle"><em class="citetitle">A <acronym class="acronym">DNS</acronym> RR for Specifying the Location of - Services.</i>. </span><span class="pubdate">October 1996. </span></p> + Services.</em>. </span><span class="pubdate">October 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2608039"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to +<a name="id-1.12.3.2.6.5.7"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="citetitle"><em class="citetitle">Using the Internet <acronym class="acronym">DNS</acronym> to Distribute MIXER - Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p> + Conformant Global Address Mapping</em>. </span><span class="pubdate">January 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2608065"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p> +<a name="id-1.12.3.2.6.5.8"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="citetitle"><em class="citetitle">Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></em>. </span><span class="pubdate">October 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2608090"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id-1.12.3.2.6.5.9"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">DSA KEYs and SIGs in the Domain Name System (DNS)</em>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2608117"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id-1.12.3.2.6.5.10"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</em>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2608144"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id-1.12.3.2.6.5.11"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="citetitle"><em class="citetitle">Storing Certificates in the Domain Name System (DNS)</em>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2608183"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id-1.12.3.2.6.5.12"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</em>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2608213"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id-1.12.3.2.6.5.13"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">Detached Domain Name System (DNS) Information</em>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2608243"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p> +<a name="id-1.12.3.2.6.5.14"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="citetitle"><em class="citetitle">A DNS RR for specifying the location of services (DNS SRV)</em>. </span><span class="pubdate">February 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2608285"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id-1.12.3.2.6.5.15"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="citetitle"><em class="citetitle">The Naming Authority Pointer (NAPTR) DNS Resource Record</em>. </span><span class="pubdate">September 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2608318"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p> +<a name="id-1.12.3.2.6.5.16"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</em>. </span><span class="pubdate">May 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2608345"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p> +<a name="id-1.12.3.2.6.5.17"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="citetitle"><em class="citetitle">A DNS RR Type for Lists of Address Prefixes (APL RR)</em>. </span><span class="pubdate">June 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2608369"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP - version 6</i>. </span><span class="pubdate">October 2003. </span></p> +<a name="id-1.12.3.2.6.5.18"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Extensions to support IP + version 6</em>. </span><span class="pubdate">October 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2608426"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p> +<a name="id-1.12.3.2.6.5.19"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="citetitle"><em class="citetitle">Handling of Unknown DNS Resource Record (RR) Types</em>. </span><span class="pubdate">September 2003. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title"> -<acronym class="acronym">DNS</acronym> and the Internet</h3> <div class="biblioentry"> -<a name="id2608458"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names - and Other Types</i>. </span><span class="pubdate">April 1989. </span></p> +<a name="id-1.12.3.2.6.6.2"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Network Names + and Other Types</em>. </span><span class="pubdate">April 1989. </span></p> </div> <div class="biblioentry"> -<a name="id2608552"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and - Support</i>. </span><span class="pubdate">October 1989. </span></p> +<a name="id-1.12.3.2.6.6.3"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="citetitle"><em class="citetitle">Requirements for Internet Hosts - Application and + Support</em>. </span><span class="pubdate">October 1989. </span></p> </div> <div class="biblioentry"> -<a name="id2608574"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p> +<a name="id-1.12.3.2.6.6.4"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="citetitle"><em class="citetitle">Domain Name System Structure and Delegation</em>. </span><span class="pubdate">March 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2608598"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p> +<a name="id-1.12.3.2.6.6.5"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="citetitle"><em class="citetitle">Classless IN-ADDR.ARPA Delegation</em>. </span><span class="pubdate">March 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2608712"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p> +<a name="id-1.12.3.2.6.6.6"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="citetitle"><em class="citetitle">IAB Technical Comment on the Unique DNS Root</em>. </span><span class="pubdate">May 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2608736"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id-1.12.3.2.6.6.7"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="citetitle"><em class="citetitle">Domain Name System (DNS) IANA Considerations</em>. </span><span class="pubdate">September 2000. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title"> -<acronym class="acronym">DNS</acronym> Operations</h3> <div class="biblioentry"> -<a name="id2608793"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p> +<a name="id-1.12.3.2.6.7.2"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="citetitle"><em class="citetitle">Domain administrators operations guide.</em>. </span><span class="pubdate">November 1987. </span></p> </div> <div class="biblioentry"> -<a name="id2608817"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File - Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p> +<a name="id-1.12.3.2.6.7.3"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Data File + Configuration Errors</em>. </span><span class="pubdate">October 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2608843"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and - Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p> +<a name="id-1.12.3.2.6.7.4"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Operational and + Configuration Errors</em>. </span><span class="pubdate">February 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2608870"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p> +<a name="id-1.12.3.2.6.7.5"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="citetitle"><em class="citetitle">Operational Criteria for Root Name Servers.</em>. </span><span class="pubdate">October 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2608906"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for - Network Services.</i>. </span><span class="pubdate">October 1997. </span></p> +<a name="id-1.12.3.2.6.7.6"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="citetitle"><em class="citetitle">Use of <acronym class="acronym">DNS</acronym> Aliases for + Network Services.</em>. </span><span class="pubdate">October 1997. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title">Internationalized Domain Names</h3> <div class="biblioentry"> -<a name="id2608952"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names, - and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p> +<a name="id-1.12.3.2.6.8.2"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="citetitle"><em class="citetitle">A Tangled Web: Issues of I18N, Domain Names, + and the Other Internet protocols</em>. </span><span class="pubdate">May 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2608984"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p> +<a name="id-1.12.3.2.6.8.3"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="citetitle"><em class="citetitle">Internationalizing Domain Names in Applications (IDNA)</em>. </span><span class="pubdate">March 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2609030"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p> +<a name="id-1.12.3.2.6.8.4"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="citetitle"><em class="citetitle">Nameprep: A Stringprep Profile for Internationalized Domain Names</em>. </span><span class="pubdate">March 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2609065"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode +<a name="id-1.12.3.2.6.8.5"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="citetitle"><em class="citetitle">Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in - Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p> + Applications (IDNA)</em>. </span><span class="pubdate">March 2003. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title">Other <acronym class="acronym">DNS</acronym>-related RFCs</h3> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> @@ -377,52 +362,50 @@ </p> </div> <div class="biblioentry"> -<a name="id2609110"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String - Attributes</i>. </span><span class="pubdate">May 1993. </span></p> +<a name="id-1.12.3.2.6.9.3"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="citetitle"><em class="citetitle">Using the Domain Name System To Store Arbitrary String + Attributes</em>. </span><span class="pubdate">May 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2609132"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p> +<a name="id-1.12.3.2.6.9.4"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="citetitle"><em class="citetitle">Tools for <acronym class="acronym">DNS</acronym> Debugging</em>. </span><span class="pubdate">November 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2609158"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load - Balancing</i>. </span><span class="pubdate">April 1995. </span></p> +<a name="id-1.12.3.2.6.9.5"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Support for Load + Balancing</em>. </span><span class="pubdate">April 1995. </span></p> </div> <div class="biblioentry"> -<a name="id2609184"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p> +<a name="id-1.12.3.2.6.9.6"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="citetitle"><em class="citetitle">A Legal Basis for Domain Name Allocation</em>. </span><span class="pubdate">November 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2609207"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p> +<a name="id-1.12.3.2.6.9.7"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="citetitle"><em class="citetitle">Domain Names and Company Name Retrieval</em>. </span><span class="pubdate">May 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2609253"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p> +<a name="id-1.12.3.2.6.9.8"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="citetitle"><em class="citetitle">A Convention For Using Legal Names as Domain Names</em>. </span><span class="pubdate">May 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2609276"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p> +<a name="id-1.12.3.2.6.9.9"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="citetitle"><em class="citetitle">Reflections on the DNS, RFC 1591, and Categories of Domains</em>. </span><span class="pubdate">February 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2609303"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via - Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p> +<a name="id-1.12.3.2.6.9.10"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="citetitle"><em class="citetitle">Distributing Authoritative Name Servers via + Shared Unicast Addresses</em>. </span><span class="pubdate">April 2002. </span></p> </div> <div class="biblioentry"> -<a name="id2609329"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p> +<a name="id-1.12.3.2.6.9.11"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="citetitle"><em class="citetitle">DNS IPv6 Transport Operational Guidelines</em>. </span><span class="pubdate">September 2004. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3> <div class="biblioentry"> -<a name="id2609372"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical - Location</i>. </span><span class="pubdate">November 1994. </span></p> +<a name="id-1.12.3.2.6.10.2"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Geographical + Location</em>. </span><span class="pubdate">November 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2609430"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p> +<a name="id-1.12.3.2.6.10.3"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="citetitle"><em class="citetitle">Binary Labels in the Domain Name System</em>. </span><span class="pubdate">August 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2609457"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation - and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p> +<a name="id-1.12.3.2.6.10.4"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="citetitle"><em class="citetitle">DNS Extensions to Support IPv6 Address Aggregation + and Renumbering</em>. </span><span class="pubdate">July 2000. </span></p> </div> </div> <div class="bibliodiv"> -<h3 class="title">Obsoleted DNS Security RFCs</h3> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> @@ -431,44 +414,44 @@ </p> </div> <div class="biblioentry"> -<a name="id2609505"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p> +<a name="id-1.12.3.2.6.11.3"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span><span class="pubdate">January 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2609544"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p> +<a name="id-1.12.3.2.6.11.4"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">Secure Domain Name System Dynamic Update</em>. </span><span class="pubdate">April 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2609571"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id-1.12.3.2.6.11.5"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2609601"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC) - Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p> +<a name="id-1.12.3.2.6.11.6"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="citetitle"><em class="citetitle">Domain Name System Security (DNSSEC) + Signing Authority</em>. </span><span class="pubdate">November 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2609626"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p> +<a name="id-1.12.3.2.6.11.7"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="citetitle"><em class="citetitle">DNS Security Extension Clarification on Zone Status</em>. </span><span class="pubdate">March 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2609653"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p> +<a name="id-1.12.3.2.6.11.8"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="citetitle"><em class="citetitle">Limiting the Scope of the KEY Resource Record (RR)</em>. </span><span class="pubdate">December 2002. </span></p> </div> <div class="biblioentry"> -<a name="id2609689"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p> +<a name="id-1.12.3.2.6.11.9"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="citetitle"><em class="citetitle">Redefinition of DNS Authenticated Data (AD) bit</em>. </span><span class="pubdate">November 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2609725"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p> +<a name="id-1.12.3.2.6.11.10"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="citetitle"><em class="citetitle">Delegation Signer (DS) Resource Record (RR)</em>. </span><span class="pubdate">December 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2609752"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p> +<a name="id-1.12.3.2.6.11.11"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="citetitle"><em class="citetitle">Legacy Resolver Compatibility for Delegation Signer (DS)</em>. </span><span class="pubdate">May 2004. </span></p> </div> <div class="biblioentry"> -<a name="id2609779"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record - (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p> +<a name="id-1.12.3.2.6.11.12"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="citetitle"><em class="citetitle">Domain Name System KEY (DNSKEY) Resource Record + (RR) Secure Entry Point (SEP) Flag</em>. </span><span class="pubdate">April 2004. </span></p> </div> <div class="biblioentry"> -<a name="id2609824"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p> +<a name="id-1.12.3.2.6.11.13"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="citetitle"><em class="citetitle">DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</em>. </span><span class="pubdate">August 2004. </span></p> </div> </div> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="internet_drafts"></a>Internet Drafts</h3></div></div></div> <p> @@ -482,16 +465,16 @@ after which they are deleted unless updated by their authors. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2609865"></a>Other Documents About <acronym class="acronym">BIND</acronym> +<a name="more_about_bind"></a>Other Documents About <acronym class="acronym">BIND</acronym> </h3></div></div></div> <p></p> <div class="bibliography"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2609875"></a>Bibliography</h4></div></div></div> +<a name="id-1.12.3.4.3"></a>Bibliography</h4></div></div></div> <div class="biblioentry"> -<a name="id2609877"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p> +<a name="id-1.12.3.4.3.1"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></em>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p> </div> </div> </div> @@ -514,6 +497,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 8228d9722d5d..ccce85620416 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Appendix D. BIND 9 DNS Library Support</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information"> <link rel="next" href="Bv9ARM.ch13.html" title="Manual pages"> @@ -39,25 +38,25 @@ </table> <hr> </div> -<div class="appendix" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch12"></a>Appendix D. BIND 9 DNS Library Support</h2></div></div></div> +<div class="appendix"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch12"></a>BIND 9 DNS Library Support</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611557">Prerequisite</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611566">Compilation</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611591">Installation</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611827">Known Defects/Restrictions</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611904">The dns.conf File</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611930">Sample Applications</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612698">Library References</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.4">Prerequisite</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.5">Compilation</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.6">Installation</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.7">Known Defects/Restrictions</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.8">The dns.conf File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.9">Sample Applications</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.10">Library References</a></span></dt> </dl></dd> </dl> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div> <p>This version of BIND 9 "exports" its internal libraries so @@ -65,40 +64,40 @@ call them "export" libraries in this document). In addition to all major DNS-related APIs BIND 9 is currently using, the export libraries provide the following features:</p> -<div class="itemizedlist"><ul type="disc"> -<li><p>The newly created "DNS client" module. This is a higher +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p>The newly created "DNS client" module. This is a higher level API that provides an interface to name resolution, single DNS transaction with a particular server, and dynamic update. Regarding name resolution, it supports advanced features such as DNSSEC validation and caching. This module supports both synchronous and asynchronous mode.</p></li> -<li><p>The new "IRS" (Information Retrieval System) library. +<li class="listitem"><p>The new "IRS" (Information Retrieval System) library. It provides an interface to parse the traditional resolv.conf file and more advanced, DNS-specific configuration file for the rest of this package (see the description for the dns.conf file below).</p></li> -<li><p>As part of the IRS library, newly implemented standard +<li class="listitem"><p>As part of the IRS library, newly implemented standard address-name mapping functions, getaddrinfo() and getnameinfo(), are provided. They use the DNSSEC-aware validating resolver backend, and could use other advanced features of the BIND 9 libraries such as caching. The getaddrinfo() function resolves both A and AAAA RRs concurrently (when the address family is unspecified).</p></li> -<li><p>An experimental framework to support other event +<li class="listitem"><p>An experimental framework to support other event libraries than BIND 9's internal event task system.</p></li> </ul></div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2611557"></a>Prerequisite</h3></div></div></div> +<a name="id-1.13.2.4"></a>Prerequisite</h3></div></div></div> <p>GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that in some platforms you may need to invoke a different command name than "make" (e.g. "gmake") to indicate it's GNU make.</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2611566"></a>Compilation</h3></div></div></div> +<a name="id-1.13.2.5"></a>Compilation</h3></div></div></div> <pre class="screen"> $ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong> $ <strong class="userinput"><code>make</code></strong> @@ -111,9 +110,9 @@ $ <strong class="userinput"><code>make</code></strong> programs using the libraries will also be built under the lib/export/samples directory (see below).</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2611591"></a>Installation</h3></div></div></div> +<a name="id-1.13.2.6"></a>Installation</h3></div></div></div> <pre class="screen"> $ <strong class="userinput"><code>cd lib/export</code></strong> $ <strong class="userinput"><code>make install</code></strong> @@ -125,7 +124,7 @@ $ <strong class="userinput"><code>make install</code></strong> specified by the --with-export-includedir configure option (default: PREFIX/include/bind9). Root privilege is normally required. - "<span><strong class="command">make install</strong></span>" at the top directory will do the + "<span class="command"><strong>make install</strong></span>" at the top directory will do the same. </p> <p> @@ -133,17 +132,17 @@ $ <strong class="userinput"><code>make install</code></strong> application after the installation, see <code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2611827"></a>Known Defects/Restrictions</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"> -<li><p>Currently, win32 is not supported for the export +<a name="id-1.13.2.7"></a>Known Defects/Restrictions</h3></div></div></div> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p>Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as before).</p></li> -<li> +<li class="listitem"> <p>The "fixed" RRset order is not (currently) supported in the export library. If you want to use "fixed" RRset order - for, e.g. <span><strong class="command">named</strong></span> while still building the + for, e.g. <span class="command"><strong>named</strong></span> while still building the export library even without the fixed order support, build them separately: </p> @@ -157,25 +156,25 @@ $ <strong class="userinput"><code>make</code></strong> <p> </p> </li> -<li><p>The client module and the IRS library currently do not +<li class="listitem"><p>The client module and the IRS library currently do not support DNSSEC validation using DLV (the underlying modules can handle it, but there is no tunable interface to enable the feature).</p></li> -<li><p>RFC 5011 is not supported in the validating stub +<li class="listitem"><p>RFC 5011 is not supported in the validating stub resolver of the export library. In fact, it is not clear whether it should: trust anchors would be a system-wide configuration which would be managed by an administrator, while the stub resolver will be used by ordinary applications run by a normal user.</p></li> -<li><p>Not all common <code class="filename">/etc/resolv.conf</code> +<li class="listitem"><p>Not all common <code class="filename">/etc/resolv.conf</code> options are supported in the IRS library. The only available options in this version are "debug" and "ndots".</p></li> </ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2611904"></a>The dns.conf File</h3></div></div></div> +<a name="id-1.13.2.8"></a>The dns.conf File</h3></div></div></div> <p>The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -186,21 +185,21 @@ $ <strong class="userinput"><code>make</code></strong> This module is very experimental and the configuration syntax or library interfaces may change in future versions. Currently, only the - <span><strong class="command">trusted-keys</strong></span> + <span class="command"><strong>trusted-keys</strong></span> statement is supported, whose syntax is the same as the same name of statement for <code class="filename">named.conf</code>. (See - <a href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called “<span><strong class="command">trusted-keys</strong></span> Statement Grammar”</a> for details.)</p> + <a class="xref" href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called “<span class="command"><strong>trusted-keys</strong></span> Statement Grammar”</a> for details.)</p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2611930"></a>Sample Applications</h3></div></div></div> +<a name="id-1.13.2.9"></a>Sample Applications</h3></div></div></div> <p>Some sample application programs using this API are provided for reference. The following is a brief description of these applications. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2611939"></a>sample: a simple stub resolver utility</h4></div></div></div> +<a name="id-1.13.2.9.3"></a>sample: a simple stub resolver utility</h4></div></div></div> <p> It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -212,59 +211,59 @@ $ <strong class="userinput"><code>make</code></strong> <p> Options and Arguments: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"> -t RRtype </span></dt> <dd><p> - specify the RR type of the query. The default is the A RR. + specify the RR type of the query. The default is the A RR. </p></dd> <dt><span class="term"> [-a algorithm] [-e] -k keyname -K keystring </span></dt> <dd> <p> - specify a command-line DNS key to validate the answer. For - example, to specify the following DNSKEY of example.com: + specify a command-line DNS key to validate the answer. For + example, to specify the following DNSKEY of example.com: </p> <div class="literallayout"><p><br> - example.com. 3600 IN DNSKEY 257 3 5 xxx<br> + example.com. 3600 IN DNSKEY 257 3 5 xxx<br> </p></div> <p> - specify the options as follows: + specify the options as follows: </p> <pre class="screen"> <strong class="userinput"><code> - -e -k example.com -K "xxx" + -e -k example.com -K "xxx" </code></strong> </pre> <p> - -e means that this key is a zone's "key signing key" (as known - as "secure Entry point"). - When -a is omitted rsasha1 will be used by default. + -e means that this key is a zone's "key signing key" (as known + as "secure Entry point"). + When -a is omitted rsasha1 will be used by default. </p> </dd> <dt><span class="term"> -s domain:alt_server_address </span></dt> <dd><p> - specify a separate recursive server address for the specific - "domain". Example: -s example.com:2001:db8::1234 + specify a separate recursive server address for the specific + "domain". Example: -s example.com:2001:db8::1234 </p></dd> <dt><span class="term">server_address</span></dt> <dd><p> - an IP(v4/v6) address of the recursive server to which queries - are sent. + an IP(v4/v6) address of the recursive server to which queries + are sent. </p></dd> <dt><span class="term">hostname</span></dt> <dd><p> - the domain name for the query + the domain name for the query </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2612029"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div> +<a name="id-1.13.2.9.4"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div> <p> Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -274,7 +273,7 @@ $ <strong class="userinput"><code>make</code></strong> <p> Options and Arguments: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"> -s server_address </span></dt> @@ -303,9 +302,9 @@ $ <strong class="userinput"><code>make</code></strong> </dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2612083"></a>sample-request: a simple DNS transaction client</h4></div></div></div> +<a name="id-1.13.2.9.5"></a>sample-request: a simple DNS transaction client</h4></div></div></div> <p> It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -313,7 +312,7 @@ $ <strong class="userinput"><code>make</code></strong> response from the server, whether it's a referral or an alias (CNAME or DNAME) that would require further queries to get the ultimate answer. In other words, this utility acts as a very - simplified <span><strong class="command">dig</strong></span>. + simplified <span class="command"><strong>dig</strong></span>. </p> <p> Usage: sample-request [-t RRtype] server_address hostname @@ -321,7 +320,7 @@ $ <strong class="userinput"><code>make</code></strong> <p> Options and Arguments: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"> -t RRtype </span></dt> @@ -344,9 +343,9 @@ $ <strong class="userinput"><code>make</code></strong> </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2612147"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div> +<a name="id-1.13.2.9.6"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div> <p> This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -361,14 +360,14 @@ $ <strong class="userinput"><code>make</code></strong> Usage: sample-gai hostname </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2612162"></a>sample-update: a simple dynamic update client program</h4></div></div></div> +<a name="id-1.13.2.9.7"></a>sample-update: a simple dynamic update client program</h4></div></div></div> <p> It accepts a single update command as a command-line argument, sends an update request message to the authoritative server, and shows the response from the server. In - other words, this is a simplified <span><strong class="command">nsupdate</strong></span>. + other words, this is a simplified <span class="command"><strong>nsupdate</strong></span>. </p> <p> Usage: sample-update [options] (add|delete) "update data" @@ -376,60 +375,60 @@ $ <strong class="userinput"><code>make</code></strong> <p> Options and Arguments: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"> -a auth_server </span></dt> <dd><p> - An IP address of the authoritative server that has authority - for the zone containing the update name. This should normally - be the primary authoritative server that accepts dynamic - updates. It can also be a secondary server that is configured - to forward update requests to the primary server. + An IP address of the authoritative server that has authority + for the zone containing the update name. This should normally + be the primary authoritative server that accepts dynamic + updates. It can also be a secondary server that is configured + to forward update requests to the primary server. </p></dd> <dt><span class="term"> -k keyfile </span></dt> <dd><p> - A TSIG key file to secure the update transaction. The keyfile - format is the same as that for the nsupdate utility. + A TSIG key file to secure the update transaction. The keyfile + format is the same as that for the nsupdate utility. </p></dd> <dt><span class="term"> -p prerequisite </span></dt> <dd><p> - A prerequisite for the update (only one prerequisite can be - specified). The prerequisite format is the same as that is - accepted by the nsupdate utility. + A prerequisite for the update (only one prerequisite can be + specified). The prerequisite format is the same as that is + accepted by the nsupdate utility. </p></dd> <dt><span class="term"> -r recursive_server </span></dt> <dd><p> - An IP address of a recursive server that this utility will - use. A recursive server may be necessary to identify the - authoritative server address to which the update request is - sent. + An IP address of a recursive server that this utility will + use. A recursive server may be necessary to identify the + authoritative server address to which the update request is + sent. </p></dd> <dt><span class="term"> -z zonename </span></dt> <dd><p> - The domain name of the zone that contains + The domain name of the zone that contains </p></dd> <dt><span class="term"> (add|delete) </span></dt> <dd><p> - Specify the type of update operation. Either "add" or "delete" - must be specified. + Specify the type of update operation. Either "add" or "delete" + must be specified. </p></dd> <dt><span class="term"> "update data" </span></dt> <dd><p> - Specify the data to be updated. A typical example of the data - would look like "name TTL RRtype RDATA". + Specify the data to be updated. A typical example of the data + would look like "name TTL RRtype RDATA". </p></dd> </dl></div> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -450,15 +449,15 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm <p> removes all A RRs for foo.dynamic.example.com using the given key. </p> -<pre class="screen"> +<pre class="screen"> $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre> <p> removes all RRs for foo.dynamic.example.com using the given key. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2612634"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div> +<a name="id-1.13.2.9.8"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div> <p> It checks a set of domains to see the name servers of the domains behave @@ -472,50 +471,50 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm <p> Options </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"> -d </span></dt> <dd><p> - run in the "debug" mode. with this option nsprobe will dump - every RRs it receives. + run in the "debug" mode. with this option nsprobe will dump + every RRs it receives. </p></dd> <dt><span class="term"> -v </span></dt> <dd><p> - increase verbosity of other normal log messages. This can be - specified multiple times + increase verbosity of other normal log messages. This can be + specified multiple times </p></dd> <dt><span class="term"> -c cache_address </span></dt> <dd><p> - specify an IP address of a recursive (caching) name server. - nsprobe uses this server to get the NS RRset of each domain and - the A and/or AAAA RRsets for the name servers. The default - value is 127.0.0.1. + specify an IP address of a recursive (caching) name server. + nsprobe uses this server to get the NS RRset of each domain and + the A and/or AAAA RRsets for the name servers. The default + value is 127.0.0.1. </p></dd> <dt><span class="term"> input_file </span></dt> <dd><p> - a file name containing a list of domain (zone) names to be - probed. when omitted the standard input will be used. Each - line of the input file specifies a single domain name such as - "example.com". In general this domain name must be the apex - name of some DNS zone (unlike normal "host names" such as - "www.example.com"). nsprobe first identifies the NS RRsets for - the given domain name, and sends A and AAAA queries to these - servers for some "widely used" names under the zone; - specifically, adding "www" and "ftp" to the zone name. + a file name containing a list of domain (zone) names to be + probed. when omitted the standard input will be used. Each + line of the input file specifies a single domain name such as + "example.com". In general this domain name must be the apex + name of some DNS zone (unlike normal "host names" such as + "www.example.com"). nsprobe first identifies the NS RRsets for + the given domain name, and sends A and AAAA queries to these + servers for some "widely used" names under the zone; + specifically, adding "www" and "ftp" to the zone name. </p></dd> </dl></div> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2612698"></a>Library References</h3></div></div></div> +<a name="id-1.13.2.10"></a>Library References</h3></div></div></div> <p>As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application @@ -540,6 +539,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index 175515f9f537..474badc3fec0 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Manual pages</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support"> <link rel="next" href="man.dig.html" title="dig"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="reference" lang="en"> +<div class="reference"> <div class="titlepage"> <div><div><h1 class="title"> <a name="Bv9ARM.ch13"></a>Manual pages</h1></div></div> @@ -47,7 +46,7 @@ </div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> +<dl class="toc"> <dt> <span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> — DNS lookup utility</span> </dt> @@ -64,6 +63,9 @@ <span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> — DNSSEC DS RR generation tool</span> </dt> <dt> +<span class="refentrytitle"><a href="man.dnssec-importkey.html"><span class="application">dnssec-importkey</span></a></span><span class="refpurpose"> — Import DNSKEY records from external systems so they can be managed.</span> +</dt> +<dt> <span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span> </dt> <dt> @@ -91,6 +93,12 @@ <span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> — Internet domain name server</span> </dt> <dt> +<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> — configuration file for named</span> +</dt> +<dt> +<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> — lightweight resolver daemon</span> +</dt> +<dt> <span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> — print zone journal in human-readable form</span> </dt> <dt> @@ -140,6 +148,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.conf b/doc/arm/Bv9ARM.conf new file mode 100644 index 000000000000..cf095caa9212 --- /dev/null +++ b/doc/arm/Bv9ARM.conf @@ -0,0 +1,3 @@ +TexInputs: ../tex// +TexStyle: armstyle +XslParam: ../xsl/arm-param.xsl diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index b2288026ea67..3eb4077193b8 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>BIND 9 Administrator Reference Manual</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> @@ -36,12 +35,12 @@ </table> <hr> </div> -<div class="book" lang="en"> +<div class="book"> <div class="titlepage"> <div> <div><h1 class="title"> -<a name="id2563180"></a>BIND 9 Administrator Reference Manual</h1></div> -<div><p class="releaseinfo">BIND Version 9.9.8-P4</p></div> +<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div> +<div><p class="releaseinfo">BIND Version 9.9.9-P3</p></div> <div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div> <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div> </div> @@ -49,226 +48,226 @@ </div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> +<dl class="toc"> <dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563509">Scope of Document</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563533">Organization of This Document</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564629">Conventions Used in This Document</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564810">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#doc_scope">Scope of Document</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#organization">Organization of This Document</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#conventions">Conventions Used in This Document</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_overview">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564832">DNS Fundamentals</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564934">Domains and Domain Names</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567271">Zones</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567348">Authoritative Name Servers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567589">Caching Name Servers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567651">Name Servers in Multiple Roles</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_fundamentals">DNS Fundamentals</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#domain_names">Domains and Domain Names</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#zones">Zones</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#auth_servers">Authoritative Name Servers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#cache_servers">Caching Name Servers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch01.html#multi_role">Name Servers in Multiple Roles</a></span></dt> </dl></dd> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567685">Hardware requirements</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567712">CPU Requirements</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567793">Memory Requirements</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567819">Name Server Intensive Environment Issues</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567830">Supported Operating Systems</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567998">A Caching-only Name Server</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568014">An Authoritative-only Name Server</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568037">Load Balancing</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568391">Name Server Operations</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568396">Tools for Use With the Name Server Daemon</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569449">Signals</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt> </dl></dd> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564237">Split DNS</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564256">Example split DNS setup</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt> +<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt> +<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570560">Generate Shared Keys for Each Pair of Hosts</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570701">Copying the Shared Secret to Both Machines</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570712">Informing the Servers of the Key's Existence</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570748">Instructing the Server to Use the Key</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570806">TSIG Key Based Access Control</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570855">Errors</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570869">TKEY</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570918">SIG(0)</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571054">Generating Keys</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571270">Signing the Zone</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571351">Configuring Servers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610615">Converting from insecure to secure</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610652">Dynamic DNS update method</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563653">Fully automatic zone signing</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563900">Private-type records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563938">DNSKEY rollovers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563950">Dynamic DNS update method</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564052">Automatic key rollovers</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564078">NSEC3PARAM rollovers via UPDATE</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564088">Converting from NSEC to NSEC3</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569832">Converting from NSEC3 to NSEC</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569845">Converting from secure to insecure</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569882">Periodic re-signing</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569892">NSEC3 and OPTOUT</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610129">Validating Resolver</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610151">Authoritative Server</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613326">Prerequisites</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611166">Building BIND 9 with PKCS#11</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613408">PKCS #11 Tools</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613438">Using the HSM</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637735">Specifying the engine on the command line</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637781">Running named with automatic zone re-signing</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.4">Prerequisites</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.5">Building BIND 9 with PKCS#11</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">PKCS #11 Tools</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Using the HSM</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">Specifying the engine on the command line</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">Running named with automatic zone re-signing</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571571">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571837">Address Lookups Using AAAA Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571859">Address to Name Lookups Using Nibble Format</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Address Lookups Using AAAA Records</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Address to Name Lookups Using Nibble Format</a></span></dt> </dl></dd> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2571892">The Lightweight Resolver Library</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch05.html#lightweight_resolver">The Lightweight Resolver Library</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573374">Comment Syntax</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574035"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574225"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574584"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574601"><span><strong class="command">include</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_grammar"><span class="command"><strong>lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_statement"><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574761"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574875"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575001"><span><strong class="command">logging</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577236"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577309"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577373"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577417"><span><strong class="command">masters</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577438"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590832"><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591139"><span><strong class="command">trusted-keys</strong></span> Statement Definition +<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591186"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition +<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591553"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> +<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593398"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2597084">Zone File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600002">Discussion of MX Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600549">Inverse Mapping in IPv4</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600812">Other Zone File Directives</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601017"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> +</dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> +<dd><dl> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605750"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605831">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605959">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2606107">Common Problems</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2606113">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2606124">Incrementing and Changing the Serial Number</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2606141">Where Can I Get Help?</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt> +<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Incrementing and Changing the Serial Number</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt> </dl></dd> <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563593">Release Notes for BIND Version 9.9.8-P4</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.9.9-P3</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt> </dl></dd> </dl></dd> <dt><span class="appendix"><a href="Bv9ARM.ch10.html">B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt> -<dd><dl><dt><span class="sect1"><a href="Bv9ARM.ch10.html#historical_dns_information"></a></span></dt></dl></dd> <dt><span class="appendix"><a href="Bv9ARM.ch11.html">C. General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch11.html#id2609865">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> </dl></dd> </dl></dd> <dt><span class="appendix"><a href="Bv9ARM.ch12.html">D. BIND 9 DNS Library Support</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611557">Prerequisite</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611566">Compilation</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611591">Installation</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611827">Known Defects/Restrictions</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611904">The dns.conf File</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611930">Sample Applications</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612698">Library References</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.4">Prerequisite</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.5">Compilation</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.6">Installation</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.7">Known Defects/Restrictions</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.8">The dns.conf File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.9">Sample Applications</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.10">Library References</a></span></dt> </dl></dd> </dl></dd> <dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt> @@ -289,6 +288,9 @@ <span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> — DNSSEC DS RR generation tool</span> </dt> <dt> +<span class="refentrytitle"><a href="man.dnssec-importkey.html"><span class="application">dnssec-importkey</span></a></span><span class="refpurpose"> — Import DNSKEY records from external systems so they can be managed.</span> +</dt> +<dt> <span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span> </dt> <dt> @@ -316,6 +318,12 @@ <span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> — Internet domain name server</span> </dt> <dt> +<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> — configuration file for named</span> +</dt> +<dt> +<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> — lightweight resolver daemon</span> +</dt> +<dt> <span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> — print zone journal in human-readable form</span> </dt> <dt> @@ -365,6 +373,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf Binary files differindex 294d17910191..5dd76894943f 100644 --- a/doc/arm/Bv9ARM.pdf +++ b/doc/arm/Bv9ARM.pdf diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in index 501133e0db39..2baf3a32fc47 100644 --- a/doc/arm/Makefile.in +++ b/doc/arm/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2007, 2009, 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2007, 2009, 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001, 2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -13,18 +13,12 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.22 2009/02/12 23:47:56 tbox Exp $ - srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ @BIND9_MAKE_RULES@ -@BIND9_VERSION@ - -PKGVERSION = @PACKAGE_VERSION@ - MANOBJS = Bv9ARM.html notes.html PDFOBJS = Bv9ARM.pdf notes.pdf @@ -33,69 +27,39 @@ doc man:: ${MANOBJS} ${PDFOBJS} clean:: rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx Bv9ARM.toc - rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp + rm -f Bv9ARM.log Bv9ARM.out rm -f notes.aux notes.brf notes.glo notes.idx notes.toc - rm -f notes.log notes.out notes.tex notes.tex.tmp + rm -f notes.log notes.out docclean manclean maintainer-clean:: clean rm -f *.html ${PDFOBJS} -docclean manclean maintainer-clean distclean:: +maintainer-clean distclean:: rm -f releaseinfo.xml rm -f pkgversion.xml rm -f noteversion.xml +# use xmllint to process include notes.html: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml - expand notes-wrapper.xml | \ - ${XSLTPROC} --stringparam generate.toc "" ../xsl/isc-notes-html.xsl - |\ - @PERL@ html-fixup.pl > notes.html + expand notes-wrapper.xml | ${XMLLINT} --xinclude - | \ + ${XSLTPROC} --stringparam generate.toc "" ../xsl/isc-notes-html.xsl - > notes.html -notes.tex: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml - expand notes-wrapper.xml | \ - ${XSLTPROC} --stringparam generate.toc "book toc" ${top_srcdir}/doc/xsl/pre-latex.xsl - | \ - ${XSLTPROC} ${top_srcdir}/doc/xsl/isc-notes-latex.xsl - | \ - @PERL@ latex-fixup.pl >$@.tmp - if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi - -notes.pdf: notes.tex releaseinfo.xml pkgversion.xml noteversion.xml - rm -f notes-wrapper.aux notes.pdf notes.log - ${PDFLATEX} '\batchmode\input notes.tex' || (rm -f $@ ; exit 1) +notes.pdf: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml + ${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl notes-wrapper.xml | \ + ${DBLATEX} -c notes.conf -Pdoc.layout="mainmatter" -o notes.pdf - +# use xmllint to process include Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml - expand Bv9ARM-book.xml | \ + expand Bv9ARM-book.xml | ${XMLLINT} --xinclude - | \ ${XSLTPROC} --stringparam root.filename Bv9ARM \ ${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl - +# use xmllint to process include Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml - expand Bv9ARM-book.xml | \ + expand Bv9ARM-book.xml | ${XMLLINT} --xinclude - |\ ${XSLTPROC} -o Bv9ARM-all.html ../xsl/isc-docbook-html.xsl - -Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml +Bv9ARM.pdf: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml expand Bv9ARM-book.xml | \ ${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \ - ${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \ - @PERL@ latex-fixup.pl >$@.tmp - if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi - -Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml pkgversion.xml noteversion.xml - rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log - ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - -Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml pkgversion.xml noteversion.xml - rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - -FORCE: - -releaseinfo.xml: FORCE - echo >$@ '<releaseinfo>BIND Version ${VERSION}</releaseinfo>' - -noteversion.xml: FORCE - echo >$@ '<title>Release Notes for BIND Version ${VERSION}</title>' - -pkgversion.xml: FORCE - echo >$@ ' <para>This version of the manual corresponds to BIND version ${PKGVERSION}.</para>' + ${DBLATEX} -c Bv9ARM.conf -o Bv9ARM.pdf - diff --git a/doc/arm/README-SGML b/doc/arm/README-SGML index e33c937e4b87..a7c347c654bd 100644 --- a/doc/arm/README-SGML +++ b/doc/arm/README-SGML @@ -1,32 +1,45 @@ -Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004, 2015 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000, 2001 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -The BIND v9 ARM master document is now kept in DocBook XML format. +The BIND v9 ARM master document is now kept in DocBook 5 XML format. -Version: $Id: README-SGML,v 1.17 2004/03/05 05:04:43 marka Exp $ +Most of the ARM is in the single file "Bv9ARM-book.xml", with certain +other files included into it: -The entire ARM is in the single file: + - dlz.xml + - dnssec.xml + - libdns.xml + - logging-categories.xml + - managed-keys.xml + - notes.xml + - pkcs11.xml + - BIND man pages - Bv9ARM-book.xml +All of the published ARM formats - HTML, PDF, etc - are generated from +this master source. -All of the other documents - HTML, PDF, etc - are generated from this -master source. +The file "notes.xml" contains the release notes for the current release. In +addition to being included in the ARM as an appendix, it is also built into +a stand-alone document: "notes.pdf" and "notes.html". -This file attempts to describe what tools are necessary for the -maintenance of this document as well as the generation of the -alternate formats of this document. +Building these these files requires DocBook 5 and dblatex. These are +available as packages in many OS distributes; in debian, for example: -This file will also spend a very little time describing the XML and -SGML headers so you can understand a bit what you may need to do to be -able to work with this document in any fashion other than simply -editing it. + $ sudo apt-get install docbook5-xml docbook-xml docbook-xsl-ns \ + docbook-utils dblatex -We will spend almost no time on the actual tags and how to write an -XML DocBook compliant document. If you are at all familiar with SGML -or HTML it will be very evident. You only need to know what the tags -are and how to use them. You can find a good resource either for this -either online or in printed form: +To build all documentation, run "make doc". + +When committing changes or submitting patches, it is only necessary to +edit the XML source (i.e., the files with ".docbook" or ".xml" suffixes); +the files in HTML and man page format are built from the XML source by a +cron job. + +If you are familiar with SGML or HTML, editing the DocBook XML is quite +straightforward. You only need to know what the tags are and how to use +them. You can find a good resource either for this either online or in +printed form: DocBook: The Definitive Guide By Norman Walsh and Leonard Muellner @@ -38,292 +51,5 @@ The book is available online in HTML format: http://docbook.org/ -and buried in: - - http://www.nwalsh.com/docbook/defguide/index.html - -A lot of useful stuff is at NWalsh's site in general. You may also -want to look at: - - http://www.xml.com/ - -The BIND v9 ARM is based on the XML 4.0 DocBook DTD. Every XML and -SGML document begins with a prefix that tells where to find the file -that describes the meaning and structure of the tags used in the rest -of the document. - -For our XML DocBook 4.0 based document this prefix looks like this: - - <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "/usr/local/share/xml/dtd/docbook/docbookx.dtd"> - -This "DOCTYPE" statement has three parts, of which we are only using -two: - -o The highest level term that represents this document (in this case - it is "book" - -o The identifier that tells us which DTD to use. This identifier has - two parts, the "Formal Public Identifier" (or FPI) and the system - identifier. In SGML you can have either a FPI or a SYSTEM identifier - but you have to have at least one of them. In XML you have to have a - SYSTEM identifier. - -FP & SYSTEM identifiers - These are names/lookups for the actual -DTD. The FPI is a globally unique name that should, on a properly -configured system, tell you exactly what DTD to use. The SYSTEM -identifier gives an absolute location for the DTD. In XML these are -supposed to be properly formatted URL's. - -SGML has these things called "catalogs" that are files that map FPI's -in to actual files. A "catalog" can also be used to remap a SYSTEM -identifier so you can say something like: "http://www.oasis.org/foo" -is actually "/usr/local/share/xml/foo.dtd" - -When you use various SGML/XML tools they need to be configured to look -at the same "catalog" files so that as you move from tool to tool they -all refer to the same DTD for the same document. - -We will be spending most of our configuration time making sure our -tools use the same "catalog" files and that we have the same DTD's -installed on our machines. XML's requirement of the SYSTEM identifier -over the FPI will probably lead to more problems as it does not -guarantee that everyone is using the same DTD. - -I did my initial work with the "sgmltools" the XML 4.0 DocBook DTD and -"jade" or "openjade." - -You can get the 4.0 XML DocBook DTD from: - - http://www.docbook.org/xml/4.0/ - -(download the .zip file.) NOTE: We will eventually be changing the -SYSTEM identifier to the recommended value of: - - http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd - -NOTE: Under FreeBSD this is the package: - - /usr/ports/textproc/docbook-xml - -NetBSD instructions are coming soon. - -With packages listed below installed under FreeBSD the "catalog" file -that all the tools refer to at least one is in: - - /usr/local/share/sgml/catalog - -In order for our SYSTEM identifier for the XML DocBook dtd to be found -I create a new catalog file at the top of the XML directory created on -FreeBSD: - - /usr/local/share/xml/catalog - -This file has one line: - - SYSTEM "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" "/usr/local/share/xml/dtd/docbook/docbookx.dtd" - -Then in the main "catalog" I have it include this XML catalog: - - CATALOG "/usr/local/share/xml/catalog" - - -On your systems you need to replace "/usr/local/share" with your -prefix root (probably /usr/pkg under NetBSD.) - -NOTE: The URL used above is supposed to the be the proper one for this -XML DocBook DTD... but there is nothing at that URL so you really do -need the "SYSTEM" identifier mapping in your catalog (or make the -SYSTEM identifier in your document refer to the real location of the -file on your local system.) - -HOW TO VALIDATE A DOCUMENT: - -I use the sgmltools "nsgmls" document validator. Since we are using -XML we need to use the XML declarations, which are installed as part -of the modular DSSL style sheets: - - nsgmls -sv /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - Bv9ARM-book.xml - -A convenient shell script "validate.sh" is now generated by configure -to invoke the above command with the correct system-dependent paths. - -The SGML tools can be found at: - - ftp://ftp.us.sgmltools.org/pub/SGMLtools/v2.0/source/ \ - ftp://ftp.nllgg.nl/pub/SGMLtools/v2.0/source/ - -FreeBSD package for these is: - - /usr/ports/textproc/sgmltools - -HOW TO RENDER A DOCUMENT AS HTML or TeX: - -o Generate html doc with: - - openjade -v -d ./nominum-docbook-html.dsl \ - -t sgml \ - /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - Bv9ARM-book.xml - -A convenient shell script "genhtml.sh" is now generated by configure to -invoke the above command with the correct system-dependent paths. - -On NetBSD there is no port for "openjade" however "jade" does still -work. However you need to specify the "catalog" file to use for style -sheets on the command line AND you need to have a default "catalog" -mapping where to find various DTDs. It seems that "jade" installed out -of the box on NetBSD does not use a globally defined "catalog" file -for mapping PUBLIC identifiers in to SYSTEM identifiers. - -So you need to have a "catalog" file in your current working directory -that has in it this: (these are probably more entries than you need!) - - CATALOG "/usr/pkg/share/sgml/iso8879/catalog" - CATALOG "/usr/pkg/share/sgml/docbook/2.4.1/catalog" - CATALOG "/usr/pkg/share/sgml/docbook/3.0/catalog" - CATALOG "/usr/pkg/share/sgml/docbook/3.1/catalog" - CATALOG "/usr/pkg/share/sgml/jade/catalog" - CATALOG "/usr/local/share/xml/catalog" - -(These would all be "/usr/local" on FreeBSD) - -So the command for jade on NetBSD will look like this: - -jade -v -c /usr/pkg/share/sgml/catalog -t sgml \ - -d ./nominum-docbook-html.dsl \ - /usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - ./Bv9ARM-book.xml - -Furthermore, since the style sheet subset we define has in it a hard -coded path to the style sheet is based, it is actually generated by -configure from a .in file so that it will contain the correct -system-dependent path: where on FreeBSD the second line reads: - - <!ENTITY dbstyle SYSTEM "/usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL> - -On NetBSD it needs to read: - - <!ENTITY dbstyle SYSTEM "/usr/pkg/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL> - -NOTE: This is usually solved by having this style sheet modification -be installed in a system directory and have it reference the style -sheet it is based on via a relative path. - -o Generate TeX documentation: - -openjade -d ./nominum-docbook-print.dsl -t tex -v \ - /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - Bv9ARM-book.xml - -If you have "jade" installed instead of "openjade" then use that as -the command. There is little difference, openjade has some bug fixes -and is in more active development. - -To convert the resulting TeX file in to a DVI file you need to do: - - tex "&jadetex" Bv9ARM-book.tex - -You can also directly generate the pdf file via: - - pdftex "&pdfjadetex" Bv9ARM-book.tex - -The scripts "genpdf.sh" and "gendvi." have been added to simply -generating the PDF and DVI output. These substitute the correct paths -of NetBSD & FreeBSD. You still need to have TeX, jadeTeX, and pdfTeX -installed and configured properly for these to work. - -You will need to up both the "pool_size" and "hash_extra" variables in -your texmf.cnf file and regenerate them. See below. - -You can see that I am using a DSSSL style sheet for DocBook. Actually -two different ones - one for rendering html, and one for 'print' -media. - -NOTE: For HTML we are using a Nominum DSSSL style instead of the -default one (all it does is change the chunking to the chapter level -and makes the files end with ".html" instead of ".htm" so far.) If you -want to use the plain jane DSSSL style sheet replace the: - - -d ./nominum-docbook-html.dsl - -with - - -d /usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl - -This style sheet will attempt to reference the one above. - -I am currently working on fixing these up so that it works the same on -our various systems. The main trick is knowing which DTD's and DSSSL -stylesheets you have installed, installing the right ones, and -configuring a CATALOG that refers to them in the same way. We will -probably end up putting our CATALOG's in the same place and then we -should be able to generate and validate our documents with a minimal -number of command line arguments. - -When running these commands you will get a lot of messages about a -bunch of general entities not being defined and having no default -entity. You can ignore those for now. - -Also with the style sheets we have and jade as it is you will get -messages about "xref to title" being unsupported. You can ignore these -for now as well. - -=== Getting the various tools installed on FreeBSD -(NetBSD coming soon..) - -o On freebsd you need to install the following packages: - o print/teTeX - o textproc/openjade - o textproc/docbook - o textproc/docbook-xml - o textproc/dsssl-docbook-modular - o textproc/dtd-catalogs - -o on freebsd you need to make some entities visible to the docbook xml - dtd by making a symlink (can probably be done with a catalog too) - ln -s /usr/local/share/xml/entity /usr/local/share/xml/dtd/docbook/ent - -o you may need to edit /usr/local/share/sgml/catalog and add the line: - - CATALOG "/usr/local/share/sgml/openjade/catalog" - -o add "hugelatex," Enlarge pool sizes, install the jadetex TeX driver - file. - - cd /usr/local/share/texmf/web2c/ - sudo cp texmf.cnf texmf.cnf.bak - - o edit the lines in texmf.cnf with these keys to these values: - - main_memory = 1100000 - hash_extra = 15000 - pool_size = 500000 - string_vacancies = 45000 - max_strings = 55000 - pool_free = 47500 - nest_size = 500 - param_size = 1500 - save_size = 5000 - stack_size = 1500 - - sudo tex -ini -progname=hugelatex -fmt=hugelatex latex.ltx - sudo texconfig init - sudo texhash - - o For the jadetex macros you will need I recommend you get a more - current version than what is packaged with openjade or jade. - - Checkout http://www.tug.org/applications/jadetex/ - - Unzip the file you get from there (should be jadetex-2.20 or - newer.) - - In the directory you unzip: - - sudo make install - sudo texhash - - NOTE: In the most uptodate "ports" for FreeBSD, jadetext is 2.20+ - so on this platform you should be set as of 2001.01.08. +After editing documentation, it is useful to check the correctness of the +XML; this can be done using the "xmllint" utility. diff --git a/doc/arm/dnssec.xml b/doc/arm/dnssec.xml index 4b058eb8b0e5..467bc725fe8b 100644 --- a/doc/arm/dnssec.xml +++ b/doc/arm/dnssec.xml @@ -1,4 +1,3 @@ -<?xml version="1.0" encoding="utf-8"?> <!-- - Copyright (C) 2010, 2011, 2015 Internet Systems Consortium, Inc. ("ISC") - @@ -15,24 +14,25 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<sect1 id="dnssec.dynamic.zones"> - <title>DNSSEC, Dynamic Zones, and Automatic Signing</title> +<!-- Converted by db4-upgrade version 1.0 --> +<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info> + <para>As of BIND 9.7.0 it is possible to change a dynamic zone from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.</para> - <sect2> - <title>Converting from insecure to secure</title> - </sect2> + <section><info><title>Converting from insecure to secure</title></info> + + </section> <para>Changing a zone from insecure to secure can be done in two - ways: using a dynamic DNS update, or the + ways: using a dynamic DNS update, or the <command>auto-dnssec</command> zone option.</para> - <para>For either method, you need to configure - <command>named</command> so that it can see the + <para>For either method, you need to configure + <command>named</command> so that it can see the <filename>K*</filename> files which contain the public and private parts of the keys that will be used to sign the zone. These files - will have been generated by + will have been generated by <command>dnssec-keygen</command>. You can do this by placing them - in the key-directory, as specified in + in the key-directory, as specified in <filename>named.conf</filename>:</para> <programlisting> zone example.net { @@ -47,9 +47,9 @@ with the ZSK, and the DNSKEY RRset to be signed with the KSK as well. An NSEC chain will be generated as part of the initial signing process.</para> - <sect2> - <title>Dynamic DNS update method</title> - </sect2> + <section><info><title>Dynamic DNS update method</title></info> + + </section> <para>To insert the keys via dynamic update:</para> <screen> % nsupdate @@ -59,7 +59,7 @@ > send </screen> <para>While the update request will complete almost immediately, - the zone will not be completely signed until + the zone will not be completely signed until <command>named</command> has had time to walk the zone and generate the NSEC and RRSIG records. The NSEC record at the apex will be added last, to signal that there is a complete NSEC @@ -77,27 +77,27 @@ > send </screen> <para>Again, this update request will complete almost - immediately; however, the record won't show up until + immediately; however, the record won't show up until <command>named</command> has had a chance to build/remove the relevant chain. A private type record will be created to record the state of the operation (see below for more details), and will be removed once the operation completes.</para> <para>While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.</para> - <sect2> - <title>Fully automatic zone signing</title> - </sect2> - <para>To enable automatic signing, add the - <command>auto-dnssec</command> option to the zone statement in - <filename>named.conf</filename>. - <command>auto-dnssec</command> has two possible arguments: - <constant>allow</constant> or + <section><info><title>Fully automatic zone signing</title></info> + + </section> + <para>To enable automatic signing, add the + <command>auto-dnssec</command> option to the zone statement in + <filename>named.conf</filename>. + <command>auto-dnssec</command> has two possible arguments: + <constant>allow</constant> or <constant>maintain</constant>.</para> - <para>With - <command>auto-dnssec allow</command>, + <para>With + <command>auto-dnssec allow</command>, <command>named</command> can search the key directory for keys matching the zone, insert them into the zone, and use them to - sign the zone. It will do so only when it receives an + sign the zone. It will do so only when it receives an <command>rndc sign <zonename></command>.</para> <para> <!-- TODO: this is repeated in the ARM --> @@ -105,7 +105,7 @@ functionality, but will also automatically adjust the zone's DNSKEY records on schedule according to the keys' timing metadata. (See <xref linkend="man.dnssec-keygen"/> and - <xref linkend="man.dnssec-settime"/> for more information.) + <xref linkend="man.dnssec-settime"/> for more information.) </para> <para> <command>named</command> will periodically search the key directory @@ -119,7 +119,7 @@ </para> <para> If keys are present in the key directory the first time the zone - is loaded, the zone will be signed immediately, without waiting for an + is loaded, the zone will be signed immediately, without waiting for an <command>rndc sign</command> or <command>rndc loadkeys</command> command. (Those commands can still be used when there are unscheduled key changes, however.) @@ -141,16 +141,16 @@ the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM record will appear in the zone. </para> - <para>Using the + <para>Using the <command>auto-dnssec</command> option requires the zone to be - configured to allow dynamic updates, by adding an - <command>allow-update</command> or + configured to allow dynamic updates, by adding an + <command>allow-update</command> or <command>update-policy</command> statement to the zone configuration. If this has not been done, the configuration will fail.</para> - <sect2> - <title>Private-type records</title> - </sect2> + <section><info><title>Private-type records</title></info> + + </section> <para>The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -186,19 +186,19 @@ 0x20 NONSEC </literallayout> </para> - <sect2> - <title>DNSKEY rollovers</title> - </sect2> + <section><info><title>DNSKEY rollovers</title></info> + + </section> <para>As with insecure-to-secure conversions, rolling DNSSEC - keys can be done in two ways: using a dynamic DNS update, or the + keys can be done in two ways: using a dynamic DNS update, or the <command>auto-dnssec</command> zone option.</para> - <sect2> - <title>Dynamic DNS update method</title> - </sect2> + <section><info><title>Dynamic DNS update method</title></info> + + </section> <para> To perform key rollovers via dynamic update, you need to add - the <filename>K*</filename> files for the new keys so that + the <filename>K*</filename> files for the new keys so that <command>named</command> can find them. You can then add the new - DNSKEY RRs via dynamic update. + DNSKEY RRs via dynamic update. <command>named</command> will then cause the zone to be signed with the new keys. When the signing is complete the private type records will be updated so that the last octet is non @@ -212,15 +212,15 @@ be able to verify at least one signature when you remove the old DNSKEY.</para> <para>The old DNSKEY can be removed via UPDATE. Take care to - specify the correct key. + specify the correct key. <command>named</command> will clean out any signatures generated by the old key after the update completes.</para> - <sect2> - <title>Automatic key rollovers</title> - </sect2> + <section><info><title>Automatic key rollovers</title></info> + + </section> <para>When a new key reaches its activation date (as set by <command>dnssec-keygen</command> or <command>dnssec-settime</command>), - if the <command>auto-dnssec</command> zone option is set to + if the <command>auto-dnssec</command> zone option is set to <constant>maintain</constant>, <command>named</command> will automatically carry out the key rollover. If the key's algorithm has not previously been used to sign the zone, then the zone will @@ -231,64 +231,64 @@ signature validity periods expire. By default, this rollover completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.</para> - <sect2> - <title>NSEC3PARAM rollovers via UPDATE</title> - </sect2> + <section><info><title>NSEC3PARAM rollovers via UPDATE</title></info> + + </section> <para>Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.</para> - <sect2> - <title>Converting from NSEC to NSEC3</title> - </sect2> + <section><info><title>Converting from NSEC to NSEC3</title></info> + + </section> <para>To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.</para> - <sect2> - <title>Converting from NSEC3 to NSEC</title> - </sect2> + <section><info><title>Converting from NSEC3 to NSEC</title></info> + + </section> <para>To do this, use <command>nsupdate</command> to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.</para> - <sect2> - <title>Converting from secure to insecure</title> - </sect2> + <section><info><title>Converting from secure to insecure</title></info> + + </section> <para>To convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using <command>nsupdate</command>. All signatures, NSEC or NSEC3 chains, and associated NSEC3PARAM records will be removed automatically. This will take place after the update request completes.</para> - <para> This requires the - <command>dnssec-secure-to-insecure</command> option to be set to - <userinput>yes</userinput> in + <para> This requires the + <command>dnssec-secure-to-insecure</command> option to be set to + <userinput>yes</userinput> in <filename>named.conf</filename>.</para> <para>In addition, if the <command>auto-dnssec maintain</command> zone statement is used, it should be removed or changed to <command>allow</command> instead (or it will re-sign). </para> - <sect2> - <title>Periodic re-signing</title> - </sect2> + <section><info><title>Periodic re-signing</title></info> + + </section> <para>In any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.</para> - <sect2> - <title>NSEC3 and OPTOUT</title> - </sect2> + <section><info><title>NSEC3 and OPTOUT</title></info> + + </section> <para> <command>named</command> only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT - state. + state. <command>named</command> supports UPDATES to zones where the NSEC3 - records in the chain have mixed OPTOUT state. + records in the chain have mixed OPTOUT state. <command>named</command> does not support changing the OPTOUT state of an individual NSEC3 record, the entire chain needs to be changed if the OPTOUT state of an individual NSEC3 needs to be changed.</para> -</sect1> +</section> diff --git a/doc/arm/html-fixup.pl b/doc/arm/html-fixup.pl deleted file mode 100755 index 276381360139..000000000000 --- a/doc/arm/html-fixup.pl +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/perl -w -# -# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and/or distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -while (<>) { - s/쎶/ö/; - print; -} diff --git a/doc/arm/libdns.xml b/doc/arm/libdns.xml index 6b5e81739d8b..dc8655763175 100644 --- a/doc/arm/libdns.xml +++ b/doc/arm/libdns.xml @@ -1,6 +1,5 @@ -<?xml version="1.0" encoding="utf-8"?> <!-- - - Copyright (C) 2010, 2014 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2010, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -15,8 +14,9 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<sect1 id="bind9.library"> - <title>BIND 9 DNS Library Support</title> +<!-- Converted by db4-upgrade version 1.0 --> +<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="bind9.library"><info><title>BIND 9 DNS Library Support</title></info> + <para>This version of BIND 9 "exports" its internal libraries so that they can be used by third-party applications more easily (we call them "export" libraries in this document). In addition to @@ -52,16 +52,16 @@ libraries than BIND 9's internal event task system.</para> </listitem> </itemizedlist> - <sect2> - <title>Prerequisite</title> + <section><info><title>Prerequisite</title></info> + <para>GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that in some platforms you may need to invoke a different command name than "make" (e.g. "gmake") to indicate it's GNU make.</para> - </sect2> - <sect2> - <title>Compilation</title> + </section> + <section><info><title>Compilation</title></info> + <screen> $ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput> $ <userinput>make</userinput> @@ -73,9 +73,9 @@ $ <userinput>make</userinput> export version of the BIND 9 DNS library. Sample application programs using the libraries will also be built under the lib/export/samples directory (see below).</para> - </sect2> - <sect2> - <title>Installation</title> + </section> + <section><info><title>Installation</title></info> + <screen> $ <userinput>cd lib/export</userinput> $ <userinput>make install</userinput> @@ -94,9 +94,9 @@ $ <userinput>make install</userinput> To see how to build your own application after the installation, see <filename>lib/export/samples/Makefile-postinstall.in</filename>.</para> - </sect2> - <sect2> - <title>Known Defects/Restrictions</title> + </section> + <section><info><title>Known Defects/Restrictions</title></info> + <itemizedlist> <listitem> <!-- TODO: what about AIX? --> @@ -140,9 +140,9 @@ $ <userinput>make</userinput> version are "debug" and "ndots".</para> </listitem> </itemizedlist> - </sect2> - <sect2> - <title>The dns.conf File</title> + </section> + <section><info><title>The dns.conf File</title></info> + <para>The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -156,16 +156,16 @@ $ <userinput>make</userinput> <command>trusted-keys</command> statement is supported, whose syntax is the same as the same name of statement for <filename>named.conf</filename>. (See - <xref linkend="trusted-keys" /> for details.)</para> - </sect2> - <sect2> - <title>Sample Applications</title> + <xref linkend="trusted-keys"/> for details.)</para> + </section> + <section><info><title>Sample Applications</title></info> + <para>Some sample application programs using this API are provided for reference. The following is a brief description of these applications. </para> - <sect3> - <title>sample: a simple stub resolver utility</title> + <section><info><title>sample: a simple stub resolver utility</title></info> + <para> It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -183,7 +183,7 @@ $ <userinput>make</userinput> -t RRtype </term> <listitem><para> - specify the RR type of the query. The default is the A RR. + specify the RR type of the query. The default is the A RR. </para></listitem> </varlistentry> <varlistentry> @@ -191,20 +191,20 @@ $ <userinput>make</userinput> [-a algorithm] [-e] -k keyname -K keystring </term> <listitem><para> - specify a command-line DNS key to validate the answer. For - example, to specify the following DNSKEY of example.com: + specify a command-line DNS key to validate the answer. For + example, to specify the following DNSKEY of example.com: <literallayout> - example.com. 3600 IN DNSKEY 257 3 5 xxx + example.com. 3600 IN DNSKEY 257 3 5 xxx </literallayout> - specify the options as follows: + specify the options as follows: <screen> <userinput> - -e -k example.com -K "xxx" + -e -k example.com -K "xxx" </userinput> </screen> - -e means that this key is a zone's "key signing key" (as known - as "secure Entry point"). - When -a is omitted rsasha1 will be used by default. + -e means that this key is a zone's "key signing key" (as known + as "secure Entry point"). + When -a is omitted rsasha1 will be used by default. </para></listitem> </varlistentry> <varlistentry> @@ -212,27 +212,27 @@ $ <userinput>make</userinput> -s domain:alt_server_address </term> <listitem><para> - specify a separate recursive server address for the specific - "domain". Example: -s example.com:2001:db8::1234 + specify a separate recursive server address for the specific + "domain". Example: -s example.com:2001:db8::1234 </para></listitem> </varlistentry> <varlistentry> <term>server_address</term> <listitem><para> - an IP(v4/v6) address of the recursive server to which queries - are sent. + an IP(v4/v6) address of the recursive server to which queries + are sent. </para></listitem> </varlistentry> <varlistentry> <term>hostname</term> <listitem><para> - the domain name for the query + the domain name for the query </para></listitem> </varlistentry> </variablelist> - </sect3> - <sect3> - <title>sample-async: a simple stub resolver, working asynchronously</title> + </section> + <section><info><title>sample-async: a simple stub resolver, working asynchronously</title></info> + <para> Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -276,9 +276,9 @@ $ <userinput>make</userinput> </listitem> </varlistentry> </variablelist> - </sect3> - <sect3> - <title>sample-request: a simple DNS transaction client</title> + </section> + <section><info><title>sample-request: a simple DNS transaction client</title></info> + <para> It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -328,9 +328,9 @@ $ <userinput>make</userinput> </listitem> </varlistentry> </variablelist> - </sect3> - <sect3> - <title>sample-gai: getaddrinfo() and getnameinfo() test code</title> + </section> + <section><info><title>sample-gai: getaddrinfo() and getnameinfo() test code</title></info> + <para> This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -344,9 +344,9 @@ $ <userinput>make</userinput> <para> Usage: sample-gai hostname </para> - </sect3> - <sect3> - <title>sample-update: a simple dynamic update client program</title> + </section> + <section><info><title>sample-update: a simple dynamic update client program</title></info> + <para> It accepts a single update command as a command-line argument, sends an update request message to the @@ -365,11 +365,11 @@ $ <userinput>make</userinput> -a auth_server </term> <listitem><para> - An IP address of the authoritative server that has authority - for the zone containing the update name. This should normally - be the primary authoritative server that accepts dynamic - updates. It can also be a secondary server that is configured - to forward update requests to the primary server. + An IP address of the authoritative server that has authority + for the zone containing the update name. This should normally + be the primary authoritative server that accepts dynamic + updates. It can also be a secondary server that is configured + to forward update requests to the primary server. </para></listitem> </varlistentry> <varlistentry> @@ -377,8 +377,8 @@ $ <userinput>make</userinput> -k keyfile </term> <listitem><para> - A TSIG key file to secure the update transaction. The keyfile - format is the same as that for the nsupdate utility. + A TSIG key file to secure the update transaction. The keyfile + format is the same as that for the nsupdate utility. </para></listitem> </varlistentry> <varlistentry> @@ -386,9 +386,9 @@ $ <userinput>make</userinput> -p prerequisite </term> <listitem><para> - A prerequisite for the update (only one prerequisite can be - specified). The prerequisite format is the same as that is - accepted by the nsupdate utility. + A prerequisite for the update (only one prerequisite can be + specified). The prerequisite format is the same as that is + accepted by the nsupdate utility. </para></listitem> </varlistentry> <varlistentry> @@ -396,10 +396,10 @@ $ <userinput>make</userinput> -r recursive_server </term> <listitem><para> - An IP address of a recursive server that this utility will - use. A recursive server may be necessary to identify the - authoritative server address to which the update request is - sent. + An IP address of a recursive server that this utility will + use. A recursive server may be necessary to identify the + authoritative server address to which the update request is + sent. </para></listitem> </varlistentry> <varlistentry> @@ -407,7 +407,7 @@ $ <userinput>make</userinput> -z zonename </term> <listitem><para> - The domain name of the zone that contains + The domain name of the zone that contains </para></listitem> </varlistentry> <varlistentry> @@ -415,8 +415,8 @@ $ <userinput>make</userinput> (add|delete) </term> <listitem><para> - Specify the type of update operation. Either "add" or "delete" - must be specified. + Specify the type of update operation. Either "add" or "delete" + must be specified. </para></listitem> </varlistentry> <varlistentry> @@ -424,8 +424,8 @@ $ <userinput>make</userinput> "update data" </term> <listitem><para> - Specify the data to be updated. A typical example of the data - would look like "name TTL RRtype RDATA". + Specify the data to be updated. A typical example of the data + would look like "name TTL RRtype RDATA". </para></listitem> </varlistentry> </variablelist> @@ -448,14 +448,14 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy <para> removes all A RRs for foo.dynamic.example.com using the given key. </para> - <screen> + <screen> $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen> <para> removes all RRs for foo.dynamic.example.com using the given key. </para> - </sect3> - <sect3> - <title>nsprobe: domain/name server checker in terms of RFC 4074</title> + </section> + <section><info><title>nsprobe: domain/name server checker in terms of RFC 4074</title></info> + <para> It checks a set of domains to see the name servers of the domains behave @@ -476,8 +476,8 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy -d </term> <listitem><para> - run in the "debug" mode. with this option nsprobe will dump - every RRs it receives. + run in the "debug" mode. with this option nsprobe will dump + every RRs it receives. </para></listitem> </varlistentry> <varlistentry> @@ -485,8 +485,8 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy -v </term> <listitem><para> - increase verbosity of other normal log messages. This can be - specified multiple times + increase verbosity of other normal log messages. This can be + specified multiple times </para></listitem> </varlistentry> <varlistentry> @@ -494,10 +494,10 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy -c cache_address </term> <listitem><para> - specify an IP address of a recursive (caching) name server. - nsprobe uses this server to get the NS RRset of each domain and - the A and/or AAAA RRsets for the name servers. The default - value is 127.0.0.1. + specify an IP address of a recursive (caching) name server. + nsprobe uses this server to get the NS RRset of each domain and + the A and/or AAAA RRsets for the name servers. The default + value is 127.0.0.1. </para></listitem> </varlistentry> <varlistentry> @@ -505,26 +505,25 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy input_file </term> <listitem><para> - a file name containing a list of domain (zone) names to be - probed. when omitted the standard input will be used. Each - line of the input file specifies a single domain name such as - "example.com". In general this domain name must be the apex - name of some DNS zone (unlike normal "host names" such as - "www.example.com"). nsprobe first identifies the NS RRsets for - the given domain name, and sends A and AAAA queries to these - servers for some "widely used" names under the zone; - specifically, adding "www" and "ftp" to the zone name. + a file name containing a list of domain (zone) names to be + probed. when omitted the standard input will be used. Each + line of the input file specifies a single domain name such as + "example.com". In general this domain name must be the apex + name of some DNS zone (unlike normal "host names" such as + "www.example.com"). nsprobe first identifies the NS RRsets for + the given domain name, and sends A and AAAA queries to these + servers for some "widely used" names under the zone; + specifically, adding "www" and "ftp" to the zone name. </para></listitem> </varlistentry> </variablelist> - </sect3> - </sect2> - <sect2> - <title>Library References</title> + </section> + </section> + <section><info><title>Library References</title></info> + <para>As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application programs.</para> - </sect2> -</sect1> -<!-- $Id: libdns.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ --> + </section> +</section> diff --git a/doc/arm/logging-categories.xml b/doc/arm/logging-categories.xml new file mode 100644 index 000000000000..d54d5cf9589c --- /dev/null +++ b/doc/arm/logging-categories.xml @@ -0,0 +1,378 @@ +<!-- + - Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- Converted by db4-upgrade version 1.0 --> +<informaltable xmlns="http://docbook.org/ns/docbook" version="5.0" colsep="0" rowsep="0"> + <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table"> + <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/> + <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/> + <tbody> + <row rowsep="0"> + <entry colname="1"> + <para><command>client</command></para> + </entry> + <entry colname="2"> + <para> + Processing of client requests. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>cname</command></para> + </entry> + <entry colname="2"> + <para> + Logs nameservers that are skipped due to them being + a CNAME rather than A / AAAA records. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>config</command></para> + </entry> + <entry colname="2"> + <para> + Configuration file parsing and processing. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>database</command></para> + </entry> + <entry colname="2"> + <para> + Messages relating to the databases used + internally by the name server to store zone and cache + data. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>default</command></para> + </entry> + <entry colname="2"> + <para> + The default category defines the logging + options for those categories where no specific + configuration has been + defined. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>delegation-only</command></para> + </entry> + <entry colname="2"> + <para> + Delegation only. Logs queries that have been + forced to NXDOMAIN as the result of a + delegation-only zone or a + <command>delegation-only</command> in a + forward, hint or stub zone declaration. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>dispatch</command></para> + </entry> + <entry colname="2"> + <para> + Dispatching of incoming packets to the + server modules where they are to be processed. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>dnssec</command></para> + </entry> + <entry colname="2"> + <para> + DNSSEC and TSIG protocol processing. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>edns-disabled</command></para> + </entry> + <entry colname="2"> + <para> + Log queries that have been forced to use plain + DNS due to timeouts. This is often due to + the remote servers not being RFC 1034 compliant + (not always returning FORMERR or similar to + EDNS queries and other extensions to the DNS + when they are not understood). In other words, this is + targeted at servers that fail to respond to + DNS queries that they don't understand. + </para> + <para> + Note: the log message can also be due to + packet loss. Before reporting servers for + non-RFC 1034 compliance they should be re-tested + to determine the nature of the non-compliance. + This testing should prevent or reduce the + number of false-positive reports. + </para> + <para> + Note: eventually <command>named</command> will have to stop + treating such timeouts as due to RFC 1034 non + compliance and start treating it as plain + packet loss. Falsely classifying packet + loss as due to RFC 1034 non compliance impacts + on DNSSEC validation which requires EDNS for + the DNSSEC records to be returned. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>general</command></para> + </entry> + <entry colname="2"> + <para> + The catch-all. Many things still aren't + classified into categories, and they all end up here. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>lame-servers</command></para> + </entry> + <entry colname="2"> + <para> + Lame servers. These are misconfigurations + in remote servers, discovered by BIND 9 when trying to + query those servers during resolution. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>network</command></para> + </entry> + <entry colname="2"> + <para> + Network operations. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>notify</command></para> + </entry> + <entry colname="2"> + <para> + The NOTIFY protocol. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>queries</command></para> + </entry> + <entry colname="2"> + <para> + Specify where queries should be logged to. + </para> + <para> + At startup, specifying the category <command>queries</command> will also + enable query logging unless <command>querylog</command> option has been + specified. + </para> + + <para> + The query log entry reports the client's IP + address and port number, and the query name, + class and type. Next it reports whether the + Recursion Desired flag was set (+ if set, - + if not set), if the query was signed (S), + EDNS was in use (E), if TCP was used (T), if + DO (DNSSEC Ok) was set (D), or if CD (Checking + Disabled) was set (C). After this the + destination address the query was sent to is + reported. + </para> + + <para> + <computeroutput>client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</computeroutput> + </para> + <para> + <computeroutput>client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</computeroutput> + </para> + <para> + (The first part of this log message, showing the + client address/port number and query name, is + repeated in all subsequent log messages related + to the same query.) + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>query-errors</command></para> + </entry> + <entry colname="2"> + <para> + Information about queries that resulted in some + failure. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>rate-limit</command></para> + </entry> + <entry colname="2"> + <para> + (Only available when <acronym>BIND</acronym> 9 is + configured with the <userinput>--enable-rrl</userinput> + option at compile time.) + </para> + <para> + The start, periodic, and final notices of the + rate limiting of a stream of responses are logged at + <command>info</command> severity in this category. + These messages include a hash value of the domain name + of the response and the name itself, + except when there is insufficient memory to record + the name for the final notice + The final notice is normally delayed until about one + minute after rate limit stops. + A lack of memory can hurry the final notice, + in which case it starts with an asterisk (*). + Various internal events are logged at debug 1 level + and higher. + </para> + <para> + Rate limiting of individual requests + is logged in the <command>query-errors</command> category. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>resolver</command></para> + </entry> + <entry colname="2"> + <para> + DNS resolution, such as the recursive + lookups performed on behalf of clients by a caching name + server. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>rpz</command></para> + </entry> + <entry colname="2"> + <para> + Information about errors in response policy zone files, + rewritten responses, and at the highest + <command>debug</command> levels, mere rewriting + attempts. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>security</command></para> + </entry> + <entry colname="2"> + <para> + Approval and denial of requests. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>spill</command></para> + </entry> + <entry colname="2"> + <para> + Logs queries that have been terminated, either by dropping + or responding with SERVFAIL, as a result of a fetchlimit + quota being exceeded. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>unmatched</command></para> + </entry> + <entry colname="2"> + <para> + Messages that <command>named</command> was unable to determine the + class of or for which there was no matching <command>view</command>. + A one line summary is also logged to the <command>client</command> category. + This category is best sent to a file or stderr, by + default it is sent to + the <command>null</command> channel. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>update</command></para> + </entry> + <entry colname="2"> + <para> + Dynamic updates. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>update-security</command></para> + </entry> + <entry colname="2"> + <para> + Approval and denial of update requests. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>xfer-in</command></para> + </entry> + <entry colname="2"> + <para> + Zone transfers the server is receiving. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>xfer-out</command></para> + </entry> + <entry colname="2"> + <para> + Zone transfers the server is sending. + </para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 06449e19fd30..c05cbf11abfe 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>arpaname</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen"> <link rel="next" href="man.genrandom.html" title="genrandom"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.arpaname"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,24 +48,19 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2618811"></a><h2>DESCRIPTION</h2> +<div class="refsection"> +<a name="id-1.14.25.7"></a><h2>DESCRIPTION</h2> <p> - <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and + <span class="command"><strong>arpaname</strong></span> translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2618826"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.25.8"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2618840"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -87,6 +81,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index aef19fe485be..3b2f7e472a0a 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>ddns-confgen</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen"> <link rel="next" href="man.arpaname.html" title="arpaname"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.ddns-confgen"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,36 +48,36 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2650372"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">ddns-confgen</strong></span> - generates a key for use by <span><strong class="command">nsupdate</strong></span> - and <span><strong class="command">named</strong></span>. It simplifies configuration +<div class="refsection"> +<a name="id-1.14.24.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>ddns-confgen</strong></span> + generates a key for use by <span class="command"><strong>nsupdate</strong></span> + and <span class="command"><strong>named</strong></span>. It simplifies configuration of dynamic zones by generating a key and providing the - <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span> + <span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>named.conf</strong></span> syntax that will be needed to use it, including an example - <span><strong class="command">update-policy</strong></span> statement. + <span class="command"><strong>update-policy</strong></span> statement. </p> <p> If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample - <span><strong class="command">named.conf</strong></span> syntax. For example, - <span><strong class="command">ddns-confgen example.com</strong></span> would + <span class="command"><strong>named.conf</strong></span> syntax. For example, + <span class="command"><strong>ddns-confgen example.com</strong></span> would generate a key called "ddns-key.example.com", and sample - <span><strong class="command">named.conf</strong></span> command that could be used + <span class="command"><strong>named.conf</strong></span> command that could be used in the zone definition for "example.com". </p> <p> - Note that <span><strong class="command">named</strong></span> itself can configure a - local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>. - <span><strong class="command">ddns-confgen</strong></span> is only needed when a + Note that <span class="command"><strong>named</strong></span> itself can configure a + local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>. + <span class="command"><strong>ddns-confgen</strong></span> is only needed when a more elaborate configuration is required: for instance, if - <span><strong class="command">nsupdate</strong></span> is to be used from a remote system. + <span class="command"><strong>nsupdate</strong></span> is to be used from a remote system. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2650459"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.24.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd><p> Specifies the algorithm to use for the TSIG key. Available @@ -88,7 +87,7 @@ <dt><span class="term">-h</span></dt> <dd><p> Prints a short summary of the options and arguments to - <span><strong class="command">ddns-confgen</strong></span>. + <span class="command"><strong>ddns-confgen</strong></span>. </p></dd> <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt> <dd><p> @@ -121,7 +120,7 @@ </p></dd> <dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt> <dd><p> - Single host mode: The example <span><strong class="command">named.conf</strong></span> text + Single host mode: The example <span class="command"><strong>named.conf</strong></span> text shows how to set an update policy for the specified <em class="replaceable"><code>name</code></em> using the "name" nametype. @@ -133,7 +132,7 @@ </p></dd> <dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt> <dd><p> - zone mode: The example <span><strong class="command">named.conf</strong></span> text + zone mode: The example <span class="command"><strong>named.conf</strong></span> text shows how to set an update policy for the specified <em class="replaceable"><code>zone</code></em> using the "zonesub" nametype, allowing updates to all subdomain @@ -143,19 +142,14 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2658715"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.24.9"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2658754"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -176,6 +170,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 44cc60bbedac..25496707aed0 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dig</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="next" href="man.host.html" title="host"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dig"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -51,41 +50,41 @@ <div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div> <div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2613030"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dig</strong></span> +<div class="refsection"> +<a name="id-1.14.2.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dig</strong></span> (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that - were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to + were queried. Most DNS administrators use <span class="command"><strong>dig</strong></span> to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality - than <span><strong class="command">dig</strong></span>. + than <span class="command"><strong>dig</strong></span>. </p> <p> - Although <span><strong class="command">dig</strong></span> is normally used with + Although <span class="command"><strong>dig</strong></span> is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the <code class="option">-h</code> option is given. Unlike earlier versions, the BIND 9 implementation of - <span><strong class="command">dig</strong></span> allows multiple lookups to be issued + <span class="command"><strong>dig</strong></span> allows multiple lookups to be issued from the command line. </p> <p> Unless it is told to query a specific name server, - <span><strong class="command">dig</strong></span> will try each of the servers listed in + <span class="command"><strong>dig</strong></span> will try each of the servers listed in <code class="filename">/etc/resolv.conf</code>. If no usable server addresses - are found, <span><strong class="command">dig</strong></span> will send the query to the local + are found, <span class="command"><strong>dig</strong></span> will send the query to the local host. </p> <p> When no command line arguments or options are given, - <span><strong class="command">dig</strong></span> will perform an NS query for "." (the root). + <span class="command"><strong>dig</strong></span> will perform an NS query for "." (the root). </p> <p> - It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via + It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via <code class="filename">${HOME}/.digrc</code>. This file is read and any options in it are applied before the command line arguments. @@ -93,22 +92,22 @@ <p> The IN and CH class names overlap with the IN and CH top level domain names. Either use the <code class="option">-t</code> and - <code class="option">-c</code> options to specify the type and class, + <code class="option">-c</code> options to specify the type and class, use the <code class="option">-q</code> the specify the domain name, or use "IN." and "CH." when looking up these top level domains. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2613269"></a><h2>SIMPLE USAGE</h2> +<div class="refsection"> +<a name="id-1.14.2.8"></a><h2>SIMPLE USAGE</h2> <p> - A typical invocation of <span><strong class="command">dig</strong></span> looks like: + A typical invocation of <span class="command"><strong>dig</strong></span> looks like: </p> <pre class="programlisting"> dig @server name type </pre> <p> where: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"><code class="constant">server</code></span></dt> <dd> <p> @@ -116,19 +115,19 @@ can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied <em class="parameter"><code>server</code></em> argument is a hostname, - <span><strong class="command">dig</strong></span> resolves that name before querying + <span class="command"><strong>dig</strong></span> resolves that name before querying that name server. </p> <p> If no <em class="parameter"><code>server</code></em> argument is - provided, <span><strong class="command">dig</strong></span> consults + provided, <span class="command"><strong>dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>; if an address is found there, it queries the name server at that address. If either of the <code class="option">-4</code> or <code class="option">-6</code> options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found, - <span><strong class="command">dig</strong></span> will send the query to the + <span class="command"><strong>dig</strong></span> will send the query to the local host. The reply from the name server that responds is displayed. </p> @@ -144,16 +143,16 @@ <em class="parameter"><code>type</code></em> can be any valid query type. If no <em class="parameter"><code>type</code></em> argument is supplied, - <span><strong class="command">dig</strong></span> will perform a lookup for an + <span class="command"><strong>dig</strong></span> will perform a lookup for an A record. </p></dd> </dl></div> <p> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2613600"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.2.9"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-4</span></dt> <dd><p> Use IPv4 only. @@ -177,12 +176,12 @@ </p></dd> <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt> <dd><p> - Batch mode: <span><strong class="command">dig</strong></span> reads a list of lookup + Batch mode: <span class="command"><strong>dig</strong></span> reads a list of lookup requests to process from the given <em class="parameter"><code>file</code></em>. Each line in the file should be organized in the same way they would be presented as queries to - <span><strong class="command">dig</strong></span> using the command-line interface. + <span class="command"><strong>dig</strong></span> using the command-line interface. </p></dd> <dt><span class="term">-i</span></dt> <dd><p> @@ -195,11 +194,11 @@ Sign queries using TSIG using a key read from the given file. Key files can be generated using <span class="citerefentry"><span class="refentrytitle">tsig-keygen</span>(8)</span>. - When using TSIG authentication with <span><strong class="command">dig</strong></span>, + When using TSIG authentication with <span class="command"><strong>dig</strong></span>, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by - providing appropriate <span><strong class="command">key</strong></span> - and <span><strong class="command">server</strong></span> statements in + providing appropriate <span class="command"><strong>key</strong></span> + and <span class="command"><strong>server</strong></span> statements in <code class="filename">named.conf</code>. </p></dd> <dt><span class="term">-m</span></dt> @@ -246,7 +245,7 @@ need to provide the <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and <em class="parameter"><code>type</code></em> - arguments. <span><strong class="command">dig</strong></span> automatically performs a + arguments. <span class="command"><strong>dig</strong></span> automatically performs a lookup for a name like <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the query type and class to PTR and IN respectively. IPv6 @@ -279,9 +278,9 @@ </dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2665793"></a><h2>QUERY OPTIONS</h2> -<p><span><strong class="command">dig</strong></span> +<div class="refsection"> +<a name="id-1.14.2.10"></a><h2>QUERY OPTIONS</h2> +<p><span class="command"><strong>dig</strong></span> provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which @@ -302,7 +301,7 @@ The query options are: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt> <dd><p> A synonym for <em class="parameter"><code>+[no]aaonly</code></em>. @@ -371,7 +370,7 @@ <dt><span class="term"><code class="option">+[no]cmd</code></span></dt> <dd><p> Toggles the printing of the initial comment in the - output identifying the version of <span><strong class="command">dig</strong></span> + output identifying the version of <span class="command"><strong>dig</strong></span> and the query options that have been applied. This comment is printed by default. </p></dd> @@ -395,7 +394,7 @@ <dd><p> Set the search list to contain the single domain <em class="parameter"><code>somename</code></em>, as if specified in - a <span><strong class="command">domain</strong></span> directive in + a <span class="command"><strong>domain</strong></span> directive in <code class="filename">/etc/resolv.conf</code>, and enable search list processing as if the <em class="parameter"><code>+search</code></em> option were given. @@ -439,7 +438,7 @@ Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to - facilitate machine parsing of the <span><strong class="command">dig</strong></span> + facilitate machine parsing of the <span class="command"><strong>dig</strong></span> output. </p></dd> <dt><span class="term"><code class="option">+ndots=D</code></span></dt> @@ -463,7 +462,7 @@ </p></dd> <dt><span class="term"><code class="option">+[no]nssearch</code></span></dt> <dd><p> - When this option is set, <span><strong class="command">dig</strong></span> + When this option is set, <span class="command"><strong>dig</strong></span> attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for @@ -494,7 +493,7 @@ <dd><p> Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means - <span><strong class="command">dig</strong></span> normally sends recursive + <span class="command"><strong>dig</strong></span> normally sends recursive queries. Recursion is automatically disabled when the <em class="parameter"><code>+nssearch</code></em> or <em class="parameter"><code>+trace</code></em> query options are used. @@ -591,7 +590,7 @@ Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, - <span><strong class="command">dig</strong></span> makes iterative queries to + <span class="command"><strong>dig</strong></span> makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. @@ -601,7 +600,7 @@ initial query for the root zone name servers. </p> <p> - <span><strong class="command">+dnssec</strong></span> is also set when +trace + <span class="command"><strong>+dnssec</strong></span> is also set when +trace is set to better emulate the default queries from a nameserver. </p> @@ -622,7 +621,7 @@ must be on its own line. </p> <p> - If not specified, <span><strong class="command">dig</strong></span> will look + If not specified, <span class="command"><strong>dig</strong></span> will look for <code class="filename">/etc/trusted-key.key</code> then <code class="filename">trusted-key.key</code> in the current directory. @@ -648,10 +647,10 @@ </p> </div> -<div class="refsect1" lang="en"> -<a name="id2666872"></a><h2>MULTIPLE QUERIES</h2> +<div class="refsection"> +<a name="id-1.14.2.11"></a><h2>MULTIPLE QUERIES</h2> <p> - The BIND 9 implementation of <span><strong class="command">dig </strong></span> + The BIND 9 implementation of <span class="command"><strong>dig </strong></span> supports specifying multiple queries on the command line (in addition to supporting the <code class="option">-f</code> batch file option). Each of those @@ -678,7 +677,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </pre> <p> - shows how <span><strong class="command">dig</strong></span> could be used from the + shows how <span class="command"><strong>dig</strong></span> could be used from the command line to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a reverse lookup of 127.0.0.1 and a query for the NS records of @@ -686,45 +685,45 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr A global query option of <em class="parameter"><code>+qr</code></em> is applied, so - that <span><strong class="command">dig</strong></span> shows the initial query it made + that <span class="command"><strong>dig</strong></span> shows the initial query it made for each lookup. The final query has a local query option of - <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span> + <em class="parameter"><code>+noqr</code></em> which means that <span class="command"><strong>dig</strong></span> will not print the initial query when it looks up the NS records for <code class="literal">isc.org</code>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2667026"></a><h2>IDN SUPPORT</h2> +<div class="refsection"> +<a name="id-1.14.2.12"></a><h2>IDN SUPPORT</h2> <p> - If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized + If <span class="command"><strong>dig</strong></span> has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. - <span><strong class="command">dig</strong></span> appropriately converts character encoding of + <span class="command"><strong>dig</strong></span> appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the <code class="envar">IDN_DISABLE</code> environment variable. - The IDN support is disabled if the variable is set when - <span><strong class="command">dig</strong></span> runs. + The IDN support is disabled if the variable is set when + <span class="command"><strong>dig</strong></span> runs. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2667123"></a><h2>FILES</h2> +<div class="refsection"> +<a name="id-1.14.2.13"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> <p><code class="filename">${HOME}/.digrc</code> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2667144"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.2.14"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">RFC1035</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2667181"></a><h2>BUGS</h2> +<div class="refsection"> +<a name="id-1.14.2.15"></a><h2>BUGS</h2> <p> There are probably too many query options. </p> @@ -747,6 +746,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 9965a076d5cd..c11e1b4f220a 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-checkds</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.host.html" title="host"> <link rel="next" href="man.dnssec-coverage.html" title="dnssec-coverage"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-checkds"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -50,17 +49,17 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div> <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2614701"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-checkds</strong></span> +<div class="refsection"> +<a name="id-1.14.4.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-checkds</strong></span> verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2614715"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.4.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt> <dd><p> If a <code class="option">file</code> is specified, then the zone is @@ -69,36 +68,31 @@ </p></dd> <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> <dd><p> - Check for a DLV record in the specified lookaside domain, + Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone's parent. For example, to check for DLV records for "example.com" in ISC's DLV zone, use: - <span><strong class="command">dnssec-checkds -l dlv.isc.org example.com</strong></span> + <span class="command"><strong>dnssec-checkds -l dlv.isc.org example.com</strong></span> </p></dd> <dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt> <dd><p> - Specifies a path to a <span><strong class="command">dig</strong></span> binary. Used + Specifies a path to a <span class="command"><strong>dig</strong></span> binary. Used for testing. </p></dd> <dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt> <dd><p> - Specifies a path to a <span><strong class="command">dnssec-dsfromkey</strong></span> binary. + Specifies a path to a <span class="command"><strong>dnssec-dsfromkey</strong></span> binary. Used for testing. </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2614818"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.4.9"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, </p> </div> -<div class="refsect1" lang="en"> -<a name="id2614852"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -118,6 +112,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 7ecaed3c68b2..6cd24c947031 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-coverage</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds"> <link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-coverage"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,9 +48,9 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [zone]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2615900"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-coverage</strong></span> +<div class="refsection"> +<a name="id-1.14.5.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-coverage</strong></span> verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage. @@ -77,9 +76,9 @@ share the same TTL parameters.) </p> </div> -<div class="refsect1" lang="en"> -<a name="id2615927"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.5.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt> <dd><p> If a <code class="option">file</code> is specified, then the zone is @@ -137,7 +136,7 @@ This option is mandatory unless the <code class="option">-f</code> has been used to specify a zone file, or a default key TTL was set with the <code class="option">-L</code> to - <span><strong class="command">dnssec-keygen</strong></span>. (If either of those is true, + <span class="command"><strong>dnssec-keygen</strong></span>. (If either of those is true, this option may still be used; it will override the value found in the zone or key file.) </p> @@ -149,7 +148,7 @@ or zones being analyzed when determining whether there is a possibility of validation failure. This value defaults to 22.5 days, which is also the default in - <span><strong class="command">named</strong></span>. However, if it has been changed + <span class="command"><strong>named</strong></span>. However, if it has been changed by the <code class="option">sig-validity-interval</code> option in <code class="filename">named.conf</code>, then it should also be changed here. @@ -162,13 +161,13 @@ </dd> <dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt> <dd><p> - Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary. + Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary. Used for testing. </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2616382"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.5.9"></a><h2>SEE ALSO</h2> <p> <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>, @@ -176,11 +175,6 @@ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2616494"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -201,6 +195,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 46425f9fb649..c4006a824eab 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,16 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-dsfromkey</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage"> -<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"> +<link rel="next" href="man.dnssec-importkey.html" title="dnssec-importkey"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> <div class="navheader"> @@ -33,13 +32,13 @@ <td width="20%" align="left"> <a accesskey="p" href="man.dnssec-coverage.html">Prev</a> </td> <th width="60%" align="center">Manual pages</th> -<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-importkey.html">Next</a> </td> </tr> </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -51,16 +50,16 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div> <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2617147"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-dsfromkey</strong></span> +<div class="refsection"> +<a name="id-1.14.6.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-dsfromkey</strong></span> outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s). </p> </div> -<div class="refsect1" lang="en"> -<a name="id2617161"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.6.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-1</span></dt> <dd><p> Use SHA-1 as the digest algorithm (the default is to use @@ -103,7 +102,7 @@ <p> If <code class="option">file</code> is set to <code class="literal">"-"</code>, then the zone data is read from the standard input. This makes it - possible to use the output of the <span><strong class="command">dig</strong></span> + possible to use the output of the <span class="command"><strong>dig</strong></span> command as input, as in: </p> <p> @@ -114,7 +113,7 @@ <dd><p> Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS - records and printed. Useful only in zone file mode. + records and printed. Useful only in zone file mode. </p></dd> <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> <dd><p> @@ -149,8 +148,8 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2617914"></a><h2>EXAMPLE</h2> +<div class="refsection"> +<a name="id-1.14.6.9"></a><h2>EXAMPLE</h2> <p> To build the SHA-256 DS RR from the <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> @@ -164,8 +163,8 @@ <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2617950"></a><h2>FILES</h2> +<div class="refsection"> +<a name="id-1.14.6.10"></a><h2>FILES</h2> <p> The keyfile can be designed by the key identification <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name @@ -178,14 +177,14 @@ <code class="option">dnsname</code>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2617992"></a><h2>CAVEAT</h2> +<div class="refsection"> +<a name="id-1.14.6.11"></a><h2>CAVEAT</h2> <p> A keyfile error can give a "file not found" even if the file exists. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2618002"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.6.12"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -194,11 +193,6 @@ <em class="citetitle">RFC 4509</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2619065"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -207,18 +201,18 @@ <td width="40%" align="left"> <a accesskey="p" href="man.dnssec-coverage.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> -<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-importkey.html">Next</a> </td> </tr> <tr> <td width="40%" align="left" valign="top"> <span class="application">dnssec-coverage</span> </td> <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> -<td width="40%" align="right" valign="top"> <span class="application">dnssec-keyfromlabel</span> +<td width="40%" align="right" valign="top"> <span class="application">dnssec-importkey</span> </td> </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html new file mode 100644 index 000000000000..f24553ed4dd6 --- /dev/null +++ b/doc/arm/man.dnssec-importkey.html @@ -0,0 +1,182 @@ +<!-- + - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dnssec-importkey</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> +<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey"> +<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center"><span class="application">dnssec-importkey</span></th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td> +<th width="60%" align="center">Manual pages</th> +<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="refentry"> +<a name="man.dnssec-importkey"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-importkey</span> — Import DNSKEY records from external systems so they can be managed.</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div> +<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.7.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-importkey</strong></span> + reads a public DNSKEY record and generates a pair of + .key/.private files. The DNSKEY record may be read from an + existing .key file, in which case a corresponding .private file + will be generated, or it may be read from any other file or + from the standard input, in which case both .key and .private + files will be generated. + </p> +<p> + The newly-created .private file does <span class="emphasis"><em>not</em></span> + contain private key data, and cannot be used for signing. + However, having a .private file makes it possible to set + publication (<code class="option">-P</code>) and deletion + (<code class="option">-D</code>) times for the key, which means the + public key can be added to and removed from the DNSKEY RRset + on schedule even if the true private key is stored offline. + </p> +</div> +<div class="refsection"> +<a name="id-1.14.7.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt> +<dd> +<p> + Zone file mode: instead of a public keyfile name, the argument + is the DNS domain name of a zone master file, which can be read + from <code class="option">file</code>. If the domain name is the same as + <code class="option">file</code>, then it may be omitted. + </p> +<p> + If <code class="option">file</code> is set to <code class="literal">"-"</code>, then + the zone data is read from the standard input. + </p> +</dd> +<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> +<dd><p> + Sets the directory in which the key files are to reside. + </p></dd> +<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt> +<dd><p> + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + <code class="literal">0</code> or <code class="literal">none</code> removes it. + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Emit usage message and exit. + </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> + Sets the debugging level. + </p></dd> +<dt><span class="term">-V</span></dt> +<dd><p> + Prints version information. + </p></dd> +</dl></div> +</div> +<div class="refsection"> +<a name="id-1.14.7.9"></a><h2>TIMING OPTIONS</h2> +<p> + Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. + If the argument begins with a '+' or '-', it is interpreted as + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds. To explicitly prevent a date from being + set, use 'none' or 'never'. + </p> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt> +<dd><p> + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. + </p></dd> +<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt> +<dd><p> + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + </p></dd> +</dl></div> +</div> +<div class="refsection"> +<a name="id-1.14.7.10"></a><h2>FILES</h2> +<p> + A keyfile can be designed by the key identification + <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name + <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by + <span class="refentrytitle">dnssec-keygen</span>(8). + </p> +</div> +<div class="refsection"> +<a name="id-1.14.7.11"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 5011</em>. + </p> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td> +<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> +<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top"> +<span class="application">dnssec-dsfromkey</span> </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> <span class="application">dnssec-keyfromlabel</span> +</td> +</tr> +</table> +</div> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> +</body> +</html> diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 535b8c3be195..8931f8d21ef2 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,15 +14,14 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-keyfromlabel</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> -<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey"> +<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey"> <link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> @@ -31,7 +30,7 @@ <tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr> <tr> <td width="20%" align="left"> -<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td> +<a accesskey="p" href="man.dnssec-importkey.html">Prev</a> </td> <th width="60%" align="center">Manual pages</th> <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a> </td> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,13 +48,13 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2618380"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-keyfromlabel</strong></span> +<div class="refsection"> +<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-keyfromlabel</strong></span> generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key file can be used for DNSSEC signing of zone data as if it were a - conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>, + conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>, but the key material is stored within the HSM, and the actual signing takes place there. </p> @@ -65,9 +64,9 @@ being generated. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2618406"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.8.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> @@ -122,7 +121,7 @@ <dt><span class="term">-C</span></dt> <dd><p> Compatibility mode: generates an old-style key, without - any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span> + any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span> will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include @@ -147,7 +146,7 @@ <dt><span class="term">-h</span></dt> <dd><p> Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-keyfromlabel</strong></span>. + <span class="command"><strong>dnssec-keyfromlabel</strong></span>. </p></dd> <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> @@ -208,8 +207,8 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2670988"></a><h2>TIMING OPTIONS</h2> +<div class="refsection"> +<a name="id-1.14.8.9"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -221,7 +220,7 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'. </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt> <dd><p> Sets the date on which a key is to be published to the zone. @@ -267,7 +266,7 @@ </p> <p> If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero. </p> <p> @@ -280,26 +279,26 @@ </dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2671178"></a><h2>GENERATED KEY FILES</h2> +<div class="refsection"> +<a name="id-1.14.8.10"></a><h2>GENERATED KEY FILES</h2> <p> - When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes + When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes successfully, it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> to the standard output. This is an identification string for the key files it has generated. </p> -<div class="itemizedlist"><ul type="disc"> -<li><p><code class="filename">nnnn</code> is the key name. +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p><code class="filename">nnnn</code> is the key name. </p></li> -<li><p><code class="filename">aaa</code> is the numeric representation +<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation of the algorithm. </p></li> -<li><p><code class="filename">iiiii</code> is the key identifier (or +<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or footprint). </p></li> </ul></div> -<p><span><strong class="command">dnssec-keyfromlabel</strong></span> +<p><span class="command"><strong>dnssec-keyfromlabel</strong></span> creates two files, with names based on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> contains the public key, and @@ -319,39 +318,34 @@ general read permission. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2671340"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.8.11"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4034</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2671373"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> <table width="100%" summary="Navigation footer"> <tr> <td width="40%" align="left"> -<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td> +<a accesskey="p" href="man.dnssec-importkey.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a> </td> </tr> <tr> <td width="40%" align="left" valign="top"> -<span class="application">dnssec-dsfromkey</span> </td> +<span class="application">dnssec-importkey</span> </td> <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> <td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span> </td> </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index d3252e94120e..dd46bf33ea7b 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-keygen</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"> <link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-keygen"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,9 +48,9 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2619564"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-keygen</strong></span> +<div class="refsection"> +<a name="id-1.14.9.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY @@ -63,9 +62,9 @@ which the key is being generated. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2619585"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.9.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> @@ -138,7 +137,7 @@ <dt><span class="term">-C</span></dt> <dd><p> Compatibility mode: generates an old-style key, without - any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span> + any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span> will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include @@ -177,7 +176,7 @@ <dt><span class="term">-h</span></dt> <dd><p> Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-keygen</strong></span>. + <span class="command"><strong>dnssec-keygen</strong></span>. </p></dd> <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> @@ -209,7 +208,7 @@ <dd><p> Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when - <span><strong class="command">dnssec-keygen</strong></span> is run interactively + <span class="command"><strong>dnssec-keygen</strong></span> is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to <code class="filename">stderr</code> indicating the progress of the key generation. A '.' indicates that a @@ -279,8 +278,8 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2671876"></a><h2>TIMING OPTIONS</h2> +<div class="refsection"> +<a name="id-1.14.9.9"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -292,7 +291,7 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'. </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt> <dd><p> Sets the date on which a key is to be published to the zone. @@ -340,7 +339,7 @@ </p> <p> If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero. </p> <p> @@ -353,27 +352,27 @@ </dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2672066"></a><h2>GENERATED KEYS</h2> +<div class="refsection"> +<a name="id-1.14.9.10"></a><h2>GENERATED KEYS</h2> <p> - When <span><strong class="command">dnssec-keygen</strong></span> completes + When <span class="command"><strong>dnssec-keygen</strong></span> completes successfully, it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> to the standard output. This is an identification string for the key it has generated. </p> -<div class="itemizedlist"><ul type="disc"> -<li><p><code class="filename">nnnn</code> is the key name. +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p><code class="filename">nnnn</code> is the key name. </p></li> -<li><p><code class="filename">aaa</code> is the numeric representation +<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation of the algorithm. </p></li> -<li><p><code class="filename">iiiii</code> is the key identifier (or +<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or footprint). </p></li> </ul></div> -<p><span><strong class="command">dnssec-keygen</strong></span> +<p><span class="command"><strong>dnssec-keygen</strong></span> creates two files, with names based on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> contains the public key, and @@ -399,8 +398,8 @@ HMAC-MD5, even though the public and private key are equivalent. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2672310"></a><h2>EXAMPLE</h2> +<div class="refsection"> +<a name="id-1.14.9.11"></a><h2>EXAMPLE</h2> <p> To generate a 768-bit DSA key for the domain <strong class="userinput"><code>example.com</code></strong>, the following command would be @@ -414,14 +413,14 @@ <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong> </p> <p> - In this example, <span><strong class="command">dnssec-keygen</strong></span> creates + In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates the files <code class="filename">Kexample.com.+003+26160.key</code> and <code class="filename">Kexample.com.+003+26160.private</code>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2672435"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.9.12"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2539</em>, @@ -429,11 +428,6 @@ <em class="citetitle">RFC 4034</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2672466"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -454,6 +448,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 43c5ad091752..2adbbb403440 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-revoke</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen"> <link rel="next" href="man.dnssec-settime.html" title="dnssec-settime"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-revoke"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,17 +48,17 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2620151"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-revoke</strong></span> +<div class="refsection"> +<a name="id-1.14.10.6"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-revoke</strong></span> reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2620165"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.10.7"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-h</span></dt> <dd><p> Emit usage message and exit. @@ -88,7 +87,7 @@ </p></dd> <dt><span class="term">-f</span></dt> <dd><p> - Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to + Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key. </p></dd> @@ -99,18 +98,13 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2620299"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.10.8"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 5011</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2620324"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -131,6 +125,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index fd4fa7c3b7a3..2d4afe24a099 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-settime</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke"> <link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-settime"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,20 +48,20 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2621125"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-settime</strong></span> +<div class="refsection"> +<a name="id-1.14.11.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-settime</strong></span> reads a DNSSEC private key file and sets the key timing metadata as specified by the <code class="option">-P</code>, <code class="option">-A</code>, <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code> options. The metadata can then be used by - <span><strong class="command">dnssec-signzone</strong></span> or other signing software to + <span class="command"><strong>dnssec-signzone</strong></span> or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc. </p> <p> If none of these options is set on the command line, - then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing + then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing metadata already stored in the key. </p> <p> @@ -75,18 +74,18 @@ inaccessible to anyone other than the owner (mode 0600). </p> </div> -<div class="refsect1" lang="en"> -<a name="id2621252"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.11.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-f</span></dt> <dd><p> Force an update of an old-format key with no metadata fields. - Without this option, <span><strong class="command">dnssec-settime</strong></span> will + Without this option, <span class="command"><strong>dnssec-settime</strong></span> will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be - set to the present time. If no other values are specified, - then the key's publication and activation dates will also + set to the present time. If no other values are specified, + then the key's publication and activation dates will also be set to the present time. </p></dd> <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> @@ -123,8 +122,8 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2621525"></a><h2>TIMING OPTIONS</h2> +<div class="refsection"> +<a name="id-1.14.11.9"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -135,7 +134,7 @@ days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none' or 'never'. </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt> <dd><p> Sets the date on which a key is to be published to the zone. @@ -189,7 +188,7 @@ </p> <p> If the key is being set to be an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero. </p> <p> @@ -202,13 +201,13 @@ </dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2622005"></a><h2>PRINTING OPTIONS</h2> +<div class="refsection"> +<a name="id-1.14.11.10"></a><h2>PRINTING OPTIONS</h2> <p> - <span><strong class="command">dnssec-settime</strong></span> can also be used to print the + <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the timing metadata associated with a key. </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-u</span></dt> <dd><p> Print times in UNIX epoch format. @@ -228,19 +227,14 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2622153"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.11.11"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 5011</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2622186"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -261,6 +255,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 489b0c7a601a..0a387d41f622 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-signzone</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime"> <link rel="next" href="man.dnssec-verify.html" title="dnssec-verify"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-signzone"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,9 +48,9 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2635306"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-signzone</strong></span> +<div class="refsection"> +<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone @@ -60,9 +59,9 @@ <code class="filename">keyset</code> file for each child zone. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2635325"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.12.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-a</span></dt> <dd><p> Verify all generated signatures. @@ -78,7 +77,7 @@ file in addition to <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code> when signing a zone, for use by older versions of - <span><strong class="command">dnssec-signzone</strong></span>. + <span class="command"><strong>dnssec-signzone</strong></span>. </p></dd> <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> @@ -88,11 +87,11 @@ <dt><span class="term">-D</span></dt> <dd><p> Output only those record types automatically managed by - <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC, + <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing (<code class="option">-S</code>) is used, DNSKEY records are also included. The resulting file can be included in the original - zone file with <span><strong class="command">$INCLUDE</strong></span>. This option + zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option cannot be combined with <code class="option">-O raw</code> or serial number updating. </p></dd> @@ -181,7 +180,7 @@ <dt><span class="term">-h</span></dt> <dd><p> Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-signzone</strong></span>. + <span class="command"><strong>dnssec-signzone</strong></span>. </p></dd> <dt><span class="term">-V</span></dt> <dd><p> @@ -201,7 +200,7 @@ The default cycle interval is one quarter of the difference between the signature end and start times. So if neither <code class="option">end-time</code> or <code class="option">start-time</code> - are specified, <span><strong class="command">dnssec-signzone</strong></span> + are specified, <span class="command"><strong>dnssec-signzone</strong></span> generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records @@ -212,8 +211,8 @@ <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt> <dd><p> The format of the input zone file. - Possible formats are <span><strong class="command">"text"</strong></span> (default) - and <span><strong class="command">"raw"</strong></span>. + Possible formats are <span class="command"><strong>"text"</strong></span> (default) + and <span class="command"><strong>"raw"</strong></span>. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non-text format containing updates can be signed directly. @@ -243,7 +242,7 @@ </dd> <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt> <dd><p> - When writing a signed zone to 'raw' format, set the "source serial" + When writing a signed zone to 'raw' format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) </p></dd> @@ -256,17 +255,17 @@ <dd> <p> The SOA serial number format of the signed zone. - Possible formats are <span><strong class="command">"keep"</strong></span> (default), - <span><strong class="command">"increment"</strong></span> and - <span><strong class="command">"unixtime"</strong></span>. + Possible formats are <span class="command"><strong>"keep"</strong></span> (default), + <span class="command"><strong>"increment"</strong></span> and + <span class="command"><strong>"unixtime"</strong></span>. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt> <dd><p>Do not modify the SOA serial number.</p></dd> -<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt> <dd><p>Increment the SOA serial number using RFC 1982 arithmetics.</p></dd> -<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt> <dd><p>Set the SOA serial number to the number of seconds since epoch.</p></dd> </dl></div> @@ -279,15 +278,15 @@ <dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt> <dd><p> The format of the output file containing the signed zone. - Possible formats are <span><strong class="command">"text"</strong></span> (default) - <span><strong class="command">"full"</strong></span>, which is text output in a + Possible formats are <span class="command"><strong>"text"</strong></span> (default) + <span class="command"><strong>"full"</strong></span>, which is text output in a format suitable for processing by external scripts, - and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>, + and <span class="command"><strong>"raw"</strong></span> or <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a binary format for rapid loading - by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span> + by <span class="command"><strong>named</strong></span>. <span class="command"><strong>"raw=N"</strong></span> specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of - <span><strong class="command">named</strong></span>; if N is 1, the file can be + <span class="command"><strong>named</strong></span>; if N is 1, the file can be read by release 9.9.0 or higher. The default is 1. </p></dd> <dt><span class="term">-p</span></dt> @@ -318,11 +317,11 @@ <p> Normally, when a previously-signed zone is passed as input to the signer, and a DNSKEY record has been removed and - replaced with a new one, signatures from the old key + replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset. The <code class="option">-Q</code> - forces <span><strong class="command">dnssec-signzone</strong></span> to remove + forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover"). @@ -335,7 +334,7 @@ </p> <p> This option is similar to <code class="option">-Q</code>, except it - forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from + forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.2 ("Double Signature Zone Signing Key Rollover"). @@ -356,7 +355,7 @@ <dt><span class="term">-S</span></dt> <dd> <p> - Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to + Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate. </p> @@ -366,7 +365,7 @@ rules. Each successive rule takes priority over the prior ones: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt></dt> <dd><p> If no timing metadata has been set for the key, the key is @@ -381,7 +380,7 @@ <dd><p> If the key's activation date is set and in the past, the key is published (regardless of publication date) and - used to sign the zone. + used to sign the zone. </p></dd> <dt></dt> <dd><p> @@ -421,7 +420,7 @@ zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. - Without this option, <span><strong class="command">dnssec-signzone</strong></span> will + Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will retain the existing chain when re-signing. </p></dd> <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> @@ -432,16 +431,16 @@ <dd><p> Only sign the DNSKEY RRset with key-signing keys, and omit signatures from zone-signing keys. (This is similar to the - <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in - <span><strong class="command">named</strong></span>.) + <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in + <span class="command"><strong>named</strong></span>.) </p></dd> <dt><span class="term">-z</span></dt> <dd><p> Ignore KSK flag on key when determining what to sign. This causes KSK-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the - <span><strong class="command">update-check-ksk no;</strong></span> zone option in - <span><strong class="command">named</strong></span>.) + <span class="command"><strong>update-check-ksk no;</strong></span> zone option in + <span class="command"><strong>named</strong></span>.) </p></dd> <dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt> <dd><p> @@ -482,23 +481,23 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2677686"></a><h2>EXAMPLE</h2> +<div class="refsection"> +<a name="id-1.14.12.9"></a><h2>EXAMPLE</h2> <p> The following command signs the <strong class="userinput"><code>example.com</code></strong> - zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> - (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option + zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span> + (Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option is not being used, the zone's keys must be in the master file (<code class="filename">db.example.com</code>). This invocation looks for <code class="filename">dsset</code> files, in the current directory, - so that DS records can be imported from them (<span><strong class="command">-g</strong></span>). + so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>). </p> <pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \ Kexample.com.+003+17247 db.example.com.signed %</pre> <p> - In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates + In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates the file <code class="filename">db.example.com.signed</code>. This file should be referenced in a zone statement in a <code class="filename">named.conf</code> file. @@ -512,18 +511,13 @@ db.example.com.signed db.example.com.signed %</pre> </div> -<div class="refsect1" lang="en"> -<a name="id2677765"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.12.10"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2677793"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -544,6 +538,6 @@ db.example.com.signed </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index be68c50abb56..3d1bb32254a9 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-verify</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone"> <link rel="next" href="man.named-checkconf.html" title="named-checkconf"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.dnssec-verify"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,17 +48,17 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2630077"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-verify</strong></span> +<div class="refsection"> +<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>dnssec-verify</strong></span> verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2630091"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.13.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> <dd><p> Specifies the DNS class of the zone. @@ -67,8 +66,8 @@ <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt> <dd><p> The format of the input zone file. - Possible formats are <span><strong class="command">"text"</strong></span> (default) - and <span><strong class="command">"raw"</strong></span>. + Possible formats are <span class="command"><strong>"text"</strong></span> (default) + and <span class="command"><strong>"raw"</strong></span>. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non-text format containing updates can be verified independently. @@ -95,7 +94,7 @@ will be signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone-signing keys. This corresponds to the <code class="option">-x</code> - option in <span><strong class="command">dnssec-signzone</strong></span>. + option in <span class="command"><strong>dnssec-signzone</strong></span>. </p></dd> <dt><span class="term">-z</span></dt> <dd> @@ -114,7 +113,7 @@ will be signed by a non-revoked key for the same algorithm that includes the self-signed key; the same key may be used for both purposes. This corresponds to the <code class="option">-z</code> - option in <span><strong class="command">dnssec-signzone</strong></span>. + option in <span class="command"><strong>dnssec-signzone</strong></span>. </p> </dd> <dt><span class="term">zonefile</span></dt> @@ -123,19 +122,14 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2635511"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.13.9"></a><h2>SEE ALSO</h2> <p> <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4033</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2635537"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -156,6 +150,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 5a8530d185f2..9552a57c7aa5 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>genrandom</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.arpaname.html" title="arpaname"> <link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.genrandom"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,18 +48,18 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2658873"></a><h2>DESCRIPTION</h2> +<div class="refsection"> +<a name="id-1.14.26.7"></a><h2>DESCRIPTION</h2> <p> - <span><strong class="command">genrandom</strong></span> + <span class="command"><strong>genrandom</strong></span> generates a file or a set of files containing a specified quantity of pseudo-random data, which can be used as a source of entropy for other commands on systems with no random device. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2658888"></a><h2>ARGUMENTS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.26.8"></a><h2>ARGUMENTS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt> <dd><p> In place of generating one file, generates <code class="option">number</code> @@ -76,18 +75,13 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2658949"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.26.9"></a><h2>SEE ALSO</h2> <p> <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>, <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2658976"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -108,6 +102,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index e36dba36545b..393de1676ca3 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>host</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dig.html" title="dig"> <link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.host"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,34 +48,34 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2613877"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">host</strong></span> +<div class="refsection"> +<a name="id-1.14.3.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>host</strong></span> is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, - <span><strong class="command">host</strong></span> + <span class="command"><strong>host</strong></span> prints a short summary of its command line arguments and options. </p> <p><em class="parameter"><code>name</code></em> is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited - IPv6 address, in which case <span><strong class="command">host</strong></span> will by + IPv6 address, in which case <span class="command"><strong>host</strong></span> will by default perform a reverse lookup for that address. <em class="parameter"><code>server</code></em> is an optional argument which is either - the name or IP address of the name server that <span><strong class="command">host</strong></span> + the name or IP address of the name server that <span class="command"><strong>host</strong></span> should query instead of the server or servers listed in <code class="filename">/etc/resolv.conf</code>. </p> <p> The <code class="option">-a</code> (all) option is equivalent to setting the - <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make + <code class="option">-v</code> option and asking <span class="command"><strong>host</strong></span> to make a query of type ANY. </p> <p> - When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span> + When the <code class="option">-C</code> option is used, <span class="command"><strong>host</strong></span> will attempt to display the SOA records for zone <em class="parameter"><code>name</code></em> from all the listed authoritative name @@ -90,7 +89,7 @@ Chaosnet class resource records. The default class is IN (Internet). </p> <p> - Verbose output is generated by <span><strong class="command">host</strong></span> when + Verbose output is generated by <span class="command"><strong>host</strong></span> when the <code class="option">-d</code> or <code class="option">-v</code> option is used. The two options are equivalent. They have been provided for backwards @@ -100,7 +99,7 @@ </p> <p> List mode is selected by the <code class="option">-l</code> option. This makes - <span><strong class="command">host</strong></span> perform a zone transfer for zone + <span class="command"><strong>host</strong></span> perform a zone transfer for zone <em class="parameter"><code>name</code></em>. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with <code class="option">-a</code> @@ -128,7 +127,7 @@ The number of UDP retries for a lookup can be changed with the <code class="option">-R</code> option. <em class="parameter"><code>number</code></em> indicates - how many times <span><strong class="command">host</strong></span> will repeat a query + how many times <span class="command"><strong>host</strong></span> will repeat a query that does not get answered. The default number of retries is 1. If <em class="parameter"><code>number</code></em> is negative or zero, the @@ -138,39 +137,39 @@ <p> Non-recursive queries can be made via the <code class="option">-r</code> option. Setting this option clears the <span class="type">RD</span> — recursion - desired — bit in the query which <span><strong class="command">host</strong></span> makes. + desired — bit in the query which <span class="command"><strong>host</strong></span> makes. This should mean that the name server receiving the query will not attempt to resolve <em class="parameter"><code>name</code></em>. The - <code class="option">-r</code> option enables <span><strong class="command">host</strong></span> + <code class="option">-r</code> option enables <span class="command"><strong>host</strong></span> to mimic the behavior of a name server by making non-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers. </p> <p> - By default, <span><strong class="command">host</strong></span> uses UDP when making + By default, <span class="command"><strong>host</strong></span> uses UDP when making queries. The <code class="option">-T</code> option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests. </p> <p> - The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only + The <code class="option">-4</code> option forces <span class="command"><strong>host</strong></span> to only use IPv4 query transport. The <code class="option">-6</code> option forces - <span><strong class="command">host</strong></span> to only use IPv6 query transport. + <span class="command"><strong>host</strong></span> to only use IPv6 query transport. </p> <p> The <code class="option">-t</code> option is used to select the query type. <em class="parameter"><code>type</code></em> can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, - <span><strong class="command">host</strong></span> automatically selects an appropriate + <span class="command"><strong>host</strong></span> automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the <code class="option">-C</code> option was given, queries will be made for SOA records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4 - address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will + address or colon-delimited IPv6 address, <span class="command"><strong>host</strong></span> will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. -t IXFR=12345678). @@ -178,18 +177,18 @@ <p> The time to wait for a reply can be controlled through the <code class="option">-W</code> and <code class="option">-w</code> options. The - <code class="option">-W</code> option makes <span><strong class="command">host</strong></span> + <code class="option">-W</code> option makes <span class="command"><strong>host</strong></span> wait for <em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em> is less than one, the wait interval is set to one second. When the - <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> + <code class="option">-w</code> option is used, <span class="command"><strong>host</strong></span> will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity. </p> <p> - The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> + The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span> <span class="emphasis"><em>not</em></span> to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior. @@ -201,31 +200,31 @@ <em class="parameter"><code>trace</code></em>. </p> <p> - The <code class="option">-V</code> option causes <span><strong class="command">host</strong></span> + The <code class="option">-V</code> option causes <span class="command"><strong>host</strong></span> to print the version number and exit. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2614336"></a><h2>IDN SUPPORT</h2> +<div class="refsection"> +<a name="id-1.14.3.8"></a><h2>IDN SUPPORT</h2> <p> - If <span><strong class="command">host</strong></span> has been built with IDN (internationalized - domain name) support, it can accept and display non-ASCII domain names. - <span><strong class="command">host</strong></span> appropriately converts character encoding of + If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized + domain name) support, it can accept and display non-ASCII domain names. + <span class="command"><strong>host</strong></span> appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the <code class="envar">IDN_DISABLE</code> environment variable. The IDN support is disabled if the variable is set when - <span><strong class="command">host</strong></span> runs. + <span class="command"><strong>host</strong></span> runs. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2614433"></a><h2>FILES</h2> +<div class="refsection"> +<a name="id-1.14.3.9"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2614446"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.3.10"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. </p> @@ -249,6 +248,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 20367ea677fd..ca78b731ef22 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>isc-hmac-fixup</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.genrandom.html" title="genrandom"> <link rel="next" href="man.nsec3hash.html" title="nsec3hash"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.isc-hmac-fixup"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,8 +48,8 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2619915"></a><h2>DESCRIPTION</h2> +<div class="refsection"> +<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2> <p> Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -62,11 +61,11 @@ <p> This bug has been fixed in BIND 9.7. However, the fix may cause incompatibility between older and newer versions of - BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span> + BIND, when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span> modifies those keys to restore compatibility. </p> <p> - To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and + To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and specify the key's algorithm and secret on the command line. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a @@ -75,10 +74,10 @@ printed without modification.) </p> </div> -<div class="refsect1" lang="en"> -<a name="id2659333"></a><h2>SECURITY CONSIDERATIONS</h2> +<div class="refsection"> +<a name="id-1.14.27.8"></a><h2>SECURITY CONSIDERATIONS</h2> <p> - Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span> + Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span> are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the @@ -86,18 +85,13 @@ strength." </p> </div> -<div class="refsect1" lang="en"> -<a name="id2659349"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.27.9"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2104</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2659366"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -118,6 +112,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html new file mode 100644 index 000000000000..f62e50157a25 --- /dev/null +++ b/doc/arm/man.lwresd.html @@ -0,0 +1,258 @@ +<!-- + - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwresd</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> +<link rel="prev" href="man.named.conf.html" title="named.conf"> +<link rel="next" href="man.named-journalprint.html" title="named-journalprint"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center"><span class="application">lwresd</span></th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="man.named.conf.html">Prev</a> </td> +<th width="60%" align="center">Manual pages</th> +<td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="refentry"> +<a name="man.lwresd"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">lwresd</span> — lightweight resolver daemon</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.18.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>lwresd</strong></span> + is the daemon providing name lookup + services to clients that use the BIND 9 lightweight resolver + library. It is essentially a stripped-down, caching-only name + server that answers queries using the BIND 9 lightweight + resolver protocol rather than the DNS protocol. + </p> +<p><span class="command"><strong>lwresd</strong></span> + listens for resolver queries on a + UDP port on the IPv4 loopback interface, 127.0.0.1. This + means that <span class="command"><strong>lwresd</strong></span> can only be used by + processes running on the local machine. By default, UDP port + number 921 is used for lightweight resolver requests and + responses. + </p> +<p> + Incoming lightweight resolver requests are decoded by the + server which then resolves them using the DNS protocol. When + the DNS lookup completes, <span class="command"><strong>lwresd</strong></span> encodes + the answers in the lightweight resolver format and returns + them to the client that made the request. + </p> +<p> + If <code class="filename">/etc/resolv.conf</code> contains any + <code class="option">nameserver</code> entries, <span class="command"><strong>lwresd</strong></span> + sends recursive DNS queries to those servers. This is similar + to the use of forwarders in a caching name server. If no + <code class="option">nameserver</code> entries are present, or if + forwarding fails, <span class="command"><strong>lwresd</strong></span> resolves the + queries autonomously starting at the root name servers, using + a built-in list of root server hints. + </p> +</div> +<div class="refsection"> +<a name="id-1.14.18.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term">-4</span></dt> +<dd><p> + Use IPv4 only even if the host machine is capable of IPv6. + <code class="option">-4</code> and <code class="option">-6</code> are mutually + exclusive. + </p></dd> +<dt><span class="term">-6</span></dt> +<dd><p> + Use IPv6 only even if the host machine is capable of IPv4. + <code class="option">-4</code> and <code class="option">-6</code> are mutually + exclusive. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the + configuration file instead of the default, + <code class="filename">/etc/lwresd.conf</code>. + + <code class="option">-c</code> can not be used with <code class="option">-C</code>. + </p></dd> +<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the + configuration file instead of the default, + <code class="filename">/etc/resolv.conf</code>. + <code class="option">-C</code> can not be used with <code class="option">-c</code>. + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> +<dd><p> + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span class="command"><strong>lwresd</strong></span> become + more verbose as the debug level increases. + </p></dd> +<dt><span class="term">-f</span></dt> +<dd><p> + Run the server in the foreground (i.e. do not daemonize). + </p></dd> +<dt><span class="term">-g</span></dt> +<dd><p> + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. + </p></dd> +<dt><span class="term">-i <em class="replaceable"><code>pid-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>pid-file</code></em> as the + PID file instead of the default, + <code class="filename">/var/run/lwresd/lwresd.pid</code>. + </p></dd> +<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt> +<dd><p> + Turn on memory usage debugging flags. Possible flags are + <em class="replaceable"><code>usage</code></em>, + <em class="replaceable"><code>trace</code></em>, + <em class="replaceable"><code>record</code></em>, + <em class="replaceable"><code>size</code></em>, and + <em class="replaceable"><code>mctx</code></em>. + These correspond to the ISC_MEM_DEBUGXXXX flags described in + <code class="filename"><isc/mem.h></code>. + </p></dd> +<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> +<dd><p> + Create <em class="replaceable"><code>#cpus</code></em> worker threads + to take advantage of multiple CPUs. If not specified, + <span class="command"><strong>lwresd</strong></span> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. + </p></dd> +<dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Listen for lightweight resolver queries on port + <em class="replaceable"><code>port</code></em>. If + not specified, the default is port 921. + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not + specified, the default is port 53. This provides a + way of testing the lightweight resolver daemon with a + name server that listens for queries on a non-standard + port number. + </p></dd> +<dt><span class="term">-s</span></dt> +<dd> +<p> + Write memory usage statistics to <code class="filename">stdout</code> + on exit. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </p> +</div> +</dd> +<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> +<dd> +<p>Chroot + to <em class="replaceable"><code>directory</code></em> after + processing the command line arguments, but before + reading the configuration file. + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <code class="function">chroot(2)</code> is + defined allows a process with root privileges to + escape a chroot jail. + </p> +</div> +</dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd><p>Setuid + to <em class="replaceable"><code>user</code></em> after completing + privileged operations, such as creating sockets that + listen on privileged ports. + </p></dd> +<dt><span class="term">-v</span></dt> +<dd><p> + Report the version number and exit. + </p></dd> +</dl></div> +</div> +<div class="refsection"> +<a name="id-1.14.18.9"></a><h2>FILES</h2> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt> +<dd><p> + The default configuration file. + </p></dd> +<dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt> +<dd><p> + The default process-id file. + </p></dd> +</dl></div> +</div> +<div class="refsection"> +<a name="id-1.14.18.10"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, + <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. + </p> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="man.named.conf.html">Prev</a> </td> +<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> +<td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top"> +<code class="filename">named.conf</code> </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span> +</td> +</tr> +</table> +</div> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> +</body> +</html> diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 0c888027eb3e..37495c1fdb9b 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named-checkconf</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify"> <link rel="next" href="man.named-checkzone.html" title="named-checkzone"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.named-checkconf"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,29 +48,29 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2635724"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">named-checkconf</strong></span> +<div class="refsection"> +<a name="id-1.14.14.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>named-checkconf</strong></span> checks the syntax, but not the semantics, of a - <span><strong class="command">named</strong></span> configuration file. The file is parsed + <span class="command"><strong>named</strong></span> configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified, <code class="filename">/etc/named.conf</code> is read by default. </p> <p> - Note: files that <span><strong class="command">named</strong></span> reads in separate + Note: files that <span class="command"><strong>named</strong></span> reads in separate parser contexts, such as <code class="filename">rndc.key</code> and <code class="filename">bind.keys</code>, are not automatically read - by <span><strong class="command">named-checkconf</strong></span>. Configuration - errors in these files may cause <span><strong class="command">named</strong></span> to - fail to run, even if <span><strong class="command">named-checkconf</strong></span> was - successful. <span><strong class="command">named-checkconf</strong></span> can be run + by <span class="command"><strong>named-checkconf</strong></span>. Configuration + errors in these files may cause <span class="command"><strong>named</strong></span> to + fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was + successful. <span class="command"><strong>named-checkconf</strong></span> can be run on these files explicitly, however. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2635795"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.14.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-h</span></dt> <dd><p> Print the usage summary and exit. @@ -84,7 +83,7 @@ </p></dd> <dt><span class="term">-v</span></dt> <dd><p> - Print the version of the <span><strong class="command">named-checkconf</strong></span> + Print the version of the <span class="command"><strong>named-checkconf</strong></span> program and exit. </p></dd> <dt><span class="term">-p</span></dt> @@ -118,25 +117,20 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2637179"></a><h2>RETURN VALUES</h2> -<p><span><strong class="command">named-checkconf</strong></span> +<div class="refsection"> +<a name="id-1.14.14.9"></a><h2>RETURN VALUES</h2> +<p><span class="command"><strong>named-checkconf</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2637193"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.14.10"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2637223"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -157,6 +151,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index beb1273e27c6..244371986067 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named-checkzone</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.named-checkconf.html" title="named-checkconf"> <link rel="next" href="man.named.html" title="named"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.named-checkzone"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -50,29 +49,29 @@ <div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div> <div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2680250"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">named-checkzone</strong></span> +<div class="refsection"> +<a name="id-1.14.15.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>named-checkzone</strong></span> checks the syntax and integrity of a zone file. It performs the - same checks as <span><strong class="command">named</strong></span> does when loading a - zone. This makes <span><strong class="command">named-checkzone</strong></span> useful for + same checks as <span class="command"><strong>named</strong></span> does when loading a + zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for checking zone files before configuring them into a name server. </p> <p> - <span><strong class="command">named-compilezone</strong></span> is similar to - <span><strong class="command">named-checkzone</strong></span>, but it always dumps the + <span class="command"><strong>named-compilezone</strong></span> is similar to + <span class="command"><strong>named-checkzone</strong></span>, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file - loaded by <span><strong class="command">named</strong></span>. + loaded by <span class="command"><strong>named</strong></span>. When manually specified otherwise, the check levels must at least be as strict as those specified in the - <span><strong class="command">named</strong></span> configuration file. + <span class="command"><strong>named</strong></span> configuration file. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2680300"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.15.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-d</span></dt> <dd><p> Enable debugging. @@ -87,7 +86,7 @@ </p></dd> <dt><span class="term">-v</span></dt> <dd><p> - Print the version of the <span><strong class="command">named-checkzone</strong></span> + Print the version of the <span class="command"><strong>named-checkzone</strong></span> program and exit. </p></dd> <dt><span class="term">-j</span></dt> @@ -102,133 +101,133 @@ <dd> <p> Perform post-load zone integrity checks. Possible modes are - <span><strong class="command">"full"</strong></span> (default), - <span><strong class="command">"full-sibling"</strong></span>, - <span><strong class="command">"local"</strong></span>, - <span><strong class="command">"local-sibling"</strong></span> and - <span><strong class="command">"none"</strong></span>. + <span class="command"><strong>"full"</strong></span> (default), + <span class="command"><strong>"full-sibling"</strong></span>, + <span class="command"><strong>"local"</strong></span>, + <span class="command"><strong>"local-sibling"</strong></span> and + <span class="command"><strong>"none"</strong></span>. </p> <p> - Mode <span><strong class="command">"full"</strong></span> checks that MX records + Mode <span class="command"><strong>"full"</strong></span> checks that MX records refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode <span><strong class="command">"local"</strong></span> only + hostnames). Mode <span class="command"><strong>"local"</strong></span> only checks MX records which refer to in-zone hostnames. </p> <p> - Mode <span><strong class="command">"full"</strong></span> checks that SRV records + Mode <span class="command"><strong>"full"</strong></span> checks that SRV records refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode <span><strong class="command">"local"</strong></span> only + hostnames). Mode <span class="command"><strong>"local"</strong></span> only checks SRV records which refer to in-zone hostnames. </p> <p> - Mode <span><strong class="command">"full"</strong></span> checks that delegation NS + Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS records refer to A or AAAA record (both in-zone and out-of-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. - Mode <span><strong class="command">"local"</strong></span> only checks NS records which + Mode <span class="command"><strong>"local"</strong></span> only checks NS records which refer to in-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone. </p> <p> - Mode <span><strong class="command">"full-sibling"</strong></span> and - <span><strong class="command">"local-sibling"</strong></span> disable sibling glue - checks but are otherwise the same as <span><strong class="command">"full"</strong></span> - and <span><strong class="command">"local"</strong></span> respectively. + Mode <span class="command"><strong>"full-sibling"</strong></span> and + <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue + checks but are otherwise the same as <span class="command"><strong>"full"</strong></span> + and <span class="command"><strong>"local"</strong></span> respectively. </p> <p> - Mode <span><strong class="command">"none"</strong></span> disables the checks. + Mode <span class="command"><strong>"none"</strong></span> disables the checks. </p> </dd> <dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt> <dd><p> Specify the format of the zone file. - Possible formats are <span><strong class="command">"text"</strong></span> (default) - and <span><strong class="command">"raw"</strong></span>. + Possible formats are <span class="command"><strong>"text"</strong></span> (default) + and <span class="command"><strong>"raw"</strong></span>. </p></dd> <dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt> <dd> <p> Specify the format of the output file specified. - For <span><strong class="command">named-checkzone</strong></span>, + For <span class="command"><strong>named-checkzone</strong></span>, this does not cause any effects unless it dumps the zone contents. </p> <p> - Possible formats are <span><strong class="command">"text"</strong></span> (default) - and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>, + Possible formats are <span class="command"><strong>"text"</strong></span> (default) + and <span class="command"><strong>"raw"</strong></span> or <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a binary format for rapid loading - by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span> + by <span class="command"><strong>named</strong></span>. <span class="command"><strong>"raw=N"</strong></span> specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of - <span><strong class="command">named</strong></span>; if N is 1, the file can be read + <span class="command"><strong>named</strong></span>; if N is 1, the file can be read by release 9.9.0 or higher. The default is 1. </p> </dd> <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> - Perform <span><strong class="command">"check-names"</strong></span> checks with the + Perform <span class="command"><strong>"check-names"</strong></span> checks with the specified failure mode. - Possible modes are <span><strong class="command">"fail"</strong></span> - (default for <span><strong class="command">named-compilezone</strong></span>), - <span><strong class="command">"warn"</strong></span> - (default for <span><strong class="command">named-checkzone</strong></span>) and - <span><strong class="command">"ignore"</strong></span>. + Possible modes are <span class="command"><strong>"fail"</strong></span> + (default for <span class="command"><strong>named-compilezone</strong></span>), + <span class="command"><strong>"warn"</strong></span> + (default for <span class="command"><strong>named-checkzone</strong></span>) and + <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt> <dd><p> - When compiling a zone to 'raw' format, set the "source serial" + When compiling a zone to 'raw' format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) </p></dd> <dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> Specify whether MX records should be checked to see if they - are addresses. Possible modes are <span><strong class="command">"fail"</strong></span>, - <span><strong class="command">"warn"</strong></span> (default) and - <span><strong class="command">"ignore"</strong></span>. + are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>, + <span class="command"><strong>"warn"</strong></span> (default) and + <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> Check if a MX record refers to a CNAME. - Possible modes are <span><strong class="command">"fail"</strong></span>, - <span><strong class="command">"warn"</strong></span> (default) and - <span><strong class="command">"ignore"</strong></span>. + Possible modes are <span class="command"><strong>"fail"</strong></span>, + <span class="command"><strong>"warn"</strong></span> (default) and + <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> Specify whether NS records should be checked to see if they are addresses. - Possible modes are <span><strong class="command">"fail"</strong></span> - (default for <span><strong class="command">named-compilezone</strong></span>), - <span><strong class="command">"warn"</strong></span> - (default for <span><strong class="command">named-checkzone</strong></span>) and - <span><strong class="command">"ignore"</strong></span>. + Possible modes are <span class="command"><strong>"fail"</strong></span> + (default for <span class="command"><strong>named-compilezone</strong></span>), + <span class="command"><strong>"warn"</strong></span> + (default for <span class="command"><strong>named-checkzone</strong></span>) and + <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt> <dd><p> Write zone output to <code class="filename">filename</code>. If <code class="filename">filename</code> is <code class="filename">-</code> then write to standard out. - This is mandatory for <span><strong class="command">named-compilezone</strong></span>. + This is mandatory for <span class="command"><strong>named-compilezone</strong></span>. </p></dd> <dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> Check for records that are treated as different by DNSSEC but - are semantically equal in plain DNS. - Possible modes are <span><strong class="command">"fail"</strong></span>, - <span><strong class="command">"warn"</strong></span> (default) and - <span><strong class="command">"ignore"</strong></span>. + are semantically equal in plain DNS. + Possible modes are <span class="command"><strong>"fail"</strong></span>, + <span class="command"><strong>"warn"</strong></span> (default) and + <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt> <dd><p> Specify the style of the dumped zone file. - Possible styles are <span><strong class="command">"full"</strong></span> (default) - and <span><strong class="command">"relative"</strong></span>. + Possible styles are <span class="command"><strong>"full"</strong></span> (default) + and <span class="command"><strong>"relative"</strong></span>. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human-readable and is thus suitable for editing by hand. - For <span><strong class="command">named-checkzone</strong></span> + For <span class="command"><strong>named-checkzone</strong></span> this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format @@ -237,9 +236,9 @@ <dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> Check if a SRV record refers to a CNAME. - Possible modes are <span><strong class="command">"fail"</strong></span>, - <span><strong class="command">"warn"</strong></span> (default) and - <span><strong class="command">"ignore"</strong></span>. + Possible modes are <span class="command"><strong>"fail"</strong></span>, + <span class="command"><strong>"warn"</strong></span> (default) and + <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> @@ -252,8 +251,8 @@ <dd><p> Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is - not also present. Possible modes are <span><strong class="command">"warn"</strong></span> - (default), <span><strong class="command">"ignore"</strong></span>. + not also present. Possible modes are <span class="command"><strong>"warn"</strong></span> + (default), <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> @@ -266,16 +265,16 @@ <dt><span class="term">-D</span></dt> <dd><p> Dump zone file in canonical format. - This is always enabled for <span><strong class="command">named-compilezone</strong></span>. + This is always enabled for <span class="command"><strong>named-compilezone</strong></span>. </p></dd> <dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> Specify whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). - Possible modes are <span><strong class="command">"warn"</strong></span> (default) + Possible modes are <span class="command"><strong>"warn"</strong></span> (default) and - <span><strong class="command">"ignore"</strong></span>. + <span class="command"><strong>"ignore"</strong></span>. </p></dd> <dt><span class="term">zonename</span></dt> <dd><p> @@ -287,26 +286,21 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2681141"></a><h2>RETURN VALUES</h2> -<p><span><strong class="command">named-checkzone</strong></span> +<div class="refsection"> +<a name="id-1.14.15.9"></a><h2>RETURN VALUES</h2> +<p><span class="command"><strong>named-checkzone</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2681155"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.15.10"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>, <em class="citetitle">RFC 1035</em>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2681188"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -327,6 +321,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 237f6c750131..74ccac0a9d6a 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -14,15 +14,14 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named-journalprint</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> -<link rel="prev" href="man.named.html" title="named"> +<link rel="prev" href="man.lwresd.html" title="lwresd"> <link rel="next" href="man.nsupdate.html" title="nsupdate"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> @@ -31,7 +30,7 @@ <tr><th colspan="3" align="center"><span class="application">named-journalprint</span></th></tr> <tr> <td width="20%" align="left"> -<a accesskey="p" href="man.named.html">Prev</a> </td> +<a accesskey="p" href="man.lwresd.html">Prev</a> </td> <th width="60%" align="center">Manual pages</th> <td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a> </td> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.named-journalprint"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,17 +48,17 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2617477"></a><h2>DESCRIPTION</h2> +<div class="refsection"> +<a name="id-1.14.19.7"></a><h2>DESCRIPTION</h2> <p> - <span><strong class="command">named-journalprint</strong></span> + <span class="command"><strong>named-journalprint</strong></span> prints the contents of a zone journal file in a human-readable - form. + form. </p> <p> - Journal files are automatically created by <span><strong class="command">named</strong></span> + Journal files are automatically created by <span class="command"><strong>named</strong></span> when changes are made to dynamic zones (e.g., by - <span><strong class="command">nsupdate</strong></span>). They record each addition + <span class="command"><strong>nsupdate</strong></span>). They record each addition or deletion of a resource record, in binary format, allowing the changes to be re-applied to the zone when the server is restarted after a shutdown or crash. By default, the name of @@ -68,46 +67,41 @@ zone file. </p> <p> - <span><strong class="command">named-journalprint</strong></span> converts the contents of a given + <span class="command"><strong>named-journalprint</strong></span> converts the contents of a given journal file into a human-readable text format. Each line begins with "add" or "del", to indicate whether the record was added or deleted, and continues with the resource record in master-file format. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2643532"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.19.8"></a><h2>SEE ALSO</h2> <p> <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2643563"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> <table width="100%" summary="Navigation footer"> <tr> <td width="40%" align="left"> -<a accesskey="p" href="man.named.html">Prev</a> </td> +<a accesskey="p" href="man.lwresd.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> <td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a> </td> </tr> <tr> <td width="40%" align="left" valign="top"> -<span class="application">named</span> </td> +<span class="application">lwresd</span> </td> <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> <td width="40%" align="right" valign="top"> <span class="application">nsupdate</span> </td> </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html new file mode 100644 index 000000000000..8242a0e28107 --- /dev/null +++ b/doc/arm/man.named.conf.html @@ -0,0 +1,677 @@ +<!-- + - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>named.conf</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> +<link rel="prev" href="man.named.html" title="named"> +<link rel="next" href="man.lwresd.html" title="lwresd"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center"><code class="filename">named.conf</code></th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="man.named.html">Prev</a> </td> +<th width="60%" align="center">Manual pages</th> +<td width="20%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="refentry"> +<a name="man.named.conf"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><code class="filename">named.conf</code> — configuration file for named</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2> +<p><code class="filename">named.conf</code> is the configuration file + for + <span class="command"><strong>named</strong></span>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. The usual + comment styles are supported: + </p> +<p> + C style: /* */ + </p> +<p> + C++ style: // to end of line + </p> +<p> + Unix style: # to end of line + </p> +</div> +<div class="refsection"> +<a name="id-1.14.17.8"></a><h2>ACL</h2> +<div class="literallayout"><p><br> +acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> +<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.9"></a><h2>KEY</h2> +<div class="literallayout"><p><br> +key <em class="replaceable"><code>domain_name</code></em> {<br> + algorithm <em class="replaceable"><code>string</code></em>;<br> + secret <em class="replaceable"><code>string</code></em>;<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.10"></a><h2>MASTERS</h2> +<div class="literallayout"><p><br> +masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> + <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.11"></a><h2>SERVER</h2> +<div class="literallayout"><p><br> +server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br> + bogus <em class="replaceable"><code>boolean</code></em>;<br> + edns <em class="replaceable"><code>boolean</code></em>;<br> + edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> + provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br> + request-ixfr <em class="replaceable"><code>boolean</code></em>;<br> + keys <em class="replaceable"><code>server_key</code></em>;<br> + transfers <em class="replaceable"><code>integer</code></em>;<br> + transfer-format ( many-answers | one-answer );<br> + transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> +<br> + support-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.12"></a><h2>TRUSTED-KEYS</h2> +<div class="literallayout"><p><br> +trusted-keys {<br> + <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.13"></a><h2>MANAGED-KEYS</h2> +<div class="literallayout"><p><br> +managed-keys {<br> + <em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.14"></a><h2>CONTROLS</h2> +<div class="literallayout"><p><br> +controls {<br> + inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br> + allow { <em class="replaceable"><code>address_match_element</code></em>; ... }<br> + [<span class="optional"> keys { <em class="replaceable"><code>string</code></em>; ... } </span>];<br> + unix <em class="replaceable"><code>unsupported</code></em>; // not implemented<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.15"></a><h2>LOGGING</h2> +<div class="literallayout"><p><br> +logging {<br> + channel <em class="replaceable"><code>string</code></em> {<br> + file <em class="replaceable"><code>log_file</code></em>;<br> + syslog <em class="replaceable"><code>optional_facility</code></em>;<br> + null;<br> + stderr;<br> + severity <em class="replaceable"><code>log_severity</code></em>;<br> + print-time <em class="replaceable"><code>boolean</code></em>;<br> + print-severity <em class="replaceable"><code>boolean</code></em>;<br> + print-category <em class="replaceable"><code>boolean</code></em>;<br> + };<br> + category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.16"></a><h2>LWRES</h2> +<div class="literallayout"><p><br> +lwres {<br> + listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br> + };<br> + view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em>;<br> + search { <em class="replaceable"><code>string</code></em>; ... };<br> + ndots <em class="replaceable"><code>integer</code></em>;<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.17"></a><h2>OPTIONS</h2> +<div class="literallayout"><p><br> +options {<br> + avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br> + avoid-v6-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br> + blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + coresize <em class="replaceable"><code>size</code></em>;<br> + datasize <em class="replaceable"><code>size</code></em>;<br> + directory <em class="replaceable"><code>quoted_string</code></em>;<br> + dump-file <em class="replaceable"><code>quoted_string</code></em>;<br> + files <em class="replaceable"><code>size</code></em>;<br> + heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br> + host-statistics <em class="replaceable"><code>boolean</code></em>; // not implemented<br> + host-statistics-max <em class="replaceable"><code>number</code></em>; // not implemented<br> + hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br> + interface-interval <em class="replaceable"><code>integer</code></em>;<br> + listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br> + memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br> + pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br> + port <em class="replaceable"><code>integer</code></em>;<br> + querylog <em class="replaceable"><code>boolean</code></em>;<br> + recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br> + reserved-sockets <em class="replaceable"><code>integer</code></em>;<br> + random-device <em class="replaceable"><code>quoted_string</code></em>;<br> + recursive-clients <em class="replaceable"><code>integer</code></em>;<br> + serial-query-rate <em class="replaceable"><code>integer</code></em>;<br> + server-id ( <em class="replaceable"><code>quoted_string</code></em> | hostname | none );<br> + stacksize <em class="replaceable"><code>size</code></em>;<br> + statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br> + statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br> + tcp-clients <em class="replaceable"><code>integer</code></em>;<br> + tcp-listen-queue <em class="replaceable"><code>integer</code></em>;<br> + tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br> + tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br> + tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br> + tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br> + transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br> + transfers-in <em class="replaceable"><code>integer</code></em>;<br> + transfers-out <em class="replaceable"><code>integer</code></em>;<br> + version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br> + allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br> + auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br> + minimal-responses <em class="replaceable"><code>boolean</code></em>;<br> + recursion <em class="replaceable"><code>boolean</code></em>;<br> + rrset-order {<br> + [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br> + [<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br> + };<br> + provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br> + request-ixfr <em class="replaceable"><code>boolean</code></em>;<br> + rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> + additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br> + additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br> + query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br> + queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br> + queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br> + cleaning-interval <em class="replaceable"><code>integer</code></em>;<br> + resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br> + min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br> + lame-ttl <em class="replaceable"><code>integer</code></em>;<br> + max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br> + max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br> + transfer-format ( many-answers | one-answer );<br> + max-cache-size <em class="replaceable"><code>size</code></em>;<br> + max-acache-size <em class="replaceable"><code>size</code></em>;<br> + clients-per-query <em class="replaceable"><code>number</code></em>;<br> + max-clients-per-query <em class="replaceable"><code>number</code></em>;<br> + check-names ( master | slave | response )<br> + ( fail | warn | ignore );<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> + cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> + suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> + preferred-glue <em class="replaceable"><code>string</code></em>;<br> + dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> + <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> + <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br> + };<br> + edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> + root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br> + disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br> + dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br> + dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br> +<br> + dns64-server <em class="replaceable"><code>string</code></em>;<br> + dns64-contact <em class="replaceable"><code>string</code></em>;<br> + dns64 <em class="replaceable"><code>prefix</code></em> {<br> + clients { <span style="color: red"><replacable>acl</replacable></span>; };<br> + exclude { <span style="color: red"><replacable>acl</replacable></span>; };<br> + mapped { <span style="color: red"><replacable>acl</replacable></span>; };<br> + break-dnssec <em class="replaceable"><code>boolean</code></em>;<br> + recursive-only <em class="replaceable"><code>boolean</code></em>;<br> + suffix <em class="replaceable"><code>ipv6_address</code></em>;<br> + };<br> +<br> + empty-server <em class="replaceable"><code>string</code></em>;<br> + empty-contact <em class="replaceable"><code>string</code></em>;<br> + empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br> + disable-empty-zone <em class="replaceable"><code>string</code></em>;<br> +<br> + dialup <em class="replaceable"><code>dialuptype</code></em>;<br> + ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br> +<br> + allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br> +<br> + masterfile-format ( text | raw );<br> + notify <em class="replaceable"><code>notifytype</code></em>;<br> + notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> + notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br> + also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> + [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br> + [<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br> + allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> +<br> + forward ( first | only );<br> + forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br> + };<br> +<br> + max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br> + max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br> + max-retry-time <em class="replaceable"><code>integer</code></em>;<br> + min-retry-time <em class="replaceable"><code>integer</code></em>;<br> + max-refresh-time <em class="replaceable"><code>integer</code></em>;<br> + min-refresh-time <em class="replaceable"><code>integer</code></em>;<br> + multi-master <em class="replaceable"><code>boolean</code></em>;<br> +<br> + sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br> + sig-re-signing-interval <em class="replaceable"><code>integer</code></em>;<br> + sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br> + sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br> + sig-signing-type <em class="replaceable"><code>integer</code></em>;<br> +<br> + transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> +<br> + alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br> +<br> + zone-statistics <em class="replaceable"><code>boolean</code></em>;<br> + key-directory <em class="replaceable"><code>quoted_string</code></em>;<br> + managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br> + auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>;<br> + try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> + zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br> + deny-answer-addresses {<br> + <em class="replaceable"><code>address_match_list</code></em><br> + } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br> + deny-answer-aliases {<br> + <em class="replaceable"><code>namelist</code></em><br> + } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br> +<br> + nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // testing only<br> +<br> + allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br> + deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + has-old-clients <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br> + multiple-cnames <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + named-xfer <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br> + serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br> + treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + use-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.18"></a><h2>VIEW</h2> +<div class="literallayout"><p><br> +view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> + match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br> +<br> + key <em class="replaceable"><code>string</code></em> {<br> + algorithm <em class="replaceable"><code>string</code></em>;<br> + secret <em class="replaceable"><code>string</code></em>;<br> + };<br> +<br> + zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> + ...<br> + };<br> +<br> + server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br> + ...<br> + };<br> +<br> + trusted-keys {<br> + <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br> + [<span class="optional">...</span>]<br> + };<br> +<br> + allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br> + auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br> + minimal-responses <em class="replaceable"><code>boolean</code></em>;<br> + recursion <em class="replaceable"><code>boolean</code></em>;<br> + rrset-order {<br> + [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br> + [<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br> + };<br> + provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br> + request-ixfr <em class="replaceable"><code>boolean</code></em>;<br> + rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> + additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br> + additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br> + query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br> + queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br> + queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br> + cleaning-interval <em class="replaceable"><code>integer</code></em>;<br> + resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br> + min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br> + lame-ttl <em class="replaceable"><code>integer</code></em>;<br> + max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br> + max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br> + transfer-format ( many-answers | one-answer );<br> + max-cache-size <em class="replaceable"><code>size</code></em>;<br> + max-acache-size <em class="replaceable"><code>size</code></em>;<br> + clients-per-query <em class="replaceable"><code>number</code></em>;<br> + max-clients-per-query <em class="replaceable"><code>number</code></em>;<br> + check-names ( master | slave | response )<br> + ( fail | warn | ignore );<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> + cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> + suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> + preferred-glue <em class="replaceable"><code>string</code></em>;<br> + dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> + <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> + <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br> + };<br> + edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> + root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br> + disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br> + dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br> + dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br> +<br> + dns64-server <em class="replaceable"><code>string</code></em>;<br> + dns64-contact <em class="replaceable"><code>string</code></em>;<br> + dns64 <em class="replaceable"><code>prefix</code></em> {<br> + clients { <span style="color: red"><replacable>acl</replacable></span>; };<br> + exclude { <span style="color: red"><replacable>acl</replacable></span>; };<br> + mapped { <span style="color: red"><replacable>acl</replacable></span>; };<br> + break-dnssec <em class="replaceable"><code>boolean</code></em>;<br> + recursive-only <em class="replaceable"><code>boolean</code></em>;<br> + suffix <em class="replaceable"><code>ipv6_address</code></em>;<br> + };<br> +<br> + empty-server <em class="replaceable"><code>string</code></em>;<br> + empty-contact <em class="replaceable"><code>string</code></em>;<br> + empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br> + disable-empty-zone <em class="replaceable"><code>string</code></em>;<br> +<br> + dialup <em class="replaceable"><code>dialuptype</code></em>;<br> + ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br> +<br> + allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br> +<br> + masterfile-format ( text | raw );<br> + notify <em class="replaceable"><code>notifytype</code></em>;<br> + notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> + notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br> + also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> + [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br> + [<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br> + allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> +<br> + forward ( first | only );<br> + forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br> + };<br> +<br> + max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br> + max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br> + max-retry-time <em class="replaceable"><code>integer</code></em>;<br> + min-retry-time <em class="replaceable"><code>integer</code></em>;<br> + max-refresh-time <em class="replaceable"><code>integer</code></em>;<br> + min-refresh-time <em class="replaceable"><code>integer</code></em>;<br> + multi-master <em class="replaceable"><code>boolean</code></em>;<br> + sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br> +<br> + transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> +<br> + alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br> +<br> + zone-statistics <em class="replaceable"><code>boolean</code></em>;<br> + try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br> + key-directory <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> + zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br> +<br> + allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br> + fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.19"></a><h2>ZONE</h2> +<div class="literallayout"><p><br> +zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> + type ( master | slave | stub | hint | redirect |<br> + forward | delegation-only );<br> + file <em class="replaceable"><code>quoted_string</code></em>;<br> +<br> + masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>masters</code></em> |<br> + <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> + <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br> + };<br> +<br> + database <em class="replaceable"><code>string</code></em>;<br> + delegation-only <em class="replaceable"><code>boolean</code></em>;<br> + check-names ( fail | warn | ignore );<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> + dialup <em class="replaceable"><code>dialuptype</code></em>;<br> + ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br> + journal <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br> +<br> + allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + update-policy <em class="replaceable"><code>local</code></em> | <em class="replaceable"><code> {<br> + ( grant | deny ) <em class="replaceable"><code>string</code></em><br> + ( name | subdomain | wildcard | self | selfsub | selfwild |<br> + krb5-self | ms-self | krb5-subdomain | ms-subdomain |<br> + tcp-self | zonesub | 6to4-self ) <em class="replaceable"><code>string</code></em><br> + <em class="replaceable"><code>rrtypelist</code></em>;<br> + [<span class="optional">...</span>]<br> + }</code></em>;<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br> +<br> + masterfile-format ( text | raw );<br> + notify <em class="replaceable"><code>notifytype</code></em>;<br> + notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> + notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br> + also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> + [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br> + [<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br> + allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> +<br> + forward ( first | only );<br> + forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> + ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br> + };<br> +<br> + max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br> + max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br> + max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br> + max-retry-time <em class="replaceable"><code>integer</code></em>;<br> + min-retry-time <em class="replaceable"><code>integer</code></em>;<br> + max-refresh-time <em class="replaceable"><code>integer</code></em>;<br> + min-refresh-time <em class="replaceable"><code>integer</code></em>;<br> + multi-master <em class="replaceable"><code>boolean</code></em>;<br> + request-ixfr <em class="replaceable"><code>boolean</code></em>;<br> + sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br> +<br> + transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> +<br> + alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br> + [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br> +<br> + zone-statistics <em class="replaceable"><code>boolean</code></em>;<br> + try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br> + key-directory <em class="replaceable"><code>quoted_string</code></em>;<br> +<br> + nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // testing only<br> +<br> + ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br> + ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br> + maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br> + max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br> + pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br> +};<br> +</p></div> +</div> +<div class="refsection"> +<a name="id-1.14.17.20"></a><h2>FILES</h2> +<p><code class="filename">/etc/named.conf</code> + </p> +</div> +<div class="refsection"> +<a name="id-1.14.17.21"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="man.named.html">Prev</a> </td> +<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> +<td width="40%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top"> +<span class="application">named</span> </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> <span class="application">lwresd</span> +</td> +</tr> +</table> +</div> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> +</body> +</html> diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 7090ece74fe4..ddcf66271593 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,16 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.named-checkzone.html" title="named-checkzone"> -<link rel="next" href="man.named-journalprint.html" title="named-journalprint"> +<link rel="next" href="man.named.conf.html" title="named.conf"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> <div class="navheader"> @@ -33,13 +32,13 @@ <td width="20%" align="left"> <a accesskey="p" href="man.named-checkzone.html">Prev</a> </td> <th width="60%" align="center">Manual pages</th> -<td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a> +<td width="20%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a> </td> </tr> </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.named"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,24 +48,24 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-M <em class="replaceable"><code>option</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2642459"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">named</strong></span> +<div class="refsection"> +<a name="id-1.14.16.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>named</strong></span> is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035. </p> <p> - When invoked without arguments, <span><strong class="command">named</strong></span> + When invoked without arguments, <span class="command"><strong>named</strong></span> will read the default configuration file <code class="filename">/etc/named.conf</code>, read any initial data, and listen for queries. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2642490"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.16.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-4</span></dt> <dd><p> Use IPv4 only even if the host machine is capable of IPv6. @@ -94,7 +93,7 @@ <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> <dd><p> Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. - Debugging traces from <span><strong class="command">named</strong></span> become + Debugging traces from <span class="command"><strong>named</strong></span> become more verbose as the debug level increases. </p></dd> <dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt> @@ -137,7 +136,7 @@ <dd><p> Create <em class="replaceable"><code>#cpus</code></em> worker threads to take advantage of multiple CPUs. If not specified, - <span><strong class="command">named</strong></span> will try to determine the + <span class="command"><strong>named</strong></span> will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. @@ -163,7 +162,7 @@ <dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt> <dd> <p> - Allow <span><strong class="command">named</strong></span> to use up to + Allow <span class="command"><strong>named</strong></span> to use up to <em class="replaceable"><code>#max-socks</code></em> sockets. </p> <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -180,7 +179,7 @@ specified number of sockets. Note also that the actual maximum number is normally a little fewer than the specified value because - <span><strong class="command">named</strong></span> reserves some file descriptors + <span class="command"><strong>named</strong></span> reserves some file descriptors for its internal use. </p> </div> @@ -208,13 +207,16 @@ <dd><p> Use <em class="replaceable"><code>#listeners</code></em> worker threads to listen for incoming UDP packets on each - address. If not specified, <span><strong class="command">named</strong></span> will + address. If not specified, <span class="command"><strong>named</strong></span> will calculate a default value based on the number of detected - CPUs: 1 for 1 CPU, 2 for 2-4 CPUs, and the number of - detected CPUs divided by 2 for values higher than 4. + CPUs: 1 for 1 CPU, and the number of detected CPUs + minus one for machines with more than 1 CPU. This cannot + be increased to a value higher than the number of CPUs. If <code class="option">-n</code> has been set to a higher value than the number of detected CPUs, then <code class="option">-U</code> may be increased as high as that value, but no higher. + On Windows, the number of UDP listeners is hardwired to 1 + and this option has no effect. </p></dd> <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> <dd> @@ -226,13 +228,13 @@ <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - On Linux, <span><strong class="command">named</strong></span> uses the kernel's + On Linux, <span class="command"><strong>named</strong></span> uses the kernel's capability mechanism to drop all root privileges except the ability to <code class="function">bind(2)</code> to a privileged port and set process resource limits. Unfortunately, this means that the <code class="option">-u</code> - option only works when <span><strong class="command">named</strong></span> is + option only works when <span class="command"><strong>named</strong></span> is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges @@ -265,14 +267,14 @@ </dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2681466"></a><h2>SIGNALS</h2> +<div class="refsection"> +<a name="id-1.14.16.9"></a><h2>SIGNALS</h2> <p> In routine operation, signals should not be used to control - the nameserver; <span><strong class="command">rndc</strong></span> should be used + the nameserver; <span class="command"><strong>rndc</strong></span> should be used instead. </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">SIGHUP</span></dt> <dd><p> Force a reload of the server. @@ -286,26 +288,26 @@ The result of sending any other signals to the server is undefined. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2681585"></a><h2>CONFIGURATION</h2> +<div class="refsection"> +<a name="id-1.14.16.10"></a><h2>CONFIGURATION</h2> <p> - The <span><strong class="command">named</strong></span> configuration file is too complex + The <span class="command"><strong>named</strong></span> configuration file is too complex to describe in detail here. A complete description is provided in the <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> <p> - <span><strong class="command">named</strong></span> inherits the <code class="function">umask</code> + <span class="command"><strong>named</strong></span> inherits the <code class="function">umask</code> (file creation mode mask) from the parent process. If files - created by <span><strong class="command">named</strong></span>, such as journal files, + created by <span class="command"><strong>named</strong></span>, such as journal files, need to have custom permissions, the <code class="function">umask</code> should be set explicitly in the script used to start the - <span><strong class="command">named</strong></span> process. + <span class="command"><strong>named</strong></span> process. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2681634"></a><h2>FILES</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.16.11"></a><h2>FILES</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt> <dd><p> The default configuration file. @@ -316,8 +318,8 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2681677"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.16.12"></a><h2>SEE ALSO</h2> <p><em class="citetitle">RFC 1033</em>, <em class="citetitle">RFC 1034</em>, <em class="citetitle">RFC 1035</em>, @@ -329,11 +331,6 @@ <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2681748"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -342,18 +339,18 @@ <td width="40%" align="left"> <a accesskey="p" href="man.named-checkzone.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> -<td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a> +<td width="40%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a> </td> </tr> <tr> <td width="40%" align="left" valign="top"> <span class="application">named-checkzone</span> </td> <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> -<td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span> +<td width="40%" align="right" valign="top"> <code class="filename">named.conf</code> </td> </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 83c712ba03e0..ef3b6cdd8d2a 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>nsec3hash</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup"> </head> @@ -37,7 +36,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.nsec3hash"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -47,17 +46,17 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2659411"></a><h2>DESCRIPTION</h2> +<div class="refsection"> +<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2> <p> - <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on + <span class="command"><strong>nsec3hash</strong></span> generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity of NSEC3 records in a signed zone. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2659426"></a><h2>ARGUMENTS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.28.8"></a><h2>ARGUMENTS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">salt</span></dt> <dd><p> The salt provided to the hash algorithm. @@ -79,18 +78,13 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2659488"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.28.9"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 5155</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2659505"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -109,6 +103,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 4462acb91d81..45b5b31701a8 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>nsupdate</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.named-journalprint.html" title="named-journalprint"> <link rel="next" href="man.rndc.html" title="rndc"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.nsupdate"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,9 +48,9 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [<code class="option">-L <em class="replaceable"><code>level</code></em></code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [filename]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2644203"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">nsupdate</strong></span> +<div class="refsection"> +<a name="id-1.14.20.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>nsupdate</strong></span> is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. This allows resource records to be added or removed from a zone @@ -62,14 +61,14 @@ </p> <p> Zones that are under dynamic control via - <span><strong class="command">nsupdate</strong></span> + <span class="command"><strong>nsupdate</strong></span> or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost. </p> <p> The resource records that are dynamically added or removed with - <span><strong class="command">nsupdate</strong></span> + <span class="command"><strong>nsupdate</strong></span> have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record. @@ -83,15 +82,15 @@ <p> TSIG relies on a shared secret that should only be known to - <span><strong class="command">nsupdate</strong></span> and the name server. + <span class="command"><strong>nsupdate</strong></span> and the name server. For instance, suitable <span class="type">key</span> and <span class="type">server</span> statements would be added to <code class="filename">/etc/named.conf</code> so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using - TSIG authentication. You can use <span><strong class="command">ddns-confgen</strong></span> + TSIG authentication. You can use <span class="command"><strong>ddns-confgen</strong></span> to generate suitable configuration fragments. - <span><strong class="command">nsupdate</strong></span> + <span class="command"><strong>nsupdate</strong></span> uses the <code class="option">-y</code> or <code class="option">-k</code> options to provide the TSIG shared secret. These options are mutually exclusive. </p> @@ -107,9 +106,9 @@ 2000 can be switched on with the <code class="option">-o</code> flag. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2644497"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.20.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-d</span></dt> <dd><p> Debug mode. This provides tracing information about the @@ -124,12 +123,12 @@ <dd><p> The file containing the TSIG authentication key. Keyfiles may be in two formats: a single file containing - a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span> + a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span> statement, which may be generated automatically by - <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are + <span class="command"><strong>ddns-confgen</strong></span>, or a pair of files whose names are of the format <code class="filename">K{name}.+157.+{random}.key</code> and <code class="filename">K{name}.+157.+{random}.private</code>, which can be - generated by <span><strong class="command">dnssec-keygen</strong></span>. + generated by <span class="command"><strong>dnssec-keygen</strong></span>. The <code class="option">-k</code> may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key. @@ -137,12 +136,12 @@ <dt><span class="term">-l</span></dt> <dd><p> Local-host only mode. This sets the server address to - localhost (disabling the <span><strong class="command">server</strong></span> so that the server + localhost (disabling the <span class="command"><strong>server</strong></span> so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in <code class="filename">/var/run/named/session.key</code>, - which is automatically generated by <span><strong class="command">named</strong></span> if any - local master zone has set <span><strong class="command">update-policy</strong></span> to - <span><strong class="command">local</strong></span>. The location of this key file can be + which is automatically generated by <span class="command"><strong>named</strong></span> if any + local master zone has set <span class="command"><strong>update-policy</strong></span> to + <span class="command"><strong>local</strong></span>. The location of this key file can be overridden with the <code class="option">-k</code> option. </p></dd> <dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt> @@ -185,7 +184,7 @@ <dt><span class="term">-v</span></dt> <dd><p> Use TCP even for small update requests. - By default, <span><strong class="command">nsupdate</strong></span> + By default, <span class="command"><strong>nsupdate</strong></span> uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. TCP may be preferable when a batch of update requests is made. @@ -217,9 +216,9 @@ </dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2682020"></a><h2>INPUT FORMAT</h2> -<p><span><strong class="command">nsupdate</strong></span> +<div class="refsection"> +<a name="id-1.14.20.9"></a><h2>INPUT FORMAT</h2> +<p><span class="command"><strong>nsupdate</strong></span> reads input from <em class="parameter"><code>filename</code></em> or standard input. @@ -238,7 +237,7 @@ and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. - A blank input line (or the <span><strong class="command">send</strong></span> command) + A blank input line (or the <span class="command"><strong>send</strong></span> command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server. @@ -246,9 +245,9 @@ <p> The command formats and their meaning are as follows: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"> - <span><strong class="command">server</strong></span> + <span class="command"><strong>server</strong></span> {servername} [port] </span></dt> @@ -256,7 +255,7 @@ Sends all dynamic update requests to the name server <em class="parameter"><code>servername</code></em>. When no server statement is provided, - <span><strong class="command">nsupdate</strong></span> + <span class="command"><strong>nsupdate</strong></span> will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master @@ -270,7 +269,7 @@ used. </p></dd> <dt><span class="term"> - <span><strong class="command">local</strong></span> + <span class="command"><strong>local</strong></span> {address} [port] </span></dt> @@ -279,7 +278,7 @@ <em class="parameter"><code>address</code></em>. When no local statement is provided, - <span><strong class="command">nsupdate</strong></span> + <span class="command"><strong>nsupdate</strong></span> will send updates using an address and port chosen by the system. <em class="parameter"><code>port</code></em> @@ -288,7 +287,7 @@ If no port number is specified, the system will assign one. </p></dd> <dt><span class="term"> - <span><strong class="command">zone</strong></span> + <span class="command"><strong>zone</strong></span> {zonename} </span></dt> <dd><p> @@ -297,12 +296,12 @@ If no <em class="parameter"><code>zone</code></em> statement is provided, - <span><strong class="command">nsupdate</strong></span> + <span class="command"><strong>nsupdate</strong></span> will attempt determine the correct zone to update based on the rest of the input. </p></dd> <dt><span class="term"> - <span><strong class="command">class</strong></span> + <span class="command"><strong>class</strong></span> {classname} </span></dt> <dd><p> @@ -312,7 +311,7 @@ <em class="parameter"><code>IN</code></em>. </p></dd> <dt><span class="term"> - <span><strong class="command">ttl</strong></span> + <span class="command"><strong>ttl</strong></span> {seconds} </span></dt> <dd><p> @@ -321,7 +320,7 @@ ttl. </p></dd> <dt><span class="term"> - <span><strong class="command">key</strong></span> + <span class="command"><strong>key</strong></span> [hmac:] {keyname} {secret} </span></dt> @@ -330,19 +329,19 @@ <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair. If <em class="parameter"><code>hmac</code></em> is specified, then it sets the signing algorithm in use; the default is - <code class="literal">hmac-md5</code>. The <span><strong class="command">key</strong></span> + <code class="literal">hmac-md5</code>. The <span class="command"><strong>key</strong></span> command overrides any key specified on the command line via <code class="option">-y</code> or <code class="option">-k</code>. </p></dd> <dt><span class="term"> - <span><strong class="command">gsstsig</strong></span> + <span class="command"><strong>gsstsig</strong></span> </span></dt> <dd><p> Use GSS-TSIG to sign the updated. This is equivalent to specifying <code class="option">-g</code> on the commandline. </p></dd> <dt><span class="term"> - <span><strong class="command">oldgsstsig</strong></span> + <span class="command"><strong>oldgsstsig</strong></span> </span></dt> <dd><p> Use the Windows 2000 version of GSS-TSIG to sign the updated. @@ -350,7 +349,7 @@ commandline. </p></dd> <dt><span class="term"> - <span><strong class="command">realm</strong></span> + <span class="command"><strong>realm</strong></span> {[<span class="optional">realm_name</span>]} </span></dt> <dd><p> @@ -359,7 +358,7 @@ realm is specified the saved realm is cleared. </p></dd> <dt><span class="term"> - <span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span> + <span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span> {domain-name} </span></dt> <dd><p> @@ -367,7 +366,7 @@ <em class="parameter"><code>domain-name</code></em>. </p></dd> <dt><span class="term"> - <span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span> + <span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span> {domain-name} </span></dt> <dd><p> @@ -376,7 +375,7 @@ exists (has as at least one resource record, of any type). </p></dd> <dt><span class="term"> - <span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span> + <span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span> {domain-name} [class] {type} @@ -392,7 +391,7 @@ is omitted, IN (internet) is assumed. </p></dd> <dt><span class="term"> - <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span> + <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span> {domain-name} [class] {type} @@ -409,7 +408,7 @@ is omitted, IN (internet) is assumed. </p></dd> <dt><span class="term"> - <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span> + <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span> {domain-name} [class] {type} @@ -438,7 +437,7 @@ RDATA. </p></dd> <dt><span class="term"> - <span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span> + <span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span> {domain-name} [ttl] [class] @@ -459,7 +458,7 @@ is ignored, and is only allowed for compatibility. </p></dd> <dt><span class="term"> - <span><strong class="command">[<span class="optional">update</span>] add</strong></span> + <span class="command"><strong>[<span class="optional">update</span>] add</strong></span> {domain-name} {ttl} [class] @@ -474,7 +473,7 @@ <em class="parameter"><code>data</code></em>. </p></dd> <dt><span class="term"> - <span><strong class="command">show</strong></span> + <span class="command"><strong>show</strong></span> </span></dt> <dd><p> Displays the current message, containing all of the @@ -482,32 +481,32 @@ updates specified since the last send. </p></dd> <dt><span class="term"> - <span><strong class="command">send</strong></span> + <span class="command"><strong>send</strong></span> </span></dt> <dd><p> Sends the current message. This is equivalent to entering a blank line. </p></dd> <dt><span class="term"> - <span><strong class="command">answer</strong></span> + <span class="command"><strong>answer</strong></span> </span></dt> <dd><p> Displays the answer. </p></dd> <dt><span class="term"> - <span><strong class="command">debug</strong></span> + <span class="command"><strong>debug</strong></span> </span></dt> <dd><p> Turn on debugging. </p></dd> <dt><span class="term"> - <span><strong class="command">version</strong></span> + <span class="command"><strong>version</strong></span> </span></dt> <dd><p> Print version number. </p></dd> <dt><span class="term"> - <span><strong class="command">help</strong></span> + <span class="command"><strong>help</strong></span> </span></dt> <dd><p> Print a list of commands. @@ -519,11 +518,11 @@ Lines beginning with a semicolon are comments and are ignored. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2683271"></a><h2>EXAMPLES</h2> +<div class="refsection"> +<a name="id-1.14.20.10"></a><h2>EXAMPLES</h2> <p> The examples below show how - <span><strong class="command">nsupdate</strong></span> + <span class="command"><strong>nsupdate</strong></span> could be used to insert and delete resource records from the <span class="type">example.com</span> zone. @@ -573,9 +572,9 @@ RRSIG, DNSKEY and NSEC records.) </p> </div> -<div class="refsect1" lang="en"> -<a name="id2683321"></a><h2>FILES</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.20.11"></a><h2>FILES</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt> <dd><p> used to identify default name server @@ -596,8 +595,8 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2683408"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.20.12"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">RFC 2136</em>, <em class="citetitle">RFC 3007</em>, @@ -611,8 +610,8 @@ <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2683533"></a><h2>BUGS</h2> +<div class="refsection"> +<a name="id-1.14.20.13"></a><h2>BUGS</h2> <p> The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library @@ -640,6 +639,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index db1cfa8a5ee7..697e44cda784 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>rndc-confgen</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.rndc.conf.html" title="rndc.conf"> <link rel="next" href="man.ddns-confgen.html" title="ddns-confgen"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.rndc-confgen"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,57 +48,57 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2649297"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">rndc-confgen</strong></span> +<div class="refsection"> +<a name="id-1.14.23.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>rndc-confgen</strong></span> generates configuration files - for <span><strong class="command">rndc</strong></span>. It can be used as a + for <span class="command"><strong>rndc</strong></span>. It can be used as a convenient alternative to writing the <code class="filename">rndc.conf</code> file - and the corresponding <span><strong class="command">controls</strong></span> - and <span><strong class="command">key</strong></span> + and the corresponding <span class="command"><strong>controls</strong></span> + and <span class="command"><strong>key</strong></span> statements in <code class="filename">named.conf</code> by hand. - Alternatively, it can be run with the <span><strong class="command">-a</strong></span> + Alternatively, it can be run with the <span class="command"><strong>-a</strong></span> option to set up a <code class="filename">rndc.key</code> file and avoid the need for a <code class="filename">rndc.conf</code> file - and a <span><strong class="command">controls</strong></span> statement altogether. + and a <span class="command"><strong>controls</strong></span> statement altogether. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2649363"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.23.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-a</span></dt> <dd> <p> - Do automatic <span><strong class="command">rndc</strong></span> configuration. + Do automatic <span class="command"><strong>rndc</strong></span> configuration. This creates a file <code class="filename">rndc.key</code> in <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code> was specified as when <acronym class="acronym">BIND</acronym> was built) - that is read by both <span><strong class="command">rndc</strong></span> - and <span><strong class="command">named</strong></span> on startup. The + that is read by both <span class="command"><strong>rndc</strong></span> + and <span class="command"><strong>named</strong></span> on startup. The <code class="filename">rndc.key</code> file defines a default command channel and authentication key allowing - <span><strong class="command">rndc</strong></span> to communicate with - <span><strong class="command">named</strong></span> on the local host + <span class="command"><strong>rndc</strong></span> to communicate with + <span class="command"><strong>named</strong></span> on the local host with no further configuration. </p> <p> - Running <span><strong class="command">rndc-confgen -a</strong></span> allows - BIND 9 and <span><strong class="command">rndc</strong></span> to be used as + Running <span class="command"><strong>rndc-confgen -a</strong></span> allows + BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as drop-in - replacements for BIND 8 and <span><strong class="command">ndc</strong></span>, + replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>, with no changes to the existing BIND 8 <code class="filename">named.conf</code> file. </p> <p> If a more elaborate configuration than that - generated by <span><strong class="command">rndc-confgen -a</strong></span> + generated by <span class="command"><strong>rndc-confgen -a</strong></span> is required, for example if rndc is to be used remotely, - you should run <span><strong class="command">rndc-confgen</strong></span> without + you should run <span class="command"><strong>rndc-confgen</strong></span> without the - <span><strong class="command">-a</strong></span> option and set up a + <span class="command"><strong>-a</strong></span> option and set up a <code class="filename">rndc.conf</code> and <code class="filename">named.conf</code> as directed. @@ -112,13 +111,13 @@ </p></dd> <dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt> <dd><p> - Used with the <span><strong class="command">-a</strong></span> option to specify + Used with the <span class="command"><strong>-a</strong></span> option to specify an alternate location for <code class="filename">rndc.key</code>. </p></dd> <dt><span class="term">-h</span></dt> <dd><p> Prints a short summary of the options and arguments to - <span><strong class="command">rndc-confgen</strong></span>. + <span class="command"><strong>rndc-confgen</strong></span>. </p></dd> <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt> <dd><p> @@ -128,8 +127,8 @@ </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Specifies the command channel port where <span><strong class="command">named</strong></span> - listens for connections from <span><strong class="command">rndc</strong></span>. + Specifies the command channel port where <span class="command"><strong>named</strong></span> + listens for connections from <span class="command"><strong>rndc</strong></span>. The default is 953. </p></dd> <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt> @@ -147,61 +146,56 @@ </p></dd> <dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt> <dd><p> - Specifies the IP address where <span><strong class="command">named</strong></span> + Specifies the IP address where <span class="command"><strong>named</strong></span> listens for command channel connections from - <span><strong class="command">rndc</strong></span>. The default is the loopback + <span class="command"><strong>rndc</strong></span>. The default is the loopback address 127.0.0.1. </p></dd> <dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt> <dd><p> - Used with the <span><strong class="command">-a</strong></span> option to specify - a directory where <span><strong class="command">named</strong></span> will run + Used with the <span class="command"><strong>-a</strong></span> option to specify + a directory where <span class="command"><strong>named</strong></span> will run chrooted. An additional copy of the <code class="filename">rndc.key</code> will be written relative to this directory so that - it will be found by the chrooted <span><strong class="command">named</strong></span>. + it will be found by the chrooted <span class="command"><strong>named</strong></span>. </p></dd> <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> <dd><p> - Used with the <span><strong class="command">-a</strong></span> option to set the + Used with the <span class="command"><strong>-a</strong></span> option to set the owner of the <code class="filename">rndc.key</code> file generated. If - <span><strong class="command">-t</strong></span> is also specified only the file + <span class="command"><strong>-t</strong></span> is also specified only the file in the chroot area has its owner changed. </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2652411"></a><h2>EXAMPLES</h2> +<div class="refsection"> +<a name="id-1.14.23.9"></a><h2>EXAMPLES</h2> <p> - To allow <span><strong class="command">rndc</strong></span> to be used with + To allow <span class="command"><strong>rndc</strong></span> to be used with no manual configuration, run </p> <p><strong class="userinput"><code>rndc-confgen -a</code></strong> </p> <p> To print a sample <code class="filename">rndc.conf</code> file and - corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span> + corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span> statements to be manually inserted into <code class="filename">named.conf</code>, run </p> <p><strong class="userinput"><code>rndc-confgen</code></strong> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2652468"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.23.10"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2659196"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -222,6 +216,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 2a3aa393ec93..877c1e4dffdf 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>rndc.conf</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.rndc.html" title="rndc"> <link rel="next" href="man.rndc-confgen.html" title="rndc-confgen"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.rndc.conf"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,10 +48,10 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2617745"></a><h2>DESCRIPTION</h2> +<div class="refsection"> +<a name="id-1.14.22.7"></a><h2>DESCRIPTION</h2> <p><code class="filename">rndc.conf</code> is the configuration file - for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control + for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control utility. This file has a similar structure and syntax to <code class="filename">named.conf</code>. Statements are enclosed in braces and terminated with a semi-colon. Clauses in @@ -78,7 +77,7 @@ The <code class="option">default-server</code> clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to - <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code> + <span class="command"><strong>rndc</strong></span>. The <code class="option">default-key</code> clause is followed by the name of a key which is identified by a <code class="option">key</code> statement. If no <code class="option">keyid</code> is provided on the rndc command line, @@ -114,7 +113,7 @@ The <code class="option">key</code> statement begins with an identifying string, the name of the key. The statement has two clauses. <code class="option">algorithm</code> identifies the encryption algorithm - for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 + for <span class="command"><strong>rndc</strong></span> to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The @@ -122,20 +121,20 @@ </p> <p> There are two common ways to generate the base-64 string for the - secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> + secret. The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span> can be used to generate a random key, or the - <span><strong class="command">mmencode</strong></span> program, also known as - <span><strong class="command">mimencode</strong></span>, can be used to generate a + <span class="command"><strong>mmencode</strong></span> program, also known as + <span class="command"><strong>mimencode</strong></span>, can be used to generate a base-64 - string from known input. <span><strong class="command">mmencode</strong></span> does + string from known input. <span class="command"><strong>mmencode</strong></span> does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2646384"></a><h2>EXAMPLE</h2> +<div class="refsection"> +<a name="id-1.14.22.8"></a><h2>EXAMPLE</h2> <pre class="programlisting"> options { default-server localhost; @@ -176,7 +175,7 @@ <p> </p> <p> - In the above example, <span><strong class="command">rndc</strong></span> will by + In the above example, <span class="command"><strong>rndc</strong></span> will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which @@ -186,11 +185,11 @@ base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. </p> <p> - If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will + If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will connect to server on localhost port 5353 using the key testkey. </p> <p> - To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>: + To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>: </p> <p><strong class="userinput"><code>rndc-confgen</code></strong> </p> @@ -203,13 +202,13 @@ <code class="filename">named.conf</code> are also printed. </p> <p> - To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>: + To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>: </p> <p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong> </p> </div> -<div class="refsect1" lang="en"> -<a name="id2647324"></a><h2>NAME SERVER CONFIGURATION</h2> +<div class="refsection"> +<a name="id-1.14.22.9"></a><h2>NAME SERVER CONFIGURATION</h2> <p> The name server must be configured to accept rndc connections and to recognize the key specified in the <code class="filename">rndc.conf</code> @@ -218,19 +217,14 @@ BIND 9 Administrator Reference Manual for details. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2647350"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.22.10"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2647388"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -251,6 +245,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 731a560c7207..59a1360e7ecb 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>rndc</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> <link rel="prev" href="man.nsupdate.html" title="nsupdate"> <link rel="next" href="man.rndc.conf.html" title="rndc.conf"> @@ -39,7 +38,7 @@ </table> <hr> </div> -<div class="refentry" lang="en"> +<div class="refentry"> <a name="man.rndc"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> @@ -49,22 +48,22 @@ <h2>Synopsis</h2> <div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div> </div> -<div class="refsect1" lang="en"> -<a name="id2644753"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">rndc</strong></span> +<div class="refsection"> +<a name="id-1.14.21.7"></a><h2>DESCRIPTION</h2> +<p><span class="command"><strong>rndc</strong></span> controls the operation of a name - server. It supersedes the <span><strong class="command">ndc</strong></span> utility + server. It supersedes the <span class="command"><strong>ndc</strong></span> utility that was provided in old BIND releases. If - <span><strong class="command">rndc</strong></span> is invoked with no command line + <span class="command"><strong>rndc</strong></span> is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. </p> -<p><span><strong class="command">rndc</strong></span> +<p><span class="command"><strong>rndc</strong></span> communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of - <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>, + <span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span>, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command @@ -72,15 +71,15 @@ over the channel must be signed by a key_id known to the server. </p> -<p><span><strong class="command">rndc</strong></span> +<p><span class="command"><strong>rndc</strong></span> reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2644803"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> +<div class="refsection"> +<a name="id-1.14.21.8"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt> <dd><p> Use <em class="replaceable"><code>source-address</code></em> @@ -108,9 +107,9 @@ <dd><p><em class="replaceable"><code>server</code></em> is the name or address of the server which matches a server statement in the configuration file for - <span><strong class="command">rndc</strong></span>. If no server is supplied on the + <span class="command"><strong>rndc</strong></span>. If no server is supplied on the command line, the host named by the default-server clause - in the options statement of the <span><strong class="command">rndc</strong></span> + in the options statement of the <span class="command"><strong>rndc</strong></span> configuration file will be used. </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> @@ -130,10 +129,10 @@ from the configuration file. <em class="replaceable"><code>key_id</code></em> must be - known by <span><strong class="command">named</strong></span> with the same algorithm and secret string + known by <span class="command"><strong>named</strong></span> with the same algorithm and secret string in order for control message validation to succeed. If no <em class="replaceable"><code>key_id</code></em> - is specified, <span><strong class="command">rndc</strong></span> will first look + is specified, <span class="command"><strong>rndc</strong></span> will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement. @@ -144,22 +143,22 @@ </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2645564"></a><h2>COMMANDS</h2> +<div class="refsection"> +<a name="id-1.14.21.9"></a><h2>COMMANDS</h2> <p> - A list of commands supported by <span><strong class="command">rndc</strong></span> can - be seen by running <span><strong class="command">rndc</strong></span> without arguments. + A list of commands supported by <span class="command"><strong>rndc</strong></span> can + be seen by running <span class="command"><strong>rndc</strong></span> without arguments. </p> <p> Currently supported commands are: </p> -<div class="variablelist"><dl> +<div class="variablelist"><dl class="variablelist"> <dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt> <dd> <p> Add a zone while the server is running. This command requires the - <span><strong class="command">allow-new-zones</strong></span> option to be set + <span class="command"><strong>allow-new-zones</strong></span> option to be set to <strong class="userinput"><code>yes</code></strong>. The <em class="replaceable"><code>configuration</code></em> string specified on the command line is the zone @@ -171,13 +170,13 @@ <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>, where <em class="replaceable"><code>hash</code></em> is a cryptographic hash generated from the name of - the view. When <span><strong class="command">named</strong></span> is + the view. When <span class="command"><strong>named</strong></span> is restarted, the file will be loaded into the view configuration, so that zones that were added can persist after a restart. </p> <p> - This sample <span><strong class="command">addzone</strong></span> command + This sample <span class="command"><strong>addzone</strong></span> command would add the zone <code class="literal">example.com</code> to the default view: </p> @@ -189,7 +188,7 @@ configuration text.) </p> <p> - See also <span><strong class="command">rndc delzone</strong></span>. + See also <span class="command"><strong>rndc delzone</strong></span>. </p> </dd> <dt><span class="term"><strong class="userinput"><code>delzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt> @@ -197,11 +196,11 @@ <p> Delete a zone while the server is running. Only zones that were originally added via - <span><strong class="command">rndc addzone</strong></span> can be deleted - in this manner. + <span class="command"><strong>rndc addzone</strong></span> can be deleted + in this manner. </p> <p> - See also <span><strong class="command">rndc addzone</strong></span> + See also <span class="command"><strong>rndc addzone</strong></span> </p> </dd> <dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt> @@ -211,7 +210,7 @@ dump file for the specified views. If no view is specified, all views are dumped. - (See the <span><strong class="command">dump-file</strong></span> option in + (See the <span class="command"><strong>dump-file</strong></span> option in the BIND 9 Administrator Reference Manual.) </p></dd> <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt> @@ -243,7 +242,7 @@ the zone is frozen. </p> <p> - See also <span><strong class="command">rndc thaw</strong></span>. + See also <span class="command"><strong>rndc thaw</strong></span>. </p> </dd> <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt> @@ -253,12 +252,12 @@ made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server is restarted. - If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned. - This allows an external process to determine when <span><strong class="command">named</strong></span> + If <code class="option">-p</code> is specified <span class="command"><strong>named</strong></span>'s process id is returned. + This allows an external process to determine when <span class="command"><strong>named</strong></span> had completed halting. </p> <p> - See also <span><strong class="command">rndc stop</strong></span>. + See also <span class="command"><strong>rndc stop</strong></span>. </p> </dd> <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> @@ -267,14 +266,14 @@ Fetch all DNSSEC keys for the given zone from the key directory. If they are within their publication period, merge them into the - zone's DNSKEY RRset. Unlike <span><strong class="command">rndc + zone's DNSKEY RRset. Unlike <span class="command"><strong>rndc sign</strong></span>, however, the zone is not immediately re-signed by the new keys, but is allowed to incrementally re-sign over time. </p> <p> This command requires that the - <span><strong class="command">auto-dnssec</strong></span> zone option + <span class="command"><strong>auto-dnssec</strong></span> zone option be set to <code class="literal">maintain</code>, and also requires the zone to be configured to allow dynamic DNS. @@ -292,7 +291,7 @@ Sets the server's debugging level to 0. </p> <p> - See also <span><strong class="command">rndc trace</strong></span>. + See also <span class="command"><strong>rndc trace</strong></span>. </p> </dd> <dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt> @@ -304,13 +303,13 @@ </p> <p> Query logging can also be enabled - by explicitly directing the <span><strong class="command">queries</strong></span> - <span><strong class="command">category</strong></span> to a - <span><strong class="command">channel</strong></span> in the - <span><strong class="command">logging</strong></span> section of + by explicitly directing the <span class="command"><strong>queries</strong></span> + <span class="command"><strong>category</strong></span> to a + <span class="command"><strong>channel</strong></span> in the + <span class="command"><strong>logging</strong></span> section of <code class="filename">named.conf</code> or by specifying - <span><strong class="command">querylog yes;</strong></span> in the - <span><strong class="command">options</strong></span> section of + <span class="command"><strong>querylog yes;</strong></span> in the + <span class="command"><strong>options</strong></span> section of <code class="filename">named.conf</code>. </p> </dd> @@ -319,14 +318,14 @@ Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. - This is faster than a full <span><strong class="command">reload</strong></span> when there + This is faster than a full <span class="command"><strong>reload</strong></span> when there is a large number of zones because it avoids the need to examine the modification times of the zones files. </p></dd> <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt> <dd><p> - Dump the list of queries <span><strong class="command">named</strong></span> is currently + Dump the list of queries <span class="command"><strong>named</strong></span> is currently recursing on, and the list of domains to which iterative queries are currently being sent. (The second list includes the number of fetches currently active for the given domain, @@ -352,7 +351,7 @@ </p> <p> If the zone is configured to use - <span><strong class="command">inline-signing</strong></span>, the signed + <span class="command"><strong>inline-signing</strong></span>, the signed version of the zone is discarded; after the retransfer of the unsigned version is complete, the signed version will be regenerated with all new @@ -370,8 +369,8 @@ <dd> <p> Fetch all DNSSEC keys for the given zone - from the key directory (see the - <span><strong class="command">key-directory</strong></span> option in + from the key directory (see the + <span class="command"><strong>key-directory</strong></span> option in the BIND 9 Administrator Reference Manual). If they are within their publication period, merge them into the zone's DNSKEY RRset. If the DNSKEY RRset @@ -380,7 +379,7 @@ </p> <p> This command requires that the - <span><strong class="command">auto-dnssec</strong></span> zone option be set + <span class="command"><strong>auto-dnssec</strong></span> zone option be set to <code class="literal">allow</code> or <code class="literal">maintain</code>, and also requires the zone to be configured to @@ -389,7 +388,7 @@ Reference Manual for more details.) </p> <p> - See also <span><strong class="command">rndc loadkeys</strong></span>. + See also <span class="command"><strong>rndc loadkeys</strong></span>. </p> </dd> <dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt> @@ -400,33 +399,33 @@ operations (such as signing or generating NSEC3 chains) is stored in the zone in the form of DNS resource records of type - <span><strong class="command">sig-signing-type</strong></span>. - <span><strong class="command">rndc signing -list</strong></span> converts + <span class="command"><strong>sig-signing-type</strong></span>. + <span class="command"><strong>rndc signing -list</strong></span> converts these records into a human-readable form, indicating which keys are currently signing or have finished signing the zone, and which NSEC3 chains are being created or removed. </p> <p> - <span><strong class="command">rndc signing -clear</strong></span> can remove + <span class="command"><strong>rndc signing -clear</strong></span> can remove a single key (specified in the same format that - <span><strong class="command">rndc signing -list</strong></span> uses to + <span class="command"><strong>rndc signing -list</strong></span> uses to display it), or all keys. In either case, only completed keys are removed; any record indicating that a key has not yet finished signing the zone will be retained. </p> <p> - <span><strong class="command">rndc signing -nsec3param</strong></span> sets + <span class="command"><strong>rndc signing -nsec3param</strong></span> sets the NSEC3 parameters for a zone. This is the only supported mechanism for using NSEC3 with - <span><strong class="command">inline-signing</strong></span> zones. + <span class="command"><strong>inline-signing</strong></span> zones. Parameters are specified in the same format as an NSEC3PARAM resource record: hash algorithm, flags, iterations, and salt, in that order. </p> <p> - Currently, the only defined value for hash algorithm + Currently, the only defined value for hash algorithm is <code class="literal">1</code>, representing SHA-1. The <code class="option">flags</code> may be set to <code class="literal">0</code> or <code class="literal">1</code>, @@ -442,13 +441,13 @@ So, for example, to create an NSEC3 chain using the SHA-1 hash algorithm, no opt-out flag, 10 iterations, and a salt value of "FFFF", use: - <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>. + <span class="command"><strong>rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>. To set the opt-out flag, 15 iterations, and no salt, use: - <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>. + <span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>. </p> <p> - <span><strong class="command">rndc signing -nsec3param none</strong></span> + <span class="command"><strong>rndc signing -nsec3param none</strong></span> removes an existing NSEC3 chain and replaces it with NSEC. </p> @@ -456,14 +455,14 @@ <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt> <dd><p> Write server statistics to the statistics file. - (See the <span><strong class="command">statistics-file</strong></span> option in + (See the <span class="command"><strong>statistics-file</strong></span> option in the BIND 9 Administrator Reference Manual.) </p></dd> <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt> <dd><p> Display status of the server. - Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone - and the default <span><strong class="command">./IN</strong></span> + Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone + and the default <span class="command"><strong>./IN</strong></span> hint zone if there is not an explicit root zone configured. </p></dd> @@ -473,11 +472,11 @@ Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. - If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned. - This allows an external process to determine when <span><strong class="command">named</strong></span> + If <code class="option">-p</code> is specified <span class="command"><strong>named</strong></span>'s process id is returned. + This allows an external process to determine when <span class="command"><strong>named</strong></span> had completed stopping. </p> -<p>See also <span><strong class="command">rndc halt</strong></span>.</p> +<p>See also <span class="command"><strong>rndc halt</strong></span>.</p> </dd> <dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt> <dd><p> @@ -496,13 +495,13 @@ load has completed. After a zone is thawed, dynamic updates will no longer be refused. If the zone has changed and the - <span><strong class="command">ixfr-from-differences</strong></span> option is + <span class="command"><strong>ixfr-from-differences</strong></span> option is in use, then the journal file will be updated to reflect changes in the zone. Otherwise, if the zone has changed, any existing journal file will be removed. </p> -<p>See also <span><strong class="command">rndc freeze</strong></span>.</p> +<p>See also <span class="command"><strong>rndc freeze</strong></span>.</p> </dd> <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt> <dd><p> @@ -515,7 +514,7 @@ value. </p> <p> - See also <span><strong class="command">rndc notrace</strong></span>. + See also <span class="command"><strong>rndc notrace</strong></span>. </p> </dd> <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt> @@ -527,7 +526,7 @@ <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt> <dd><p> List the names of all TSIG keys currently configured - for use by <span><strong class="command">named</strong></span> in each view. The + for use by <span class="command"><strong>named</strong></span> in each view. The list both statically configured keys and dynamic TKEY-negotiated keys. </p></dd> @@ -535,15 +534,15 @@ <dd><p> Enable, disable, or check the current status of DNSSEC validation. - Note <span><strong class="command">dnssec-enable</strong></span> also needs to be + Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be set to <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong> to be effective. It defaults to enabled. </p></dd> </dl></div> </div> -<div class="refsect1" lang="en"> -<a name="id2687854"></a><h2>LIMITATIONS</h2> +<div class="refsection"> +<a name="id-1.14.21.10"></a><h2>LIMITATIONS</h2> <p> There is currently no way to provide the shared secret for a <code class="option">key_id</code> without using the configuration file. @@ -552,8 +551,8 @@ Several error messages could be clearer. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2687873"></a><h2>SEE ALSO</h2> +<div class="refsection"> +<a name="id-1.14.21.11"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, @@ -562,11 +561,6 @@ <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> -<div class="refsect1" lang="en"> -<a name="id2687928"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> </div> <div class="navfooter"> <hr> @@ -587,6 +581,6 @@ </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> diff --git a/doc/arm/managed-keys.xml b/doc/arm/managed-keys.xml index 51949487fbb4..d1335eaf4b9d 100644 --- a/doc/arm/managed-keys.xml +++ b/doc/arm/managed-keys.xml @@ -1,6 +1,5 @@ -<?xml version="1.0" encoding="utf-8"?> <!-- - - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2010, 2015 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -15,28 +14,29 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: managed-keys.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ --> +<!-- $Id$ --> + +<!-- Converted by db4-upgrade version 1.0 --> +<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info> -<sect1 id="rfc5011.support"> - <title>Dynamic Trust Anchor Management</title> <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust - anchor management. Using this feature allows + anchor management. Using this feature allows <command>named</command> to keep track of changes to critical DNSSEC keys without any need for the operator to make changes to configuration files.</para> - <sect2> - <title>Validating Resolver</title> + <section><info><title>Validating Resolver</title></info> + <!-- TODO: command tag is overloaded for configuration and executables --> <para>To configure a validating resolver to use RFC 5011 to - maintain a trust anchor, configure the trust anchor using a + maintain a trust anchor, configure the trust anchor using a <command>managed-keys</command> statement. Information about - this can be found in - <xref linkend="managed-keys" />.</para> + this can be found in + <xref linkend="managed-keys"/>.</para> <!-- TODO: managed-keys examples also in DNSSEC section above here in ARM --> - </sect2> - <sect2> - <title>Authoritative Server</title> + </section> + <section><info><title>Authoritative Server</title></info> + <para>To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the "active" @@ -52,21 +52,21 @@ also in DNSSEC section above here in ARM --> timer has completed, the active KSK can be revoked, and the zone can be "rolled over" to the newly accepted key.</para> <para>The easiest way to place a stand-by key in a zone is to - use the "smart signing" features of - <command>dnssec-keygen</command> and + use the "smart signing" features of + <command>dnssec-keygen</command> and <command>dnssec-signzone</command>. If a key with a publication date in the past, but an activation date which is unset or in - the future, " + the future, " <command>dnssec-signzone -S</command>" will include the DNSKEY record in the zone, but will not sign with it:</para> <screen> $ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput> $ <userinput>dnssec-signzone -S -K keys example.net</userinput> </screen> - <para>To revoke a key, the new command + <para>To revoke a key, the new command <command>dnssec-revoke</command> has been added. This adds the - REVOKED bit to the key flags and re-generates the - <filename>K*.key</filename> and + REVOKED bit to the key flags and re-generates the + <filename>K*.key</filename> and <filename>K*.private</filename> files.</para> <para>After revoking the active key, the zone must be signed with both the revoked KSK and the new active KSK. (Smart @@ -84,7 +84,7 @@ $ <userinput>dnssec-signzone -S -K keys example.net</userinput> "<filename>Kexample.com.+005+10128</filename>".</para> <para>If two keys have ID's exactly 128 apart, and one is revoked, then the two key ID's will collide, causing several - problems. To prevent this, + problems. To prevent this, <command>dnssec-keygen</command> will not generate a new key if another key is present which may collide. This checking will only occur if the new keys are written to the same directory @@ -96,5 +96,5 @@ $ <userinput>dnssec-signzone -S -K keys example.net</userinput> <para>It is expected that a future release of BIND 9 will address this problem in a different way, by storing revoked keys with their original unrevoked key ID's.</para> - </sect2> -</sect1> + </section> +</section> diff --git a/doc/arm/notes-wrapper.xml b/doc/arm/notes-wrapper.xml index 9d31ef8b6d58..db5f01c19eae 100644 --- a/doc/arm/notes-wrapper.xml +++ b/doc/arm/notes-wrapper.xml @@ -1,6 +1,5 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" - "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" - [<!ENTITY mdash "—">]> +<!DOCTYPE book [ +<!ENTITY mdash "—">]> <!-- - Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC") - @@ -17,13 +16,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<article xmlns:xi="http://www.w3.org/2001/XInclude"> - <title/> - <xi:include href="notes.xml"/> -</article> +<!-- Converted by db4-upgrade version 1.0 --> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"><info><title/></info> -<!-- - - Local variables: - - mode: sgml - - End: - --> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes.xml"/> +</article> diff --git a/doc/arm/notes.conf b/doc/arm/notes.conf new file mode 100644 index 000000000000..f8dd8326f5a5 --- /dev/null +++ b/doc/arm/notes.conf @@ -0,0 +1,3 @@ +TexInputs: ../tex// +TexStyle: notestyle +XslParam: ../xsl/notes-param.xsl diff --git a/doc/arm/notes.html b/doc/arm/notes.html index da38378d3218..d0639bc21fb8 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -17,119 +17,112 @@ <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title></title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> </head> -<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="sect1" lang="en"> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2542126"></a>Release Notes for BIND Version 9.9.8-P4</h2></div></div></div> -<div class="sect2" lang="en"> +<a name="id-1.2"></a>Release Notes for BIND Version 9.9.9-P3</h2></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_intro"></a>Introduction</h3></div></div></div> <p> - This document summarizes changes since BIND 9.9.8: + This document summarizes changes since BIND 9.9.9: </p> <p> - BIND 9.9.8-P4 addresses the security issues described in - CVE-2016-1285 and CVE-2016-1286. + BIND 9.10.9-P3 addresses the security issue described in + CVE-2016-2776. </p> <p> - BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704. - It also fixes a serious regression in authoritative server selection - that was introduced in 9.9.8. + BIND 9.9.9-P2 addresses the security issue described in + CVE-2016-2775. </p> <p> - BIND 9.9.8-P2 addresses security issues described in CVE-2015-3193 - (OpenSSL), CVE-2015-8000 and CVE-2015-8461. - </p> -<p> - BIND 9.9.8-P1 was incomplete and was withdrawn prior to publication. + BIND 9.9.9-P1 addresses Windows installation issues and a race + condition in the rbt/rbtdb implementation resulting in named + exiting due to assertion failures being detected. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_download"></a>Download</h3></div></div></div> <p> The latest versions of BIND 9 software can always be found at - <a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>. + <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_security"></a>Security Fixes</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"> -<li><p> - The resolver could abort with an assertion failure due to - improper DNAME handling when parsing fetch reply - messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] - </p></li> -<li><p> - Malformed control messages can trigger assertions in named - and rndc. This flaw is disclosed in CVE-2016-1285. [RT - #41666] - </p></li> -<li><p> - Specific APL data could trigger an INSIST. This flaw - is disclosed in CVE-2015-8704. [RT #41396] +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p> + It was possible to trigger a assertion when rendering a + message using a specially crafted request. This flaw is + disclosed in CVE-2016-2776. [RT #43139] </p></li> -<li><p> - Named is potentially vulnerable to the OpenSSL vulnerability - described in CVE-2015-3193. - </p></li> -<li><p> - Incorrect reference counting could result in an INSIST - failure if a socket error occurred while performing a - lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] - </p></li> -<li><p> - Insufficient testing when parsing a message allowed - records with an incorrect class to be be accepted, - triggering a REQUIRE failure when those records - were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #40987] +<li class="listitem"><p> + getrrsetbyname with a non absolute name could trigger an + infinite recursion bug in lwresd and named with lwres + configured if when combined with a search list entry the + resulting name is too long. This flaw is disclosed in + CVE-2016-2775. [RT #42694] </p></li> </ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_features"></a>New Features</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + None. + </p></li></ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"><li><p> - Updated the compiled in addresses for H.ROOT-SERVERS.NET. +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + None. </p></li></ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div> -<div class="itemizedlist"><ul type="disc"><li><p> - Authoritative servers that were marked as bogus (e.g. blackholed - in configuration or with invalid addresses) were being queried - anyway. [RT #41321] +<a name="relnotes_port"></a>Porting Changes</h3></div></div></div> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + None. </p></li></ul></div> </div> -<div class="sect2" lang="en"> +<div class="section"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"><p> + Windows installs were failing due to triggering UAC without + the installation binary being signed. + </p></li> +<li class="listitem"><p> + A race condition in rbt/rbtdb was leading to INSISTs being + triggered. + </p></li> +</ul></div> +</div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="end_of_life"></a>End of Life</h3></div></div></div> <p> - The BIND 9.9 (Extended Support Version) will be supported until + BIND 9.9 (Extended Support Version) will be supported until December, 2017. - <a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a> + <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a> </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_thanks"></a>Thank You</h3></div></div></div> <p> Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at - <a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>. + <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>. </p> </div> </div></div></body> diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf Binary files differindex 01b320bfb75b..228070f438e8 100644 --- a/doc/arm/notes.pdf +++ b/doc/arm/notes.pdf diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 0e7d95fdd436..72cebb286a77 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -1,4 +1,6 @@ -<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE book [ +<!ENTITY mdash "—"> +<!ENTITY ouml "ö">]> <!-- - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC") - @@ -15,135 +17,121 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<sect1 xmlns:xi="http://www.w3.org/2001/XInclude"> - <xi:include href="noteversion.xml"/> - <sect2 id="relnotes_intro"> - <title>Introduction</title> +<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/> + <section xml:id="relnotes_intro"><info><title>Introduction</title></info> <para> - This document summarizes changes since BIND 9.9.8: + This document summarizes changes since BIND 9.9.9: </para> <para> - BIND 9.9.8-P4 addresses the security issues described in - CVE-2016-1285 and CVE-2016-1286. + BIND 9.10.9-P3 addresses the security issue described in + CVE-2016-2776. </para> <para> - BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704. - It also fixes a serious regression in authoritative server selection - that was introduced in 9.9.8. + BIND 9.9.9-P2 addresses the security issue described in + CVE-2016-2775. </para> <para> - BIND 9.9.8-P2 addresses security issues described in CVE-2015-3193 - (OpenSSL), CVE-2015-8000 and CVE-2015-8461. + BIND 9.9.9-P1 addresses Windows installation issues and a race + condition in the rbt/rbtdb implementation resulting in named + exiting due to assertion failures being detected. </para> - <para> - BIND 9.9.8-P1 was incomplete and was withdrawn prior to publication. - </para> - </sect2> - <sect2 id="relnotes_download"> - <title>Download</title> + + </section> + + <section xml:id="relnotes_download"><info><title>Download</title></info> <para> The latest versions of BIND 9 software can always be found at - <ulink url="http://www.isc.org/downloads/" - >http://www.isc.org/downloads/</ulink>. + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. </para> - </sect2> - <sect2 id="relnotes_security"> - <title>Security Fixes</title> + </section> + + <section xml:id="relnotes_security"><info><title>Security Fixes</title></info> <itemizedlist> <listitem> <para> - The resolver could abort with an assertion failure due to - improper DNAME handling when parsing fetch reply - messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] + It was possible to trigger a assertion when rendering a + message using a specially crafted request. This flaw is + disclosed in CVE-2016-2776. [RT #43139] </para> </listitem> <listitem> <para> - Malformed control messages can trigger assertions in named - and rndc. This flaw is disclosed in CVE-2016-1285. [RT - #41666] - </para> - </listitem> - <listitem> - <para> - Specific APL data could trigger an INSIST. This flaw - is disclosed in CVE-2015-8704. [RT #41396] - </para> - </listitem> - <listitem> - <para> - Named is potentially vulnerable to the OpenSSL vulnerability - described in CVE-2015-3193. + getrrsetbyname with a non absolute name could trigger an + infinite recursion bug in lwresd and named with lwres + configured if when combined with a search list entry the + resulting name is too long. This flaw is disclosed in + CVE-2016-2775. [RT #42694] </para> </listitem> + </itemizedlist> + + </section> + + <section xml:id="relnotes_features"><info><title>New Features</title></info> + <itemizedlist> <listitem> <para> - Incorrect reference counting could result in an INSIST - failure if a socket error occurred while performing a - lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] + None. </para> </listitem> + </itemizedlist> + </section> + + <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info> + <itemizedlist> <listitem> <para> - Insufficient testing when parsing a message allowed - records with an incorrect class to be be accepted, - triggering a REQUIRE failure when those records - were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #40987] + None. </para> </listitem> </itemizedlist> - </sect2> - <sect2 id="relnotes_features"> - <title>New Features</title> + </section> + + <section xml:id="relnotes_port"><info><title>Porting Changes</title></info> <itemizedlist> <listitem> - <para>None</para> + <para> + None. + </para> </listitem> </itemizedlist> - </sect2> - <sect2 id="relnotes_changes"> - <title>Feature Changes</title> + </section> + + <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info> <itemizedlist> <listitem> - <para> - Updated the compiled in addresses for H.ROOT-SERVERS.NET. + <para> + Windows installs were failing due to triggering UAC without + the installation binary being signed. </para> </listitem> - </itemizedlist> - </sect2> - <sect2 id="relnotes_bugs"> - <title>Bug Fixes</title> - <itemizedlist> <listitem> <para> - Authoritative servers that were marked as bogus (e.g. blackholed - in configuration or with invalid addresses) were being queried - anyway. [RT #41321] + A race condition in rbt/rbtdb was leading to INSISTs being + triggered. </para> </listitem> </itemizedlist> - </sect2> - <sect2 id="end_of_life"> - <title>End of Life</title> + </section> + + <section xml:id="end_of_life"><info><title>End of Life</title></info> <para> - The BIND 9.9 (Extended Support Version) will be supported until + BIND 9.9 (Extended Support Version) will be supported until December, 2017. - <ulink url="https://www.isc.org/downloads/software-support-policy/" - >https://www.isc.org/downloads/software-support-policy/</ulink> + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link> </para> - </sect2> - <sect2 id="relnotes_thanks"> - <title>Thank You</title> + </section> + + <section xml:id="relnotes_thanks"><info><title>Thank You</title></info> <para> Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at - <ulink url="http://www.isc.org/donate/" - >http://www.isc.org/donate/</ulink>. + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>. </para> - </sect2> -</sect1> + </section> +</section> diff --git a/doc/arm/noteversion.xml.in b/doc/arm/noteversion.xml.in new file mode 100644 index 000000000000..e42aeb2b3612 --- /dev/null +++ b/doc/arm/noteversion.xml.in @@ -0,0 +1,17 @@ +<!-- + - Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<title>Release Notes for BIND Version @BIND9_VERSION@</title> diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml index d5a841295a5a..86a7305e36b0 100644 --- a/doc/arm/pkcs11.xml +++ b/doc/arm/pkcs11.xml @@ -1,8 +1,5 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" - "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" - [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2010, 2012-2014 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2010, 2012-2016 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -17,10 +14,9 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: pkcs11.xml,v 1.7 2012/01/16 22:50:12 each Exp $ --> +<!-- Converted by db4-upgrade version 1.0 --> +<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pkcs11"><info><title>PKCS #11 (Cryptoki) support</title></info> -<sect1 id="pkcs11"> - <title>PKCS #11 (Cryptoki) support</title> <para>PKCS #11 (Public Key Cryptography Standard #11) defines a platform- independent API for the control of hardware security modules (HSMs) and other cryptographic support devices.</para> @@ -28,8 +24,8 @@ cryptographic acceleration board, tested under Solaris x86, and the AEP Keyper network-attached key storage device, tested with Debian Linux, Solaris x86 and Windows Server 2003.</para> - <sect2> - <title>Prerequisites</title> + <section><info><title>Prerequisites</title></info> + <para>See the HSM vendor documentation for information about installing, initializing, testing and troubleshooting the HSM.</para> @@ -60,7 +56,7 @@ function primarily as secure key storage devices, but lack hardware acceleration. These devices are highly secure, but are not necessarily any faster at cryptography than the - system CPU — often, they are slower. It is therefore + system CPU — often, they are slower. It is therefore most efficient to use them only for those cryptographic functions that require access to the secured private key, such as zone signing, and to use the system CPU for all @@ -71,15 +67,15 @@ <para> The modified OpenSSL code is included in the BIND 9 release, in the form of a context diff against the latest versions of - OpenSSL. OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are - separate diffs for each version. In the examples to follow, - we use OpenSSL 0.9.8, but the same methods work with OpenSSL - 1.0.0 and 1.0.1. + OpenSSL. OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 are supported; + there are separate diffs for each version. In the examples to + follow, we use OpenSSL 0.9.8, but the same methods work with + OpenSSL 1.0.0 through 1.0.2. </para> <note> - The latest OpenSSL versions at the time of the BIND release - are 0.9.8y, 1.0.0k and 1.0.1e. - ISC will provide an updated patch as new versions of OpenSSL + The OpenSSL patches as of this writing (January 2016) + support versions 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2f. + ISC will provide updated patches as new versions of OpenSSL are released. The version number in the following examples is expected to change.</note> <para> @@ -89,7 +85,7 @@ library.</para> <para>Obtain OpenSSL 0.9.8s:</para> <screen> -$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8s.tar.gz</ulink></userinput> +$ <userinput>wget <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</link></userinput> </screen> <para>Extract the tarball:</para> <screen> @@ -108,9 +104,9 @@ $ <userinput>patch -p1 -d openssl-0.9.8s \ elsewhere on the system. In the following examples, we choose to install into "/opt/pkcs11/usr". We will use this location when we configure BIND 9.</para> - <sect3> + <section><info><title>Building OpenSSL for the AEP Keyper on Linux</title></info> <!-- Example 1 --> - <title>Building OpenSSL for the AEP Keyper on Linux</title> + <para>The AEP Keyper is a highly secure key storage device, but does not provide hardware cryptographic acceleration. It can carry out cryptographic operations, but it is probably @@ -139,10 +135,10 @@ $ <userinput>./Configure linux-generic32 -m32 -pthread \ and "<command>make test</command>". If "<command>make test</command>" fails with "pthread_atfork() not found", you forgot to add the -pthread above.</para> - </sect3> - <sect3> + </section> + <section><info><title>Building OpenSSL for the SCA 6000 on Solaris</title></info> <!-- Example 2 --> - <title>Building OpenSSL for the SCA 6000 on Solaris</title> + <para>The SCA-6000 PKCS #11 provider is installed as a system library, libpkcs11. It is a true crypto accelerator, up to 4 times faster than any CPU, so the flavor shall be @@ -158,13 +154,13 @@ $ <userinput>./Configure solaris64-x86_64-cc \ </screen> <para>(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)</para> - <para>After configuring, run - <command>make</command> and + <para>After configuring, run + <command>make</command> and <command>make test</command>.</para> - </sect3> - <sect3> + </section> + <section><info><title>Building OpenSSL for SoftHSM</title></info> <!-- Example 3 --> - <title>Building OpenSSL for SoftHSM</title> + <para>SoftHSM is a software library provided by the OpenDNSSEC project (http://www.opendnssec.org) which provides a PKCS#11 interface to a virtual HSM, implemented in the form of encrypted @@ -183,7 +179,7 @@ $ <userinput> configure --prefix=/opt/pkcs11/usr </userinput> $ <userinput> make </userinput> $ <userinput> make install </userinput> $ <userinput> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </userinput> -$ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput> +$ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput> $ <userinput> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </userinput> </screen> <para>SoftHSM can perform all cryptographic operations, but @@ -199,7 +195,7 @@ $ <userinput>./Configure linux-x86_64 -pthread \ </screen> <para>After configuring, run "<command>make</command>" and "<command>make test</command>".</para> - </sect3> + </section> <para>Once you have built OpenSSL, run "<command>apps/openssl engine pkcs11</command>" to confirm that PKCS #11 support was compiled in correctly. The output @@ -219,16 +215,16 @@ $ <userinput>./Configure linux-x86_64 -pthread \ <quote><literal>[ available ]</literal></quote>.</para> <para>If the output is correct, run "<command>make install</command>" which will install the - modified OpenSSL suite to + modified OpenSSL suite to <filename>/opt/pkcs11/usr</filename>.</para> - </sect2> - <sect2> - <title>Building BIND 9 with PKCS#11</title> + </section> + <section><info><title>Building BIND 9 with PKCS#11</title></info> + <para>When building BIND 9, the location of the custom-built OpenSSL library must be specified via configure.</para> - <sect3> + <section><info><title>Configuring BIND 9 for Linux with the AEP Keyper</title></info> <!-- Example 4 --> - <title>Configuring BIND 9 for Linux with the AEP Keyper</title> + <para>To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build.</para> <para>The PKCS #11 library for the AEP Keyper is currently @@ -241,10 +237,10 @@ $ <userinput>./configure CC="gcc -m32" --enable-threads \ --with-openssl=/opt/pkcs11/usr \ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput> </screen> - </sect3> - <sect3> + </section> + <section><info><title>Configuring BIND 9 for Solaris with the SCA 6000</title></info> <!-- Example 5 --> - <title>Configuring BIND 9 for Solaris with the SCA 6000</title> + <para>To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build.</para> <screen> @@ -259,32 +255,32 @@ $ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \ incorrectly specified the path to OpenSSL (it should be the same as the --prefix argument to the OpenSSL Configure).</para> - </sect3> - <sect3> + </section> + <section><info><title>Configuring BIND 9 for SoftHSM</title></info> <!-- Example 6 --> - <title>Configuring BIND 9 for SoftHSM</title> + <screen> $ <userinput>cd ../bind9</userinput> $ <userinput>./configure --enable-threads \ --with-openssl=/opt/pkcs11/usr \ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput> </screen> - </sect3> + </section> <para>After configuring, run "<command>make</command>", "<command>make test</command>" and "<command>make install</command>".</para> <para>(Note: If "make test" fails in the "pkcs11" system test, you may have forgotten to set the SOFTHSM_CONF environment variable.)</para> - </sect2> - <sect2> - <title>PKCS #11 Tools</title> + </section> + <section><info><title>PKCS #11 Tools</title></info> + <para>BIND 9 includes a minimal set of tools to operate the - HSM, including + HSM, including <command>pkcs11-keygen</command> to generate a new key pair - within the HSM, + within the HSM, <command>pkcs11-list</command> to list objects currently - available, and + available, and <command>pkcs11-destroy</command> to remove objects.</para> <para>In UNIX/Linux builds, these tools are built only if BIND 9 is configured with the --with-pkcs11 option. (NOTE: If @@ -293,9 +289,9 @@ $ <userinput>./configure --enable-threads \ provider will be left undefined. Use the -m option or the PKCS11_PROVIDER environment variable to specify the path to the provider.)</para> - </sect2> - <sect2> - <title>Using the HSM</title> + </section> + <section><info><title>Using the HSM</title></info> + <para>First, we must set up the runtime environment so the OpenSSL and PKCS #11 libraries can be loaded:</para> <screen> @@ -304,7 +300,7 @@ $ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</user <para>When operating an AEP Keyper, it is also necessary to specify the location of the "machine" file, which stores information about the Keyper for use by PKCS #11 provider - library. If the machine file is in + library. If the machine file is in <filename>/opt/Keyper/PKCS11Provider/machine</filename>, use:</para> <screen> @@ -312,14 +308,14 @@ $ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput> </screen> <!-- TODO: why not defined at compile time? --> <para>These environment variables must be set whenever running - any tool that uses the HSM, including - <command>pkcs11-keygen</command>, - <command>pkcs11-list</command>, - <command>pkcs11-destroy</command>, - <command>dnssec-keyfromlabel</command>, - <command>dnssec-signzone</command>, + any tool that uses the HSM, including + <command>pkcs11-keygen</command>, + <command>pkcs11-list</command>, + <command>pkcs11-destroy</command>, + <command>dnssec-keyfromlabel</command>, + <command>dnssec-signzone</command>, <command>dnssec-keygen</command>(which will use the HSM for - random number generation), and + random number generation), and <command>named</command>.</para> <para>We can now create and use keys in the HSM. In this case, we will create a 2048 bit key and give it the label @@ -367,9 +363,9 @@ $ <userinput>dnssec-keygen example.net</userinput> rolled more frequently, if you wish, to compensate for a reduction in key security.</para> <para>Now you can sign the zone. (Note: If not using the -S - option to + option to <command>dnssec-signzone</command>, it will be necessary to add - the contents of both + the contents of both <filename>K*.key</filename> files to the zone master file before signing it.)</para> <screen> @@ -381,35 +377,35 @@ Zone signing complete: Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by example.net.signed </screen> - </sect2> - <sect2> - <title>Specifying the engine on the command line</title> - <para>The OpenSSL engine can be specified in - <command>named</command> and all of the BIND + </section> + <section><info><title>Specifying the engine on the command line</title></info> + + <para>The OpenSSL engine can be specified in + <command>named</command> and all of the BIND <command>dnssec-*</command> tools by using the "-E <engine>" command line option. If BIND 9 is built with the --with-pkcs11 option, this option defaults to "pkcs11". Specifying the engine will generally not be necessary unless for some reason you wish to use a different OpenSSL engine.</para> - <para>If you wish to disable use of the "pkcs11" engine — + <para>If you wish to disable use of the "pkcs11" engine — for troubleshooting purposes, or because the HSM is unavailable - — set the engine to the empty string. For example:</para> + — set the engine to the empty string. For example:</para> <screen> $ <userinput>dnssec-signzone -E '' -S example.net</userinput> </screen> - <para>This causes + <para>This causes <command>dnssec-signzone</command> to run as if it were compiled without the --with-pkcs11 option.</para> - </sect2> - <sect2> - <title>Running named with automatic zone re-signing</title> - <para>If you want + </section> + <section><info><title>Running named with automatic zone re-signing</title></info> + + <para>If you want <command>named</command> to dynamically re-sign zones using HSM keys, and/or to to sign new records inserted via nsupdate, then named must have access to the HSM PIN. This can be accomplished by placing the PIN into the openssl.cnf file (in the above - examples, + examples, <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para> <para>The location of the openssl.cnf file can be overridden by setting the OPENSSL_CONF environment variable before running @@ -428,7 +424,7 @@ $ <userinput>dnssec-signzone -E '' -S example.net</userinput> without PIN entry. (The pkcs11-* tools access the HSM directly, not via OpenSSL, so a PIN will still be required to use them.)</para> -<!-- +<!-- If the PIN is not known, I believe the first time named needs the PIN to open a key, it'll ask you to type in the PIN, which will be a problem because it probably won't be running on a terminal @@ -439,7 +435,7 @@ a problem because it probably won't be running on a terminal HSM. Be sure this is what you want to do before configuring OpenSSL in this way.</para> </warning> - </sect2> + </section> <!-- TODO: what is alternative then for named dynamic re-signing? --> <!-- TODO: what happens if PIN is not known? named will log about it? --> -</sect1> +</section> diff --git a/doc/arm/pkgversion.xml.in b/doc/arm/pkgversion.xml.in new file mode 100644 index 000000000000..1329f53ad8f3 --- /dev/null +++ b/doc/arm/pkgversion.xml.in @@ -0,0 +1,17 @@ +<!-- + - Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + + <para>This version of the manual corresponds to BIND version @PACKAGE_VERSION@.</para> diff --git a/doc/arm/releaseinfo.xml.in b/doc/arm/releaseinfo.xml.in new file mode 100644 index 000000000000..a3bbd20a93b7 --- /dev/null +++ b/doc/arm/releaseinfo.xml.in @@ -0,0 +1,17 @@ +<!-- + - Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<releaseinfo>BIND Version @BIND9_VERSION@</releaseinfo> diff --git a/doc/misc/options b/doc/misc/options index 66df0bd60c63..f23568cda1c3 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -32,7 +32,7 @@ logging { print-time <boolean>; severity <log_severity>; stderr; - syslog <optional_facility>; + syslog [ <syslog_facility> ]; }; }; @@ -41,7 +41,7 @@ lwres { [ port <integer> ]; ... }; ndots <integer>; search { <string>; ... }; - view <string> <optional_class>; + view <string> [ <class> ]; }; managed-keys { <string> <string> <integer> <integer> <integer> @@ -92,14 +92,14 @@ options { check-wildcard <boolean>; cleaning-interval <integer>; clients-per-query <integer>; - coresize <size>; - datasize <size>; + coresize ( unlimited | default | <sizeval> ); + datasize ( unlimited | default | <sizeval> ); deallocate-on-exit <boolean>; // obsolete deny-answer-addresses { <address_match_element>; ... } [ except-from { <quoted_string>; ... } ]; deny-answer-aliases { <quoted_string>; ... } [ except-from { <quoted_string>; ... } ]; - dialup <dialuptype>; + dialup ( notify | notify-passive | refresh | passive | <boolean> ); directory <quoted_string>; disable-algorithms <string> { <string>; ... }; disable-empty-zone <string>; @@ -132,9 +132,13 @@ options { empty-zones-enable <boolean>; fake-iquery <boolean>; // obsolete fetch-glue <boolean>; // obsolete - files <size>; + fetch-quota-params <integer> <fixedpoint> + <fixedpoint> <fixedpoint>; // not configured + fetches-per-server <integer> [ ( drop | fail ) ]; // not configured + fetches-per-zone <integer> [ ( drop | fail ) ]; // not configured + files ( unlimited | default | <sizeval> ); filter-aaaa { <address_match_element>; ... }; // not configured - filter-aaaa-on-v4 <v4_aaaa>; // not configured + filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured flush-zones-on-shutdown <boolean>; forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) @@ -146,7 +150,7 @@ options { hostname ( <quoted_string> | none ); inline-signing <boolean>; interface-interval <integer>; - ixfr-from-differences <ixfrdiff>; + ixfr-from-differences ( master | slave | <boolean> ); key-directory <quoted_string>; lame-ttl <integer>; listen-on [ port <integer> ] { <address_match_element>; ... }; @@ -159,7 +163,7 @@ options { max-cache-size <size_no_default>; max-cache-ttl <integer>; max-clients-per-query <integer>; - max-ixfr-log-size <size>; // obsolete + max-ixfr-log-size ( unlimited | default | <sizeval> ); // obsolete max-journal-size <size_no_default>; max-ncache-ttl <integer>; max-recursion-depth <integer>; @@ -182,7 +186,7 @@ options { multiple-cnames <boolean>; // obsolete named-xfer <quoted_string>; // obsolete no-case-compress { <address_match_element>; ... }; - notify <notifytype>; + notify ( explicit | master-only | <boolean> ); notify-delay <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; @@ -227,7 +231,7 @@ options { sig-signing-type <integer>; sig-validity-interval <integer> [ <integer> ]; sortlist { <address_match_element>; ... }; - stacksize <size>; + stacksize ( unlimited | default | <sizeval> ); statistics-file <quoted_string>; statistics-interval <integer>; // not yet implemented suppress-initial-notify <boolean>; // not yet implemented @@ -249,14 +253,14 @@ options { update-check-ksk <boolean>; use-alt-transfer-source <boolean>; use-id-pool <boolean>; // obsolete - use-ixfr <boolean>; + use-ixfr <boolean>; // obsolete use-queryport-pool <boolean>; // obsolete use-v4-udp-ports { <portrange>; ... }; use-v6-udp-ports { <portrange>; ... }; version ( <quoted_string> | none ); zero-no-soa-ttl <boolean>; zero-no-soa-ttl-cache <boolean>; - zone-statistics <zonestat>; + zone-statistics ( full | terse | none | <boolean> ); }; server <netprefix> { @@ -285,7 +289,7 @@ statistics-channels { trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; -view <string> <optional_class> { +view <string> [ <class> ] { acache-cleaning-interval <integer>; acache-enable <boolean>; additional-from-auth <boolean>; @@ -327,7 +331,7 @@ view <string> <optional_class> { except-from { <quoted_string>; ... } ]; deny-answer-aliases { <quoted_string>; ... } [ except-from { <quoted_string>; ... } ]; - dialup <dialuptype>; + dialup ( notify | notify-passive | refresh | passive | <boolean> ); disable-algorithms <string> { <string>; ... }; disable-empty-zone <string>; dlz <string> { @@ -360,13 +364,17 @@ view <string> <optional_class> { empty-server <string>; empty-zones-enable <boolean>; fetch-glue <boolean>; // obsolete + fetch-quota-params <integer> <fixedpoint> + <fixedpoint> <fixedpoint>; // not configured + fetches-per-server <integer> [ ( drop | fail ) ]; // not configured + fetches-per-zone <integer> [ ( drop | fail ) ]; // not configured filter-aaaa { <address_match_element>; ... }; // not configured - filter-aaaa-on-v4 <v4_aaaa>; // not configured + filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; inline-signing <boolean>; - ixfr-from-differences <ixfrdiff>; + ixfr-from-differences ( master | slave | <boolean> ); key <string> { algorithm <string>; secret <string>; @@ -384,7 +392,7 @@ view <string> <optional_class> { max-cache-size <size_no_default>; max-cache-ttl <integer>; max-clients-per-query <integer>; - max-ixfr-log-size <size>; // obsolete + max-ixfr-log-size ( unlimited | default | <sizeval> ); // obsolete max-journal-size <size_no_default>; max-ncache-ttl <integer>; max-recursion-depth <integer>; @@ -402,7 +410,7 @@ view <string> <optional_class> { minimal-responses <boolean>; multi-master <boolean>; no-case-compress { <address_match_element>; ... }; - notify <notifytype>; + notify ( explicit | master-only | <boolean> ); notify-delay <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; @@ -468,7 +476,7 @@ view <string> <optional_class> { use-queryport-pool <boolean>; // obsolete zero-no-soa-ttl <boolean>; zero-no-soa-ttl-cache <boolean>; - zone <string> <optional_class> { + zone <string> [ <class> ] { allow-notify { <address_match_element>; ... }; allow-query { <address_match_element>; ... }; allow-query-on { <address_match_element>; ... }; @@ -494,7 +502,8 @@ view <string> <optional_class> { check-wildcard <boolean>; database <string>; delegation-only <boolean>; - dialup <dialuptype>; + dialup ( notify | notify-passive | refresh | passive | + <boolean> ); dnssec-dnskey-kskonly <boolean>; dnssec-loadkeys-interval <integer>; dnssec-secure-to-insecure <boolean>; @@ -514,7 +523,8 @@ view <string> <optional_class> { masters [ port <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; - max-ixfr-log-size <size>; // obsolete + max-ixfr-log-size ( unlimited | default | + <sizeval> ); // obsolete max-journal-size <size_no_default>; max-refresh-time <integer>; max-retry-time <integer>; @@ -525,7 +535,7 @@ view <string> <optional_class> { min-refresh-time <integer>; min-retry-time <integer>; multi-master <boolean>; - notify <notifytype>; + notify ( explicit | master-only | <boolean> ); notify-delay <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; @@ -559,12 +569,12 @@ view <string> <optional_class> { ] <rrtypelist>; ... }; use-alt-transfer-source <boolean>; zero-no-soa-ttl <boolean>; - zone-statistics <zonestat>; + zone-statistics ( full | terse | none | <boolean> ); }; - zone-statistics <zonestat>; + zone-statistics ( full | terse | none | <boolean> ); }; -zone <string> <optional_class> { +zone <string> [ <class> ] { allow-notify { <address_match_element>; ... }; allow-query { <address_match_element>; ... }; allow-query-on { <address_match_element>; ... }; @@ -589,7 +599,7 @@ zone <string> <optional_class> { check-wildcard <boolean>; database <string>; delegation-only <boolean>; - dialup <dialuptype>; + dialup ( notify | notify-passive | refresh | passive | <boolean> ); dnssec-dnskey-kskonly <boolean>; dnssec-loadkeys-interval <integer>; dnssec-secure-to-insecure <boolean>; @@ -609,7 +619,7 @@ zone <string> <optional_class> { masters [ port <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; - max-ixfr-log-size <size>; // obsolete + max-ixfr-log-size ( unlimited | default | <sizeval> ); // obsolete max-journal-size <size_no_default>; max-refresh-time <integer>; max-retry-time <integer>; @@ -620,7 +630,7 @@ zone <string> <optional_class> { min-refresh-time <integer>; min-retry-time <integer>; multi-master <boolean>; - notify <notifytype>; + notify ( explicit | master-only | <boolean> ); notify-delay <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; @@ -648,6 +658,6 @@ zone <string> <optional_class> { | zonesub | external ) [ <string> ] <rrtypelist>; ... }; use-alt-transfer-source <boolean>; zero-no-soa-ttl <boolean>; - zone-statistics <zonestat>; + zone-statistics ( full | terse | none | <boolean> ); }; diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 18e6e8ba2089..766cd23fac5e 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -85,7 +85,7 @@ or Best Current Practice (BCP) documents. RFC6891 RFC7043 RFC7314 - RFC7314 + RFC7477 The following DNS related RFC have been obsoleted |