diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index f77fd9e69a..28db77ff08 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -219,6 +219,13 @@ when there is a large number of zones because it avoids the need to examine the Displays the current status of the given zone, including the master file name and any include files from which it was loaded, when it was most recently loaded, the current serial number, the number of nodes, whether the zone supports dynamic updates, whether the zone is DNSSEC signed, whether it uses automatic DNSSEC key management or inline signing, and the scheduled refresh or expiry times for the zone. .RE .PP +\fBmanaged\-keys \fR\fB\fI(status | refresh | sync)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR +.RS 4 +When run with the "status" keyword, print the current status of the managed\-keys database for the specified view, or for all views if none is specified. When run with the "refresh" keyword, force an immediate refresh of all the managed\-keys in the specified view, or all views. When run with the "sync" keyword, force an immediate dump of the managed\-keys database to disk (in the file +\fImanaged\-keys.bind\fR +or (\fI\fIviewname\fR\fR\fI.mkeys\fR). +.RE +.PP \fBstats\fR .RS 4 Write server statistics to the statistics file. 
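Review bot: the "sync" sentence of the new managed-keys entry has unbalanced parentheses and doubled italic requests: "(in the file \fImanaged\-keys.bind\fR or (\fI\fIviewname\fR\fR\fI.mkeys\fR)." opens two parentheses, closes one, and nests \fI inside \fI. Suggest "(in the file \fImanaged\-keys.bind\fR or \fIviewname\fR\fI.mkeys\fR)." The same sentence is repeated in the rndc.html hunk below, so fix both copies together.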
@@ -250,9 +257,17 @@ section of Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped. .RE .PP -\fBsecroots \fR\fB[\fIview ...\fR]\fR +\fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview ...\fR]\fR .RS 4 -Dump the server's security roots and negative trust anchors to the secroots file for the specified views. If no view is specified, all views are dumped. +Dump the server's security roots and negative trust anchors for the specified views. If no view is specified, all views are dumped. +.sp +If the first argument is "\-", then the output is returned via the +\fBrndc\fR +response channel and printed to the standard output. Otherwise, it is written to the secroots dump file, which defaults to +\fInamed.secroots\fR, but can be overridden via the +\fBsecroots\-file\fR +option in +\fInamed.conf\fR. .RE .PP \fBstop \fR\fB[\-p]\fR diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 38acc554e4..aa4c113325 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -67,74 +67,74 @@
-b source-address

- Use source-address - as the source address for the connection to the server. - Multiple instances are permitted to allow setting of both - the IPv4 and IPv6 source addresses. -

+ Use source-address + as the source address for the connection to the server. + Multiple instances are permitted to allow setting of both + the IPv4 and IPv6 source addresses. +

-c config-file

- Use config-file - as the configuration file instead of the default, - /etc/rndc.conf. -

+ Use config-file + as the configuration file instead of the default, + /etc/rndc.conf. +

-k key-file

- Use key-file - as the key file instead of the default, - /etc/rndc.key. The key in - /etc/rndc.key will be used to - authenticate - commands sent to the server if the config-file - does not exist. -

+ Use key-file + as the key file instead of the default, + /etc/rndc.key. The key in + /etc/rndc.key will be used to + authenticate + commands sent to the server if the config-file + does not exist. +

-s server

server is - the name or address of the server which matches a - server statement in the configuration file for - rndc. If no server is supplied on the - command line, the host named by the default-server clause - in the options statement of the rndc - configuration file will be used. -

+ the name or address of the server which matches a + server statement in the configuration file for + rndc. If no server is supplied on the + command line, the host named by the default-server clause + in the options statement of the rndc + configuration file will be used. +

-p port

- Send commands to TCP port - port - instead - of BIND 9's default control channel port, 953. -

+ Send commands to TCP port + port + instead + of BIND 9's default control channel port, 953. +

-q

- Quiet mode: Message text returned by the server - will not be printed except when there is an error. -

+ Quiet mode: Message text returned by the server + will not be printed except when there is an error. +

-V

- Enable verbose logging. -

+ Enable verbose logging. +

-y key_id

- Use the key key_id - from the configuration file. - key_id - must be - known by named with the same algorithm and secret string - in order for control message validation to succeed. - If no key_id - is specified, rndc will first look - for a key clause in the server statement of the server - being used, or if no server statement is present for that - host, then the default-key clause of the options statement. - Note that the configuration file contains shared secrets - which are used to send authenticated control commands - to name servers. It should therefore not have general read - or write access. -

+ Use the key key_id + from the configuration file. + key_id + must be + known by named with the same algorithm and secret string + in order for control message validation to succeed. + If no key_id + is specified, rndc will first look + for a key clause in the server statement of the server + being used, or if no server statement is present for that + host, then the default-key clause of the options statement. + Note that the configuration file contains shared secrets + which are used to send authenticated control commands + to name servers. It should therefore not have general read + or write access. +

-

COMMANDS

+

COMMANDS

A list of commands supported by rndc can be seen by running rndc without arguments. @@ -145,246 +145,269 @@
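Review bot: every -/+ pair in this hunk (the -b through -y option descriptions and the COMMANDS heading) differs only in leading whitespace, with no wording change. Consider committing the whitespace-only regeneration of rndc.html separately from the managed-keys and secroots additions so the substantive documentation changes remain easy to review.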

reload

- Reload configuration file and zones. -

+ Reload configuration file and zones. +

reload zone [class [view]]

- Reload the given zone. -

+ Reload the given zone. +

refresh zone [class [view]]

- Schedule zone maintenance for the given zone. -

+ Schedule zone maintenance for the given zone. +

retransfer zone [class [view]]

- Retransfer the given slave zone from the master server. -

+ Retransfer the given slave zone from the master server. +

- If the zone is configured to use - inline-signing, the signed - version of the zone is discarded; after the - retransfer of the unsigned version is complete, the - signed version will be regenerated with all new - signatures. -

+ If the zone is configured to use + inline-signing, the signed + version of the zone is discarded; after the + retransfer of the unsigned version is complete, the + signed version will be regenerated with all new + signatures. +

sign zone [class [view]]

- Fetch all DNSSEC keys for the given zone - from the key directory (see the - key-directory option in - the BIND 9 Administrator Reference Manual). If they are within - their publication period, merge them into the - zone's DNSKEY RRset. If the DNSKEY RRset - is changed, then the zone is automatically - re-signed with the new key set. -

+ Fetch all DNSSEC keys for the given zone + from the key directory (see the + key-directory option in + the BIND 9 Administrator Reference Manual). If they are within + their publication period, merge them into the + zone's DNSKEY RRset. If the DNSKEY RRset + is changed, then the zone is automatically + re-signed with the new key set. +

- This command requires that the - auto-dnssec zone option be set - to allow or - maintain, - and also requires the zone to be configured to - allow dynamic DNS. - (See "Dynamic Update Policies" in the Administrator - Reference Manual for more details.) -

+ This command requires that the + auto-dnssec zone option be set + to allow or + maintain, + and also requires the zone to be configured to + allow dynamic DNS. + (See "Dynamic Update Policies" in the Administrator + Reference Manual for more details.) +

loadkeys zone [class [view]]

- Fetch all DNSSEC keys for the given zone - from the key directory. If they are within - their publication period, merge them into the - zone's DNSKEY RRset. Unlike rndc - sign, however, the zone is not - immediately re-signed by the new keys, but is - allowed to incrementally re-sign over time. -

+ Fetch all DNSSEC keys for the given zone + from the key directory. If they are within + their publication period, merge them into the + zone's DNSKEY RRset. Unlike rndc + sign, however, the zone is not + immediately re-signed by the new keys, but is + allowed to incrementally re-sign over time. +

- This command requires that the - auto-dnssec zone option - be set to maintain, - and also requires the zone to be configured to - allow dynamic DNS. - (See "Dynamic Update Policies" in the Administrator - Reference Manual for more details.) -

+ This command requires that the + auto-dnssec zone option + be set to maintain, + and also requires the zone to be configured to + allow dynamic DNS. + (See "Dynamic Update Policies" in the Administrator + Reference Manual for more details.) +

freeze [zone [class [view]]]

- Suspend updates to a dynamic zone. If no zone is - specified, then all zones are suspended. This allows - manual edits to be made to a zone normally updated by - dynamic update. It also causes changes in the - journal file to be synced into the master file. - All dynamic update attempts will be refused while - the zone is frozen. -

+ Suspend updates to a dynamic zone. If no zone is + specified, then all zones are suspended. This allows + manual edits to be made to a zone normally updated by + dynamic update. It also causes changes in the + journal file to be synced into the master file. + All dynamic update attempts will be refused while + the zone is frozen. +

thaw [zone [class [view]]]

- Enable updates to a frozen dynamic zone. If no - zone is specified, then all frozen zones are - enabled. This causes the server to reload the zone - from disk, and re-enables dynamic updates after the - load has completed. After a zone is thawed, - dynamic updates will no longer be refused. If - the zone has changed and the - ixfr-from-differences option is - in use, then the journal file will be updated to - reflect changes in the zone. Otherwise, if the - zone has changed, any existing journal file will be - removed. -

+ Enable updates to a frozen dynamic zone. If no + zone is specified, then all frozen zones are + enabled. This causes the server to reload the zone + from disk, and re-enables dynamic updates after the + load has completed. After a zone is thawed, + dynamic updates will no longer be refused. If + the zone has changed and the + ixfr-from-differences option is + in use, then the journal file will be updated to + reflect changes in the zone. Otherwise, if the + zone has changed, any existing journal file will be + removed. +

scan

- Scan the list of available network interfaces - for changes, without performing a full - reconfig or waiting for the - interface-interval timer. -

+ Scan the list of available network interfaces + for changes, without performing a full + reconfig or waiting for the + interface-interval timer. +

sync [-clean] [zone [class [view]]]

- Sync changes in the journal file for a dynamic zone - to the master file. If the "-clean" option is - specified, the journal file is also removed. If - no zone is specified, then all zones are synced. -

+ Sync changes in the journal file for a dynamic zone + to the master file. If the "-clean" option is + specified, the journal file is also removed. If + no zone is specified, then all zones are synced. +

notify zone [class [view]]

- Resend NOTIFY messages for the zone. -

+ Resend NOTIFY messages for the zone. +

reconfig

- Reload the configuration file and load new zones, - but do not reload existing zone files even if they - have changed. - This is faster than a full reload when there - is a large number of zones because it avoids the need - to examine the - modification times of the zones files. -

+ Reload the configuration file and load new zones, + but do not reload existing zone files even if they + have changed. + This is faster than a full reload when there + is a large number of zones because it avoids the need + to examine the + modification times of the zones files. +

zonestatus [zone [class [view]]]

- Displays the current status of the given zone, - including the master file name and any include - files from which it was loaded, when it was most - recently loaded, the current serial number, the - number of nodes, whether the zone supports - dynamic updates, whether the zone is DNSSEC - signed, whether it uses automatic DNSSEC key - management or inline signing, and the scheduled - refresh or expiry times for the zone. -

+ Displays the current status of the given zone, + including the master file name and any include + files from which it was loaded, when it was most + recently loaded, the current serial number, the + number of nodes, whether the zone supports + dynamic updates, whether the zone is DNSSEC + signed, whether it uses automatic DNSSEC key + management or inline signing, and the scheduled + refresh or expiry times for the zone. +

+
managed-keys (status | refresh | sync) [class [view]]
+

+ When run with the "status" keyword, print the current + status of the managed-keys database for the specified + view, or for all views if none is specified. When run + with the "refresh" keyword, force an immediate refresh + of all the managed-keys in the specified view, or all + views. When run with the "sync" keyword, force an + immediate dump of the managed-keys database to disk (in + the file managed-keys.bind or + (viewname.mkeys). +

stats

- Write server statistics to the statistics file. -

+ Write server statistics to the statistics file. +

querylog [on|off]

- Enable or disable query logging. (For backward - compatibility, this command can also be used without - an argument to toggle query logging on and off.) -

+ Enable or disable query logging. (For backward + compatibility, this command can also be used without + an argument to toggle query logging on and off.) +

- Query logging can also be enabled - by explicitly directing the queries - category to a - channel in the - logging section of - named.conf or by specifying - querylog yes; in the - options section of - named.conf. -

+ Query logging can also be enabled + by explicitly directing the queries + category to a + channel in the + logging section of + named.conf or by specifying + querylog yes; in the + options section of + named.conf. +

dumpdb [-all|-cache|-zone] [view ...]

- Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. -

-
secroots [view ...]
-

- Dump the server's security roots and negative trust anchors - to the secroots file for the specified views. If no view is - specified, all views are dumped. -

+ Dump the server's caches (default) and/or zones to + the + dump file for the specified views. If no view is + specified, all + views are dumped. +

+
secroots [-] [view ...]
+
+

+ Dump the server's security roots and negative trust anchors + for the specified views. If no view is specified, all views + are dumped. +

+

+ If the first argument is "-", then the output is + returned via the rndc response channel + and printed to the standard output. + Otherwise, it is written to the secroots dump file, which + defaults to named.secroots, but can be + overridden via the secroots-file option in + named.conf. +

+
stop [-p]

- Stop the server, making sure any recent changes - made through dynamic update or IXFR are first saved to - the master files of the updated zones. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed stopping. -

+ Stop the server, making sure any recent changes + made through dynamic update or IXFR are first saved to + the master files of the updated zones. + If -p is specified named's process id is returned. + This allows an external process to determine when named + had completed stopping. +

halt [-p]

- Stop the server immediately. Recent changes - made through dynamic update or IXFR are not saved to - the master files, but will be rolled forward from the - journal files when the server is restarted. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed halting. -

+ Stop the server immediately. Recent changes + made through dynamic update or IXFR are not saved to + the master files, but will be rolled forward from the + journal files when the server is restarted. + If -p is specified named's process id is returned. + This allows an external process to determine when named + had completed halting. +

trace

- Increment the servers debugging level by one. -

+ Increment the servers debugging level by one. +

trace level

- Sets the server's debugging level to an explicit - value. -

+ Sets the server's debugging level to an explicit + value. +

notrace

- Sets the server's debugging level to 0. -

+ Sets the server's debugging level to 0. +

flush

- Flushes the server's cache. -

+ Flushes the server's cache. +

flushname name [view]

- Flushes the given name from the view's DNS cache - and, if applicable, from the view's nameserver address - database, bad server cache and SERVFAIL cache. -

+ Flushes the given name from the view's DNS cache + and, if applicable, from the view's nameserver address + database, bad server cache and SERVFAIL cache. +

flushtree name [view]

- Flushes the given name, and all of its subdomains, - from the view's DNS cache, address database, - bad server cache, and SERVFAIL cache. -

+ Flushes the given name, and all of its subdomains, + from the view's DNS cache, address database, + bad server cache, and SERVFAIL cache. +

status

- Display status of the server. - Note that the number of zones includes the internal bind/CH zone - and the default ./IN - hint zone if there is not an - explicit root zone configured. -

+ Display status of the server. + Note that the number of zones includes the internal bind/CH zone + and the default ./IN + hint zone if there is not an + explicit root zone configured. +

recursing

- Dump the list of queries named is currently recursing - on. -

+ Dump the list of queries named is currently recursing + on. +

validation ( on | off | check ) [view ...]

- Enable, disable, or check the current status of - DNSSEC validation. - Note dnssec-enable also needs to be - set to yes or - auto to be effective. - It defaults to enabled. -

+ Enable, disable, or check the current status of + DNSSEC validation. + Note dnssec-enable also needs to be + set to yes or + auto to be effective. + It defaults to enabled. +

nta [( -d | -f | -r | -l duration)] domain @@ -392,135 +415,135 @@
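Review bot: the new managed-keys paragraph in this hunk repeats the unbalanced parenthesis from the man page: "(in the file managed-keys.bind or (viewname.mkeys)." opens two parentheses and closes one; suggest "(in the file managed-keys.bind or viewname.mkeys)." While the trace entry is being reindented, "Increment the servers debugging level by one." should read "Increment the server's debugging level by one."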

- Sets a DNSSEC negative trust anchor (NTA) - for domain, with a lifetime of - duration. The default lifetime is - configured in named.conf via the - nta-lifetime option, and defaults to - one hour. The lifetime cannot exceed one week. -

+ Sets a DNSSEC negative trust anchor (NTA) + for domain, with a lifetime of + duration. The default lifetime is + configured in named.conf via the + nta-lifetime option, and defaults to + one hour. The lifetime cannot exceed one week. +

- A negative trust anchor selectively disables - DNSSEC validation for zones that are known to be - failing because of misconfiguration rather than - an attack. When data to be validated is - at or below an active NTA (and above any other - configured trust anchors), named will - abort the DNSSEC validation process and treat the data as - insecure rather than bogus. This continues until the - NTA's lifetime is elapsed. -

+ A negative trust anchor selectively disables + DNSSEC validation for zones that are known to be + failing because of misconfiguration rather than + an attack. When data to be validated is + at or below an active NTA (and above any other + configured trust anchors), named will + abort the DNSSEC validation process and treat the data as + insecure rather than bogus. This continues until the + NTA's lifetime is elapsed. +

- NTAs persist across restarts of the named server. - The NTAs for a view are saved in a file called - name.nta, - where name is the - name of the view, or if it contains characters - that are incompatible with use as a file name, a - cryptographic hash generated from the name - of the view. -

+ NTAs persist across restarts of the named server. + The NTAs for a view are saved in a file called + name.nta, + where name is the + name of the view, or if it contains characters + that are incompatible with use as a file name, a + cryptographic hash generated from the name + of the view. +

- An existing NTA can be removed by using the - -remove option. -

+ An existing NTA can be removed by using the + -remove option. +

- An NTA's lifetime can be specified with the - -lifetime option. TTL-style - suffixes can be used to specify the lifetime in - seconds, minutes, or hours. If the specified NTA - already exists, its lifetime will be updated to the - new value. Setting lifetime to zero - is equivalent to -remove. -

+ An NTA's lifetime can be specified with the + -lifetime option. TTL-style + suffixes can be used to specify the lifetime in + seconds, minutes, or hours. If the specified NTA + already exists, its lifetime will be updated to the + new value. Setting lifetime to zero + is equivalent to -remove. +

- If -dump is used, any other arguments - are ignored, and a list of existing NTAs is printed - (note that this may include NTAs that are expired but - have not yet been cleaned up). -

+ If -dump is used, any other arguments + are ignored, and a list of existing NTAs is printed + (note that this may include NTAs that are expired but + have not yet been cleaned up). +

- Normally, named will periodically - test to see whether data below an NTA can now be - validated (see the nta-recheck option - in the Administrator Reference Manual for details). - If data can be validated, then the NTA is regarded as - no longer necessary, and will be allowed to expire - early. The -force overrides this - behavior and forces an NTA to persist for its entire - lifetime, regardless of whether data could be - validated if the NTA were not present. -

+ Normally, named will periodically + test to see whether data below an NTA can now be + validated (see the nta-recheck option + in the Administrator Reference Manual for details). + If data can be validated, then the NTA is regarded as + no longer necessary, and will be allowed to expire + early. The -force overrides this + behavior and forces an NTA to persist for its entire + lifetime, regardless of whether data could be + validated if the NTA were not present. +

- All of these options can be shortened, i.e., to - -l, -r, -d, - and -f. -

+ All of these options can be shortened, i.e., to + -l, -r, -d, + and -f. +

tsig-list

- List the names of all TSIG keys currently configured - for use by named in each view. The - list both statically configured keys and dynamic - TKEY-negotiated keys. -

+ List the names of all TSIG keys currently configured + for use by named in each view. The + list both statically configured keys and dynamic + TKEY-negotiated keys. +

tsig-delete keyname [view]

- Delete a given TKEY-negotiated key from the server. - (This does not apply to statically configured TSIG - keys.) -

+ Delete a given TKEY-negotiated key from the server. + (This does not apply to statically configured TSIG + keys.) +

addzone zone [class [view]] configuration

- Add a zone while the server is running. This - command requires the - allow-new-zones option to be set - to yes. The - configuration string - specified on the command line is the zone - configuration text that would ordinarily be - placed in named.conf. -

+ Add a zone while the server is running. This + command requires the + allow-new-zones option to be set + to yes. The + configuration string + specified on the command line is the zone + configuration text that would ordinarily be + placed in named.conf. +

- The configuration is saved in a file called - name.nzf, - where name is the - name of the view, or if it contains characters - that are incompatible with use as a file name, a - cryptographic hash generated from the name - of the view. - When named is - restarted, the file will be loaded into the view - configuration, so that zones that were added - can persist after a restart. -

+ The configuration is saved in a file called + name.nzf, + where name is the + name of the view, or if it contains characters + that are incompatible with use as a file name, a + cryptographic hash generated from the name + of the view. + When named is + restarted, the file will be loaded into the view + configuration, so that zones that were added + can persist after a restart. +

- This sample addzone command - would add the zone example.com - to the default view: -

+ This sample addzone command + would add the zone example.com + to the default view: +

$ rndc addzone example.com '{ type master; file "example.com.db"; };' -

+

- (Note the brackets and semi-colon around the zone - configuration text.) -

+ (Note the brackets and semi-colon around the zone + configuration text.) +

modzone zone [class [view]] configuration

- Modify the configuration of a zone while the server + Modify the configuration of a zone while the server is running. This command requires the - allow-new-zones option to be + allow-new-zones option to be set to yes. As with addzone, the - configuration string - specified on the command line is the zone - configuration text that would ordinarily be - placed in named.conf. -

+ configuration string + specified on the command line is the zone + configuration text that would ordinarily be + placed in named.conf. +

If the zone was originally added via rndc addzone, the configuration @@ -533,25 +556,25 @@ its original configuration. To make the changes permanent, it must also be modified in named.conf -
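Review bot: the tsig-list description reindented in this hunk carries a pre-existing grammar slip: "The list both statically configured keys and dynamic TKEY-negotiated keys." should read "The list includes both statically configured keys and dynamic TKEY-negotiated keys." Since these lines are rewritten anyway, fix it here.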

+

delzone [-clean] zone [class [view]]

- Delete a zone while the server is running. -

+ Delete a zone while the server is running. +

- If the -clean is specified, - the zone's master file (and journal file, if any) - will be deleted along with the zone. Without the - -clean option, zone files must - be cleaned up by hand. (If the zone is of - type "slave" or "stub", the files needing to - be cleaned up will be reported in the output - of the rndc delzone command.) -

+ If the -clean is specified, + the zone's master file (and journal file, if any) + will be deleted along with the zone. Without the + -clean option, zone files must + be cleaned up by hand. (If the zone is of + type "slave" or "stub", the files needing to + be cleaned up will be reported in the output + of the rndc delzone command.) +

- If the zone was originally added via + If the zone was originally added via rndc addzone, then it will be removed permanently. However, if it was originally configured in named.conf, then @@ -563,72 +586,72 @@
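Review bot: in the delzone text reindented here, "If the -clean is specified," is missing a noun; suggest "If the -clean option is specified," to match "Without the -clean option" two sentences later.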

showzone zone [class [view]]

- Print the configuration of a running zone. -

+ Print the configuration of a running zone. +

signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) | -serial value ) ] zone [class [view]]

- List, edit, or remove the DNSSEC signing state records - for the specified zone. The status of ongoing DNSSEC - operations (such as signing or generating - NSEC3 chains) is stored in the zone in the form - of DNS resource records of type - sig-signing-type. - rndc signing -list converts - these records into a human-readable form, - indicating which keys are currently signing - or have finished signing the zone, and which NSEC3 - chains are being created or removed. -

+ List, edit, or remove the DNSSEC signing state records + for the specified zone. The status of ongoing DNSSEC + operations (such as signing or generating + NSEC3 chains) is stored in the zone in the form + of DNS resource records of type + sig-signing-type. + rndc signing -list converts + these records into a human-readable form, + indicating which keys are currently signing + or have finished signing the zone, and which NSEC3 + chains are being created or removed. +

- rndc signing -clear can remove - a single key (specified in the same format that - rndc signing -list uses to - display it), or all keys. In either case, only - completed keys are removed; any record indicating - that a key has not yet finished signing the zone - will be retained. -

+ rndc signing -clear can remove + a single key (specified in the same format that + rndc signing -list uses to + display it), or all keys. In either case, only + completed keys are removed; any record indicating + that a key has not yet finished signing the zone + will be retained. +

- rndc signing -nsec3param sets - the NSEC3 parameters for a zone. This is the - only supported mechanism for using NSEC3 with - inline-signing zones. - Parameters are specified in the same format as - an NSEC3PARAM resource record: hash algorithm, - flags, iterations, and salt, in that order. -

+ rndc signing -nsec3param sets + the NSEC3 parameters for a zone. This is the + only supported mechanism for using NSEC3 with + inline-signing zones. + Parameters are specified in the same format as + an NSEC3PARAM resource record: hash algorithm, + flags, iterations, and salt, in that order. +

- Currently, the only defined value for hash algorithm - is 1, representing SHA-1. - The flags may be set to - 0 or 1, - depending on whether you wish to set the opt-out - bit in the NSEC3 chain. iterations - defines the number of additional times to apply - the algorithm when generating an NSEC3 hash. The - salt is a string of data expressed - in hexadecimal, a hyphen (`-') if no salt is - to be used, or the keyword auto, - which causes named to generate a - random 64-bit salt. -

+ Currently, the only defined value for hash algorithm + is 1, representing SHA-1. + The flags may be set to + 0 or 1, + depending on whether you wish to set the opt-out + bit in the NSEC3 chain. iterations + defines the number of additional times to apply + the algorithm when generating an NSEC3 hash. The + salt is a string of data expressed + in hexadecimal, a hyphen (`-') if no salt is + to be used, or the keyword auto, + which causes named to generate a + random 64-bit salt. +

- So, for example, to create an NSEC3 chain using - the SHA-1 hash algorithm, no opt-out flag, - 10 iterations, and a salt value of "FFFF", use: - rndc signing -nsec3param 1 0 10 FFFF zone. - To set the opt-out flag, 15 iterations, and no - salt, use: - rndc signing -nsec3param 1 1 15 - zone. -

+ So, for example, to create an NSEC3 chain using + the SHA-1 hash algorithm, no opt-out flag, + 10 iterations, and a salt value of "FFFF", use: + rndc signing -nsec3param 1 0 10 FFFF zone. + To set the opt-out flag, 15 iterations, and no + salt, use: + rndc signing -nsec3param 1 1 15 - zone. +

- rndc signing -nsec3param none - removes an existing NSEC3 chain and replaces it - with NSEC. -

+ rndc signing -nsec3param none + removes an existing NSEC3 chain and replaces it + with NSEC. +

- rndc signing -serial value sets + rndc signing -serial value sets the serial number of the zone to value. If the value would cause the serial number to go backwards it will be rejected. The primary use is to set the serial on @@ -638,7 +661,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -648,7 +671,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -658,7 +681,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 4118146661..27dbfa44d0 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -315,6 +315,13 @@ queries and then waits for responses, instead of sending one query and waiting the response before sending the next. [RT #38261]

+
  • + To enable better monitoring and troubleshooting of RFC 5011 + trust anchor management, the new rndc managed-keys + can be used to check status of trust anchors or to force keys + to be refreshed. Also, the managed-keys data file now has + easier-to-read comments. [RT #38458] +

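Review bot: the added release-note bullet drops a noun after the command name: "the new rndc managed-keys can be used to check status of trust anchors" reads as if the command itself were the subject. Suggest "the new rndc managed-keys command can be used to check the status of trust anchors or to force keys to be refreshed", which also matches how the other bullets in this list name rndc subcommands.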
  • @@ -474,6 +481,11 @@ Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454]

    +
  • + Fixed some bugs in RFC 5011 trust anchor management, + including a memory leak and a possible loss of state + information.[RT #38458] +

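Review bot: the ticket reference in the added bullet is run into the preceding sentence, "information.[RT #38458]", whereas every neighbouring entry separates them with a space ("sizes. [RT #38454]"). Insert the space so the line reads "information. [RT #38458]".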
  • diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index cc6a8d65d4..1003bfcd2f 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -47,13 +47,13 @@
    BIND 9 DNS Library Support
    -
    Prerequisite
    -
    Compilation
    -
    Installation
    -
    Known Defects/Restrictions
    -
    The dns.conf File
    -
    Sample Applications
    -
    Library References
    +
    Prerequisite
    +
    Compilation
    +
    Installation
    +
    Known Defects/Restrictions
    +
    The dns.conf File
    +
    Sample Applications
    +
    Library References
    @@ -89,7 +89,7 @@

    -Prerequisite

    +Prerequisite

    GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@

    -Compilation

    +Compilation
     $ ./configure --enable-exportlib [other flags]
     $ make
    @@ -113,7 +113,7 @@ $ make
     
     

    -Installation

    +Installation
     $ cd lib/export
     $ make install
    @@ -135,7 +135,7 @@ $ make install
     
     

    -Known Defects/Restrictions

    +Known Defects/Restrictions
    • Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $ make

    -The dns.conf File

    +The dns.conf File

    The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $ make

    -Sample Applications

    +Sample Applications

    Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

    -sample: a simple stub resolver utility

    +sample: a simple stub resolver utility

    It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $ make

    -sample-async: a simple stub resolver, working asynchronously

    +sample-async: a simple stub resolver, working asynchronously

    Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $ make

    -sample-request: a simple DNS transaction client

    +sample-request: a simple DNS transaction client

    It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $ make

    -sample-gai: getaddrinfo() and getnameinfo() test code

    +sample-gai: getaddrinfo() and getnameinfo() test code

    This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $ make

    -sample-update: a simple dynamic update client program

    +sample-update: a simple dynamic update client program

    It accepts a single update command as a command-line argument, sends an update request message to the @@ -458,7 +458,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

    -nsprobe: domain/name server checker in terms of RFC 4074

    +nsprobe: domain/name server checker in terms of RFC 4074

    It checks a set of domains to see the name servers of the domains behave @@ -515,7 +515,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

    -Library References

    +Library References

    As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 44a12b6648..5b663db08e 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -268,13 +268,13 @@

    BIND 9 DNS Library Support
    -
    Prerequisite
    -
    Compilation
    -
    Installation
    -
    Known Defects/Restrictions
    -
    The dns.conf File
    -
    Sample Applications
    -
    Library References
    +
    Prerequisite
    +
    Compilation
    +
    Installation
    +
    Known Defects/Restrictions
    +
    The dns.conf File
    +
    Sample Applications
    +
    Library References
    I. Manual pages
    diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index e3e4526cf7..cada7fac6a 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@

    arpaname {ipaddress ...}

    -

    DESCRIPTION

    +

    DESCRIPTION

    arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

    -

    SEE ALSO

    +

    SEE ALSO

    BIND 9 Administrator Reference Manual.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 9bf4f53e66..de63a9e038 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -51,7 +51,7 @@

    ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

    -

    DESCRIPTION

    +

    DESCRIPTION

    tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a algorithm

    @@ -159,7 +159,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    nsupdate(1), named.conf(5), named(8), @@ -167,7 +167,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 754754ed38..cdcc6c9a12 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -53,7 +53,7 @@

    delv [queryopt...] [query...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@

    -

    SIMPLE USAGE

    +

    SIMPLE USAGE

    A typical invocation of delv looks like:

    @@ -151,7 +151,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a anchor-file
    @@ -285,7 +285,7 @@
    -

    QUERY OPTIONS

    +

    QUERY OPTIONS

    delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -471,12 +471,12 @@

    -

    FILES

    +

    FILES

    /etc/bind.keys

    /etc/resolv.conf

    -

    SEE ALSO

    +

    SEE ALSO

    dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 5239ba6853..6dc331b7c4 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@

    dig [global-queryopt...] [query...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@

    -

    SIMPLE USAGE

    +

    SIMPLE USAGE

    A typical invocation of dig looks like:

    @@ -152,7 +152,7 @@

    -

    OPTIONS

    +

    OPTIONS

    The -b option sets the source IP address of the query to address. This must be a valid @@ -260,7 +260,7 @@

    -

    QUERY OPTIONS

    +

    QUERY OPTIONS

    dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -688,7 +688,7 @@

    -

    MULTIPLE QUERIES

    +

    MULTIPLE QUERIES

    The BIND 9 implementation of dig supports @@ -734,7 +734,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    IDN SUPPORT

    +

    IDN SUPPORT

    If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -748,14 +748,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    ${HOME}/.digrc

    -

    SEE ALSO

    +

    SEE ALSO

    host(1), named(8), dnssec-keygen(8), @@ -763,7 +763,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    BUGS

    +

    BUGS

    There are probably too many query options.

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 1fbe74e18e..c598a9d126 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@

    dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -f file

    @@ -88,14 +88,14 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index ae4b2c313b..4aa5198546 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@

    dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -K directory

    @@ -192,7 +192,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-checkds(8), dnssec-dsfromkey(8), @@ -201,7 +201,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 6c9e48371c..a35a8bf159 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@

    dnssec-dsfromkey [-h] [-V]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

    -

    OPTIONS

    +

    OPTIONS

    -1

    @@ -144,7 +144,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -159,7 +159,7 @@

    -

    FILES

    +

    FILES

    The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -173,13 +173,13 @@

    -

    CAVEAT

    +

    CAVEAT

    A keyfile error can give a "file not found" even if the file exists.

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -189,7 +189,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 5c4ea0cfa2..17d5572e9d 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -51,7 +51,7 @@

    dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -f filename
    @@ -114,7 +114,7 @@
    -

    TIMING OPTIONS

    +

    TIMING OPTIONS

    Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@

    -

    FILES

    +

    FILES

    A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -151,7 +151,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index d543aeb794..38383bd723 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@

    dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a algorithm
    @@ -243,7 +243,7 @@
    -

    TIMING OPTIONS

    +

    TIMING OPTIONS

    Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@

    -

    GENERATED KEY FILES

    +

    GENERATED KEY FILES

    When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index db6c65b495..836cc9df12 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@

    dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a algorithm
    @@ -287,7 +287,7 @@
    -

    TIMING OPTIONS

    +

    TIMING OPTIONS

    Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -361,7 +361,7 @@

    -

    GENERATED KEYS

    +

    GENERATED KEYS

    When dnssec-keygen completes successfully, @@ -407,7 +407,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -428,7 +428,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -437,7 +437,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index b5398c43ce..f815bb7783 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@

    dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -h

    @@ -109,14 +109,14 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index b827a99b56..9b99376ed0 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@

    dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -76,7 +76,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -f

    @@ -133,7 +133,7 @@

    -

    TIMING OPTIONS

    +

    TIMING OPTIONS

    Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -212,7 +212,7 @@

    -

    PRINTING OPTIONS

    +

    PRINTING OPTIONS

    dnssec-settime can also be used to print the timing metadata associated with a key. @@ -238,7 +238,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -246,7 +246,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index d1c1a04080..a5aeede1bb 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@

    dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a

    @@ -512,7 +512,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -542,14 +542,14 @@ db.example.com.signed %

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index dbc88be0cc..653b4461d2 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@

    dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -c class

    @@ -138,7 +138,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -146,7 +146,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 2b5b469060..2204e804b1 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@

    genrandom [-n number] {size} (unknown)

    -

    DESCRIPTION

    +

    DESCRIPTION

    genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@

    -

    ARGUMENTS

    +

    ARGUMENTS

    -n number

    @@ -77,14 +77,14 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rand(3), arc4random(3)

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index ef7fc421aa..c300a477cd 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@

    host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

    -

    DESCRIPTION

    +

    DESCRIPTION

    host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -214,7 +214,7 @@

    -

    IDN SUPPORT

    +

    IDN SUPPORT

    If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -228,12 +228,12 @@

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    -

    SEE ALSO

    +

    SEE ALSO

    dig(1), named(8).

    diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index c50a0416bb..0afc9535fb 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@

    isc-hmac-fixup {algorithm} {secret}

    -

    DESCRIPTION

    +

    DESCRIPTION

    Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@

    -

    SECURITY CONSIDERATIONS

    +

    SECURITY CONSIDERATIONS

    Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@

    -

    SEE ALSO

    +

    SEE ALSO

    BIND 9 Administrator Reference Manual, RFC 2104.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index faadad0b04..fff660172e 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@

    named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-p] [-x] [-z]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -h

    @@ -119,21 +119,21 @@

    -

    RETURN VALUES

    +

    RETURN VALUES

    named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index c53fd66bca..6add6b60d3 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@

    named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} (unknown)

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -d

    @@ -305,14 +305,14 @@

    -

    RETURN VALUES

    +

    RETURN VALUES

    named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), named-checkconf(8), RFC 1035, @@ -320,7 +320,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 7d184ed435..1df3374b1b 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@

    named-journalprint {journal}

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), nsupdate(8), @@ -84,7 +84,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 8054f0b3ba..146e68e7c9 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -50,7 +50,7 @@

    named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index ae3ddb6b9b..140bcbc5f4 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@

    named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -4

    @@ -288,7 +288,7 @@

    -

    SIGNALS

    +

    SIGNALS

    In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -309,7 +309,7 @@

    -

    CONFIGURATION

    +

    CONFIGURATION

    The named configuration file is too complex to describe in detail here. A complete description is provided @@ -326,7 +326,7 @@

    -

    FILES

    +

    FILES

    /etc/named.conf

    @@ -339,7 +339,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    RFC 1033, RFC 1034, RFC 1035, @@ -352,7 +352,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 107fe24f2d..f5a4d26902 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@

    nsec3hash {salt} {algorithm} {iterations} {domain}

    -

    DESCRIPTION

    +

    DESCRIPTION

    nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@

    -

    ARGUMENTS

    +

    ARGUMENTS

    salt

    @@ -80,14 +80,14 @@

    -

    SEE ALSO

    +

    SEE ALSO

    BIND 9 Administrator Reference Manual, RFC 5155.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index e21d7dab64..f78af51b32 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@

    nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

    -

    DESCRIPTION

    +

    DESCRIPTION

    nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -236,7 +236,7 @@

    -

    INPUT FORMAT

    +

    INPUT FORMAT

    nsupdate reads input from filename @@ -549,7 +549,7 @@

    -

    EXAMPLES

    +

    EXAMPLES

    The examples below show how nsupdate @@ -603,7 +603,7 @@

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    @@ -626,7 +626,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    RFC 2136, RFC 3007, @@ -641,7 +641,7 @@

    -

    BUGS

    +

    BUGS

    The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index eba55e8c39..f809838b2a 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@

    rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a
    @@ -180,7 +180,7 @@
    -

    EXAMPLES

    +

    EXAMPLES

    To allow rndc to be used with no manual configuration, run @@ -197,7 +197,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc.conf(5), named(8), @@ -205,7 +205,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 6d14b98e2f..e4f71c49ff 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@

    rndc.conf

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

           options {
             default-server  localhost;
    @@ -210,7 +210,7 @@
         

    -

    NAME SERVER CONFIGURATION

    +

    NAME SERVER CONFIGURATION

    The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -220,7 +220,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc-confgen(8), mmencode(1), @@ -228,7 +228,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index b55c716737..d2669b36bd 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@

    rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,78 +81,78 @@

    -

    OPTIONS

    +

    OPTIONS

    -b source-address

    - Use source-address - as the source address for the connection to the server. - Multiple instances are permitted to allow setting of both - the IPv4 and IPv6 source addresses. -

    + Use source-address + as the source address for the connection to the server. + Multiple instances are permitted to allow setting of both + the IPv4 and IPv6 source addresses. +

    -c config-file

    - Use config-file - as the configuration file instead of the default, - /etc/rndc.conf. -

    + Use config-file + as the configuration file instead of the default, + /etc/rndc.conf. +

    -k key-file

    - Use key-file - as the key file instead of the default, - /etc/rndc.key. The key in - /etc/rndc.key will be used to - authenticate - commands sent to the server if the config-file - does not exist. -

    + Use key-file + as the key file instead of the default, + /etc/rndc.key. The key in + /etc/rndc.key will be used to + authenticate + commands sent to the server if the config-file + does not exist. +

    -s server

    server is - the name or address of the server which matches a - server statement in the configuration file for - rndc. If no server is supplied on the - command line, the host named by the default-server clause - in the options statement of the rndc - configuration file will be used. -

    + the name or address of the server which matches a + server statement in the configuration file for + rndc. If no server is supplied on the + command line, the host named by the default-server clause + in the options statement of the rndc + configuration file will be used. +

    -p port

    - Send commands to TCP port - port - instead - of BIND 9's default control channel port, 953. -

    + Send commands to TCP port + port + instead + of BIND 9's default control channel port, 953. +

    -q

    - Quiet mode: Message text returned by the server - will not be printed except when there is an error. -

    + Quiet mode: Message text returned by the server + will not be printed except when there is an error. +

    -V

    - Enable verbose logging. -

    + Enable verbose logging. +

    -y key_id

    - Use the key key_id - from the configuration file. - key_id - must be - known by named with the same algorithm and secret string - in order for control message validation to succeed. - If no key_id - is specified, rndc will first look - for a key clause in the server statement of the server - being used, or if no server statement is present for that - host, then the default-key clause of the options statement. - Note that the configuration file contains shared secrets - which are used to send authenticated control commands - to name servers. It should therefore not have general read - or write access. -

    + Use the key key_id + from the configuration file. + key_id + must be + known by named with the same algorithm and secret string + in order for control message validation to succeed. + If no key_id + is specified, rndc will first look + for a key clause in the server statement of the server + being used, or if no server statement is present for that + host, then the default-key clause of the options statement. + Note that the configuration file contains shared secrets + which are used to send authenticated control commands + to name servers. It should therefore not have general read + or write access. +

    -

    COMMANDS

    +

    COMMANDS

    A list of commands supported by rndc can be seen by running rndc without arguments. @@ -163,246 +163,269 @@

    reload

    - Reload configuration file and zones. -

    + Reload configuration file and zones. +

    reload zone [class [view]]

    - Reload the given zone. -

    + Reload the given zone. +

    refresh zone [class [view]]

    - Schedule zone maintenance for the given zone. -

    + Schedule zone maintenance for the given zone. +

    retransfer zone [class [view]]

    - Retransfer the given slave zone from the master server. -

    + Retransfer the given slave zone from the master server. +

    - If the zone is configured to use - inline-signing, the signed - version of the zone is discarded; after the - retransfer of the unsigned version is complete, the - signed version will be regenerated with all new - signatures. -

    + If the zone is configured to use + inline-signing, the signed + version of the zone is discarded; after the + retransfer of the unsigned version is complete, the + signed version will be regenerated with all new + signatures. +

    sign zone [class [view]]

    - Fetch all DNSSEC keys for the given zone - from the key directory (see the - key-directory option in - the BIND 9 Administrator Reference Manual). If they are within - their publication period, merge them into the - zone's DNSKEY RRset. If the DNSKEY RRset - is changed, then the zone is automatically - re-signed with the new key set. -

    + Fetch all DNSSEC keys for the given zone + from the key directory (see the + key-directory option in + the BIND 9 Administrator Reference Manual). If they are within + their publication period, merge them into the + zone's DNSKEY RRset. If the DNSKEY RRset + is changed, then the zone is automatically + re-signed with the new key set. +

    - This command requires that the - auto-dnssec zone option be set - to allow or - maintain, - and also requires the zone to be configured to - allow dynamic DNS. - (See "Dynamic Update Policies" in the Administrator - Reference Manual for more details.) -

    + This command requires that the + auto-dnssec zone option be set + to allow or + maintain, + and also requires the zone to be configured to + allow dynamic DNS. + (See "Dynamic Update Policies" in the Administrator + Reference Manual for more details.) +

    loadkeys zone [class [view]]

    - Fetch all DNSSEC keys for the given zone - from the key directory. If they are within - their publication period, merge them into the - zone's DNSKEY RRset. Unlike rndc - sign, however, the zone is not - immediately re-signed by the new keys, but is - allowed to incrementally re-sign over time. -

    + Fetch all DNSSEC keys for the given zone + from the key directory. If they are within + their publication period, merge them into the + zone's DNSKEY RRset. Unlike rndc + sign, however, the zone is not + immediately re-signed by the new keys, but is + allowed to incrementally re-sign over time. +

    - This command requires that the - auto-dnssec zone option - be set to maintain, - and also requires the zone to be configured to - allow dynamic DNS. - (See "Dynamic Update Policies" in the Administrator - Reference Manual for more details.) -

    + This command requires that the + auto-dnssec zone option + be set to maintain, + and also requires the zone to be configured to + allow dynamic DNS. + (See "Dynamic Update Policies" in the Administrator + Reference Manual for more details.) +

    freeze [zone [class [view]]]

    - Suspend updates to a dynamic zone. If no zone is - specified, then all zones are suspended. This allows - manual edits to be made to a zone normally updated by - dynamic update. It also causes changes in the - journal file to be synced into the master file. - All dynamic update attempts will be refused while - the zone is frozen. -

    + Suspend updates to a dynamic zone. If no zone is + specified, then all zones are suspended. This allows + manual edits to be made to a zone normally updated by + dynamic update. It also causes changes in the + journal file to be synced into the master file. + All dynamic update attempts will be refused while + the zone is frozen. +

    thaw [zone [class [view]]]

    - Enable updates to a frozen dynamic zone. If no - zone is specified, then all frozen zones are - enabled. This causes the server to reload the zone - from disk, and re-enables dynamic updates after the - load has completed. After a zone is thawed, - dynamic updates will no longer be refused. If - the zone has changed and the - ixfr-from-differences option is - in use, then the journal file will be updated to - reflect changes in the zone. Otherwise, if the - zone has changed, any existing journal file will be - removed. -

    + Enable updates to a frozen dynamic zone. If no + zone is specified, then all frozen zones are + enabled. This causes the server to reload the zone + from disk, and re-enables dynamic updates after the + load has completed. After a zone is thawed, + dynamic updates will no longer be refused. If + the zone has changed and the + ixfr-from-differences option is + in use, then the journal file will be updated to + reflect changes in the zone. Otherwise, if the + zone has changed, any existing journal file will be + removed. +

    scan

    - Scan the list of available network interfaces - for changes, without performing a full - reconfig or waiting for the - interface-interval timer. -

    + Scan the list of available network interfaces + for changes, without performing a full + reconfig or waiting for the + interface-interval timer. +

    sync [-clean] [zone [class [view]]]

    - Sync changes in the journal file for a dynamic zone - to the master file. If the "-clean" option is - specified, the journal file is also removed. If - no zone is specified, then all zones are synced. -

    + Sync changes in the journal file for a dynamic zone + to the master file. If the "-clean" option is + specified, the journal file is also removed. If + no zone is specified, then all zones are synced. +

    notify zone [class [view]]

    - Resend NOTIFY messages for the zone. -

    + Resend NOTIFY messages for the zone. +

    reconfig

    - Reload the configuration file and load new zones, - but do not reload existing zone files even if they - have changed. - This is faster than a full reload when there - is a large number of zones because it avoids the need - to examine the - modification times of the zones files. -

    + Reload the configuration file and load new zones, + but do not reload existing zone files even if they + have changed. + This is faster than a full reload when there + is a large number of zones because it avoids the need + to examine the + modification times of the zones files. +

    zonestatus [zone [class [view]]]

    - Displays the current status of the given zone, - including the master file name and any include - files from which it was loaded, when it was most - recently loaded, the current serial number, the - number of nodes, whether the zone supports - dynamic updates, whether the zone is DNSSEC - signed, whether it uses automatic DNSSEC key - management or inline signing, and the scheduled - refresh or expiry times for the zone. -

    + Displays the current status of the given zone, + including the master file name and any include + files from which it was loaded, when it was most + recently loaded, the current serial number, the + number of nodes, whether the zone supports + dynamic updates, whether the zone is DNSSEC + signed, whether it uses automatic DNSSEC key + management or inline signing, and the scheduled + refresh or expiry times for the zone. +

    +
    managed-keys (status | refresh | sync) [class [view]]
    +

    + When run with the "status" keyword, print the current + status of the managed-keys database for the specified + view, or for all views if none is specified. When run + with the "refresh" keyword, force an immediate refresh + of all the managed-keys in the specified view, or all + views. When run with the "sync" keyword, force an + immediate dump of the managed-keys database to disk (in + the file managed-keys.bind or + (viewname.mkeys). +

    stats

    - Write server statistics to the statistics file. -

    + Write server statistics to the statistics file. +

    querylog [on|off]

    - Enable or disable query logging. (For backward - compatibility, this command can also be used without - an argument to toggle query logging on and off.) -

    + Enable or disable query logging. (For backward + compatibility, this command can also be used without + an argument to toggle query logging on and off.) +

    - Query logging can also be enabled - by explicitly directing the queries - category to a - channel in the - logging section of - named.conf or by specifying - querylog yes; in the - options section of - named.conf. -

    + Query logging can also be enabled + by explicitly directing the queries + category to a + channel in the + logging section of + named.conf or by specifying + querylog yes; in the + options section of + named.conf. +

    dumpdb [-all|-cache|-zone] [view ...]

    - Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. -

    -
    secroots [view ...]
    -

    - Dump the server's security roots and negative trust anchors - to the secroots file for the specified views. If no view is - specified, all views are dumped. -

    + Dump the server's caches (default) and/or zones to + the + dump file for the specified views. If no view is + specified, all + views are dumped. +

    +
    secroots [-] [view ...]
    +
    +

    + Dump the server's security roots and negative trust anchors + for the specified views. If no view is specified, all views + are dumped. +

    +

    + If the first argument is "-", then the output is + returned via the rndc response channel + and printed to the standard output. + Otherwise, it is written to the secroots dump file, which + defaults to named.secroots, but can be + overridden via the secroots-file option in + named.conf. +

    +
    stop [-p]

    - Stop the server, making sure any recent changes - made through dynamic update or IXFR are first saved to - the master files of the updated zones. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed stopping. -

    + Stop the server, making sure any recent changes + made through dynamic update or IXFR are first saved to + the master files of the updated zones. + If -p is specified named's process id is returned. + This allows an external process to determine when named + had completed stopping. +

    halt [-p]

    - Stop the server immediately. Recent changes - made through dynamic update or IXFR are not saved to - the master files, but will be rolled forward from the - journal files when the server is restarted. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed halting. -

    + Stop the server immediately. Recent changes + made through dynamic update or IXFR are not saved to + the master files, but will be rolled forward from the + journal files when the server is restarted. + If -p is specified named's process id is returned. + This allows an external process to determine when named + had completed halting. +

    trace

    - Increment the servers debugging level by one. -

    + Increment the servers debugging level by one. +

    trace level

    - Sets the server's debugging level to an explicit - value. -

    + Sets the server's debugging level to an explicit + value. +

    notrace

    - Sets the server's debugging level to 0. -

    + Sets the server's debugging level to 0. +

    flush

    - Flushes the server's cache. -

    + Flushes the server's cache. +

    flushname name [view]

    - Flushes the given name from the view's DNS cache - and, if applicable, from the view's nameserver address - database, bad server cache and SERVFAIL cache. -

    + Flushes the given name from the view's DNS cache + and, if applicable, from the view's nameserver address + database, bad server cache and SERVFAIL cache. +

    flushtree name [view]

    - Flushes the given name, and all of its subdomains, - from the view's DNS cache, address database, - bad server cache, and SERVFAIL cache. -

    + Flushes the given name, and all of its subdomains, + from the view's DNS cache, address database, + bad server cache, and SERVFAIL cache. +

    status

    - Display status of the server. - Note that the number of zones includes the internal bind/CH zone - and the default ./IN - hint zone if there is not an - explicit root zone configured. -

    + Display status of the server. + Note that the number of zones includes the internal bind/CH zone + and the default ./IN + hint zone if there is not an + explicit root zone configured. +

    recursing

    - Dump the list of queries named is currently recursing - on. -

    + Dump the list of queries named is currently recursing + on. +

    validation ( on | off | check ) [view ...]

    - Enable, disable, or check the current status of - DNSSEC validation. - Note dnssec-enable also needs to be - set to yes or - auto to be effective. - It defaults to enabled. -

    + Enable, disable, or check the current status of + DNSSEC validation. + Note dnssec-enable also needs to be + set to yes or + auto to be effective. + It defaults to enabled. +

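Review bot: The new managed-keys description in this hunk has unbalanced parentheses in the "sync" sentence: "(in the file managed-keys.bind or (viewname.mkeys)." opens two parentheses and closes only one; suggest "(in the file managed-keys.bind or viewname.mkeys)." Since the same wording is what the rendered man page will carry, the fix should go into whatever source this HTML is rendered from rather than into the HTML alone. Secondary: apart from the managed-keys and secroots additions, almost every -/+ pair in this hunk is a byte-identical re-render of the surrounding text (for example the "reload", "refresh", and "retransfer" entries), which buries the real change; regenerating the documentation in a separate commit would make the substantive diff reviewable.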
    nta [( -d | -f | -r | -l duration)] domain @@ -410,135 +433,135 @@

    - Sets a DNSSEC negative trust anchor (NTA) - for domain, with a lifetime of - duration. The default lifetime is - configured in named.conf via the - nta-lifetime option, and defaults to - one hour. The lifetime cannot exceed one week. -

    + Sets a DNSSEC negative trust anchor (NTA) + for domain, with a lifetime of + duration. The default lifetime is + configured in named.conf via the + nta-lifetime option, and defaults to + one hour. The lifetime cannot exceed one week. +

    - A negative trust anchor selectively disables - DNSSEC validation for zones that are known to be - failing because of misconfiguration rather than - an attack. When data to be validated is - at or below an active NTA (and above any other - configured trust anchors), named will - abort the DNSSEC validation process and treat the data as - insecure rather than bogus. This continues until the - NTA's lifetime is elapsed. -

    + A negative trust anchor selectively disables + DNSSEC validation for zones that are known to be + failing because of misconfiguration rather than + an attack. When data to be validated is + at or below an active NTA (and above any other + configured trust anchors), named will + abort the DNSSEC validation process and treat the data as + insecure rather than bogus. This continues until the + NTA's lifetime is elapsed. +

    - NTAs persist across restarts of the named server. - The NTAs for a view are saved in a file called - name.nta, - where name is the - name of the view, or if it contains characters - that are incompatible with use as a file name, a - cryptographic hash generated from the name - of the view. -

    + NTAs persist across restarts of the named server. + The NTAs for a view are saved in a file called + name.nta, + where name is the + name of the view, or if it contains characters + that are incompatible with use as a file name, a + cryptographic hash generated from the name + of the view. +

    - An existing NTA can be removed by using the - -remove option. -

    + An existing NTA can be removed by using the + -remove option. +

    - An NTA's lifetime can be specified with the - -lifetime option. TTL-style - suffixes can be used to specify the lifetime in - seconds, minutes, or hours. If the specified NTA - already exists, its lifetime will be updated to the - new value. Setting lifetime to zero - is equivalent to -remove. -

    + An NTA's lifetime can be specified with the + -lifetime option. TTL-style + suffixes can be used to specify the lifetime in + seconds, minutes, or hours. If the specified NTA + already exists, its lifetime will be updated to the + new value. Setting lifetime to zero + is equivalent to -remove. +

    - If -dump is used, any other arguments - are ignored, and a list of existing NTAs is printed - (note that this may include NTAs that are expired but - have not yet been cleaned up). -

    + If -dump is used, any other arguments + are ignored, and a list of existing NTAs is printed + (note that this may include NTAs that are expired but + have not yet been cleaned up). +

    - Normally, named will periodically - test to see whether data below an NTA can now be - validated (see the nta-recheck option - in the Administrator Reference Manual for details). - If data can be validated, then the NTA is regarded as - no longer necessary, and will be allowed to expire - early. The -force overrides this - behavior and forces an NTA to persist for its entire - lifetime, regardless of whether data could be - validated if the NTA were not present. -

    + Normally, named will periodically + test to see whether data below an NTA can now be + validated (see the nta-recheck option + in the Administrator Reference Manual for details). + If data can be validated, then the NTA is regarded as + no longer necessary, and will be allowed to expire + early. The -force overrides this + behavior and forces an NTA to persist for its entire + lifetime, regardless of whether data could be + validated if the NTA were not present. +

    - All of these options can be shortened, i.e., to - -l, -r, -d, - and -f. -

    + All of these options can be shortened, i.e., to + -l, -r, -d, + and -f. +

    tsig-list

    - List the names of all TSIG keys currently configured - for use by named in each view. The - list both statically configured keys and dynamic - TKEY-negotiated keys. -

    + List the names of all TSIG keys currently configured + for use by named in each view. The + list both statically configured keys and dynamic + TKEY-negotiated keys. +

    tsig-delete keyname [view]

    - Delete a given TKEY-negotiated key from the server. - (This does not apply to statically configured TSIG - keys.) -

    + Delete a given TKEY-negotiated key from the server. + (This does not apply to statically configured TSIG + keys.) +

    addzone zone [class [view]] configuration

    - Add a zone while the server is running. This - command requires the - allow-new-zones option to be set - to yes. The - configuration string - specified on the command line is the zone - configuration text that would ordinarily be - placed in named.conf. -

    + Add a zone while the server is running. This + command requires the + allow-new-zones option to be set + to yes. The + configuration string + specified on the command line is the zone + configuration text that would ordinarily be + placed in named.conf. +

    - The configuration is saved in a file called - name.nzf, - where name is the - name of the view, or if it contains characters - that are incompatible with use as a file name, a - cryptographic hash generated from the name - of the view. - When named is - restarted, the file will be loaded into the view - configuration, so that zones that were added - can persist after a restart. -

    + The configuration is saved in a file called + name.nzf, + where name is the + name of the view, or if it contains characters + that are incompatible with use as a file name, a + cryptographic hash generated from the name + of the view. + When named is + restarted, the file will be loaded into the view + configuration, so that zones that were added + can persist after a restart. +

    - This sample addzone command - would add the zone example.com - to the default view: -

    + This sample addzone command + would add the zone example.com + to the default view: +

    $ rndc addzone example.com '{ type master; file "example.com.db"; };' -

    +

    - (Note the brackets and semi-colon around the zone - configuration text.) -

    + (Note the brackets and semi-colon around the zone + configuration text.) +

    modzone zone [class [view]] configuration

    - Modify the configuration of a zone while the server + Modify the configuration of a zone while the server is running. This command requires the - allow-new-zones option to be + allow-new-zones option to be set to yes. As with addzone, the - configuration string - specified on the command line is the zone - configuration text that would ordinarily be - placed in named.conf. -

    + configuration string + specified on the command line is the zone + configuration text that would ordinarily be + placed in named.conf. +

    If the zone was originally added via rndc addzone, the configuration @@ -551,25 +574,25 @@ its original configuration. To make the changes permanent, it must also be modified in named.conf -

    +

    delzone [-clean] zone [class [view]]

    - Delete a zone while the server is running. -

    + Delete a zone while the server is running. +

    - If the -clean is specified, - the zone's master file (and journal file, if any) - will be deleted along with the zone. Without the - -clean option, zone files must - be cleaned up by hand. (If the zone is of - type "slave" or "stub", the files needing to - be cleaned up will be reported in the output - of the rndc delzone command.) -

    + If the -clean is specified, + the zone's master file (and journal file, if any) + will be deleted along with the zone. Without the + -clean option, zone files must + be cleaned up by hand. (If the zone is of + type "slave" or "stub", the files needing to + be cleaned up will be reported in the output + of the rndc delzone command.) +

    - If the zone was originally added via + If the zone was originally added via rndc addzone, then it will be removed permanently. However, if it was originally configured in named.conf, then @@ -581,72 +604,72 @@

    showzone zone [class [view]]

    - Print the configuration of a running zone. -

    + Print the configuration of a running zone. +

    signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) | -serial value ) ] zone [class [view]]

    - List, edit, or remove the DNSSEC signing state records - for the specified zone. The status of ongoing DNSSEC - operations (such as signing or generating - NSEC3 chains) is stored in the zone in the form - of DNS resource records of type - sig-signing-type. - rndc signing -list converts - these records into a human-readable form, - indicating which keys are currently signing - or have finished signing the zone, and which NSEC3 - chains are being created or removed. -

    + List, edit, or remove the DNSSEC signing state records + for the specified zone. The status of ongoing DNSSEC + operations (such as signing or generating + NSEC3 chains) is stored in the zone in the form + of DNS resource records of type + sig-signing-type. + rndc signing -list converts + these records into a human-readable form, + indicating which keys are currently signing + or have finished signing the zone, and which NSEC3 + chains are being created or removed. +

    - rndc signing -clear can remove - a single key (specified in the same format that - rndc signing -list uses to - display it), or all keys. In either case, only - completed keys are removed; any record indicating - that a key has not yet finished signing the zone - will be retained. -

    + rndc signing -clear can remove + a single key (specified in the same format that + rndc signing -list uses to + display it), or all keys. In either case, only + completed keys are removed; any record indicating + that a key has not yet finished signing the zone + will be retained. +

    - rndc signing -nsec3param sets - the NSEC3 parameters for a zone. This is the - only supported mechanism for using NSEC3 with - inline-signing zones. - Parameters are specified in the same format as - an NSEC3PARAM resource record: hash algorithm, - flags, iterations, and salt, in that order. -

    + rndc signing -nsec3param sets + the NSEC3 parameters for a zone. This is the + only supported mechanism for using NSEC3 with + inline-signing zones. + Parameters are specified in the same format as + an NSEC3PARAM resource record: hash algorithm, + flags, iterations, and salt, in that order. +

    - Currently, the only defined value for hash algorithm - is 1, representing SHA-1. - The flags may be set to - 0 or 1, - depending on whether you wish to set the opt-out - bit in the NSEC3 chain. iterations - defines the number of additional times to apply - the algorithm when generating an NSEC3 hash. The - salt is a string of data expressed - in hexadecimal, a hyphen (`-') if no salt is - to be used, or the keyword auto, - which causes named to generate a - random 64-bit salt. -

    + Currently, the only defined value for hash algorithm + is 1, representing SHA-1. + The flags may be set to + 0 or 1, + depending on whether you wish to set the opt-out + bit in the NSEC3 chain. iterations + defines the number of additional times to apply + the algorithm when generating an NSEC3 hash. The + salt is a string of data expressed + in hexadecimal, a hyphen (`-') if no salt is + to be used, or the keyword auto, + which causes named to generate a + random 64-bit salt. +

    - So, for example, to create an NSEC3 chain using - the SHA-1 hash algorithm, no opt-out flag, - 10 iterations, and a salt value of "FFFF", use: - rndc signing -nsec3param 1 0 10 FFFF zone. - To set the opt-out flag, 15 iterations, and no - salt, use: - rndc signing -nsec3param 1 1 15 - zone. -

    + So, for example, to create an NSEC3 chain using + the SHA-1 hash algorithm, no opt-out flag, + 10 iterations, and a salt value of "FFFF", use: + rndc signing -nsec3param 1 0 10 FFFF zone. + To set the opt-out flag, 15 iterations, and no + salt, use: + rndc signing -nsec3param 1 1 15 - zone. +

    - rndc signing -nsec3param none - removes an existing NSEC3 chain and replaces it - with NSEC. -

    + rndc signing -nsec3param none + removes an existing NSEC3 chain and replaces it + with NSEC. +

    - rndc signing -serial value sets + rndc signing -serial value sets the serial number of the zone to value. If the value would cause the serial number to go backwards it will be rejected. The primary use is to set the serial on @@ -656,7 +679,7 @@

    -

    LIMITATIONS

    +

    LIMITATIONS

    There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -666,7 +689,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc.conf(5), rndc-confgen(8), named(8), @@ -676,7 +699,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index a7e4595db2..74eb35553f 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -276,6 +276,13 @@ queries and then waits for responses, instead of sending one query and waiting the response before sending the next. [RT #38261]

    +
  • + To enable better monitoring and troubleshooting of RFC 5011 + trust anchor management, the new rndc managed-keys + can be used to check status of trust anchors or to force keys + to be refreshed. Also, the managed-keys data file now has + easier-to-read comments. [RT #38458] +

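Review bot: The release note added in this hunk is missing a noun: "the new rndc managed-keys can be used to check status of trust anchors" should read "the new rndc managed-keys command can be used to check the status of trust anchors". The rest of the entry reads fine.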
  • @@ -435,6 +442,11 @@ Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454]

    +
  • + Fixed some bugs in RFC 5011 trust anchor management, + including a memory leak and a possible loss of state + information.[RT #38458] +
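Review bot: Missing space before the ticket reference in this hunk: "information.[RT #38458]" should be "information. [RT #38458]", matching the "[RT #38261]" and "[RT #38454]" entries in the surrounding context. This entry also cites the same ticket as the managed-keys feature note added earlier in this file; if the memory leak and state-loss fixes landed as part of that same change, either say so here or merge the two entries so readers are not left wondering whether they are separate items.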