diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 8e870d54eb..3a64b338d4 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.28 2005/05/19 12:34:32 marka Exp $
+.\" $Id: named-checkzone.8,v 1.29 2005/06/20 03:30:26 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -38,13 +38,17 @@
 ..
 .TH "NAMED-CHECKZONE" 8 "June 13, 2000" "" ""
 .SH NAME
-named-checkzone \- zone file validity checking tool
+named-checkzone, named-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-i\ \fImode\fR\fR] [\fB\-k\ \fImode\fR\fR] [\fB\-m\ \fImode\fR\fR] [\fB\-n\ \fImode\fR\fR] [\fB\-o\ \fIfilename\fR\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-w\ \fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-f\ \fIformat\fR\fR] [\fB\-F\ \fIformat\fR\fR] [\fB\-i\ \fImode\fR\fR] [\fB\-k\ \fImode\fR\fR] [\fB\-m\ \fImode\fR\fR] [\fB\-n\ \fImode\fR\fR] [\fB\-o\ \fIfilename\fR\fR] [\fB\-s\ \fIstyle\fR\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-w\ \fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fImode\fR\fR] {zonename} {filename}
+.HP 18
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-f\ \fIformat\fR\fR] [\fB\-F\ \fIformat\fR\fR] [\fB\-i\ \fImode\fR\fR] [\fB\-k\ \fImode\fR\fR] [\fB\-m\ \fImode\fR\fR] [\fB\-n\ \fImode\fR\fR] [\fB\-o\ \fIfilename\fR\fR] [\fB\-s\ \fIstyle\fR\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-w\ \fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fImode\fR\fR] {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR checks the syntax and integrity of a zone file\&. It performs the same checks as \fBnamed\fR does when loading a zone\&. This makes \fBnamed\-checkzone\fR useful for checking zone files before configuring them into a name server\&.
+.PP
+ \fBnamed\-compilezone\fR is similar to\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by \fBnamed\fR\&.
When manaully specified otherwise, the check levels must at least be as strict as those specified in the\fBnamed\fR configuration file\&.
 .SH "OPTIONS"
 .TP
 \-d
@@ -69,17 +73,26 @@ Mode \fB"full"\fR checks that SRV records refer to A or AAAA record (both in\-zo Mode \fB"full"\fR checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue addresses records in the zone match those advertised by the child\&. Mode \fB"local"\fR only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&. Mode \fB"none"\fR disables the checks\&. .TP +\-f \fIformat\fR +Specify the format of the zone file\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&. +.TP +\-F \fIformat\fR +Specify the format of the output file specified\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&. For \fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&. +.TP \-k \fImode\fR -Perform \fB"check\-name"\fR checks with the specified failure mode\&. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR\&. +Perform \fB"check\-name"\fR checks with the specified failure mode\&. Possible modes are \fB"fail"\fR (default for \fBnamed\-compilezone\fR), \fB"warn"\fR (default for \fBnamed\-checkzone\fR) and \fB"ignore"\fR\&. .TP \-m \fImode\fR Specify whether MX records should be checked to see if they are addresses\&. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR\&. .TP \-n \fImode\fR -Specify whether NS records should be checked to see if they are addresses\&. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR\&. +Specify whether NS records should be checked to see if they are addresses\&. Possible modes are \fB"fail"\fR (default for \fBnamed\-compilezone\fR), \fB"warn"\fR (default for \fBnamed\-checkzone\fR) and \fB"ignore"\fR\&. .TP \-o \fIfilename\fR -Write zone output to \fIfilename\fR\&. +Write zone output to \fIfilename\fR\&. This is mandatory for \fBnamed\-compilezone\fR\&. 
+.TP +\-s \fIstyle\fR +Specify the style of the dumped zone file\&. Possible styles are \fB"full"\fR (default) and \fB"default"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the default format is more human\-readable and is thus suitable for editing by hand\&. For \fBnamed\-checkzone\fR this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&. .TP \-t \fIdirectory\fR chroot to \fIdirectory\fR so that include directives in the configuration file are processed as if run by a similarly chrooted named\&. @@ -88,7 +101,7 @@ chroot to \fIdirectory\fR so that include directives in the configuration file a chdir to \fIdirectory\fR so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in \fInamed\&.conf\fR\&. .TP \-D -Dump zone file in canonical format\&. +Dump zone file in canonical format\&. This is always enabled for \fBnamed\-compilezone\fR\&. .TP \-W \fImode\fR Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are \fB"warn"\fR (default) and \fB"ignore"\fR\&. diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html index 2246b1c628..c8640df26f 100644 --- a/bin/check/named-checkzone.html +++ b/bin/check/named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -25,23 +25,35 @@named-checkzone — zone file validity checking tool
+named-checkzone, named-compilezone — zone file validity checking or converting tool
named-checkzone
[-d
] [-j
] [-q
] [-v
] [-c
] [class
-i
] [mode
-k
] [mode
-m
] [mode
-n
] [mode
-o
] [filename
-t
] [directory
-w
] [directory
-D
] [-W
] {zonename} {filename}mode
named-checkzone
[-d
] [-j
] [-q
] [-v
] [-c
] [class
-f
] [format
-F
] [format
-i
] [mode
-k
] [mode
-m
] [mode
-n
] [mode
-o
] [filename
-s
] [style
-t
] [directory
-w
] [directory
-D
] [-W
] {zonename} {filename}mode
named-compilezone
[-d
] [-j
] [-q
] [-v
] [-c
] [class
-f
] [format
-F
] [format
-i
] [mode
-k
] [mode
-m
] [mode
-n
] [mode
-o
] [filename
-s
] [style
-t
] [directory
-w
] [directory
-D
] [-W
] {zonename} {filename}mode
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named-checkzone useful for checking zone files before configuring them into a name server.
++ named-compilezone is similar to + named-checkzone, but it always dumps the + zone contents to a specified file in a specified format. + Additionally, it applies stricter check levels by default, + since the dump output will be used as an actual zone file + loaded by named. + When manaully specified otherwise, the check levels must at + least be as strict as those specified in the + named configuration file. +
@@ -97,12 +109,29 @@ Mode "none" disables the checks.
format
+ Specify the format of the zone file. + Possible formats are "text" (default) + and "raw". +
format
+ Specify the format of the output file specified. + Possible formats are "text" (default) + and "raw". + For named-checkzone, + this does not cause any effects unless it dumps the zone + contents. +
mode
- Perform "check-name" checks with - the specified failure mode. - Possible modes are "fail", - "warn" (default) and + Perform "check-name" checks with the + specified failure mode. + Possible modes are "fail" + (default for named-compilezone), + "warn" + (default for named-checkzone) and "ignore".
mode
mode
Specify whether NS records should be checked to see if they - are addresses. Possible modes are "fail", - "warn" (default) and + are addresses. + Possible modes are "fail" + (default for named-compilezone), + "warn" + (default for named-checkzone) and "ignore".
filename
Write zone output to filename
.
+ This is mandatory for named-compilezone.
style
+ Specify the style of the dumped zone file. + Possible styles are "full" (default) + and "default". + The full format is most suitable for processing + automatically by a separate script. + On the other hand, the default format is more + human-readable and is thus suitable for editing by hand. + For named-checkzone + this does not cause any effects unless it dumps the zone + contents. + It also does not have any meaning if the output format + is not text. +
directory
chroot to directory
so that
@@ -141,6 +189,7 @@
Dump zone file in canonical format. + This is always enabled for named-compilezone.
mode
@@ -162,21 +211,21 @@
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-checkzone
[-djqvD] [-c class
] [-o output
] [-t directory
] [-w directory
] [-k (ignore|warn|fail)
] [-n (ignore|warn|fail)
] [-W (ignore|warn)
] zone
[filename
]
+ Similar to named-checkzone, but + it always dumps the zone content to a specified file + (typically in a different format). +
Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index f755e8f33a..63b72a0b9f 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -49,28 +49,28 @@Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a Split DNS setup. There are several reasons an organization @@ -467,7 +467,7 @@ nameserver 172.16.72.4
A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must @@ -475,7 +475,7 @@ nameserver 172.16.72.4
The following command will generate a 128 bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys @@ -500,7 +500,7 @@ nameserver 172.16.72.4
The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming @@ -515,7 +515,7 @@ nameserver 172.16.72.4
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. @@ -523,7 +523,7 @@ nameserver 172.16.72.4
Imagine host1 and host 2 are @@ -552,7 +552,7 @@ key host1-host2. {
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the named.conf
file
@@ -584,7 +584,7 @@ server 10.1.2.3 {
BIND allows IP addresses and ranges to be specified in ACL @@ -612,7 +612,7 @@ allow-update { key host1-host2. ;};
The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware @@ -638,7 +638,7 @@ allow-update { key host1-host2. ;};
TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of @@ -674,7 +674,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC2931. @@ -736,7 +736,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to generate keys. @@ -787,7 +787,7 @@ allow-update { key host1-host2. ;};
The dnssec-signzone program is used to @@ -831,7 +831,7 @@ allow-update { key host1-host2. ;};
Unlike BIND 8, BIND 9 does not verify signatures on @@ -848,7 +848,7 @@ allow-update { key host1-host2. ;};
BIND 9 fully supports all currently defined forms of IPv6 @@ -892,7 +892,7 @@ allow-update { key host1-host2. ;};
The AAAA record is a parallel to the IPv4 A record. It specifies the entire address in a single record. For @@ -912,7 +912,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 644471f633..c8ff701471 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,13 +45,13 @@Table of Contents
Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 60123ed303..0ba4352cb4 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -48,52 +48,53 @@address_match_list
= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element
= [ ! ] (ip_address [/length] | @@ -420,7 +421,7 @@Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -497,7 +498,7 @@
The BIND 9 comment syntax allows for comments to appear @@ -507,7 +508,7 @@
/* This is a BIND comment as in C */
@@ -522,7 +523,7 @@Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -756,7 +757,7 @@
acl acl-name { address_match_list }; @@ -839,7 +840,7 @@controls { inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list
} keys {key_list
}; @@ -979,12 +980,12 @@includefilename
;The include statement inserts the @@ -999,7 +1000,7 @@
keykey_id
{ algorithmstring
; secretstring
; @@ -1008,7 +1009,7 @@The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1051,7 +1052,7 @@
logging { [ channel@@ -2693,7 +2695,7 @@ options {channel_name
{ ( filepath name
@@ -1075,7 +1076,7 @@The logging statement configures a @@ -1109,7 +1110,7 @@
All log output goes to one or more channels; you can make as many of them as you want. @@ -1628,7 +1629,7 @@ category notify { null; };
This is the grammar of the lwres statement in the
named.conf
file: @@ -1643,7 +1644,7 @@ category notify { null; };The lwres statement configures the name @@ -1694,14 +1695,14 @@ category notify { null; };
mastersname
[portip_port
] { (masters_list
|ip_addr
[portip_port
] [keykey
] ) ; [...] } ;masters lists allow for a common set of masters to be easily used by @@ -1710,7 +1711,7 @@ category notify { null; };
This is the grammar of the options statement in the
named.conf
file: @@ -1831,6 +1832,7 @@ category notify { null; }; [ use-additional-cacheyes_or_no
; ] [ acache-cleaning-intervalnumber
; ] [ max-acache-sizesize_spec
; ] + [ masterfile-format (text
|raw
) ; ] };The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -2737,7 +2739,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -2902,7 +2904,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -2982,7 +2984,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
If the server doesn't know the answer to a question, it will query other name servers. query-source specifies @@ -3237,7 +3239,7 @@ query-source-v6 address * port *;
avoid-v4-udp-ports and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that will not be used as system @@ -3251,7 +3253,7 @@ query-source-v6 address * port *;
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -3311,7 +3313,7 @@ query-source-v6 address * port *;
The following options set limits on the server's resource consumption that are enforced internally by the @@ -3390,7 +3392,7 @@ query-source-v6 address * port *;
- cleaning-interval
- +
@@ -3783,6 +3785,31 @@ query-source-v6 address * port *; packets and/or block UDP packets that are greater than 512 bytes.
- masterfile-format
+masterfile-format specifies + the file format of zone files (see + the section called “Additional File Formats”). + The default value is
text
, which is the + standard textual representation. Files in other formats + thantext
are typically expected + to be generated by the named-compilezone. + Note that when a zone file in a different format than +text
is loaded, named + may omit some of the checks which would be performed for a + file in thetext
format. In particular, + check-names checks do not apply + for theraw
format. This means + a zone file in theraw
format + must be generated with the same check level as that + specified in the named configuration + file. This statement sets the + masterfile-format for all zones, + but can be overridden on a per-zone / per-view basis + by including a masterfile-format + statement within the zone or + view block in the configuration + file. +@@ -4222,7 +4249,7 @@ query-source-v6 address * port *;trusted-keys {string
number
number
number
string
; [string
number
number
number
string
; [...]] @@ -4231,7 +4258,7 @@ query-source-v6 address * port *;The trusted-keys statement defines @@ -4270,7 +4297,7 @@ query-source-v6 address * port *;
The view statement is a powerful new feature @@ -4406,6 +4433,7 @@ view "external" { [ dialup
dialup_option
; ] [ delegation-onlyyes_or_no
; ] [ filestring
; ] + [ masterfile-format (text
|raw
) ; ] [ journalstring
; ] [ forward (only
|first
) ; ] [ forwarders {ip_addr
[portip_port
] ; [ip_addr
[portip_port
] ; ... ] }; ] @@ -4442,10 +4470,10 @@ view "external" {