diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index bc98214589..9d713cf13f 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -128,7 +128,7 @@
ISC BIND 9 compiles and runs on a large number - of Unix-like operating systems and on + of Unix-like operating systems and on Microsoft Windows Server 2003 and 2008, and Windows XP and Vista. For an up-to-date list of supported systems, see the README file in the top level diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index a59cfccf68..ba9a9efe50 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -49,8 +49,8 @@
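Review bot: in the ch02 @@ -128 hunk the removed and added lines ("of Unix-like operating systems and on") are identical as rendered, so this is a whitespace or markup-only rewrap, and the same pattern repeats through the rest of this patch; the commit message should say explicitly that no wording changes are intended so reviewers can skim the rewraps. While this paragraph is being touched, the hard-coded platform list "Microsoft Windows Server 2003 and 2008, and Windows XP and Vista" is exactly the kind of detail that goes stale; since the next sentence already defers to the top-level README for the up-to-date list, consider dropping the specific versions here and keeping only the README pointer.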
Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -301,7 +301,7 @@
Let's say a company named Example, Inc.
(example.com
)
@@ -761,7 +761,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -822,7 +822,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to
generate keys.
@@ -931,7 +931,7 @@ allow-update { key host1-host2. ;};
To enable named to validate answers from
other servers, the dnssec-enable option
must be set to yes
, and the
- dnssec-validation options must be set to
+ dnssec-validation options must be set to
yes
or auto
.
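Review bot: the re-wrapped line "dnssec-validation options must be set to" should read "option" (singular), matching "the dnssec-enable option" two lines above in the same hunk; since the + line already rewrites this exact line, fix the number here rather than carrying the typo forward.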
@@ -1047,7 +1047,7 @@ options { including missing, expired, or invalid signatures, a key which does not match the DS RRset in the parent zone, or an insecure response from a zone which, according to its parent, should have - been secure. + been secure.
While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.
+Fully automatic zone signingTo enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf
.
@@ -1205,7 +1205,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1246,12 +1246,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
+Dynamic DNS update method To perform key rollovers via dynamic update, you need to add
the K*
files for the new keys so that
named can find them. You can then add the new
@@ -1273,7 +1273,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to @@ -1288,27 +1288,27 @@ options { completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATEAdd the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.
+Converting from NSEC to NSEC3To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.
+Converting from NSEC3 to NSECTo do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.
+Converting from secure to insecureTo convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using nsupdate. All signatures, NSEC or NSEC3 chains, @@ -1323,14 +1323,14 @@ options { allow instead (or it will re-sign).
+Periodic re-signingIn any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.
+NSEC3 and OPTOUTnamed only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT @@ -1352,7 +1352,7 @@ options { configuration files.
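Review bot: in the @@ -1288 hunk the context at the top says the rollover "completes in 30 days, after which it will be safe to remove the old key", but nothing says where the 30 days comes from, while the paragraph just before ties rollover timing to the activation dates set by dnssec-keygen or dnssec-settime; state what the 30-day figure derives from so operators who change their timing know the number moves with it. The new "Converting from secure to insecure" item only covers deleting the zone's own DNSKEY records via nsupdate; a sentence on what must happen with the parent-side DS record before that deletion would make the procedure complete, since as written a reader could follow the steps and leave the delegation pointing at keys that no longer exist.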
To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a managed-keys statement. Information about @@ -1363,7 +1363,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1460,7 +1460,7 @@ $ dnssec-signzone -S -K keys example.net
<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1502,7 +1502,7 @@ $ ./configure --enable-native-pkcs11 \
SoftHSMv2, the latest development version of SoftHSM, is available
from
@@ -1540,7 +1540,7 @@ $
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1598,7 +1598,7 @@ $
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1673,7 +1673,7 @@ $
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1702,7 +1702,7 @@ $
SoftHSM (version 1) is a software library developed by the
OpenDNSSEC project
@@ -1777,7 +1777,7 @@ $
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1797,7 +1797,7 @@ $
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1819,7 +1819,7 @@ $
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1863,7 +1863,7 @@ $
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1984,7 +1984,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -2016,7 +2016,7 @@ $
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
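Review bot: the re-wrapped line "and/or to to sign new records inserted via nsupdate" has a doubled "to"; drop one while the line is being rewritten.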
@@ -2224,7 +2224,7 @@ $
The number of client queries that the lwresd
daemon is able to serve can be set using the
- /opt/pkcs11/usr/bin/softhsm-util --init-token
/opt/pkcs11/usr/bin/softhsm-util --init-token
$
@@ -1631,7 +1631,7 @@ $ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
patch -p1 -d openssl-0.9.8zc \
./Configure linux-generic32 -m32 -pthread \
./Configure solaris64-x86_64-cc \
./Configure linux-x86_64 -pthread \
./configure CC="gcc -m32" --enable-threads \
./configure CC="cc -xarch=amd64" --enable-thre
$
cd ../bind9
$ ./configure --enable-threads \
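Review bot: in the @@ -1631 hunk the build recipe fetches "openssl-0.9.8zc.tar.gz" over plain http and then applies a local patch on top of it; a walkthrough that has readers build a modified OpenSSL should tell them to verify the tarball's signature (or at least fetch it over https) before patching, otherwise the instructions normalise installing an unverified crypto library. Separately, the Solaris line "./configure CC="cc -xarch=amd64" --enable-thre" is cut off mid-flag in this rendering; check that the source has the full "--enable-threads" so the copy-paste command is complete, since the Linux line two rows up spells it out in full.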
@@ -1840,7 +1840,7 @@ $
./configure --enable-threads \
./configure --enable-threads \
dnssec-signzone -E '' -S example.net
dnssec-signzone -E '' -S example.net
ip6.arpa domain, as well as the older, deprecated
ip6.int domain.
- Older versions of BIND 9
+ Older versions of BIND 9
supported the "binary label" (also known as "bitstring") format,
but support of binary labels has been completely removed per
RFC 3363.
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 0a9484391d..0d6c4cf2d2 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -123,7 +123,7 @@
lwres-tasks
and lwres-clients
+ lwres-tasks
and lwres-clients
statements in the configuration.
size_spec
- for details on how they interpret its use.
+ for details on how they interpret its use.
Numeric values can optionally be followed by a @@ -458,7 +458,7 @@ way to safely set a very large number.
- default
+ default
uses the limit that was in force when the server was started.
defines a named masters list for inclusion in stub and slave zones' - masters or + masters or also-notify lists.
@@ -2179,7 +2179,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] of worker threads the lightweight resolver will dedicate to serving clients. By default the number is the same as the number of CPUs on the system; this can be overridden using the-n
- command line option when starting the server.
+ command line option when starting the server.
The lwres-clients
specifies
@@ -2204,13 +2204,13 @@ badresp:1,adberr:0,findfail:0,valfail:0]
-mastersname
[portip_port
] [dscpip_dscp
] { (masters_list
| +mastersname
[portip_port
] [dscpip_dscp
] { (masters_list
|ip_addr
[portip_port
] [keykey
] ) ; [...] };
masters lists allow for a common set of masters to be easily used by @@ -2220,7 +2220,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options
statement in the named.conf
file:
@@ -2285,7 +2285,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ forwarders { [ ip_addr
[port ip_port
] [dscp ip_dscp
] ; ... ] }; ]
[ dual-stack-servers [port ip_port
] [dscp ip_dscp
] {
( domain_name
[port ip_port
] [dscp ip_dscp
] |
- ip_addr
[port ip_port
] [dscp ip_dscp
]) ;
+ ip_addr
[port ip_port
] [dscp ip_dscp
]) ;
... }; ]
[ check-names ( master
| slave
| response
)
( warn
| fail
| ignore
); ]
@@ -2336,7 +2336,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ query-source-v6 ( ( ip6_addr
| *
)
[ port ( ip_port
| *
) ]
[ dscp ip_dscp
] |
- [ address ( ip6_addr
| *
) ]
+ [ address ( ip6_addr
| *
) ]
[ port ( ip_port
| *
) ] )
[ dscp ip_dscp
] ; ]
[ use-queryport-pool yes_or_no
; ]
@@ -2789,7 +2789,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The pathname of a file to override the built-in trusted
keys provided by named.
See the discussion of dnssec-lookaside
- and dnssec-validation for details.
+ and dnssec-validation for details.
If not specified, the default is
/etc/bind.keys
.
Each dns64 supports an optional
mapped ACL that selects which
- IPv4 addresses are to be mapped in the corresponding
+ IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
any;
.
Species the default lifetime, in seconds, that will be used for negative trust anchors added - via rndc nta. + via rndc nta.
A negative trust anchor selectively disables
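Review bot: the context line "Species the default lifetime, in seconds, that will be used for negative trust anchors" has a typo ("Species" for "Specifies"); the hunk already rewrites the adjacent "via rndc nta." line, so fix the typo in the same change rather than leaving it for a follow-up.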
@@ -3160,7 +3160,7 @@ options {
domain has stopped validating due to operator error;
it temporarily disables DNSSEC validation for that
domain. In the interest of ensuring that DNSSEC
- validation is turned back on as soon as possible,
+ validation is turned back on as soon as possible,
named will periodically send a
query to the domain, ignoring negative trust anchors,
to find out whether it can now be validated. If so,
@@ -3233,7 +3233,7 @@ options {
option can also accept yes
or no
; yes
has the same meaning as full
.
- As of BIND 9.10,
+ As of BIND 9.10,
no
has the same meaning
as none
; previously, it
was the same as terse
.
@@ -3539,7 +3539,7 @@ options {
with "geoip" ACL elements, this option indicates whether
the EDNS Client Subnet option, if present in a request,
should be used for matching against the GeoIP database.
- The default is
+ The default is
geoip-use-ecs yes
.
If yes
, then an empty EDNS(0)
- NSID (Name Server Identifier) option is sent with all
+ NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
@@ -3886,7 +3886,7 @@ options {
If yes
,
the DNS client is at an IPv4 address, in filter-aaaa,
- and if the response does not include DNSSEC signatures,
+ and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
authoritative responses.
@@ -3898,8 +3898,8 @@ options {
because the DNSSEC protocol is designed detect deletions.
- This mechanism can erroneously cause other servers to - not give AAAA records to their clients. + This mechanism can erroneously cause other servers to + not give AAAA records to their clients. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is @@ -4262,7 +4262,7 @@ options {
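Review bot: in the @@ -3898 hunk the context line directly above the changed text reads "because the DNSSEC protocol is designed detect deletions" and is missing "to"; since the neighbouring lines are being rewrapped anyway, fix it here. The rewrapped sentence "This mechanism can erroneously cause other servers to not give AAAA records to their clients" would also read more plainly as "can cause other servers to withhold AAAA records from their clients", which keeps the warning about the dual-stack recursive server that follows it easier to parse.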
Dual-stack servers are used as servers of last resort to work around @@ -4538,7 +4538,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4697,7 +4697,7 @@ avoid-v6-udp-ports {};
Note: BIND 9.5.0 introduced - the use-queryport-pool + the use-queryport-pool option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. @@ -5015,7 +5015,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports, avoid-v4-udp-ports, @@ -5057,7 +5057,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -5172,7 +5172,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
A "soft quota" is also set. When this lower
quota is exceeded, incoming requests are accepted, but
- for each one, a pending request will be dropped.
+ for each one, a pending request will be dropped.
If recursive-clients
is greater than
1000, the soft quota is set to
recursive-clients
minus 100;
@@ -5376,7 +5376,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
or the value 0, will place no limit on cache size;
records will be purged from the cache only when their
TTLs expire.
- Any positive values less than 2MB will be ignored
+ Any positive values less than 2MB will be ignored
and reset to 2MB.
In a server with multiple views, the limit applies
separately to the cache of each view.
@@ -5391,7 +5391,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
waiting for
some data before being passed to accept. Nonzero values
less than 10 will be silently raised. A value of 0 may also
- be used; on most platforms this sets the listen queue
+ be used; on most platforms this sets the listen queue
length to a system-defined default value.
BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6564,7 +6564,7 @@ deny-answer-aliases { "example.net"; };
BIND 9 includes a limited
mechanism to modify DNS responses for requests
@@ -6617,7 +6617,7 @@ deny-answer-aliases { "example.net"; };
to the standard IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip
.
Each of W8,...,W1 is a one to four digit hexadecimal number
- representing 16 bits of the IPv6 address as in the standard
+ representing 16 bits of the IPv6 address as in the standard
text representation of IPv6 addresses, but reversed as in
IP6.ARPA. (Note that this representation of IPv6
address is different from IP6.ARPA where each hex
@@ -7340,7 +7340,7 @@ example.com CNAME rpz-tcp-only.
when a secondary server transfers a zone from another
secondary server; when transferring from the primary, the
expiration timer is set from the EXPIRE field of the SOA
- record instead.
+ record instead.
The default is yes.
@@ -7481,7 +7481,7 @@ example.com CNAME rpz-tcp-only. whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or - option level. + option level.
The send-cookie clause determines @@ -7562,16 +7562,16 @@ example.com CNAME rpz-tcp-only. port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is - included which can format the XML statistics into tables - when viewed with a stylesheet-capable browser, and into + included which can format the XML statistics into tables + when viewed with a stylesheet-capable browser, and into charts and graphs using the Google Charts API when using a javascript-capable browser.
Applications that depend on a particular XML schema - can request + can request http://127.0.0.1:8888/xml/v2 for version 2 - of the statistics XML schema or + of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" @@ -7625,7 +7625,7 @@ example.com CNAME rpz-tcp-only.
The trusted-keys statement defines @@ -7681,7 +7681,7 @@ example.com CNAME rpz-tcp-only. managed-keys Statement Definition and Usage
- The managed-keys statement, like
+ The managed-keys statement, like
trusted-keys, defines DNSSEC
security roots. The difference is that
managed-keys can be kept up to date
@@ -7727,7 +7727,7 @@ example.com CNAME rpz-tcp-only.
initial-key
. The difference is, whereas the
keys listed in a trusted-keys continue to be
trusted until they are removed from
- named.conf
, an initializing key listed
+ named.conf
, an initializing key listed
in a managed-keys statement is only trusted
once: for as long as it takes to load the
managed key database and start the RFC 5011 key maintenance
@@ -8098,7 +8098,7 @@ zone zone_name
[ allow-query { address_match_list
}; ]
[ server-addresses { [ ip_addr
; ... ] }; ]
- [ server-names { [ namelist
] }; ]
+ [ server-names { [ namelist
] }; ]
[ zone-statistics yes_or_no
; ]
};
@@ -8303,7 +8303,7 @@ zone zone_name
[
Each static-stub zone is configured with
internally generated NS and (if necessary)
- glue A or AAAA RRs
+ glue A or AAAA RRs
zone_name
["*. IN A 100.100.100.2"
and
"*. IN AAAA 2001:ffff:ffff::100.100.100.2"
.
@@ -8395,7 +8395,7 @@ zone zone_name
[
To redirect all Spanish names (under .ES) one
would use similar entries but with the names
- "*.ES." instead of "*.". To redirect all
+ "*.ES." instead of "*.". To redirect all
commercial Spanish names (under COM.ES) one
would use wildcard entries called "*.COM.ES.".
@@ -8905,7 +8905,7 @@ example.com. NS ns2.example.net.
zonename
causes
named to load keys from the key
repository and sign the zone with all keys that are
- active.
+ active.
rndc loadkeys
zonename
causes
named to load keys from the key
@@ -8936,7 +8936,7 @@ example.com. NS ns2.example.net.
the zone is updated.
- When set to + When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is @@ -8944,7 +8944,7 @@ example.com. NS ns2.example.net. case it is simply incremented by one.
- When set to + When set to serial-update-method date;, the new SOA serial number will be the current date in the form "YYYYMMDD", followed by two zeroes, @@ -9242,7 +9242,7 @@ example.com. NS ns2.example.net.
This rule takes a Windows machine principal
(machine$@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
+ and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the identity
field.
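Review bot: the + line "and converts it machine.realm allowing the machine" keeps two defects from the - line it replaces: the previous line already ends with "and", producing "and and converts", and "converts it machine.realm" is missing "to". The ms-subdomain text in the @@ -9257 hunk just below already has the correct form ("converts it to machine.realm"); use the same wording here since the line is being rewritten anyway.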
@@ -9257,7 +9257,7 @@ example.com. NS ns2.example.net.
- This rule takes a Windows machine principal + This rule takes a Windows machine principal (machine$@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM @@ -9276,7 +9276,7 @@ example.com. NS ns2.example.net.
This rule takes a Kerberos machine principal
(host/machine@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
+ and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the identity
field.
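Review bot: the + line "and converts it machine.realm allowing the machine" in the krb5-self rule has the same two problems as its - line: the line before ends with "and", giving "and and converts", and "converts it machine.realm" lacks "to". The krb5-subdomain text in the @@ -9291 hunk below reads "converts it to machine.realm"; match that phrasing here.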
@@ -9291,7 +9291,7 @@ example.com. NS ns2.example.net.
- This rule takes a Kerberos machine principal + This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM @@ -9403,7 +9403,7 @@ example.com. NS ns2.example.net.
When multiple views are in use, a zone may be referenced by more than one of them. Often, the views @@ -9465,7 +9465,7 @@ view external {
A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -10673,7 +10673,7 @@ view external {
Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -10734,7 +10734,7 @@ view external {
The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -10749,18 +10749,18 @@ view external {
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
- At the start of the zone file, it is the
+ At the start of the zone file, it is the
<zone_name
> (followed by
trailing dot).
Syntax: $ORIGIN
domain-name
@@ -10789,7 +10789,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
@@ -10825,7 +10825,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $TTL
default-ttl
@@ -10844,7 +10844,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $GENERATE
range
@@ -11041,7 +11041,7 @@ HOST-127.EXAMPLE. MX 0 .
In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in - other formats. + other formats.
The raw
format is
@@ -11061,7 +11061,7 @@ HOST-127.EXAMPLE. MX 0 .
For a primary server, a zone file in
raw
or map
format is expected to be generated from a textual zone
- file by the named-compilezone command.
+ file by the named-compilezone command.
For a secondary server or for a dynamic zone, it is automatically
generated (if this format is specified by the
masterfile-format option) when
@@ -11083,7 +11083,7 @@ HOST-127.EXAMPLE. MX 0 .
with different pointer size, endianness or data alignment
than the system on which it was generated, and should in
general be used only inside a single system.
- While raw
format uses
+ While raw
format uses
network byte order and avoids architecture-dependent
data alignment so that it is as portable as
possible, it is also primarily expected to be used
@@ -11910,7 +11910,7 @@ HOST-127.EXAMPLE. MX 0 .