diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index b1698c2c96..474147e657 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -7053,18 +7053,24 @@ options {
allow-notify
- Specifies which hosts are allowed to
- notify this server, a slave, of zone changes in addition
- to the zone masters.
- allow-notify may also be
- specified in the
- zone statement, in which case
- it overrides the
- options allow-notify
- statement. It is only meaningful
- for a slave zone. If not specified, the default is to
- process notify messages
- only from a zone's master.
+ This ACL specifies which hosts may send NOTIFY messages
+ to inform this server of changes to zones for which it
+ is acting as a secondary server. This is only
+ applicable for secondary zones (i.e., type
+ secondary or slave).
+
+
+ If this option is set in view or
+ options, it is globally applied to
+ all secondary zones. If set in the zone
+ statement, the global value is overridden.
+
+
+ If not specified, the default is to process NOTIFY
+ messages only from the configured
+ masters for the zone.
+ allow-notify can be used to expand the
+ list of permitted hosts, not to reduce it.
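Review bot: "it is globally applied to all secondary zones" in the second added paragraph is not accurate for the view case, because a value set in view can only reach the zones inside that view, and the paragraph does not say which value wins when both options and view set allow-notify. Suggest spelling out the precedence in one sentence (options, then view, then zone). The hunk also introduces "secondary" and glosses it as "type secondary or slave", while its own last paragraph still says "masters" and the other hunks in this patch keep "master zone" and "slave zone"; use one vocabulary throughout the patch. The closing sentence, that allow-notify can expand the permitted list but not reduce it, is the point operators are most likely to get wrong, so it would read better as its own paragraph than appended to the default.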
@@ -7199,11 +7205,16 @@ options {
allow-update
- Specifies which hosts are allowed to
- submit Dynamic DNS updates for master zones. The default is
- to deny
- updates from all hosts. Note that allowing updates based
- on the requestor's IP address is insecure; see
+ When set in the zone statement for
+ a master zone, specifies which hosts are allowed to
+ submit Dynamic DNS updates to that zone. The default
+ is to deny updates from all hosts. This can only
+ be set at the zone level, not in
+ options or view.
+
+
+ Note that allowing updates based on the
+ requestor's IP address is insecure; see
for details.
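Review bot: The added sentence "This can only be set at the zone level, not in options or view" does not say what happens to a configuration that already has allow-update in options or view, that is, whether it is rejected when the configuration is loaded or silently ignored. The removed text carried no such restriction, so readers with existing configurations need the outcome stated. With that sentence in place, the opening clause "When set in the zone statement for a master zone" is redundant and could be reduced to a plain description of the ACL. Splitting the IP-address warning into its own paragraph is a good change, since it is the security-relevant part of this entry.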
@@ -7213,29 +7224,30 @@ options {
allow-update-forwarding
- Specifies which hosts are allowed to
- submit Dynamic DNS updates to slave zones to be forwarded to
- the
- master. The default is { none; },
- which
- means that no update forwarding will be performed. To
- enable
- update forwarding, specify
+ When set in the zone statement for
+ a slave zone, specifies which hosts are allowed to
+ submit Dynamic DNS updates and have them be forwarded
+ to the master. The default is
+ { none; }, which means that no
+ update forwarding will be performed. This can only be
+ set at the zone level, not in
+ options or view.
+
+
+ To enable update forwarding, specify
allow-update-forwarding { any; };.
- Specifying values other than { none; } or
- { any; } is usually
- counterproductive, since
- the responsibility for update access control should rest
- with the
- master server, not the slaves.
+ in the zone statement.
+ Specifying values other than { none; }
+ or { any; } is usually
+ counterproductive; the responsibility for update
+ access control should rest with the master server, not
+ the slave.
Note that enabling the update forwarding feature on a slave
- server
- may expose master servers relying on insecure IP address
- based
- access control to attacks; see
- for more details.
+ server may expose master servers to attacks if they rely
+ on insecure IP-address-based access control; see
+ for more details.
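Review bot: The unchanged context line "allow-update-forwarding { any; };." keeps its trailing full stop, and the added line "in the zone statement." follows it, so the rendered sentence will read "{ any; };. in the zone statement." with a stray period in the middle. The context line needs to be part of the change so the period can be dropped. As in the allow-update hunk, "This can only be set at the zone level" should say what happens if the option appears in options or view. In the last paragraph the condition is now clearer ("if they rely on insecure IP-address-based access control"), but the advice two sentences earlier to use only { none; } or { any; } would be easier to follow if the text connected the two: with { any; } every forwarded update is judged solely by the master's own access control.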
@@ -7259,13 +7271,14 @@ options {
allow-transfer
- Specifies which hosts are allowed to
- receive zone transfers from the server. allow-transfer may
- also be specified in the zone
- statement, in which
- case it overrides the options allow-transfer statement.
- If not specified, the default is to allow transfers to all
- hosts.
+ Specifies which hosts are allowed to receive zone
+ transfers from the server. allow-transfer
+ may also be specified in the zone
+ statement, in which case it overrides the
+ allow-transfer statement set in
+ options or view.
+ If not specified, the default is to allow transfers to
+ all hosts.
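Review bot: This entry now mentions view ("overrides the allow-transfer statement set in options or view") but, unlike the allow-notify hunk, does not say how a view-level value relates to an options-level one; the two entries should describe scope and precedence with the same wording. Since the paragraph ends on "the default is to allow transfers to all hosts", and the neighbouring entries in this patch carry explicit security notes, consider adding one sentence here recommending that transfers be restricted to the zone's secondaries. The default is the only open-by-default ACL among the four touched by this patch, and the text currently states it without comment.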