mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

prep 9.15.3

Browse Source
This commit is contained in:
Tinderbox User 2019-08-12 14:08:12 +00:00
parent d6a9407908
commit 1b9b826518
70 changed files with 499 additions and 346 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
bin/delv/delv.1
View File

@ -53,7 +53,7 @@ is a tool for sending DNS queries and validating the results, using the same int
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
@ -139,9 +139,7 @@ BIND
.sp
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&. DNSSEC Lookaside Validation can also be turned on by using the
\fB+dlv=NAME\fR
to specify the name of a zone containing DLV records\&.
options\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
@ -392,25 +390,16 @@ output\&. The default is to do so\&. Note that (unlike in
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR
and
\fB+nodlv\fR\&.
\fB+noroot\fR\&.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS 4
Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key\&.
.RE
.PP
\fB+[no]dlv[=DLV]\fR
.RS 4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
\fB\-a\fR
option must also be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.

21
bin/delv/delv.html
View File

@ -83,7 +83,7 @@
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
@ -193,10 +193,7 @@
<p>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<code class="option">+root=NAME</code> options. DNSSEC Lookaside
Validation can also be turned on by using the
<code class="option">+dlv=NAME</code> to specify the name of a
zone containing DLV records.
<code class="option">+root=NAME</code> options.
</p>
<p>
Note: When reading the trust anchor file,
@ -520,14 +517,13 @@
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code> and
<code class="option">+nodlv</code>.
<code class="option">-i</code> or <code class="option">+noroot</code>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd>
<p>
Indicates whether to perform conventional (non-lookaside)
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
@ -536,15 +532,6 @@
containing the key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd>
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The <code class="option">-a</code> option must also be used to specify
a file containing the DLV key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd>
<p>

20
bin/dig/dig.1
View File

@ -361,14 +361,20 @@ Display [do not display] the CLASS when printing the record\&.
.PP
\fB+[no]cmd\fR
.RS 4
Toggles the printing of the initial comment in the output identifying the version of
Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR
and the query options that have been applied\&. This comment is printed by default\&.
and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
.sp
Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
\fB+[no]cmd\fR,
\fB+[no]question\fR,
\fB+[no]stats\fR, and
\fB+[no]rrcomments\fR\&.
.RE
.PP
\fB+[no]cookie\fR\fB[=####]\fR
@ -566,12 +572,12 @@ would cause a 48\-byte query to be padded to 64 bytes\&. The default block size
.PP
\fB+[no]qr\fR
.RS 4
Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE
.PP
\fB+[no]question\fR
.RS 4
Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE
.PP
\fB+[no]raflag\fR
@ -624,7 +630,7 @@ determines if the name will be treated as relative or not and hence whether a se
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE
.PP
\fB+[no]showsearch\fR
@ -654,7 +660,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char
.PP
\fB+[no]stats\fR
.RS 4
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE
.PP
\fB+[no]subnet=addr[/prefix\-length]\fR

39
bin/dig/dig.html
View File

@ -481,16 +481,28 @@
<dd>
<p>
Toggles the printing of the initial comment in the
output identifying the version of <span class="command"><strong>dig</strong></span>
and the query options that have been applied. This
comment is printed by default.
output, identifying the version of <span class="command"><strong>dig</strong></span>
and the query options that have been applied. This option
always has global effect; it cannot be set globally
and then overridden on a per-lookup basis. The default
is to print this comment.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
<p>
Toggle the display of comment lines in the output.
The default is to print comments.
Toggles the display of some comment lines in the output,
containing information about the packet header and
OPT pseudosection, and the names of the response
section. The default is to print these comments.
</p>
<p>
Other types of comments in the output are not affected by
this option, but can be controlled using other command
line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
<span class="command"><strong>+[no]question</strong></span>,
<span class="command"><strong>+[no]stats</strong></span>, and
<span class="command"><strong>+[no]rrcomments</strong></span>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
@ -764,14 +776,14 @@
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
<dd>
<p>
Print [do not print] the query as it is sent. By
default, the query is not printed.
Toggles the display of the query message as it is sent.
By default, the query is not printed.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]question</code></span></dt>
<dd>
<p>
Print [do not print] the question section of a query
Toggles the display of the question section of a query
when an answer is returned. The default is to print
the question section as a comment.
</p>
@ -841,7 +853,9 @@
<dd>
<p>
Provide a terse answer. The default is to print the
answer in a verbose form.
answer in a verbose form. This option always has global
effect; it cannot be set globally and then overridden on
a per-lookup basis.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
@ -874,10 +888,9 @@
<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
<dd>
<p>
This query option toggles the printing of statistics:
when the query was made, the size of the reply and
so on. The default behavior is to print the query
statistics.
Toggles the printing of statistics: when the query was made,
the size of the reply and so on. The default behavior is to
print the query statistics as a comment after each lookup.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>

21
bin/dnssec/dnssec-dsfromkey.8
View File

@ -50,11 +50,9 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool
.PP
The
\fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
\fB\-l\fR
option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
\fB\-C\fR
it outputs CDS (Child DS) RRs\&.
option\&.
.PP
The input keys can be specified in a number of ways:
.PP
@ -119,9 +117,7 @@ zone file mode\&.
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with the
\fB\-l\fR
option for generating DLV records\&.
Generate CDS records rather than DS records\&.
.RE
.PP
\-f \fIfile\fR
@ -156,15 +152,6 @@ files in
\fBdirectory\fR\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fIdomain\fR
is appended to the name for each record in the set\&. This is mutually exclusive with the
\fB\-C\fR
option for generating CDS records\&.
.RE
.PP
\-s
.RS 4
Keyset mode:
@ -224,8 +211,6 @@ A keyfile error can give a "file not found" even if the file exists\&.
BIND 9 Administrator Reference Manual,
RFC 3658
(DS RRs),
RFC 4431
(DLV RRs),
RFC 4509
(SHA\-256 for DS RRs),
RFC 6605

21
bin/dnssec/dnssec-dsfromkey.html
View File

@ -97,10 +97,8 @@
<p>
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
Signer) resource records (RRs) and other similarly-constructed RRs:
with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
DS) RRs.
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<code class="option">-C</code> option.
</p>
<p>
@ -182,9 +180,7 @@
<dt><span class="term">-C</span></dt>
<dd>
<p>
Generate CDS records rather than DS records. This is mutually
exclusive with the <code class="option">-l</code> option for generating DLV
records.
Generate CDS records rather than DS records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
@ -219,16 +215,6 @@
<code class="option">directory</code>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set instead of a DS set. The specified
<em class="replaceable"><code>domain</code></em> is appended to the name for each
record in the set.
This is mutually exclusive with the <code class="option">-C</code> option
for generating CDS records.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
@ -311,7 +297,6 @@
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em> (DS RRs),
<em class="citetitle">RFC 4431</em> (DLV RRs),
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).

14
bin/dnssec/dnssec-signzone.8
View File

@ -39,7 +39,7 @@
dnssec-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-signzone\fR\ 'u
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
@ -113,11 +113,6 @@ Key repository: Specify a directory to search for DNSSEC keys\&. If not specifie
Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
.RE
.PP
\-M \fImaxttl\fR
.RS 4
Sets the maximum TTL for the signed zone\&. Any TTL higher than
@ -296,6 +291,13 @@ forces
to remove signatures from keys that are no longer active\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.1 ("Pre\-Publish Key Rollover")\&.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output\&. Without this option, when
\fBdnssec\-signzone\fR
is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information, and finally the filename containing the signed zone\&. With it, that output is suppressed, leaving only the filename\&.
.RE
.PP
\-R
.RS 4
Remove signatures from keys that are no longer published\&.

20
bin/dnssec/dnssec-signzone.html
View File

@ -55,6 +55,7 @@
[<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
[<code class="option">-P</code>]
[<code class="option">-Q</code>]
[<code class="option">-q</code>]
[<code class="option">-R</code>]
[<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
@ -173,13 +174,6 @@
key flags. This option may be specified multiple times.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd>
<p>
@ -429,6 +423,18 @@
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses unnecessary output. Without this
option, when <span class="command"><strong>dnssec-signzone</strong></span> is run it
will print to standard output the number of keys in use,
the algorithms used to verify the zone was signed correctly
and other status information, and finally the filename
containing the signed zone. With it, that output is
suppressed, leaving only the filename.
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>

9
bin/dnssec/dnssec-verify.8
View File

@ -39,7 +39,7 @@
dnssec-verify \- DNSSEC zone verification tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-verify\fR\ 'u
\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-q\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-verify\fR
@ -81,6 +81,13 @@ Sets the debugging level\&.
Prints version information\&.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses output\&. Without this option, when
\fBdnssec\-verify\fR
is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information\&. With it, all non\-error output is suppressed, and only the exit code will indicate success\&.
.RE
.PP
\-x
.RS 4
Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the

12
bin/dnssec/dnssec-verify.html
View File

@ -37,6 +37,7 @@
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-x</code>]
@ -112,6 +113,17 @@
Prints version information.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses output. Without this option, when
<span class="command"><strong>dnssec-verify</strong></span> is run it will print to
standard output the number of keys in use, the algorithms
used to verify the zone was signed correctly and other
status information. With it, all non-error output is
suppressed, and only the exit code will indicate success.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>

14
bin/named/named.conf.5
View File

@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-06-28
.\" Date: 2019-08-07
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2019\-06\-28" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -243,7 +243,7 @@ options {
check\-srv\-cname ( fail | warn | ignore );
check\-wildcard \fIboolean\fR;
clients\-per\-query \fIinteger\fR;
cookie\-algorithm ( aes | sha1 | sha256 );
cookie\-algorithm ( aes | siphash24 );
cookie\-secret \fIstring\fR;
coresize ( default | unlimited | \fIsizeval\fR );
datasize ( default | unlimited | \fIsizeval\fR );
@ -274,9 +274,6 @@ options {
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR
trust\-anchor \fIstring\fR |
auto | no ); deprecated
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
@ -661,9 +658,6 @@ view \fIstring\fR [ \fIclass\fR ] {
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR
trust\-anchor \fIstring\fR |
auto | no ); deprecated
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
@ -913,7 +907,6 @@ view \fIstring\fR [ \fIclass\fR ] {
masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR
| \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [
port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
max\-ixfr\-log\-size ( default | unlimited |
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
max\-records \fIinteger\fR;
max\-refresh\-time \fIinteger\fR;
@ -933,7 +926,6 @@ view \fIstring\fR [ \fIclass\fR ] {
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR
| * ) ] [ dscp \fIinteger\fR ];
notify\-to\-soa \fIboolean\fR;
pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR
request\-expire \fIboolean\fR;
request\-ixfr \fIboolean\fR;
serial\-update\-method ( date | increment | unixtime );

11
bin/named/named.conf.html
View File

@ -139,7 +139,6 @@ logging
</p></div>
</div>
<div class="refsection">
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
@ -210,7 +209,7 @@ options
check-srv-cname ( fail | warn | ignore );<br>
check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
cookie-algorithm ( aes | sha1 | sha256 );<br>
cookie-algorithm ( aes | siphash24 );<br>
cookie-secret <em class="replaceable"><code>string</code></em>;<br>
coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
@ -241,9 +240,6 @@ options
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
    trust-anchor <em class="replaceable"><code>string</code></em> |<br>
    auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
@ -607,9 +603,6 @@ view
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
    trust-anchor <em class="replaceable"><code>string</code></em> |<br>
    auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
@ -859,7 +852,6 @@ view
masters [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em><br>
    | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [<br>
    port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
max-ixfr-log-size ( default | unlimited |<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
@ -879,7 +871,6 @@ view
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em><br>
    | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
request-expire <em class="replaceable"><code>boolean</code></em>;<br>
request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
serial-update-method ( date | increment | unixtime );<br>

9
bin/python/dnssec-checkds.8
View File

@ -43,12 +43,12 @@ dnssec-checkds \- DNSSEC delegation consistency checking tool
.SH "DESCRIPTION"
.PP
\fBdnssec\-checkds\fR
verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone\&.
verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS or DLV records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&.
Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
@ -62,11 +62,6 @@ If a
is specified, then the zone is read from that file to find the DNSKEY records\&. If not, then the DNSKEY records for the zone are looked up in the DNS\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone\*(Aqs parent\&.
.RE
.PP
\-s \fIfile\fR
.RS 4
Specifies a prepared dsset file, such as would be generated by

14
bin/python/dnssec-checkds.html
View File

@ -46,9 +46,8 @@
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-checkds</strong></span>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
zone.
verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.
</p>
</div>
@ -60,7 +59,7 @@
<dd>
<p>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS or DLV records. This
zone's DNSKEY records to expected DS records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</p>
@ -79,13 +78,6 @@
then the DNSKEY records for the zone are looked up in the DNS.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>

2
doc/arm/Bv9ARM.ch01.html
View File

@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch02.html
View File

@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch03.html
View File

@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

12
doc/arm/Bv9ARM.ch04.html
View File

@ -1012,11 +1012,11 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<p><span class="command"><strong>dnssec-signzone</strong></span>
will also produce a keyset and dsset files and optionally a
dlvset file. These are used to provide the parent zone
administrators with the <code class="literal">DNSKEYs</code> (or their
corresponding <code class="literal">DS</code> records) that are the
secure entry point to the zone.
will also produce a keyset and dsset files. These are used
to provide the parent zone administrators with the
<code class="literal">DNSKEYs</code> (or their corresponding
<code class="literal">DS</code> records) that are the secure entry
point to the zone.
</p>
</div>
@ -2840,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

88
doc/arm/Bv9ARM.ch05.html
View File

@ -2431,7 +2431,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
<span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>cookie-algorithm</strong></span> ( aes | sha1 | sha256 );
<span class="command"><strong>cookie-algorithm</strong></span> ( aes | siphash24 );
<span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>coresize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
<span class="command"><strong>datasize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
@ -2462,9 +2462,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em>
<span class="command"><strong>trust-anchor</strong></span> <em class="replaceable"><code>string</code></em> |
<span class="command"><strong>auto</strong></span> | no ); deprecated
<span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
@ -3450,7 +3447,7 @@ options {
<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
<dd>
<p>
Disable the specified DS/DLV digest types at and below the
Disable the specified DS digest types at and below the
specified name.
Multiple <span class="command"><strong>disable-ds-digests</strong></span>
statements are allowed.
@ -3463,37 +3460,6 @@ options {
as insecure.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt>
<dd>
<p>
When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the
validator with an alternate method to validate DNSKEY
records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest
<span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC
validation has left the key untrusted, the trust-anchor
will be appended to the key name and a DLV record will be
looked up to see if it can validate the key. If the DLV
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
</p>
<p>
If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
is not used.
</p>
<p>
This option is deprecated and its use is discouraged.
</p>
<p>
NOTE: The ISC-provided DLV service at
<code class="literal">dlv.isc.org</code>, has been shut down.
The <span class="command"><strong>dnssec-lookaside auto;</strong></span>
configuration option, which set <span class="command"><strong>named</strong></span>
up to use ISC DLV with minimal configuration, has
accordingly been removed.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt>
<dd>
<p>
@ -3520,7 +3486,9 @@ options {
</p>
<p>
Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
64 and 96 as per RFC 6052.
64 and 96 as per RFC 6052. Bits 64..71 inclusive must
be zero with the most significate bit of the prefix in
position 0.
</p>
<p>
Additionally a reverse IP6.ARPA zone will be created for
@ -6729,8 +6697,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
appear, they are not combined &#8212; the last one applies.
</p>
<p>
By default, records are returned in indeterminate but
consistent order (see <span class="command"><strong>none</strong></span> above).
By default, records are returned in <span class="command"><strong>random</strong></span> order.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
@ -7653,6 +7620,14 @@ deny-answer-aliases { "example.net"; };
than that is a configuration error.
</p>
<p>
Rules encoded in response policy zones are processed after
<a class="link" href="Bv9ARM.ch05.html#access_control" title="Access Control">Access Control Lists
(ACLs)</a>. All queries from clients which are not
permitted access to the resolver will be answered with a
status code of REFUSED, regardless of configured RPZ rules.
</p>
<p>
Five policy triggers can be encoded in RPZ records.
</p>
@ -11463,7 +11438,7 @@ view external {
</td>
<td>
<p>
A DNS Look-aside Validation record which contains
A DNS Lookaside Validation record which contains
the records that are used as trust anchors for
zones in a DLV namespace. Described in RFC 4431.
</p>
@ -13413,14 +13388,29 @@ HOST-127.EXAMPLE. MX 0 .
</td>
<td>
<p>
The number of RRsets per RR type and nonexistent
names stored in the cache database.
If the exclamation mark (!) is printed for a RR
type, it means that particular type of RRset is
known to be nonexistent (this is also known as
"NXRRSET"). If a hash mark (#) is present then
the RRset is marked for garbage collection.
Maintained per view.
Statistics counters related to cache contents;
maintained per view.
</p>
<p>
The "NXDOMAIN" counter is the number of names
that have been cached as nonexistent.
Counters named for RR types indicate the
number of active RRsets for each type in the cache
database.
</p>
<p>
If an RR type name is preceded by an exclamation
mark (!), it represents the number of records in the
cache which indicate that the type does not exist
for a particular name (this is also known as "NXRRSET").
If an RR type name is preceded by a hash mark (#), it
represents the number of RRsets for this type that are
present in the cache but whose TTLs have expired; these
RRsets may only be used if stale answers are enabled.
If an RR type name is preceded by a tilde (~), it
represents the number of RRsets for this type that are
present in the cache database but are marked for garbage
collection; these RRsets cannot be used.
</p>
</td>
</tr>
@ -14934,6 +14924,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch06.html
View File

@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch07.html
View File

@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

99
doc/arm/Bv9ARM.ch08.html
View File

@ -36,7 +36,7 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.3</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -55,7 +55,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.2</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.3</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -234,6 +234,11 @@
as a result of a zone update. [GL #513]
</p>
</li>
<li class="listitem">
<p>
Statistics channel groups are now toggleable. [GL #1030]
</p>
</li>
</ul></div>
</div>
@ -256,8 +261,13 @@
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been deprecated.
The feature still works, but it is discouraged to use it. [GL #7]
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
marked as deprecated; when used in <code class="filename">named.conf</code>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
[GL #7]
</p>
</li>
</ul></div>
@ -270,9 +280,7 @@
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone, or if
any key is configured for "dlv.isc.org", which has been shut
down. [GL #6]
a static key is configured for the root zone. [GL #6]
</p>
</li>
<li class="listitem">
@ -315,6 +323,40 @@
installation path as an optional argument.
</p>
</li>
<li class="listitem">
<p>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This changes doesn't have any operational impact
in most common scenarios. [GL #605]
</p>
<p>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</p>
</li>
<li class="listitem">
<p>
The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
<span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <span class="command"><strong>-f -</strong></span> option. A new
configuration option <span class="command"><strong>-q</strong></span> has been added to silence
all output on standard output except for the name of the signed zone.
</p>
</li>
<li class="listitem">
<p>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</p>
</li>
</ul></div>
</div>
@ -360,6 +402,47 @@
to root priming queries; this has been corrected. [GL #1092]
</p>
</li>
<li class="listitem">
<p>
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
</p>
</li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now correctly reports missing
<span class="command"><strong>dnstap-output</strong></span> option when
<span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
</p>
</li>
<li class="listitem">
<p>
Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
</p>
</li>
</ul></div>
</div>
@ -435,6 +518,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch09.html
View File

@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch10.html
View File

@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch11.html
View File

@ -537,6 +537,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch12.html
View File

@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

6
doc/arm/Bv9ARM.html
View File

@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.15.2</p></div>
<div><p class="releaseinfo">BIND Version 9.15.3</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
@ -245,7 +245,7 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.3</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -443,6 +443,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

BIN
doc/arm/Bv9ARM.pdf
View File

Binary file not shown.

2
doc/arm/man.arpaname.html
View File

@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.ddns-confgen.html
View File

@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

23
doc/arm/man.delv.html
View File

@ -101,7 +101,7 @@
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
@ -211,10 +211,7 @@
<p>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<code class="option">+root=NAME</code> options. DNSSEC Lookaside
Validation can also be turned on by using the
<code class="option">+dlv=NAME</code> to specify the name of a
zone containing DLV records.
<code class="option">+root=NAME</code> options.
</p>
<p>
Note: When reading the trust anchor file,
@ -538,14 +535,13 @@
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code> and
<code class="option">+nodlv</code>.
<code class="option">-i</code> or <code class="option">+noroot</code>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd>
<p>
Indicates whether to perform conventional (non-lookaside)
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
@ -554,15 +550,6 @@
containing the key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd>
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The <code class="option">-a</code> option must also be used to specify
a file containing the DLV key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd>
<p>
@ -628,6 +615,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

41
doc/arm/man.dig.html
View File

@ -499,16 +499,28 @@
<dd>
<p>
Toggles the printing of the initial comment in the
output identifying the version of <span class="command"><strong>dig</strong></span>
and the query options that have been applied. This
comment is printed by default.
output, identifying the version of <span class="command"><strong>dig</strong></span>
and the query options that have been applied. This option
always has global effect; it cannot be set globally
and then overridden on a per-lookup basis. The default
is to print this comment.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
<p>
Toggle the display of comment lines in the output.
The default is to print comments.
Toggles the display of some comment lines in the output,
containing information about the packet header and
OPT pseudosection, and the names of the response
section. The default is to print these comments.
</p>
<p>
Other types of comments in the output are not affected by
this option, but can be controlled using other command
line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
<span class="command"><strong>+[no]question</strong></span>,
<span class="command"><strong>+[no]stats</strong></span>, and
<span class="command"><strong>+[no]rrcomments</strong></span>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
@ -782,14 +794,14 @@
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
<dd>
<p>
Print [do not print] the query as it is sent. By
default, the query is not printed.
Toggles the display of the query message as it is sent.
By default, the query is not printed.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]question</code></span></dt>
<dd>
<p>
Print [do not print] the question section of a query
Toggles the display of the question section of a query
when an answer is returned. The default is to print
the question section as a comment.
</p>
@ -859,7 +871,9 @@
<dd>
<p>
Provide a terse answer. The default is to print the
answer in a verbose form.
answer in a verbose form. This option always has global
effect; it cannot be set globally and then overridden on
a per-lookup basis.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
@ -892,10 +906,9 @@
<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
<dd>
<p>
This query option toggles the printing of statistics:
when the query was made, the size of the reply and
so on. The default behavior is to print the query
statistics.
Toggles the printing of statistics: when the query was made,
the size of the reply and so on. The default behavior is to
print the query statistics as a comment after each lookup.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
@ -1160,6 +1173,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-cds.html
View File

@ -376,6 +376,6 @@ nsupdate -l
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

16
doc/arm/man.dnssec-checkds.html
View File

@ -64,9 +64,8 @@
<a name="id-1.13.7.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-checkds</strong></span>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
zone.
verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.
</p>
</div>
@ -78,7 +77,7 @@
<dd>
<p>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS or DLV records. This
zone's DNSKEY records to expected DS records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</p>
@ -97,13 +96,6 @@
then the DNSKEY records for the zone are looked up in the DNS.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
@ -164,6 +156,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-coverage.html
View File

@ -270,6 +270,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

23
doc/arm/man.dnssec-dsfromkey.html
View File

@ -115,10 +115,8 @@
<p>
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
Signer) resource records (RRs) and other similarly-constructed RRs:
with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
DS) RRs.
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<code class="option">-C</code> option.
</p>
<p>
@ -200,9 +198,7 @@
<dt><span class="term">-C</span></dt>
<dd>
<p>
Generate CDS records rather than DS records. This is mutually
exclusive with the <code class="option">-l</code> option for generating DLV
records.
Generate CDS records rather than DS records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
@ -237,16 +233,6 @@
<code class="option">directory</code>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set instead of a DS set. The specified
<em class="replaceable"><code>domain</code></em> is appended to the name for each
record in the set.
This is mutually exclusive with the <code class="option">-C</code> option
for generating CDS records.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
@ -329,7 +315,6 @@
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em> (DS RRs),
<em class="citetitle">RFC 4431</em> (DLV RRs),
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
@ -356,6 +341,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-importkey.html
View File

@ -250,6 +250,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-keyfromlabel.html
View File

@ -498,6 +498,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-keygen.html
View File

@ -555,6 +555,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-keymgr.html
View File

@ -405,6 +405,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-revoke.html
View File

@ -171,6 +171,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-settime.html
View File

@ -349,6 +349,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

22
doc/arm/man.dnssec-signzone.html
View File

@ -73,6 +73,7 @@
[<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
[<code class="option">-P</code>]
[<code class="option">-Q</code>]
[<code class="option">-q</code>]
[<code class="option">-R</code>]
[<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
@ -191,13 +192,6 @@
key flags. This option may be specified multiple times.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd>
<p>
@ -447,6 +441,18 @@
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses unnecessary output. Without this
option, when <span class="command"><strong>dnssec-signzone</strong></span> is run it
will print to standard output the number of keys in use,
the algorithms used to verify the zone was signed correctly
and other status information, and finally the filename
containing the signed zone. With it, that output is
suppressed, leaving only the filename.
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
@ -701,6 +707,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

14
doc/arm/man.dnssec-verify.html
View File

@ -55,6 +55,7 @@
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-x</code>]
@ -130,6 +131,17 @@
Prints version information.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses output. Without this option, when
<span class="command"><strong>dnssec-verify</strong></span> is run it will print to
standard output the number of keys in use, the algorithms
used to verify the zone was signed correctly and other
status information. With it, all non-error output is
suppressed, and only the exit code will indicate success.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
@ -202,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnstap-read.html
View File

@ -143,6 +143,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.filter-aaaa.html
View File

@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.host.html
View File

@ -366,6 +366,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.mdig.html
View File

@ -604,6 +604,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-checkconf.html
View File

@ -214,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-checkzone.html
View File

@ -463,6 +463,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-journalprint.html
View File

@ -117,6 +117,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-nzd2nzf.html
View File

@ -119,6 +119,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-rrchecker.html
View File

@ -121,6 +121,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

13
doc/arm/man.named.conf.html
View File

@ -157,7 +157,6 @@ logging
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
@ -228,7 +227,7 @@ options
check-srv-cname ( fail | warn | ignore );<br>
check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
cookie-algorithm ( aes | sha1 | sha256 );<br>
cookie-algorithm ( aes | siphash24 );<br>
cookie-secret <em class="replaceable"><code>string</code></em>;<br>
coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
@ -259,9 +258,6 @@ options
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
    trust-anchor <em class="replaceable"><code>string</code></em> |<br>
    auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
@ -625,9 +621,6 @@ view
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
    trust-anchor <em class="replaceable"><code>string</code></em> |<br>
    auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
@ -877,7 +870,6 @@ view
masters [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em><br>
    | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [<br>
    port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
max-ixfr-log-size ( default | unlimited |<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
@ -897,7 +889,6 @@ view
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em><br>
    | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
request-expire <em class="replaceable"><code>boolean</code></em>;<br>
request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
serial-update-method ( date | increment | unixtime );<br>
@ -1078,6 +1069,6 @@ zone
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named.html
View File

@ -492,6 +492,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nsec3hash.html
View File

@ -155,6 +155,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nslookup.html
View File

@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nsupdate.html
View File

@ -818,6 +818,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-destroy.html
View File

@ -162,6 +162,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-keygen.html
View File

@ -200,6 +200,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-list.html
View File

@ -158,6 +158,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-tokens.html
View File

@ -123,6 +123,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc-confgen.html
View File

@ -260,6 +260,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc.conf.html
View File

@ -268,6 +268,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc.html
View File

@ -1017,6 +1017,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.3 (Development Release)</p>
</body>
</html>

95
doc/arm/notes.html
View File

@ -15,7 +15,7 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.2</h2></div></div></div>
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.3</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -194,6 +194,11 @@
as a result of a zone update. [GL #513]
</p>
</li>
<li class="listitem">
<p>
Statistics channel groups are now toggleable. [GL #1030]
</p>
</li>
</ul></div>
</div>
@ -216,8 +221,13 @@
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been deprecated.
The feature still works, but it is discouraged to use it. [GL #7]
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
marked as deprecated; when used in <code class="filename">named.conf</code>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
[GL #7]
</p>
</li>
</ul></div>
@ -230,9 +240,7 @@
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone, or if
any key is configured for "dlv.isc.org", which has been shut
down. [GL #6]
a static key is configured for the root zone. [GL #6]
</p>
</li>
<li class="listitem">
@ -275,6 +283,40 @@
installation path as an optional argument.
</p>
</li>
<li class="listitem">
<p>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This changes doesn't have any operational impact
in most common scenarios. [GL #605]
</p>
<p>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</p>
</li>
<li class="listitem">
<p>
The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
<span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <span class="command"><strong>-f -</strong></span> option. A new
configuration option <span class="command"><strong>-q</strong></span> has been added to silence
all output on standard output except for the name of the signed zone.
</p>
</li>
<li class="listitem">
<p>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</p>
</li>
</ul></div>
</div>
@ -320,6 +362,47 @@
to root priming queries; this has been corrected. [GL #1092]
</p>
</li>
<li class="listitem">
<p>
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
</p>
</li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now correctly reports missing
<span class="command"><strong>dnstap-output</strong></span> option when
<span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
</p>
</li>
<li class="listitem">
<p>
Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
</p>
</li>
</ul></div>
</div>

BIN
doc/arm/notes.pdf
View File

Binary file not shown.

59
doc/arm/notes.txt
View File

@ -1,4 +1,4 @@
Release Notes for BIND Version 9.15.2
Release Notes for BIND Version 9.15.3
Introduction
@ -107,6 +107,8 @@ New Features
maintenance, as opposed to having been generated as a result of a zone
update. [GL #513]
* Statistics channel groups are now toggleable. [GL #1030]
Removed Features
* The dnssec-enable option has been obsoleted and no longer has any
@ -115,14 +117,16 @@ Removed Features
* The cleaning-interval option has been removed. [GL !1731]
* The dnssec-lookaside option has been deprecated. The feature still
works, but it is discouraged to use it. [GL #7]
* DNSSEC Lookaside Validation (DLV) is now obsolete. The
dnssec-lookaside option has been marked as deprecated; when used in
named.conf, it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, delv, and the DNSSEC tools. [GL #7]
Feature Changes
* named will now log a warning if a static key is configured for the
root zone, or if any key is configured for "dlv.isc.org", which has
been shut down. [GL #6]
root zone. [GL #6]
* When static and managed DNSSEC keys were both configured for the same
name, or when a static key was used to configure a trust anchor for
@ -146,6 +150,29 @@ Feature Changes
custom path to the json-c library as the new configure option does not
take the library installation path as an optional argument.
* A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This changes doesn't have any operational impact
in most common scenarios. [GL #605]
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
* The information from the dnssec-signzone and dnssec-verify commands is
now printed to standard output. The standard error output is only used
to print warnings and errors, and in case the user requests the signed
zone to be printed to standard output with -f - option. A new
configuration option -q has been added to silence all output on
standard output except for the name of the signed zone.
* DS records included in DNS referral messages can now be validated and
cached immediately, reducing the number of queries needed for a DNSSEC
validation. [GL #964]
Bug Fixes
* The allow-update and allow-update-forwarding options were
@ -167,6 +194,28 @@ Bug Fixes
* Glue address records were not being returned in responses to root
priming queries; this has been corrected. [GL #1092]
* Cache database statistics counters could report invalid values when
stale answers were enabled, because of a bug in counter maintenance
when cache data becomes stale. The statistics counters have been
corrected to report the number of RRsets for each RR type that are
active, stale but still potentially served, or stale and marked for
deletion. [GL #602]
* Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
* named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
zero. [GL #1159]
* named-checkconf now correctly reports missing dnstap-output option
when dnstap is set. [GL #1136]
* Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
1133]
* dig now correctly expands the IPv6 address when run with +expandaaaa
+short. [GL #1152]
License
BIND is open source software licensed under the terms of the Mozilla

6
doc/misc/options
View File

@ -193,7 +193,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none );
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
@ -214,7 +214,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
@ -565,7 +565,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key

6
doc/misc/options.active
View File

@ -175,7 +175,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none );
geoip-directory ( <quoted_string> | none ); // not configured
glue-cache <boolean>;
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
@ -192,7 +192,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
managed-keys-directory <quoted_string>;
masterfile-format ( map | raw | text );
@ -506,7 +506,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
managed-keys { <string> (
static-key | initial-key
) <integer> <integer>