- For the complete set of commands supported by rndc, - see the BIND 9 Administrator Reference Manual or run - rndc without arguments to see its help - message. -
rndc - does not yet support all the commands of - the BIND 8 ndc utility. +
+ A list of commands supported by rndc can + be seen by running rndc without arguments.
++ Currently supported commands are: +
+reload+ Reload configuration file and zones. +
reload zone [class [view]]+ Reload the given zone. +
refresh zone [class [view]]+ Schedule zone maintenance for the given zone. +
retransfer zone [class [view]]+ Retransfer the given zone from the master. +
sign zone [class [view]]+ Fetch all DNSSEC keys for the given zone + from the key directory (see the + key-directory option in + the BIND 9 Administrator Reference Manual). If they are within + their publication period, merge them into the + zone's DNSKEY RRset. If the DNSKEY RRset + is changed, then the zone is automatically + re-signed with the new key set. +
+
+ This command requires that the
+ auto-dnssec zone option be set
+ to allow or
+ maintain,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+
loadkeys zone [class [view]]+ Fetch all DNSSEC keys for the given zone + from the key directory. If they are within + their publication period, merge them into the + zone's DNSKEY RRset. Unlike rndc + sign, however, the zone is not + immediately re-signed by the new keys, but is + allowed to incrementally re-sign over time. +
+
+ This command requires that the
+ auto-dnssec zone option
+ be set to maintain,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+
freeze [zone [class [view]]]+ Suspend updates to a dynamic zone. If no zone is + specified, then all zones are suspended. This allows + manual edits to be made to a zone normally updated by + dynamic update. It also causes changes in the + journal file to be synced into the master file. + All dynamic update attempts will be refused while + the zone is frozen. +
thaw [zone [class [view]]]+ Enable updates to a frozen dynamic zone. If no + zone is specified, then all frozen zones are + enabled. This causes the server to reload the zone + from disk, and re-enables dynamic updates after the + load has completed. After a zone is thawed, + dynamic updates will no longer be refused. If + the zone has changed and the + ixfr-from-differences option is + in use, then the journal file will be updated to + reflect changes in the zone. Otherwise, if the + zone has changed, any existing journal file will be + removed. +
sync [-clean] [zone [class [view]]]+ Sync changes in the journal file for a dynamic zone + to the master file. If the "-clean" option is + specified, the journal file is also removed. If + no zone is specified, then all zones are synced. +
notify zone [class [view]]+ Resend NOTIFY messages for the zone. +
reconfig+ Reload the configuration file and load new zones, + but do not reload existing zone files even if they + have changed. + This is faster than a full reload when there + is a large number of zones because it avoids the need + to examine the + modification times of the zones files. +
zonestatus [zone [class [view]]]+ Displays the current status of the given zone, + including the master file name and any include + files from which it was loaded, when it was most + recently loaded, the current serial number, the + number of nodes, whether the zone supports + dynamic updates, whether the zone is DNSSEC + signed, whether it uses automatic DNSSEC key + management or inline signing, and the scheduled + refresh or expiry times for the zone. +
stats+ Write server statistics to the statistics file. +
querylog [on|off] + Enable or disable query logging. (For backward + compatibility, this command can also be used without + an argument to toggle query logging on and off.) +
+
+ Query logging can also be enabled
+ by explicitly directing the queries
+ category to a
+ channel in the
+ logging section of
+ named.conf or by specifying
+ querylog yes; in the
+ options section of
+ named.conf.
+
dumpdb [-all|-cache|-zone] [view ...]+ Dump the server's caches (default) and/or zones to + the + dump file for the specified views. If no view is + specified, all + views are dumped. +
secroots [view ...]+ Dump the server's security roots to the secroots + file for the specified views. If no view is + specified, security roots for all + views are dumped. +
stop [-p]
+ Stop the server, making sure any recent changes
+ made through dynamic update or IXFR are first saved to
+ the master files of the updated zones.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed stopping.
+
halt [-p]
+ Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to
+ the master files, but will be rolled forward from the
+ journal files when the server is restarted.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed halting.
+
trace+ Increment the servers debugging level by one. +
trace level+ Sets the server's debugging level to an explicit + value. +
notrace+ Sets the server's debugging level to 0. +
flush+ Flushes the server's cache. +
flushname name [view] + Flushes the given name from the server's DNS cache + and, if applicable, from the server's nameserver address + database or bad-server cache. +
flushtree name [view] + Flushes the given name, and all of its subdomains, + from the server's DNS cache. Note that this does + not affect he server's address + database or bad-server cache. +
status+ Display status of the server. + Note that the number of zones includes the internal bind/CH zone + and the default ./IN + hint zone if there is not an + explicit root zone configured. +
recursing+ Dump the list of queries named is currently recursing + on. +
validation ( on | off | check ) [view ...]
+ Enable, disable, or check the current status of
+ DNSSEC validation.
+ Note dnssec-enable also needs to be
+ set to yes or
+ auto to be effective.
+ It defaults to enabled.
+
tsig-list+ List the names of all TSIG keys currently configured + for use by named in each view. The + list both statically configured keys and dynamic + TKEY-negotiated keys. +
tsig-delete keyname [view]+ Delete a given TKEY-negotiated key from the server. + (This does not apply to statically configured TSIG + keys.) +
addzone zone [class [view]] configuration
+ Add a zone while the server is running. This
+ command requires the
+ allow-new-zones option to be set
+ to yes. The
+ configuration string
+ specified on the command line is the zone
+ configuration text that would ordinarily be
+ placed in named.conf.
+
+ The configuration is saved in a file called
+ hash.nzfhash is a
+ cryptographic hash generated from the name of
+ the view. When named is
+ restarted, the file will be loaded into the view
+ configuration, so that zones that were added
+ can persist after a restart.
+
+ This sample addzone command
+ would add the zone example.com
+ to the default view:
+
+$ rndc addzone example.com '{ type master; file "example.com.db"; };'
+
+ (Note the brackets and semi-colon around the zone + configuration text.) +
+delzone [-clean] zone [class [view]] + Delete a zone while the server is running. + Only zones that were originally added via + rndc addzone can be deleted + in this manner. +
+
+ If the -clean is specified,
+ the zone's master file (and journal file, if any)
+ will be deleted along with the zone. Without the
+ -clean option, zone files must
+ be cleaned up by hand. (If the zone is of
+ type "slave" or "stub", the files needing to
+ be cleaned up will be reported in the output
+ of the rndc delzone command.)
+
signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) ) ] zone [class [view]] + List, edit, or remove the DNSSEC signing state for + the specified zone. The status of ongoing DNSSEC + operations (such as signing or generating + NSEC3 chains) is stored in the zone in the form + of DNS resource records of type + sig-signing-type. + rndc signing -list converts + these records into a human-readable form, + indicating which keys are currently signing + or have finished signing the zone, and which NSEC3 + chains are being created or removed. +
++ rndc signing -clear can remove + a single key (specified in the same format that + rndc signing -list uses to + display it), or all keys. In either case, only + completed keys are removed; any record indicating + that a key has not yet finished signing the zone + will be retained. +
++ rndc signing -nsec3param sets + the NSEC3 parameters for a zone. This is the + only supported mechanism for using NSEC3 with + inline-signing zones. + Parameters are specified in the same format as + an NSEC3PARAM resource record: hash algorithm, + flags, iterations, and salt, in that order. +
+
+ Currently, the only defined value for hash algorithm
+ is 1, representing SHA-1.
+ The flags may be set to
+ 0 or 1,
+ depending on whether you wish to set the opt-out
+ bit in the NSEC3 chain. iterations
+ defines the number of additional times to apply
+ the algorithm when generating an NSEC3 hash. The
+ salt is a string of data expressed
+ in hexidecimal, or a hyphen (`-') if no salt is
+ to be used.
+
+ So, for example, to create an NSEC3 chain using
+ the SHA-1 hash algorithm, no opt-out flag,
+ 10 iterations, and a salt value of "FFFF", use:
+ rndc signing -nsec3param 1 0 10 FFFF zone.
+ To set the opt-out flag, 15 iterations, and no
+ salt, use:
+ rndc signing -nsec3param 1 1 15 - zone.
+
+ rndc signing -nsec3param none + removes an existing NSEC3 chain and replaces it + with NSEC. +
+
There is currently no way to provide the shared secret for a
key_id without using the configuration file.
@@ -149,7 +506,7 @@
rndc [-c config] [-s server] [-p port] [-y key] command [command...]
The command - is one of the following: +
See rndc(8) for details of + the available rndc commands.
-reload- Reload configuration file and zones. -
reload zone
- [class
- [view]]- Reload the given zone. -
refresh zone
- [class
- [view]]- Schedule zone maintenance for the given zone. -
retransfer zone
-
- [class
- [view]]- Retransfer the given zone from the master. -
sign zone
- [class
- [view]]- Fetch all DNSSEC keys for the given zone - from the key directory (see - key-directory in - the section called “options Statement Definition and - Usage”). If they are within - their publication period, merge them into the - zone's DNSKEY RRset. If the DNSKEY RRset - is changed, then the zone is automatically - re-signed with the new key set. -
-
- This command requires that the
- auto-dnssec zone option be set
- to allow or
- maintain,
- and also requires the zone to be configured to
- allow dynamic DNS.
- See the section called “Dynamic Update Policies” for
- more details.
-
loadkeys zone
- [class
- [view]]- Fetch all DNSSEC keys for the given zone - from the key directory (see - key-directory in - the section called “options Statement Definition and - Usage”). If they are within - their publication period, merge them into the - zone's DNSKEY RRset. Unlike rndc - sign, however, the zone is not - immediately re-signed by the new keys, but is - allowed to incrementally re-sign over time. -
-
- This command requires that the
- auto-dnssec zone option
- be set to maintain,
- and also requires the zone to be configured to
- allow dynamic DNS.
- See the section called “Dynamic Update Policies” for
- more details.
-
freeze
- [zone
- [class
- [view]]]- Suspend updates to a dynamic zone. If no zone is - specified, then all zones are suspended. This allows - manual edits to be made to a zone normally updated by - dynamic update. It also causes changes in the - journal file to be synced into the master file. - All dynamic update attempts will be refused while - the zone is frozen. -
thaw
- [zone
- [class
- [view]]]- Enable updates to a frozen dynamic zone. If no - zone is specified, then all frozen zones are - enabled. This causes the server to reload the zone - from disk, and re-enables dynamic updates after the - load has completed. After a zone is thawed, - dynamic updates will no longer be refused. If - the zone has changed and the - ixfr-from-differences option is - in use, then the journal file will be updated to - reflect changes in the zone. Otherwise, if the - zone has changed, any existing journal file will be - removed. -
sync
- [-clean]
- [zone
- [class
- [view]]]- Sync changes in the journal file for a dynamic zone - to the master file. If the "-clean" option is - specified, the journal file is also removed. If - no zone is specified, then all zones are synced. -
notify zone
- [class
- [view]]- Resend NOTIFY messages for the zone. -
reconfig- Reload the configuration file and load new zones, - but do not reload existing zone files even if they - have changed. - This is faster than a full reload when there - is a large number of zones because it avoids the need - to examine the - modification times of the zones files. -
zonestatus
- [zone
- [class
- [view]]]- Displays the current status of the given zone, - including the master file name and any include - files from which it was loaded, when it was most - recently loaded, the current serial number, the - number of nodes, whether the zone supports - dynamic updates, whether the zone is DNSSEC - signed, whether it uses automatic DNSSEC key - management or inline signing, and the scheduled - refresh or expiry times for the zone. -
stats- Write server statistics to the statistics file. -
querylog
- [on|off]
- - Enable or disable query logging. (For backward - compatibility, this command can also be used without - an argument to toggle query logging on and off.) -
-
- Query logging can also be enabled
- by explicitly directing the queries
- category to a
- channel in the
- logging section of
- named.conf or by specifying
- querylog yes; in the
- options section of
- named.conf.
-
dumpdb
- [-all|-cache|-zone]
- [view ...]- Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. -
secroots
- [view ...]- Dump the server's security roots to the secroots - file for the specified views. If no view is - specified, security roots for all - views are dumped. -
stop [-p]
- Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to
- the master files of the updated zones.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
- had completed stopping.
-
halt [-p]
- Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to
- the master files, but will be rolled forward from the
- journal files when the server is restarted.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
- had completed halting.
-
trace- Increment the servers debugging level by one. -
trace level- Sets the server's debugging level to an explicit - value. -
notrace- Sets the server's debugging level to 0. -
flush- Flushes the server's cache. -
flushname
- name
- [view]
- - Flushes the given name from the server's DNS cache, - and from the server's nameserver address database - if applicable. -
flushtree
- name
- [view]
- - Flushes the given name, and all of its subdomains, - from the server's DNS cache. (The server's - nameserver address database is not affected.) -
status- Display status of the server. - Note that the number of zones includes the internal bind/CH zone - and the default ./IN - hint zone if there is not an - explicit root zone configured. -
recursing- Dump the list of queries named is currently recursing - on. -
validation
- ( on | off | check )
- [view ...]
-
- Enable, disable, or check the current status of
- DNSSEC validation.
- Note dnssec-enable also needs to be
- set to yes or
- auto to be effective.
- It defaults to enabled.
-
tsig-list- List the names of all TSIG keys currently configured - for use by named in each view. The - list both statically configured keys and dynamic - TKEY-negotiated keys. -
tsig-delete
- keyname
- [view]- Delete a given TKEY-negotiated key from the server. - (This does not apply to statically configured TSIG - keys.) -
addzone
- zone
- [class
- [view]]
- configuration
-
- Add a zone while the server is running. This
- command requires the
- allow-new-zones option to be set
- to yes. The
- configuration string
- specified on the command line is the zone
- configuration text that would ordinarily be
- placed in named.conf.
-
- The configuration is saved in a file called
- hash.nzfhash is a
- cryptographic hash generated from the name of
- the view. When named is
- restarted, the file will be loaded into the view
- configuration, so that zones that were added
- can persist after a restart.
-
- This sample addzone command
- would add the zone example.com
- to the default view:
-
-$ rndc addzone example.com '{ type master; file "example.com.db"; };'
-
- (Note the brackets and semi-colon around the zone - configuration text.) -
-delzone
- [-clean]
- zone
- [class
- [view]]
- - Delete a zone while the server is running. - Only zones that were originally added via - rndc addzone can be deleted - in this matter. -
-
- If the -clean is specified,
- the zone's master file (and journal file, if any)
- will be deleted along with the zone. Without the
- -clean option, zone files must
- be cleaned up by hand. (If the zone is of
- type "slave" or "stub", the files needing to
- be cleaned up will be reported in the output
- of the rndc delzone command.)
-
signing
- [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) ) ]
- zone
- [class
- [view]]
- - List, edit, or remove the DNSSEC signing state for - the specified zone. The status of ongoing DNSSEC - operations (such as signing or generating - NSEC3 chains) is stored in the zone in the form - of DNS resource records of type - sig-signing-type. - rndc signing -list converts - these records into a human-readable form, - indicating which keys are currently signing - or have finished signing the zone, and which NSEC3 - NSEC3 chains are being created or removed. -
-- rndc signing -clear can remove - a single key (specified in the same format that - rndc signing -list uses to - display it), or all keys. In either case, only - completed keys are removed; any record indicating - that a key has not yet finished signing the zone - will be retained. -
-- rndc signing -nsec3param sets - the NSEC3 parameters for a zone. This is the - only supported mechanism for using NSEC3 with - inline-signing zones. - Parameters are specified in the same format as - an NSEC3PARAM resource record: hash algorithm, - flags, iterations, and salt, in that order. -
-
- Currently, the only defined value for hash algorithm
- is 1, representing SHA-1.
- The flags may be set to
- 0 or 1,
- depending on whether you wish to set the opt-out
- bit in the NSEC3 chain. iterations
- defines the number of additional times to apply
- the algorithm when generating an NSEC3 hash. The
- salt is a string of data expressed
- in hexidecimal, or a hyphen (`-') if no salt is
- to be used.
-
- So, for example, to create an NSEC3 chain using - the SHA-1 hash algorithm, no opt-out flag, - 10 iterations, and a salt value of "FFFF", use: - rndc signing -nsec3param 1 0 10 FFFF <zone>. - To set the opt-out flag, 15 iterations, and no - salt, use: - rndc signing -nsec3param 1 1 15 - <zone>. -
-- rndc signing -nsec3param none - removes an existing NSEC3 chain and replaces it - with NSEC. -
-- A configuration file is required, since all + rndc requires a configuration file, + since all communication with the server is authenticated with digital signatures that rely on a shared secret, and there is no way to provide that secret other than with a @@ -1024,7 +606,7 @@ controls {
Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 069a37a1a1..0f278ec217 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -49,64 +49,64 @@
Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -291,7 +291,7 @@
Let's say a company named Example, Inc.
(example.com)
@@ -548,7 +548,7 @@ nameserver 172.16.72.4
A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must @@ -556,7 +556,7 @@ nameserver 172.16.72.4
The following command will generate a 128-bit (16 byte) HMAC-SHA256 key as described above. Longer keys are better, but shorter keys @@ -580,7 +580,7 @@ nameserver 172.16.72.4
The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming @@ -595,7 +595,7 @@ nameserver 172.16.72.4
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. @@ -603,7 +603,7 @@ nameserver 172.16.72.4
Imagine host1 and host 2 are @@ -630,7 +630,7 @@ key host1-host2. {
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the named.conf file
@@ -662,7 +662,7 @@ server 10.1.2.3 {
BIND allows IP addresses and ranges to be specified in ACL @@ -689,7 +689,7 @@ allow-update { key host1-host2. ;};
The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware @@ -715,7 +715,7 @@ allow-update { key host1-host2. ;};
TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of @@ -751,7 +751,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -812,7 +812,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to generate keys. @@ -868,7 +868,7 @@ allow-update { key host1-host2. ;};
The dnssec-signzone program is used to sign a zone. @@ -910,7 +910,7 @@ allow-update { key host1-host2. ;};
To enable named to respond appropriately to DNS requests from DNSSEC aware clients, @@ -1070,7 +1070,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.
+Converting from insecure to secureChanging a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1096,7 +1096,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1132,7 +1132,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1188,7 +1188,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1229,12 +1229,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1256,7 +1256,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1271,27 +1271,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1306,14 +1306,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1335,7 +1335,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1346,7 +1346,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1420,7 +1420,7 @@ $ dnssec-signzone -S -K keys example.net<
Debian Linux, Solaris x86 and Windows Server 2003.
See the HSM vendor documentation for information about
installing, initializing, testing and troubleshooting the
HSM.
@@ -1498,7 +1498,7 @@ $ patch -p1 -d openssl-0.9.8s \
when we configure BIND 9.
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
can carry out cryptographic operations, but it is probably
@@ -1530,7 +1530,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS #11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
times faster than any CPU, so the flavor shall be
@@ -1552,7 +1552,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
interface to a virtual HSM, implemented in the form of encrypted
@@ -1612,12 +1612,12 @@ $ ./Configure linux-x86_64 -pthread \
When building BIND 9, the location of the custom-built
OpenSSL library must be specified via configure.
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
The PKCS #11 library for the AEP Keyper is currently
@@ -1633,7 +1633,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
@@ -1651,7 +1651,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1668,7 +1668,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
pkcs11-keygen to generate a new key pair
@@ -1686,7 +1686,7 @@ $ ./configure --enable-threads \
First, we must set up the runtime environment so the
OpenSSL and PKCS #11 libraries can be loaded:
@@ -1774,7 +1774,7 @@ example.net.signed
The OpenSSL engine can be specified in
named and all of the BIND
dnssec-* tools by using the "-E
@@ -1795,7 +1795,7 @@ $ dnssec-signzone -E '' -S example.net
If you want
named to dynamically re-sign zones using HSM
keys, and/or to to sign new records inserted via nsupdate, then
@@ -1869,7 +1869,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -1918,7 +1918,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
@@ -1968,7 +1968,7 @@ $ dnssec-signzone -E '' -S example.net
BIND 9 fully supports all currently
defined forms of IPv6 name to address and address to name
@@ -2006,7 +2006,7 @@ $ dnssec-signzone -E '' -S example.net
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -2025,7 +2025,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index b8f8475e1f..294502090a 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -45,13 +45,13 @@
Table of Contents
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index b85b672d43..0fcc07b2ab 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -48,58 +48,58 @@
Configuration File Elements
Configuration File Grammar
-- acl Statement Grammar
+- acl Statement Grammar
- acl Statement Definition and
Usage
-- controls Statement Grammar
+- controls Statement Grammar
- controls Statement Definition and
Usage
-- include Statement Grammar
-- include Statement Definition and
+
- include Statement Grammar
+- include Statement Definition and
Usage
-- key Statement Grammar
-- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and
+
- key Statement Grammar
+- key Statement Definition and Usage
+- logging Statement Grammar
+- logging Statement Definition and
Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and
+
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and
Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and
Usage
- server Statement Grammar
- server Statement Definition and
Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and
+
- statistics-channels Statement Definition and
Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition
+
- trusted-keys Statement Definition
and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition
and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone
Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
@@ -503,7 +503,7 @@
Address Match Lists
address_match_list = address_match_list_element ;
[ address_match_list_element; ... ]
address_match_list_element = [ ! ] (ip_address [/length] |
@@ -512,7 +512,7 @@
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@@ -596,7 +596,7 @@
The BIND 9 comment syntax allows for
comments to appear
@@ -606,7 +606,7 @@
/* This is a BIND comment as in C */
@@ -622,7 +622,7 @@
Comments may appear anywhere that whitespace may appear in
a BIND configuration file.
@@ -876,7 +876,7 @@
acl acl-name {
address_match_list
};
@@ -1012,7 +1012,7 @@ geoip org "Internet Systems Consortium";
controls {
[ inet ( ip_addr | * ) [ port ip_port ]
allow { address_match_list }
@@ -1136,12 +1136,12 @@ geoip org "Internet Systems Consortium";
include filename;
The include statement inserts the
@@ -1156,7 +1156,7 @@ geoip org "Internet Systems Consortium";
key key_id {
algorithm string;
secret string;
@@ -1165,7 +1165,7 @@ geoip org "Internet Systems Consortium";
The key statement defines a shared
secret key for use with TSIG (see the section called “TSIG”)
@@ -1212,7 +1212,7 @@ geoip org "Internet Systems Consortium";
logging {
[ channel channel_name {
( file path_name
@@ -1236,7 +1236,7 @@ geoip org "Internet Systems Consortium";
The logging statement configures a
@@ -1270,7 +1270,7 @@ geoip org "Internet Systems Consortium";
All log output goes to one or more channels;
you can make as many of them as you want.
@@ -1880,7 +1880,7 @@ category notify { null; };
The query-errors category is
specifically intended for debugging purposes: To identify
@@ -2108,7 +2108,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the lwres
statement in the named.conf file:
@@ -2124,7 +2124,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The lwres statement configures the
name
@@ -2175,7 +2175,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
masters name [port ip_port] [dscp ip_dscp] { ( masters_list |
ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2183,7 +2183,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
masters
lists allow for a common set of masters to be easily used by
@@ -2193,7 +2193,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options
statement in the named.conf file:
@@ -3952,7 +3952,7 @@ options {
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -3996,7 +3996,7 @@ options {
Dual-stack servers are used as servers of last resort to work
around
@@ -4213,7 +4213,7 @@ options {
The interfaces and ports that the server will answer queries
from may be specified using the listen-on option. listen-on takes
@@ -4674,7 +4674,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports,
avoid-v4-udp-ports,
@@ -4716,7 +4716,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -4877,7 +4877,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -5817,7 +5817,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter
out DNS responses from external DNS servers containing
@@ -5940,7 +5940,7 @@ deny-answer-aliases { "example.net"; };
BIND 9 includes a limited
mechanism to modify DNS responses for requests
@@ -6230,7 +6230,7 @@ ns.domain.com.rpz-nsdname CNAME .
Excessive almost identical UDP responses
can be controlled by configuring a
@@ -6643,7 +6643,7 @@ ns.domain.com.rpz-nsdname CNAME .
The statistics-channels statement
@@ -6742,7 +6742,7 @@ ns.domain.com.rpz-nsdname CNAME .
The trusted-keys statement defines
@@ -6782,7 +6782,7 @@ ns.domain.com.rpz-nsdname CNAME .
managed-keys {
name initial-key flags protocol algorithm key-data ;
[ name initial-key flags protocol algorithm key-data ; [...]]
@@ -6920,7 +6920,7 @@ ns.domain.com.rpz-nsdname CNAME .
The view statement is a powerful
feature
@@ -7236,10 +7236,10 @@ zone zone_name [
zone_name [
The zone's name may optionally be followed by a class. If
a class is not specified, class IN (for Internet),
@@ -7579,7 +7579,7 @@ zone zone_name [
- allow-notify
@@ -8495,7 +8495,7 @@ example.com. NS ns2.example.net.
@@ -8508,7 +8508,7 @@ example.com. NS ns2.example.net.
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -9245,7 +9245,7 @@ example.com. NS ns2.example.net.
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -9448,7 +9448,7 @@ example.com. NS ns2.example.net.
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -9704,7 +9704,7 @@ example.com. NS ns2.example.net.
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -9765,7 +9765,7 @@ example.com. NS ns2.example.net.
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -9780,7 +9780,7 @@ example.com. NS ns2.example.net.
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@@ -9791,7 +9791,7 @@ example.com. NS ns2.example.net.
Syntax: $ORIGIN
domain-name
@@ -9820,7 +9820,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
@@ -9856,7 +9856,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $TTL
default-ttl
@@ -9875,7 +9875,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $GENERATE
range
@@ -10317,7 +10317,7 @@ HOST-127.EXAMPLE. MX 0 .
Socket I/O statistics counters are defined per socket
types, which are
@@ -11605,7 +11605,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available
in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 60228dc99c..2d1693c672 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
Table of Contents
@@ -114,7 +114,7 @@ zone "example.com" {
On UNIX servers, it is possible to run BIND
@@ -140,7 +140,7 @@ zone "example.com" {
In order for a chroot environment
to
@@ -168,7 +168,7 @@ zone "example.com" {
Prior to running the named daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 367ac588c5..e8cdc4e28d 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
The Internet Systems Consortium
(ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 489644c4b6..24b78405d6 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -45,31 +45,31 @@
Table of Contents
Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
@@ -278,42 +278,42 @@
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-[RFC3645] Generic Security Service Algorithm for Secret
+[RFC3645] Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG). October 2003.
@@ -322,19 +322,19 @@
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-[RFC4035] Protocol Modifications for the DNS
+[RFC4035] Protocol Modifications for the DNS
Security Extensions. March 2005.
@@ -342,146 +342,146 @@
Other Important RFCs About DNS
Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely
+[RFC1535] A Security Problem and Proposed Correction With Widely
Deployed DNS Software.. October 1993.
-[RFC1536] Common DNS Implementation
+[RFC1536] Common DNS Implementation
Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS
+[RFC4074] Common Misbehaviour Against DNS
Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using
+[RFC2168] Resolution of Uniform Resource Identifiers using
the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the
+[RFC1876] A Means for Expressing Location Information in the
Domain
Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the
+[RFC2052] A DNS RR for Specifying the
Location of
Services.. October 1996.
-[RFC2163] Using the Internet DNS to
+[RFC2163] Using the Internet DNS to
Distribute MIXER
Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names
+[RFC1101] DNS Encoding of Network Names
and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and
+[RFC1123] Requirements for Internet Hosts - Application and
Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide.. November 1987.
-[RFC1912] Common DNS Operational and
+[RFC1912] Common DNS Operational and
Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names,
+[RFC2825] A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols. May 2000.
-[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
@@ -497,47 +497,47 @@
-[RFC1464] Using the Domain Name System To Store Arbitrary String
+[RFC1464] Using the Domain Name System To Store Arbitrary String
Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via
+[RFC3258] Distributing Authoritative Name Servers via
Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical
+[RFC1712] DNS Encoding of Geographical
Location. November 1994.
@@ -551,39 +551,39 @@
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC)
+[RFC3008] Domain Name System Security (DNSSEC)
Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record
+[RFC3757] Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag. April 2004.
-[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
@@ -604,14 +604,14 @@
-DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
@@ -648,7 +648,7 @@
GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
@@ -657,7 +657,7 @@
$ ./configure --enable-exportlib [other flags]
$ make
@@ -672,7 +672,7 @@ $ make
$ cd lib/export
$ make install
@@ -694,7 +694,7 @@ $ make install
Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
@@ -734,7 +734,7 @@ $ make
The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
@@ -752,14 +752,14 @@ $ make
Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
@@ -823,7 +823,7 @@ $ make
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
@@ -864,7 +864,7 @@ $ make
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
@@ -905,7 +905,7 @@ $ make
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -922,7 +922,7 @@ $ make
It accepts a single update command as a
command-line argument, sends an update request message to the
@@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
It checks a set
of domains to see the name servers of the domains behave
@@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 27775ecbbb..a51b7ced8d 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -83,7 +83,7 @@
Name Server Operations
4. Advanced DNS Features
@@ -92,69 +92,69 @@
Dynamic Update
Incremental Zone Transfers (IXFR)
-Split DNS
-Split DNS
+TSIG
-- Generate Shared Keys for Each Pair of Hosts
-- Copying the Shared Secret to Both Machines
-- Informing the Servers of the Key's Existence
-- Instructing the Server to Use the Key
-- TSIG Key Based Access Control
-- Errors
+- Generate Shared Keys for Each Pair of Hosts
+- Copying the Shared Secret to Both Machines
+- Informing the Servers of the Key's Existence
+- Instructing the Server to Use the Key
+- TSIG Key Based Access Control
+- Errors
TKEY
-SIG(0)
+TKEY
+SIG(0)
DNSSEC
DNSSEC, Dynamic Zones, and Automatic Signing
-- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Converting from insecure to secure
+- Dynamic DNS update method
+- Fully automatic zone signing
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
+- Periodic re-signing
+- NSEC3 and OPTOUT
Dynamic Trust Anchor Management
PKCS #11 (Cryptoki) support
-- Prerequisites
-- Building BIND 9 with PKCS#11
-- PKCS #11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Building BIND 9 with PKCS#11
+- PKCS #11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
IPv6 Support in BIND 9
+IPv6 Support in BIND 9
5. The BIND 9 Lightweight Resolver
6. BIND 9 Configuration Reference
@@ -162,58 +162,58 @@
Configuration File Elements
Configuration File Grammar
-- acl Statement Grammar
+- acl Statement Grammar
- acl Statement Definition and
Usage
-- controls Statement Grammar
+- controls Statement Grammar
- controls Statement Definition and
Usage
-- include Statement Grammar
-- include Statement Definition and
+
- include Statement Grammar
+- include Statement Definition and
Usage
-- key Statement Grammar
-- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and
+
- key Statement Grammar
+- key Statement Definition and Usage
+- logging Statement Grammar
+- logging Statement Definition and
Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and
+
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and
Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and
Usage
- server Statement Grammar
- server Statement Definition and
Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and
+
- statistics-channels Statement Definition and
Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition
+
- trusted-keys Statement Definition
and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition
and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone
Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
@@ -222,41 +222,41 @@
7. BIND 9 Security Considerations
8. Troubleshooting
A. Appendices
I. Manual pages
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 124125d6d2..f96d9025d6 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
arpaname {ipaddress ...}
-DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index c4bb71bdee..31bab568c4 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -50,7 +50,7 @@
ddns-confgen [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name | -z zone ] [-q] [name]
-DESCRIPTION
+DESCRIPTION
ddns-confgen
generates a key for use by nsupdate
and named. It simplifies configuration
@@ -77,7 +77,7 @@
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index cce9d80f0f..08e1bf39e3 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
dig [global-queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -99,7 +99,7 @@
-OPTIONS
+OPTIONS
The -b option sets the source IP address of the query
to address. This must be a valid
@@ -256,7 +256,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -607,7 +607,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig
supports
@@ -653,7 +653,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -667,14 +667,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1),
named(8),
dnssec-keygen(8),
@@ -682,7 +682,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 094245cd1e..c6023134e7 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -51,14 +51,14 @@
dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-T TTL] [-f file] [-A] [-v level] {dnsname}
-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -164,13 +164,13 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -180,7 +180,7 @@
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index b1c80d014f..956fe31ac1 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] [-y] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -239,7 +239,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -278,7 +278,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -286,7 +286,7 @@
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 20c8e6c033..6067bbe2b0 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-z] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -345,7 +345,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -412,7 +412,7 @@
-SEE ALSO
+SEE ALSO
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
@@ -421,7 +421,7 @@
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 6c45bf12ef..da7c985a7f 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] [-R] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-revoke
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index e6856b3820..d5d5a5adf0 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the -P, -A,
@@ -76,7 +76,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -197,7 +197,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the
timing metadata associated with a key.
@@ -223,7 +223,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -231,7 +231,7 @@
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index fdedc6ad28..82112cb376 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
-DESCRIPTION
+DESCRIPTION
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
-EXAMPLE
+EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -496,14 +496,14 @@ db.example.com.signed
%
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index e974eeeba7..b48584f8af 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-x] [-z] {zonefile}
-DESCRIPTION
+DESCRIPTION
dnssec-verify
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index ac58a05d7e..0c571e6a3a 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
genrandom [-n number] {size} {filename}
-DESCRIPTION
+DESCRIPTION
genrandom
generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 9ecbb42a6b..f3648915df 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
-DESCRIPTION
+DESCRIPTION
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -216,12 +216,12 @@
-SEE ALSO
+SEE ALSO
dig(1),
named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index 4fd8d6982f..a721177cd2 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
isc-hmac-fixup {algorithm} {secret}
-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
-SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup
are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index cb96c62a88..3af52b03ac 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
-DESCRIPTION
+DESCRIPTION
named-checkconf
checks the syntax, but not the semantics, of a
named configuration file. The file is parsed
@@ -70,7 +70,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 4e35c20960..c37ed0f86b 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}
-DESCRIPTION
+DESCRIPTION
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 2aa224b261..f5ea1070a7 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
named-journalprint {journal}
-DESCRIPTION
+DESCRIPTION
named-journalprint
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 4f2d053613..8ccd7c3451 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
named [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]
-DESCRIPTION
+DESCRIPTION
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -277,7 +277,7 @@
-CONFIGURATION
+CONFIGURATION
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -294,7 +294,7 @@
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index d0d441df9c..9ace5f6104 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
nsec3hash {salt} {algorithm} {iterations} {domain}
-DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index aeef0f99dd..759f6e5750 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [filename]
-DESCRIPTION
+DESCRIPTION
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -226,7 +226,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index ad1e8e1802..d75f2a77df 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
-DESCRIPTION
+DESCRIPTION
rndc-confgen
generates configuration files
for rndc. It can be used as a
@@ -66,7 +66,7 @@
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 8a8a8f97ee..b243d23902 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
rndc.conf
-DESCRIPTION
+DESCRIPTION
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
-NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 58042982dd..492af6f9ff 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
-DESCRIPTION
+DESCRIPTION
rndc
controls the operation of a name
server. It supersedes the ndc utility
@@ -81,7 +81,7 @@
-OPTIONS
+OPTIONS
- -b
source-address
@@ -145,19 +145,376 @@
or write access.
-
- For the complete set of commands supported by rndc,
- see the BIND 9 Administrator Reference Manual or run
- rndc without arguments to see its help
- message.
-
-LIMITATIONS
-rndc
- does not yet support all the commands of
- the BIND 8 ndc utility.
+
COMMANDS
+
+ A list of commands supported by rndc can
+ be seen by running rndc without arguments.
+
+ Currently supported commands are:
+
+
+reload
+ Reload configuration file and zones.
+
reload zone [class [view]]
+ Reload the given zone.
+
refresh zone [class [view]]
+ Schedule zone maintenance for the given zone.
+
retransfer zone [class [view]]
+ Retransfer the given zone from the master.
+
sign zone [class [view]]-
+
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see the
+ key-directory option in
+ the BIND 9 Administrator Reference Manual). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. If the DNSKEY RRset
+ is changed, then the zone is automatically
+ re-signed with the new key set.
+
+
+ This command requires that the
+ auto-dnssec zone option be set
+ to allow or
+ maintain,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+
+
+loadkeys zone [class [view]]-
+
+ Fetch all DNSSEC keys for the given zone
+ from the key directory. If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. Unlike rndc
+ sign, however, the zone is not
+ immediately re-signed by the new keys, but is
+ allowed to incrementally re-sign over time.
+
+
+ This command requires that the
+ auto-dnssec zone option
+ be set to maintain,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+
+
+freeze [zone [class [view]]]
+ Suspend updates to a dynamic zone. If no zone is
+ specified, then all zones are suspended. This allows
+ manual edits to be made to a zone normally updated by
+ dynamic update. It also causes changes in the
+ journal file to be synced into the master file.
+ All dynamic update attempts will be refused while
+ the zone is frozen.
+
thaw [zone [class [view]]]
+ Enable updates to a frozen dynamic zone. If no
+ zone is specified, then all frozen zones are
+ enabled. This causes the server to reload the zone
+ from disk, and re-enables dynamic updates after the
+ load has completed. After a zone is thawed,
+ dynamic updates will no longer be refused. If
+ the zone has changed and the
+ ixfr-from-differences option is
+ in use, then the journal file will be updated to
+ reflect changes in the zone. Otherwise, if the
+ zone has changed, any existing journal file will be
+ removed.
+
sync [-clean] [zone [class [view]]]
+ Sync changes in the journal file for a dynamic zone
+ to the master file. If the "-clean" option is
+ specified, the journal file is also removed. If
+ no zone is specified, then all zones are synced.
+
notify zone [class [view]]
+ Resend NOTIFY messages for the zone.
+
reconfig
+ Reload the configuration file and load new zones,
+ but do not reload existing zone files even if they
+ have changed.
+ This is faster than a full reload when there
+ is a large number of zones because it avoids the need
+ to examine the
+ modification times of the zones files.
+
zonestatus [zone [class [view]]]
+ Displays the current status of the given zone,
+ including the master file name and any include
+ files from which it was loaded, when it was most
+ recently loaded, the current serial number, the
+ number of nodes, whether the zone supports
+ dynamic updates, whether the zone is DNSSEC
+ signed, whether it uses automatic DNSSEC key
+ management or inline signing, and the scheduled
+ refresh or expiry times for the zone.
+
stats
+ Write server statistics to the statistics file.
+
querylog [on|off] -
+
+ Enable or disable query logging. (For backward
+ compatibility, this command can also be used without
+ an argument to toggle query logging on and off.)
+
+
+ Query logging can also be enabled
+ by explicitly directing the queries
+ category to a
+ channel in the
+ logging section of
+ named.conf or by specifying
+ querylog yes; in the
+ options section of
+ named.conf.
+
+
+dumpdb [-all|-cache|-zone] [view ...]
+ Dump the server's caches (default) and/or zones to
+ the
+ dump file for the specified views. If no view is
+ specified, all
+ views are dumped.
+
secroots [view ...]
+ Dump the server's security roots to the secroots
+ file for the specified views. If no view is
+ specified, security roots for all
+ views are dumped.
+
stop [-p]
+ Stop the server, making sure any recent changes
+ made through dynamic update or IXFR are first saved to
+ the master files of the updated zones.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed stopping.
+
halt [-p]
+ Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to
+ the master files, but will be rolled forward from the
+ journal files when the server is restarted.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed halting.
+
trace
+ Increment the servers debugging level by one.
+
trace level
+ Sets the server's debugging level to an explicit
+ value.
+
notrace
+ Sets the server's debugging level to 0.
+
flush
+ Flushes the server's cache.
+
flushname name [view]
+ Flushes the given name from the server's DNS cache
+ and, if applicable, from the server's nameserver address
+ database or bad-server cache.
+
flushtree name [view]
+ Flushes the given name, and all of its subdomains,
+ from the server's DNS cache. Note that this does
+ not affect he server's address
+ database or bad-server cache.
+
status
+ Display status of the server.
+ Note that the number of zones includes the internal bind/CH zone
+ and the default ./IN
+ hint zone if there is not an
+ explicit root zone configured.
+
recursing
+ Dump the list of queries named is currently recursing
+ on.
+
validation ( on | off | check ) [view ...]
+ Enable, disable, or check the current status of
+ DNSSEC validation.
+ Note dnssec-enable also needs to be
+ set to yes or
+ auto to be effective.
+ It defaults to enabled.
+
tsig-list
+ List the names of all TSIG keys currently configured
+ for use by named in each view. The
+ list both statically configured keys and dynamic
+ TKEY-negotiated keys.
+
tsig-delete keyname [view]
+ Delete a given TKEY-negotiated key from the server.
+ (This does not apply to statically configured TSIG
+ keys.)
+
addzone zone [class [view]] configuration -
+
+ Add a zone while the server is running. This
+ command requires the
+ allow-new-zones option to be set
+ to yes. The
+ configuration string
+ specified on the command line is the zone
+ configuration text that would ordinarily be
+ placed in named.conf.
+
+
+ The configuration is saved in a file called
+ hash.nzfhash is a
+ cryptographic hash generated from the name of
+ the view. When named is
+ restarted, the file will be loaded into the view
+ configuration, so that zones that were added
+ can persist after a restart.
+
+
+ This sample addzone command
+ would add the zone example.com
+ to the default view:
+
+
+$ rndc addzone example.com '{ type master; file "example.com.db"; };'
+
+
+ (Note the brackets and semi-colon around the zone
+ configuration text.)
+
+
+delzone [-clean] zone [class [view]] -
+
+ Delete a zone while the server is running.
+ Only zones that were originally added via
+ rndc addzone can be deleted
+ in this manner.
+
+
+ If the -clean is specified,
+ the zone's master file (and journal file, if any)
+ will be deleted along with the zone. Without the
+ -clean option, zone files must
+ be cleaned up by hand. (If the zone is of
+ type "slave" or "stub", the files needing to
+ be cleaned up will be reported in the output
+ of the rndc delzone command.)
+
+
+signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) ) ] zone [class [view]] -
+
+ List, edit, or remove the DNSSEC signing state for
+ the specified zone. The status of ongoing DNSSEC
+ operations (such as signing or generating
+ NSEC3 chains) is stored in the zone in the form
+ of DNS resource records of type
+ sig-signing-type.
+ rndc signing -list converts
+ these records into a human-readable form,
+ indicating which keys are currently signing
+ or have finished signing the zone, and which NSEC3
+ chains are being created or removed.
+
+
+ rndc signing -clear can remove
+ a single key (specified in the same format that
+ rndc signing -list uses to
+ display it), or all keys. In either case, only
+ completed keys are removed; any record indicating
+ that a key has not yet finished signing the zone
+ will be retained.
+
+
+ rndc signing -nsec3param sets
+ the NSEC3 parameters for a zone. This is the
+ only supported mechanism for using NSEC3 with
+ inline-signing zones.
+ Parameters are specified in the same format as
+ an NSEC3PARAM resource record: hash algorithm,
+ flags, iterations, and salt, in that order.
+
+
+ Currently, the only defined value for hash algorithm
+ is 1, representing SHA-1.
+ The flags may be set to
+ 0 or 1,
+ depending on whether you wish to set the opt-out
+ bit in the NSEC3 chain. iterations
+ defines the number of additional times to apply
+ the algorithm when generating an NSEC3 hash. The
+ salt is a string of data expressed
+ in hexidecimal, or a hyphen (`-') if no salt is
+ to be used.
+
+
+ So, for example, to create an NSEC3 chain using
+ the SHA-1 hash algorithm, no opt-out flag,
+ 10 iterations, and a salt value of "FFFF", use:
+ rndc signing -nsec3param 1 0 10 FFFF zone.
+ To set the opt-out flag, 15 iterations, and no
+ salt, use:
+ rndc signing -nsec3param 1 1 15 - zone.
+
+
+ rndc signing -nsec3param none
+ removes an existing NSEC3 chain and replaces it
+ with NSEC.
+
+
+
+
+