Rebuild documentation

2025-08-30 05:57:52 +00:00 · 2020-02-23 20:48:55 -08:00 · 2020-02-23 20:48:55 -08:00 · 89ff6cabf9
commit 89ff6cabf9
parent b273ed8a63
65 changed files with 575 additions and 2096 deletions
--- a/8
+++ b/8
@ -228,11 +228,9 @@ developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
+values better suited to small machines, e.g. OpenWRT boxes, by specifying
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
+--with-tuning=small on the configure command line. This will decrease
-large on the configure command line. This can improve performance on big
+memory usage by using smaller structures, but will degrade performance.
 servers, but will consume more memory and may degrade performance on
 smaller systems.
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@ -233,7 +233,10 @@ Change the default TCP/UDP name server port to
 .RS 4
 Change the type of the information query\&.
 .sp
-(Default = A; abbreviations = q, ty)
+(Default = A and then AAAA; abbreviations = q, ty)
 .sp
 \fBNote:\fR
 It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
 .RE
 .PP
 \fB\fI[no]\fR\fR\fBrecurse\fR
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@ -290,7 +290,13 @@ nslookup -query=hinfo  -timeout=10
                    Change the type of the information query.
                  </p>
                  <p>
-                    (Default = A; abbreviations = q, ty)
+                    (Default = A and then AAAA; abbreviations = q, ty)
                  </p>
                    <p>
                      <span class="bold"><strong>Note:</strong></span> It is
                      only possible to specify one query type, only
                      the default behavior looks up both when an
                      alternative is not specified.
                    </p>
                </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@ -92,7 +92,7 @@ Specifies the label for a key pair in the crypto hardware\&.
 .sp
 When
 BIND
-9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR"\&.
+9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
 .sp
 When
 BIND
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@ -146,9 +146,7 @@
 	  <p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 	    PKCS#11 support, the label is an arbitrary string that
-	    identifies a particular key.  It may be preceded by an
+	    identifies a particular key.
 	    optional OpenSSL engine name, followed by a colon, as in
 	    "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
 	  </p>
 	  <p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
--- a/bin/named/named.8
+++ b/bin/named/named.8
@ -187,7 +187,7 @@ Allow
 \fBnamed\fR
 to use up to
 \fI#max\-socks\fR
-sockets\&. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure \-\-with\-tuning=large"\&.
+sockets\&. The default value is 21000 on systems built with default configuration options, and 4096 on systems built with "configure \-\-with\-tuning=small"\&.
 .if n \{\
 .sp
 .\}
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-08-12
+.\"      Date: 2020-02-07
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2020\-02\-07" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@ -97,6 +97,31 @@ dlz \fIstring\fR {
 .if n \{\
 .RE
 .\}
 .SH "DNSSEC-POLICY"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
 dnssec\-policy \fIstring\fR {
 	dnskey\-ttl \fIduration\fR;
 	keys { ( csk | ksk | zsk ) ( key\-directory ) lifetime ( \fIduration\fR | unlimited )
 	    algorithm \fIinteger\fR [ \fIinteger\fR ]; \&.\&.\&. };
 	max\-zone\-ttl \fIduration\fR;
 	parent\-ds\-ttl \fIduration\fR;
 	parent\-propagation\-delay \fIduration\fR;
 	parent\-registration\-delay \fIduration\fR;
 	publish\-safety \fIduration\fR;
 	retire\-safety \fIduration\fR;
 	signatures\-refresh \fIduration\fR;
 	signatures\-validity \fIduration\fR;
 	signatures\-validity\-dnskey \fIduration\fR;
 	zone\-propagation\-delay \fIduration\fR;
 };
 .fi
 .if n \{\
 .RE
 .\}
 .SH "DYNDB"
 .sp
 .if n \{\
@ -150,7 +175,7 @@ logging {
 .\}
 .SH "MANAGED-KEYS"
 .PP
-Deprecated \- see TRUST\-ANCHORS\&.
+Deprecated \- see DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
@ -262,6 +287,7 @@ options {
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
 	dnssec\-policy \fIstring\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
 	dnssec\-update\-mode ( maintain | no\-resign );
 	dnssec\-validation ( yes | no | auto );
@ -411,8 +437,8 @@ options {
 	    \fIinteger\fR;
 	response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
 	    \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
-	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
+	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
-	    nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+	    | nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
 	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
 	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@ -567,7 +593,7 @@ trust\-anchors { \fIstring\fR ( static\-key |
 .\}
 .SH "TRUSTED-KEYS"
 .PP
-Deprecated \- see TRUST\-ANCHORS\&.
+Deprecated \- see DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
@ -657,6 +683,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
 	dnssec\-policy \fIstring\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
 	dnssec\-update\-mode ( maintain | no\-resign );
 	dnssec\-validation ( yes | no | auto );
@ -780,8 +807,8 @@ view \fIstring\fR [ \fIclass\fR ] {
 	    \fIinteger\fR;
 	response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
 	    \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
-	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
+	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
-	    nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+	    | nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
 	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
 	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@ -1067,30 +1094,6 @@ zone \fIstring\fR [ \fIclass\fR ] {
 .if n \{\
 .RE
 .\}
 .SH "DNSSEC-POLICY"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
 dnssec\-policy \fIstring\fR {
 	dnskey\-ttl \fIduration\fR;
 	keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
 	parent\-ds\-ttl \fIduration\fR;
 	parent\-propagation\-delay \fIduration\fR;
 	parent\-registration\-delay \fIduration\fR;
 	publish\-safety \fIduration\fR;
 	retire\-safety \fIduration\fR;
 	signatures\-refresh \fIduration\fR;
 	signatures\-validity \fIduration\fR;
 	signatures\-validity\-dnskey \fIduration\fR;
 	zone\-max\-ttl \fIduration\fR;
 	zone\-propagation\-delay \fIduration\fR;
 };
 .fi
 .if n \{\
 .RE
 .\}
 .SH "FILES"
 .PP
 /etc/named\&.conf
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@ -13,7 +13,7 @@
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
  <info>
-    <date>2019-12-12</date>
+    <date>2020-02-07</date>
  </info>
  <refentryinfo>
    <corpname>ISC</corpname>
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@ -92,7 +92,28 @@ dlz
  </div>
  <div class="refsection">
-<a name="id-1.11"></a><h2>DYNDB</h2>
+<a name="id-1.11"></a><h2>DNSSEC-POLICY</h2>
    <div class="literallayout"><p><br>
 dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
 	dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited )<br>
 	    algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	max-zone-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 	parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
 	publish-safety <em class="replaceable"><code>duration</code></em>;<br>
 	retire-safety <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
 	zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 };<br>
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.12"></a><h2>DYNDB</h2>
    <div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
     <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -100,7 +121,7 @@ dyndb
  </div>
  <div class="refsection">
-<a name="id-1.12"></a><h2>KEY</h2>
+<a name="id-1.13"></a><h2>KEY</h2>
    <div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -110,7 +131,7 @@ key
  </div>
  <div class="refsection">
-<a name="id-1.13"></a><h2>LOGGING</h2>
+<a name="id-1.14"></a><h2>LOGGING</h2>
    <div class="literallayout"><p><br>
 logging {<br>
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -131,8 +152,8 @@ logging
  </div>
  <div class="refsection">
-<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
+<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
 managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
     | initial-key | static-ds |<br>
@ -142,7 +163,7 @@ managed-keys
  </div>
  <div class="refsection">
-<a name="id-1.15"></a><h2>MASTERS</h2>
+<a name="id-1.16"></a><h2>MASTERS</h2>
    <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
     <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -152,7 +173,7 @@ masters
  </div>
  <div class="refsection">
-<a name="id-1.16"></a><h2>OPTIONS</h2>
+<a name="id-1.17"></a><h2>OPTIONS</h2>
    <div class="literallayout"><p><br>
 options {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -232,6 +253,7 @@ options
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
 	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
@ -381,8 +403,8 @@ options
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
 	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
-	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -451,7 +473,7 @@ options
  </div>
  <div class="refsection">
-<a name="id-1.17"></a><h2>PLUGIN</h2>
+<a name="id-1.18"></a><h2>PLUGIN</h2>
    <div class="literallayout"><p><br>
 plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
     } ];<br>
@ -459,7 +481,7 @@ plugin
  </div>
  <div class="refsection">
-<a name="id-1.18"></a><h2>SERVER</h2>
+<a name="id-1.19"></a><h2>SERVER</h2>
    <div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -497,7 +519,7 @@ server
  </div>
  <div class="refsection">
-<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
    <div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -509,7 +531,7 @@ statistics-channels
  </div>
  <div class="refsection">
-<a name="id-1.20"></a><h2>TRUST-ANCHORS</h2>
+<a name="id-1.21"></a><h2>TRUST-ANCHORS</h2>
    <div class="literallayout"><p><br>
 trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
     initial-key | static-ds | initial-ds )<br>
@ -519,8 +541,8 @@ trust-anchors
  </div>
  <div class="refsection">
-<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
+<a name="id-1.22"></a><h2>TRUSTED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
 trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@ -529,7 +551,7 @@ trusted-keys
  </div>
  <div class="refsection">
-<a name="id-1.22"></a><h2>VIEW</h2>
+<a name="id-1.23"></a><h2>VIEW</h2>
    <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -602,6 +624,7 @@ view
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
 	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
@ -725,8 +748,8 @@ view
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
 	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
-	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -908,7 +931,7 @@ view
  </div>
  <div class="refsection">
-<a name="id-1.23"></a><h2>ZONE</h2>
+<a name="id-1.24"></a><h2>ZONE</h2>
    <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1007,27 +1030,6 @@ zone
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.24"></a><h2>DNSSEC-POLICY</h2>
    <div class="literallayout"><p><br>
 dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
 	dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
 	parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 	parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
 	publish-safety <em class="replaceable"><code>duration</code></em>;<br>
 	retire-safety <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
 	zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 };<br>
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.25"></a><h2>FILES</h2>
--- a/bin/named/named.html
+++ b/bin/named/named.html
@ -230,9 +230,9 @@
          <p>
            Allow <span class="command"><strong>named</strong></span> to use up to
            <em class="replaceable"><code>#max-socks</code></em> sockets.
-            The default value is 4096 on systems built with default
+            The default value is 21000 on systems built with default
-            configuration options, and 21000 on systems built with
+            configuration options, and 4096 on systems built with
-            "configure --with-tuning=large".
+            "configure --with-tuning=small".
          </p>
          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
--- a/52
+++ b/52
@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for BIND 9.15.
+# Generated by GNU Autoconf 2.69 for BIND 9.17.
 #
 # Report bugs to <info@isc.org>.
 #
@ -589,10 +589,10 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='BIND'
 PACKAGE_TARNAME='bind'
-PACKAGE_VERSION='9.15'
+PACKAGE_VERSION='9.17'
-PACKAGE_STRING='BIND 9.15'
+PACKAGE_STRING='BIND 9.17'
 PACKAGE_BUGREPORT='info@isc.org'
-PACKAGE_URL='https://www.isc.org/downloads/BIND/'
+PACKAGE_URL='https://www.isc.org/downloads/'
 # Factoring default headers for most tests.
 ac_includes_default="\
@ -852,7 +852,6 @@ infodir
 docdir
 oldincludedir
 includedir
 runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@ -1026,7 +1025,6 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
 runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1279,15 +1277,6 @@ do
  | -silent | --silent | --silen | --sile | --sil)
    silent=yes ;;
  -runstatedir | --runstatedir | --runstatedi | --runstated \
  | --runstate | --runstat | --runsta | --runst | --runs \
  | --run | --ru | --r)
    ac_prev=runstatedir ;;
  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
  | --run=* | --ru=* | --r=*)
    runstatedir=$ac_optarg ;;
  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
    ac_prev=sbindir ;;
  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1425,7 +1414,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir runstatedir
+		libdir localedir mandir
 do
  eval ac_val=\$$ac_var
  # Remove trailing slashes.
@ -1538,7 +1527,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures BIND 9.15 to adapt to many kinds of systems.
+\`configure' configures BIND 9.17 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1578,7 +1567,6 @@ Fine tuning of the installation directories:
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@ -1604,7 +1592,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of BIND 9.15:";;
+     short | recursive ) echo "Configuration of BIND 9.17:";;
   esac
  cat <<\_ACEOF
@ -1775,7 +1763,7 @@ Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 Report bugs to <info@isc.org>.
-BIND home page: <https://www.isc.org/downloads/BIND/>.
+BIND home page: <https://www.isc.org/downloads/>.
 _ACEOF
 ac_status=$?
 fi
@ -1838,7 +1826,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-BIND configure 9.15
+BIND configure 9.17
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@ -2261,7 +2249,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by BIND $as_me 9.15, which was
+It was created by BIND $as_me 9.17, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@ -4023,7 +4011,7 @@ else
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
    since some C++ compilers masquerading as C compilers
    incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@ -4069,7 +4057,7 @@ else
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
    since some C++ compilers masquerading as C compilers
    incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@ -4093,7 +4081,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
    since some C++ compilers masquerading as C compilers
    incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@ -4138,7 +4126,7 @@ else
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
    since some C++ compilers masquerading as C compilers
    incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@ -4162,7 +4150,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
    since some C++ compilers masquerading as C compilers
    incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@ -24193,7 +24181,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by BIND $as_me 9.15, which was
+This file was extended by BIND $as_me 9.17, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@ -24254,13 +24242,13 @@ Configuration commands:
 $config_commands
 Report bugs to <info@isc.org>.
-BIND home page: <https://www.isc.org/downloads/BIND/>."
+BIND home page: <https://www.isc.org/downloads/>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-BIND config.status 9.15
+BIND config.status 9.17
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
@ -26012,7 +26000,7 @@ report() {
    if test "yes" = "$enable_full_report" -o "standard" = "$locktype"; then
 	echo "        Mutex lock type: $locktype"
    fi
-    test "large" = "$use_tuning" && echo "    Large-system tuning (--with-tuning)"
+    test "small" = "$with_tuning" && echo "    Small-system tuning (--with-tuning)"
    test "no" = "$use_dnstap" || \
 	    echo "    Allow 'dnstap' packet logging (--enable-dnstap)"
    test -z "$MAXMINDDB_LIBS" || echo "    GeoIP2 access control (--enable-geoip)"
@ -26072,7 +26060,7 @@ report() {
    echo "Features disabled or unavailable on this platform:"
    test "no" = "$found_ipv6" && echo "    IPv6 support (--enable-ipv6)"
-    test "large" = "$use_tuning" || echo "    Large-system tuning (--with-tuning)"
+    test "small" = "$with_tuning" || echo "    Small-system tuning (--with-tuning)"
    test "no" = "$use_dnstap" && \
 	    echo "    Allow 'dnstap' packet logging (--enable-dnstap)"
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@ -856,6 +856,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@ -2915,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@ -71,8 +71,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</a></span></dt>
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
@ -2142,41 +2141,40 @@ category notify { null; };
 <a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
          <p>
            The <span class="command"><strong>query-errors</strong></span> category is
-            specifically intended for debugging purposes: To identify
+            used to indicate why and how specific queries resulted in
-            why and how specific queries result in responses which
+            responses which indicate an error.  Normally, these messages
-            indicate an error.
+            will be logged at <span class="command"><strong>debug</strong></span> logging levels;
-            Messages of this category are therefore only logged
+            note, however, that if query logging is active, some will be
-            with <span class="command"><strong>debug</strong></span> levels.
+            logged at <span class="command"><strong>info</strong></span>. The logging levels are
            described below:
          </p>
          <p>
-            At the debug levels of 1 or higher, each response with the
+            At <span class="command"><strong>debug</strong></span> level 1 or higher - or at
-            rcode of SERVFAIL is logged as follows:
+            <span class="command"><strong>info</strong></span>, when query logging is active - each
            response with response code SERVFAIL will be logged as follows:
          </p>
          <p>
            <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
          </p>
          <p>
-            This means an error resulting in SERVFAIL was
+            This means an error resulting in SERVFAIL was detected at line
-            detected at line 3880 of source file
+            3880 of source file <code class="filename">query.c</code>.  Log messages
-            <code class="filename">query.c</code>.
+            of this level will particularly help identify the cause of
-            Log messages of this level will particularly
+            SERVFAIL for an authoritative server.
            help identify the cause of SERVFAIL for an
            authoritative server.
          </p>
          <p>
-            At the debug levels of 2 or higher, detailed context
+            At <span class="command"><strong>debug</strong></span> level 2 or higher, detailed
-            information of recursive resolutions that resulted in
+            context information about recursive resolutions that resulted in
-            SERVFAIL is logged.
+            SERVFAIL will be logged.  The log message will look like this:
            The log message will look like as follows:
          </p>
          <p>
            </p>
 <pre class="programlisting">
 fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
+in 10.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,quota:0,neterr:0,
 badresp:1,adberr:0,findfail:0,valfail:0]
            </pre>
 <p>
@ -2184,29 +2182,25 @@ badresp:1,adberr:0,findfail:0,valfail:0]
          <p>
            The first part before the colon shows that a recursive
            resolution for AAAA records of www.example.com completed
-            in 30.000183 seconds and the final result that led to the
+            in 10.000183 seconds and the final result that led to the
            SERVFAIL was determined at line 2970 of source file
            <code class="filename">resolver.c</code>.
          </p>
          <p>
            The following part shows the detected final result and the
-            latest result of DNSSEC validation.
+            latest result of DNSSEC validation.  The latter is always
-            The latter is always success when no validation attempt
+            "success" when no validation attempt was made.  In this example,
-            is made.
+            this query probably resulted in SERVFAIL because all name
-            In this example, this query resulted in SERVFAIL probably
+            servers are down or unreachable, leading to a timeout in 10
-            because all name servers are down or unreachable, leading
+            seconds.  DNSSEC validation was probably not attempted.
            to a timeout in 30 seconds.
            DNSSEC validation was probably not attempted.
          </p>
          <p>
-            The last part enclosed in square brackets shows statistics
+            The last part, enclosed in square brackets, shows statistics
-            information collected for this particular resolution
+            collected for this particular resolution attempt.
-            attempt.
+            The <code class="varname">domain</code> field shows the deepest zone that
-            The <code class="varname">domain</code> field shows the deepest zone
+            the resolver reached; it is the zone where the error was
-            that the resolver reached;
+            finally detected.  The meaning of the other fields is
-            it is the zone where the error was finally detected.
+            summarized in the following table.
            The meaning of the other fields is summarized in the
            following table.
          </p>
          <div class="informaltable">
@ -2283,6 +2277,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                  </td>
 </tr>
 <tr>
 <td>
                    <p><code class="varname">quota</code></p>
                  </td>
 <td>
                    <p>
                      The number of times the resolver was unable
                      to send a query because it had exceeded the
                      permissible fetch quota for a server.
                    </p>
                  </td>
 </tr>
 <tr>
 <td>
                    <p><code class="varname">neterr</code></p>
                  </td>
@ -2352,20 +2358,17 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </table>
          </div>
          <p>
-            At the debug levels of 3 or higher, the same messages
+            At <span class="command"><strong>debug</strong></span> level 3 or higher, the same
-            as those at the debug 1 level are logged for other errors
+            messages as those at <span class="command"><strong>debug</strong></span> level 1 will be
-            than SERVFAIL.
+            logged for other errors than SERVFAIL. Note that negative
-            Note that negative responses such as NXDOMAIN are not
+            responses such as NXDOMAIN are not errors, and are not logged
-            regarded as errors here.
+            at this debug level.
          </p>
          <p>
-            At the debug levels of 4 or higher, the same messages
+            At <span class="command"><strong>debug</strong></span> level 4 or higher, the
-            as those at the debug 2 level are logged for other errors
+            detailed context information logged at <span class="command"><strong>debug</strong></span>
-            than SERVFAIL.
+            level 2 will be logged for other errors than SERVFAIL and
-            Unlike the above case of level 3, messages are logged for
+            for negative resonses such as NXDOMAIN.
            negative responses.
            This is because any unexpected results can be difficult to
            debug in the recursion case.
          </p>
        </div>
      </div>
@ -2480,6 +2483,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em>;
 	<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
 	<span class="command"><strong>dnssec-validation</strong></span> ( yes | no | auto );
@ -2629,8 +2633,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
 	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval
-	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
+	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op
-	    <span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
+	    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
 	    <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [
@ -4781,11 +4785,22 @@ options {
 <dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
 <dd>
                <p>
-                  Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
+                  Query logging provides a complete log of all incoming
-                  starts.
+                  queries and all query errors. This provides more insight
-                  If <span class="command"><strong>querylog</strong></span> is not specified,
+                  into the server's activity, but with a cost to
-                  then the query logging
+                  performance which may be significant on heavily-loaded
-                  is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
+                  servers.
                </p>
                <p>
                  The <span class="command"><strong>querylog</strong></span> option specifies
                  whether query logging should be active when
                  <span class="command"><strong>named</strong></span> first starts.
                  If <span class="command"><strong>querylog</strong></span> is not specified, then
                  query logging is determined by the presence of the
                  logging category <span class="command"><strong>queries</strong></span>.
                  Query logging can also be activated at runtime using the
                  command <span class="command"><strong>rndc querylog on</strong></span>, or
                  deactivated with <span class="command"><strong>rndc querylog off</strong></span>.
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
@ -5064,9 +5079,11 @@ options {
 <dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
 <dd>
                <p>
-                  Specifies the IP addresses to be used
+                  Specifies a list of IP addresses to which queries shall be
-                  for forwarding. The default is the empty list (no
+                  forwarded. The default is the empty list (no forwarding).
-                  forwarding).
+                  Each address in the list can be associated with an optional
                  port number and/or DSCP value, and a default port number and
                  DSCP value can be set for the entire list.
                </p>
              </dd>
 </dl></div>
@ -7286,6 +7303,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                  Specifying <span class="command"><strong>version none</strong></span>
                  disables processing of the queries.
                </p>
                <p>
                  Setting <span class="command"><strong>version</strong></span> to any value
                  (including <code class="literal">none</code>) will also
                  disable queries for <code class="literal">authors.bind TXT CH</code>.
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
 <dd>
@ -9074,7 +9096,8 @@ example.com                 CNAME   rpz-tcp-only.
        <pre class="programlisting">
 <span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em> {
    <span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
-    <span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
+    <span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited ) algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
    <span class="command"><strong>max-zone-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
    <span class="command"><strong>parent-ds-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
    <span class="command"><strong>parent-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
    <span class="command"><strong>parent-registration-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
@ -9083,7 +9106,6 @@ example.com                 CNAME   rpz-tcp-only.
    <span class="command"><strong>signatures-refresh</strong></span> <em class="replaceable"><code>duration</code></em>;
    <span class="command"><strong>signatures-validity</strong></span> <em class="replaceable"><code>duration</code></em>;
    <span class="command"><strong>signatures-validity-dnskey</strong></span> <em class="replaceable"><code>duration</code></em>;
    <span class="command"><strong>zone-max-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
    <span class="command"><strong>zone-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
 };
 </pre>
@ -9091,136 +9113,232 @@ example.com                 CNAME   rpz-tcp-only.
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
+<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</h3></div></div></div>
            and Usage</h3></div></div></div>
          <p>
            The <span class="command"><strong>dnssec-policy</strong></span> statement defines a key and
            signing policy (KASP) for zones.
          </p>
          <p>
-            KASP is used to determine how one or more zones need to be signed
+            A KASP determines how one or more zones will be signed
-            with DNSSEC.  For example, how often RRSIG records need to be
+            with DNSSEC. For example, it specifies how often keys should
-            refreshed, or what cryptographic algorithms to use.
+            roll, which cryptographic algorithms to use, and how often RRSIG
            records need to be refreshed.
          </p>
          <p>
-            You can configure multiple policies.  To attach a policy to a zone
+            Multiple key and signing policies can be configured.  To
-            simply add <strong class="userinput"><code>dnssec-policy "policy_name"</code></strong>
+            attach a policy to a zone, add a <span class="command"><strong>dnssec-policy</strong></span>
-            option to the <span class="command"><strong>zone</strong></span> statement with a matching
+            option to the <span class="command"><strong>zone</strong></span> statement, specifying he
-            policy name.
+            name of the policy that should be used.
          </p>
          <p>
            Key rollover timing is computed for each key according to
            the key lifetime defined in the KASP.  The lifetime may be
            modified by zone TTLs and propagation delays, in order to
            prevent validation failures.  When a key reaches the end of its
            lifetime,
            <span class="command"><strong>named</strong></span> will generate and publish a new key
            automatically, then deactivate the old key and activate the
            new one, and finally retire the old key according to a computed
            schedule.
          </p>
          <p>
            Zone-signing key (ZSK) rollovers require no operator input.
            Key-signing key (KSK) and combined signing key (CSK) rollovers
            require action to be taken to submit a DS record to the parent.
            Rollover timing for KSKs and CSKs is adjusted to take into account
            delays in processing and propagating DS updates.
          </p>
          <p>
            There are two predefined <span class="command"><strong>dnssec-policy</strong></span> names:
            <span class="command"><strong>none</strong></span> and <span class="command"><strong>default</strong></span>.
            Setting a zone's policy to
            <span class="command"><strong>none</strong></span> is the same as not setting
            <span class="command"><strong>dnssec-policy</strong></span> at all; the zone will not
            be signed.  Policy <span class="command"><strong>default</strong></span> causes the
            zone to be signed with a single combined signing key (CSK)
            using algorithm ECDSAP256SHA256; this key will have an
            unlimited lifetime. (A verbose copy of this policy
            may be found in the source tree, in the file
            <code class="filename">doc/misc/dnssec-policy.default.conf</code>.)
            </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
              The default signing policy may change in future releases.
              This could result in changes to your signing policy
              occurring when you upgrade to a new version of BIND. Check
              the release notes carefully when upgrading to be informed
              of such changes. To prevent policy changes on upgrade,
              use an explicitly defined <span class="command"><strong>dnssec-policy</strong></span>
              rather than <span class="command"><strong>default</strong></span>.
            </div>
 <p>
          </p>
          <p>
            If a <span class="command"><strong>dnssec-policy</strong></span> statement is modified
            and the server restarted or reconfigured, <span class="command"><strong>named</strong></span>
            will attempt to change the policy smoothly from the old one to
            the new. For example, if the key algorithm is changed, then
            a new key will be generated with the new algorithm, and the old
            algorithm will be retired when the existing key's lifetime ends.
            </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
              Rolling to a new policy while another key rollover is
              already in progress is not yet supported, and may result in
              unexpected behavior.
            </div>
 <p>
          </p>
          <p>
            The following options can be specified in a
            <span class="command"><strong>dnssec-policy</strong></span> statement:
          </p>
          <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>dnskey-ttl</strong></span></span></dt>
 <dd>
                <p>
-                  The TTL of the DNSKEY resource records.
+                  The TTL to use when generating DNSKEY resource records.
-                  Default is <code class="constant">3600</code> seconds.
+                  The default is 1 hour (3600 seconds).
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>keys</strong></span></span></dt>
 <dd>
                <p>
-                  A list of keys to use.  Each line represents one key. Here is
+                  A list specifying the algorithms and roles to use when
-                  an example (for illustration purposes only) of some possible
+                  generating keys and signing the zone.
-                  keys in a <span class="command"><strong>dnssec-policy</strong></span>:
+                  Entries in this list do not represent specific
                  DNSSEC keys, which may be changed on a regular basis,
                  but the roles that keys will play in the signing policy.
                  For example, configuring a KSK of algorithm RSASHA256 ensures
                  that the DNSKEY RRset will always include a key-signing key
                  for that algorithm.
                </p>
                <p>
                  Here is an example (for illustration purposes only) of
                  some possible entries in a <span class="command"><strong>keys</strong></span>
                  list:
                </p>
 <pre class="programlisting">keys {
-    ksk key-directory lifetime P5Y algorithm 8 2048;
+    ksk key-directory lifetime unlimited algorithm rsasha1 2048;
-    zsk key-directory lifetime P30D algorithm 8;
+    zsk lifetime P30D algorithm 8;
-    csk key-directory lifetime P6MT12H3M15S algorithm 13;
+    csk lifetime P6MT12H3M15S algorithm ecdsa256;
 };
 </pre>
                <p>
-                  This example lists three keys. The first token determines
+                  This example specifies that three keys should be used
-                  what RRsets the key will sign. If set to
+                  in the zone. The first token determines which role the
-                  <strong class="userinput"><code>ksk</code></strong> the key will sign the DNSKEY, CDS,
+                  key will play in signing RRsets.  If set to
-                  and CDNSKEY RRsets, if set to <strong class="userinput"><code>zsk</code></strong> the
+                  <strong class="userinput"><code>ksk</code></strong>, then this will be
-                  key will sign the other RRsets, and if set to
+                  a key-signing key; it will have the KSK flag set and
-                  <strong class="userinput"><code>csk</code></strong> the key will sign all RRsets.
+                  will only be used to sign DNSKEY, CDS, and CDNSKEY RRsets.
                  If set to <strong class="userinput"><code>zsk</code></strong>, this will be
                  a zone-signing key; the KSK flag will be unset, and
                  the key will sign all RRsets <span class="emphasis"><em>except</em></span>
                  DNSKEY, CDS, and CDNSKEY. If set to
                  <strong class="userinput"><code>csk</code></strong> the key will have the KSK
                  flag set and will be used to sign all RRsets.
                </p>
                <p>
-                  The following part determines where the key will be stored.
+                  An optional second token determines where the key will
-                  Currently keys can only be stored in the configured
+                  be stored.  Currently, keys can only be stored in the
-                  <span class="command"><strong>key-directory</strong></span>.
+                  configured <span class="command"><strong>key-directory</strong></span>. This token
                  may be used in the future to store keys in hardware
                  service modules or separate directories.
                </p>
                <p>
-                  The third token tells how long the key may be used.  In the
+                  The <span class="command"><strong>lifetime</strong></span> parameter specifies how
-                  example the first key has a lifetime of 5 years, the second
+                  long a key may be used before rolling over.  In the
-                  key may be used for 30 days and the third key has a rather
+                  example above, the first key will have an unlimited
-                  peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
+                  lifetime, the second key may be used for 30 days, and the
-                  seconds.
+                  third key has a rather peculiar lifetime of 6 months,
                  12 hours, 3 minutes and 15 seconds.  A lifetime of 0
                  seconds is the same as <span class="command"><strong>unlimited</strong></span>.
                </p>
                <p>
-                  The last token(s) are the key's algorithm and algorithm
+                  Note that the lifetime of a key may be extended if
-                  length.  The length may be omitted as shown in the
+                  retiring it too soon would cause validation failures.
-                  example for the second and third key.
+                  For example, if the key were configured to roll more
                  frequently than its own TTL, its lifetime would
                  automatically be extended to account for this.
                </p>
                <p>
                  The <span class="command"><strong>algorithm</strong></span> parameter specifies
                  the key's algorithm, expressed either as a string
                  ("rsasha256", "ecdsa384", etc) or as a decimal number.
                  An optional second parameter specifies the key's size
                  in size in bits. If it is omitted, as shown in the
                  example for the second and third keys, an appropriate
                  default size for the algorithm will be used.
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>publish-safety</strong></span></span></dt>
 <dd>
                <p>
-                  A margin that is added to the publish interval in key
+                  A margin that is added to the pre-publication
-                  timing equations to give some extra time to cover
+                  interval in rollover timing calculations to give some
-                  unforeseen events.  Default is <code class="constant">PT1H</code>
+                  extra time to cover unforeseen events. This increases
-                  (1 hour).
+                  the time that keys are published before becoming active.
                  The default is <code class="constant">PT1H</code> (1 hour).
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>retire-safety</strong></span></span></dt>
 <dd>
                <p>
-                  A margin that is added to the retire interval in key
+                  A margin that is added to the post-publication interval
-                  timing equations to give some extra time to cover
+                  in rollover timing calculations to give some extra time
-                  unforeseen events.  Default is <code class="constant">PT1H</code>
+                  to cover unforeseen events. This increases the time a key
-                  (1 hour).
+                  remains published after it is no longer active.  The
                  default is <code class="constant">PT1H</code> (1 hour).
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>signatures-refresh</strong></span></span></dt>
 <dd>
                <p>
-                  This determines when a RRSIG record needs to be
+                  This determines how frequently an RRSIG record needs to be
-                  refreshed.  The signatures is renewed when the time until
+                  refreshed.  The signature is renewed when the time until
-                  the expiration time is closer than
+                  the expiration time is closer than the specified interval.
-                  <span class="command"><strong>signatures-refresh</strong></span>.
+                  The default is <code class="constant">P5D</code> (5 days), meaning
-                  <span class="command"><strong>signatures-resign</strong></span> interval.  Default
+                  signatures that will expire in 5 days or sooner will be
-                  is <code class="constant">P5D</code> (5 days), meaning a signature
+                  refreshed.
                  that will expire in 5 days or sooner will be refreshed.
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>signatures-validity</strong></span></span></dt>
 <dd>
                <p>
-                  The validity period of an RRSIG record (minus the
+                  The validity period of an RRSIG record (subject to
-                  inception offset and jitter). Default is
+                  inception offset and jitter). The default is
                  <code class="constant">P2W</code> (2 weeks).
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>signatures-validity-dnskey</strong></span></span></dt>
 <dd>
                <p>
-                  Like <span class="command"><strong>signatures-validity</strong></span> but for
+                  Similar to <span class="command"><strong>signatures-validity</strong></span> but for
-                  DNSKEY records. Default is <code class="constant">P2W</code> (2
+                  DNSKEY records. The default is <code class="constant">P2W</code>
-                  weeks).
+                  (2 weeks).
                </p>
              </dd>
-<dt><span class="term"><span class="command"><strong>zone-max-ttl</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
 <dd>
                <p>
-                  Like <span class="command"><strong>max-zone-ttl</strong></span>, specifies the
+                  Like the <span class="command"><strong>max-zone-ttl</strong></span> zone option,
-                  maximum permissible TTL value in seconds. When loading a
+                  this specifies the maximum permissible TTL value in
-                  zone file using a <code class="option">masterfile-format</code> or
+                  seconds for the zone. When loading a zone file using
                  a <code class="option">masterfile-format</code> of
                  <code class="constant">text</code> or <code class="constant">raw</code>,
                  any record encountered with a TTL higher than
-                  <code class="option">zone-max-ttl</code> will be capped to the
+                  <code class="option">max-zone-ttl</code> will be capped at the
                  maximum permissible TTL value.
                </p>
                <p>
                  This is needed in DNSSEC-maintained zones because when
                  rolling to a new DNSKEY, the old key needs to remain
                  available until RRSIG records have expired from caches.
-                  The <code class="option">zone-max-ttl</code> option guarantees that
+                  The <code class="option">max-zone-ttl</code> option guarantees that
                  the largest TTL in the zone will be no higher than the
                  set value.
                </p>
@ -9231,41 +9349,41 @@ example.com                 CNAME   rpz-tcp-only.
                </p>
                <p>
                  The default value is <code class="constant">PT24H</code> (24 hours).
-                  A <code class="option">zone-max-ttl</code> of zero is treated as if
+                  A <code class="option">max-zone-ttl</code> of zero is treated as if
-                  the default value is in use.
+                  the default value were in use.
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>zone-propagation-delay</strong></span></span></dt>
 <dd>
                <p>
-                  The expected propagation delay from when a zone is
+                  The expected propagation delay from the time when a zone
-                  updated and when the new version of the zone is served by
+                  is first updated to the time when the new version of the
-                  all its name servers.  Default is
+                  zone will be served by all secondary servers.  The default
-                  <code class="constant">PT5M</code> (5 minutes).
+                  is <code class="constant">PT5M</code> (5 minutes).
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>parent-ds-ttl</strong></span></span></dt>
 <dd>
                <p>
-                  The TTL of the DS RRset that the parent uses.  Default is
+                  The TTL of the DS RRset that the parent zone uses.  The
-                  <code class="constant">P1D</code> (1 day).
+                  default is <code class="constant">P1D</code> (1 day).
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>parent-propagation-delay</strong></span></span></dt>
 <dd>
                <p>
-                  The expected propagation delay from when the parent zone
+                  The expected propagation delay from the time when the
-                  is updated and when the new version of the parent zone is
+                  parent zone is updated to the time when the new version
-                  served by all its name servers.  Default is
+                  is served by all of the parent zone's name servers.
-                  <code class="constant">PT1H</code> (1 hour).
+                  The default is <code class="constant">PT1H</code> (1 hour).
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>parent-registration-delay</strong></span></span></dt>
 <dd>
                <p>
-                  The expected registration delay from when a DS RRset
+                  The expected registration delay from the time when a DS
-                  change is requested and when the DS RRset has been
+                  RRset change is requested to the time when the DS RRset
-                  updated in the parent zone.  Default is
+                  will be updated in the parent zone.  The default is
                  <code class="constant">P1D</code> (1 day).
              </p>
              </dd>
@ -10366,13 +10484,16 @@ view "external" {
 <dt><span class="term"><span class="command"><strong>dnssec-policy</strong></span></span></dt>
 <dd>
                  <p>
-                    The key and signing policy for this zone.  This is a string
+                    Specifies which key and signing policy (KASP) should
-                    referring to a <span class="command"><strong>dnssec-policy</strong></span> statement.
+                    be used for this zone.  This is a string referring to
                    a <span class="command"><strong>dnssec-policy</strong></span> statement.
                    There are two built-in policies:
-                    <strong class="userinput"><code>"default"</code></strong> allows you to use the
+                    <strong class="userinput"><code>default</code></strong> allows you to use the
-                    default policy, and <strong class="userinput"><code>"none"</code></strong> means
+                    default policy, and <strong class="userinput"><code>none</code></strong> means
                    not to use any DNSSEC policy, keeping the zone unsigned.
-                    The default is <strong class="userinput"><code>"none"</code></strong>.
+                    The default is <strong class="userinput"><code>none</code></strong>.
                    See <a class="xref" href="Bv9ARM.ch05.html#dnssec_policy_grammar" title="dnssec-policy Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-policy</strong></span> Statement Grammar&#8221;</a> for
                    more details.
                  </p>
                </dd>
 <dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
@ -15220,6 +15341,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@ -191,6 +191,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@ -36,21 +36,12 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.8</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.0</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.8">Notes for BIND 9.15.8</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.0">Notes for BIND 9.17.0</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@ -59,38 +50,21 @@
 </div>
      <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.8</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.17.0</h2></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
  <p>
-    BIND 9.15 is an unstable development release of BIND.
+    BIND 9.17 is an unstable development release of BIND.
    This document summarizes new features and functional changes that
    have been introduced on this branch.  With each development release
-    leading up to the stable BIND 9.16 release, this document will be
+    leading up to the stable BIND 9.18 release, this document will be
    updated with additional features added and bugs fixed.
  </p>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
  <p>
-    Until BIND 9.12, new feature development releases were tagged
+    Please see the file <code class="filename">CHANGES</code> for a more
-    as "alpha" and "beta", leading up to the first stable release
+    detailed list of changes and bug fixes.
    for a given development branch, which always ended in ".0".
    More recently, BIND adopted the "odd-unstable/even-stable"
    release numbering convention. There will be no "alpha" or "beta"
    releases in the 9.15 branch, only increasing version numbers.
    So, for example, what would previously have been called 9.15.0a1,
    9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
    9.15.1, 9.15.2, etc.
  </p>
  <p>
    The first stable release from this development branch will be
    renamed as 9.16.0. Thereafter, maintenance releases will continue
    on the 9.16 branch, while unstable feature development proceeds in
    9.17.
  </p>
 </div>
  <div class="section">
@ -133,646 +107,7 @@
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.8"></a>Notes for BIND 9.15.8</h3></div></div></div>
+<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.8-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>trust-anchors</strong></span> statement no longer rejects
          a mix of both key-style and DS-style trust anchor entries for the
          same name. [GL #1237]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.8-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Fixed an intermittent crash in the validator that could occur
          when validating negative answers from the cache. [GL #1561]
        </p>
      </li>
 <li class="listitem">
        <p>
          Fixed a bug that could cause <span class="command"><strong>named</strong></span> to crash on
          machines with more than 40 CPUs. [GL #1493]
        </p>
      </li>
 <li class="listitem">
        <p>
          Socket-related statistics counters were not being updated by
          network manager sockets, but are now fully functional. [GL #1311]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
          which was introduced in 9.15.1 and revised in 9.15.6, has now
          been renamed to the more descriptive
          <span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
        </p>
        <p>
          (See release notes for
          <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
          and
          <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
          for prior discussion of this feature.)
        </p>
      </li>
 <li class="listitem">
        <p>
          Added support for multithreaded listening for TCP connections
          in the network manager. [GL !2659]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
          on reconfiguration when any GeoIP2 database was in use. [GL #1445]
        </p>
      </li>
 <li class="listitem">
        <p>
          Fixed several possible race conditions discovered by
          ThreadSanitizer.
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          Set a limit on the number of concurrently served pipelined TCP
          queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          A new asynchronous network communications system based on
          <span class="command"><strong>libuv</strong></span> is now used by <span class="command"><strong>named</strong></span>
          for listening for incoming requests and responding to them.
          This change will make it easier to improve performance and
          implement new protocol layers (for example, DNS over TLS) in
          the future. [GL #29]
        </p>
      </li>
 <li class="listitem">
        <p>
          The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
          configuration key and signing policy (KASP) for zones. This
          option enables <span class="command"><strong>named</strong></span> to generate new keys
          as needed and automatically roll both ZSK and KSK keys.
          (Note that the syntax for this statement differs from the DNSSEC
          policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
        </p>
      </li>
 <li class="listitem">
        <p>
          Two new keywords have been added to the
          <span class="command"><strong>dnssec-keys</strong></span> statement:
          <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
          These allow the use of trust anchors in DS format instead of
          DNSKEY format.  DS format allows trust anchors to be configured
          for keys that have not yet been published; this is the format
          used by IANA when announcing future root keys.
        </p>
        <p>
          As with the <span class="command"><strong>initial-key</strong></span> and
          <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
          configures a dynamic trust anchor to be maintained via RFC 5011, and
          <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
        </p>
        <p>
          (Note: Currently, DNSKEY-format and DS-format trust anchors
          cannot both be used for the same domain name.) [GL #6] [GL #622]
        </p>
      </li>
 <li class="listitem">
        <p>
          Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
          that reports the maximum number of simultaneous TCP clients BIND
          has handled while running. [GL #1206]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
          because it was found to have a significant performance impact on the
          recursive service. The NSEC Aggressive Cache will be enable by default
          in the future releases. [GL #1265]
        </p>
      </li>
 <li class="listitem">
        <p>
          The DNSSEC validation code has been refactored for clarity and to
          reduce code duplication.  [GL #622]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          <span class="command"><strong>named</strong></span> could crash with an assertion failure
          if a forwarder returned a referral, rather than resolving the
          query, when QNAME minimization was enabled.  This flaw is
          disclosed in CVE-2019-6476. [GL #1051]
        </p>
      </li>
 <li class="listitem">
        <p>
          A flaw in DNSSEC verification when transferring mirror zones
          could allow data to be incorrectly marked valid. This flaw
          is disclosed in CVE-2019-6475. [GL #1252]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Added a new command line option to <span class="command"><strong>dig</strong></span>:
          <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
          won't accept a reply from a source other than the one to which
          it sent the query.  Add the <span class="command"><strong>+unexpected</strong></span> argument
          to enable it to process replies from unexpected sources.
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
          <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
          option to print output in a a detailed YAML format. [RT #1145]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
          that its policies are removed from the RPZ summary database.
          [GL #1146]
        </p>
      </li></ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
        Statistics channel groups are now toggleable. [GL #1030]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          DNSSEC Lookaside Validation (DLV) is now obsolete.
          The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
          marked as deprecated; when used in <code class="filename">named.conf</code>,
          it will generate a warning but will otherwise be ignored.
          All code enabling the use of lookaside validation has been removed
          from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
          [GL #7]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
          made default.  Old non-default HMAC-SHA based DNS Cookie algorithms
          have been removed, and only the default AES algorithm is being kept
          for legacy reasons.  This change doesn't have any operational impact
          in most common scenarios. [GL #605]
        </p>
        <p>
          If you are running multiple DNS Servers (different versions of BIND 9
          or DNS server from multiple vendors) responding from the same IP
          address (anycast or load-balancing scenarios), you'll have to make
          sure that all the servers are configured with the same DNS Cookie
          algorithm and same Server Secret for the best performance.
        </p>
      </li>
 <li class="listitem">
        <p>
          The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
          <span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
          output.  The standard error output is only used to print warnings and
          errors, and in case the user requests the signed zone to be printed to
          standard output with <span class="command"><strong>-f -</strong></span> option.  A new
          configuration option <span class="command"><strong>-q</strong></span> has been added to silence
          all output on standard output except for the name of the signed zone.
        </p>
      </li>
 <li class="listitem">
        <p>
          DS records included in DNS referral messages can now be validated
          and cached immediately, reducing the number of queries needed for
          a DNSSEC validation. [GL #964]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Cache database statistics counters could report invalid values
          when stale answers were enabled, because of a bug in counter
          maintenance when cache data becomes stale. The statistics counters
          have been corrected to report the number of RRsets for each
          RR type that are active, stale but still potentially served,
          or stale and marked for deletion. [GL #602]
        </p>
      </li>
 <li class="listitem">
        <p>
          Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
          cause unexpected results; this has been fixed. [GL #1106]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
          to ensure bits 64-71 are zero. [GL #1159]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
          <span class="command"><strong>dnstap-output</strong></span> option when
          <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
        </p>
      </li>
 <li class="listitem">
        <p>
          Handle ETIMEDOUT error on connect() with a non-blocking
          socket. [GL #1133]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
          when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          The GeoIP2 API from MaxMind is now supported. Geolocation support
          will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
          library is found at compile time, but can be turned off by using
          <span class="command"><strong>configure --disable-geoip</strong></span>.
        </p>
        <p>
          The default path to the GeoIP2 databases will be set based
          on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
          for example, if it is in <code class="filename">/usr/local/lib</code>,
          then the default path will be
          <code class="filename">/usr/local/share/GeoIP</code>.
          This value can be overridden in <code class="filename">named.conf</code>
          using the <span class="command"><strong>geoip-directory</strong></span> option.
        </p>
        <p>
          Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
          legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
          <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
          no longer work when using GeoIP2. Supported GeoIP2 database
          types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
          <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
          <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
          and IPv6 lookups. [GL #182] [GL #1112]
        </p>
      </li>
 <li class="listitem">
        <p>
          Two new metrics have been added to the
          <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
          signing operations.  For each key in each zone, the
          <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
          number of signatures <span class="command"><strong>named</strong></span> has generated
          using that key since server startup, and the
          <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
          many of those signatures were refreshed during zone
          maintenance, as opposed to having been generated
          as a result of a zone update.  [GL #513]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          When <span class="command"><strong>qname-minimization</strong></span> was set to
          <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
          would fail to resolve, but would have succeeded when minimization
          was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
          resolution in such cases, and also uses type A rather than NS for
          minimal queries in order to reduce the likelihood of encountering
          the problem. [GL #1055]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>./configure</strong></span> no longer sets
          <span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
          <span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
          when <span class="command"><strong>--prefix</strong></span> is not specified and the
          aforementioned options are not specified explicitly. Instead,
          Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
          <span class="command"><strong>$prefix/var</strong></span> are respected.
        </p>
      </li>
 <li class="listitem">
        <p>
          Glue address records were not being returned in responses
          to root priming queries; this has been corrected. [GL #1092]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          A race condition could trigger an assertion failure when
          a large number of incoming packets were being rejected.
          This flaw is disclosed in CVE-2019-6471. [GL #942]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          In order to clarify the configuration of DNSSEC keys,
          the <span class="command"><strong>trusted-keys</strong></span> and
          <span class="command"><strong>managed-keys</strong></span> statements have been
          deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
          statement should now be used for both types of key.
        </p>
        <p>
          When used with the keyword <span class="command"><strong>initial-key</strong></span>,
          <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
          <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
          a trust anchor that is to be maintained via RFC 5011.
        </p>
        <p>
          When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
          has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
          configuring a permanent trust anchor that will not automatically
          be updated.  (This usage is not recommended for the root key.)
          [GL #6]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>cleaning-interval</strong></span> option has been
          removed.  [GL !1731]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          <span class="command"><strong>named</strong></span> will now log a warning if
          a static key is configured for the root zone. [GL #6]
        </p>
      </li>
 <li class="listitem">
        <p>
          JSON-C is now the only supported library for enabling JSON
          support for BIND statistics. The <span class="command"><strong>configure</strong></span>
          option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
          to <span class="command"><strong>--with-json-c</strong></span>.  Use
          <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
          the <span class="command"><strong>json-c</strong></span> library as the new
          <span class="command"><strong>configure</strong></span> option does not take the library
          installation path as an optional argument.
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          In certain configurations, <span class="command"><strong>named</strong></span> could crash
          with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
          was in use and a redirected query resulted in an NXDOMAIN from the
          cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
        </p>
      </li>
 <li class="listitem">
        <p>
          The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
          option could be exceeded in some cases. This could lead to
          exhaustion of file descriptors. This flaw is disclosed in
          CVE-2018-5743. [GL #615]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The new <span class="command"><strong>add-soa</strong></span> option specifies whether
          or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
          should be included in the additional section of RPZ responses.
          [GL #865]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
          no longer has any effect. DNSSEC responses are always enabled
          if signatures and other DNSSEC data are present. [GL #866]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          When static and managed DNSSEC keys were both configured for the
          same name, or when a static key was used to
          configure a trust anchor for the root zone and
          <span class="command"><strong>dnssec-validation</strong></span> was set to the default
          value of <code class="literal">auto</code>, automatic RFC 5011 key
          rollovers would be disabled. This combination of settings was
          never intended to work, but there was no check for it in the
          parser. This has been corrected, and it is now a fatal
          configuration error. [GL #868]
        </p>
      </li>
 <li class="listitem">
        <p>
          DS and CDS records are now generated with SHA-256 digests
          only, instead of both SHA-1 and SHA-256. This affects the
          default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
          <code class="filename">dsset</code> files generated by
          <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
          a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
          <code class="filename">keyset</code> files, the CDS records added to
          a zone by <span class="command"><strong>named</strong></span> and
          <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
          parameters in key files, and the checks performed by
          <span class="command"><strong>dnssec-checkds</strong></span>.
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>allow-update</strong></span> and
          <span class="command"><strong>allow-update-forwarding</strong></span> options were
          inadvertently treated as configuration errors when used at the
          <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
          This has now been corrected.
          [GL #913]
        </p>
      </li></ul></div>
  </div>
 </div>
@ -780,7 +115,7 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License</h3></div></div></div>
  <p>
-    BIND is open source software licensed under the terms of the Mozilla
+    BIND 9 is open source software licensed under the terms of the Mozilla
    Public License, version 2.0 (see the <code class="filename">LICENSE</code>
    file for the full text).
  </p>
@ -795,23 +130,26 @@
  </p>
  <p>
    Those wishing to discuss license compliance may contact ISC at
-    <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
+    <a class="link" href="https://www.isc.org/contact/" target="_top">
-      https://www.isc.org/mission/contact/</a>.
+      https://www.isc.org/contact/</a>.
  </p>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
  <p>
-    BIND 9.15 is an unstable development branch. When its development
+    BIND 9.17 is an unstable development branch. When its development
-    is complete, it will be renamed to BIND 9.16, which will be a
+    is complete, it will be renamed to BIND 9.18, which will be a
    stable branch.
  </p>
  <p>
-    The end of life date for BIND 9.16 has not yet been determined.
+    The end of life date for BIND 9.18 has not yet been determined.
    For those needing long term support, the current Extended Support
    Version (ESV) is BIND 9.11, which will be supported until at
-    least December 2021. See
+    least December 2021.
  </p>
  <p>
    See
    <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
    for details of ISC's software support policy.
  </p>
@ -843,6 +181,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@ -914,6 +914,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@ -538,6 +538,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@ -210,6 +210,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.8</p></div>
+<div><p class="releaseinfo">BIND Version 9.17.0</p></div>
 <div><p class="copyright">Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@ -196,8 +196,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</a></span></dt>
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
@ -248,21 +247,12 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.8</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.0</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.8">Notes for BIND 9.15.8</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.0">Notes for BIND 9.17.0</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@ -450,6 +440,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@ -220,6 +220,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@ -621,6 +621,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-cds.html
+++ b/doc/arm/man.dnssec-cds.html
@ -376,6 +376,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@ -156,6 +156,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@ -270,6 +270,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@ -341,6 +341,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@ -250,6 +250,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@ -164,9 +164,7 @@
 	  <p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 	    PKCS#11 support, the label is an arbitrary string that
-	    identifies a particular key.  It may be preceded by an
+	    identifies a particular key.
 	    optional OpenSSL engine name, followed by a colon, as in
 	    "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
 	  </p>
 	  <p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
@ -498,6 +496,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@ -589,6 +589,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-keymgr.html
+++ b/doc/arm/man.dnssec-keymgr.html
@ -405,6 +405,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@ -171,6 +171,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@ -424,6 +424,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@ -707,6 +707,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@ -214,6 +214,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnstap-read.html
+++ b/doc/arm/man.dnstap-read.html
@ -143,6 +143,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.filter-aaaa.html
+++ b/doc/arm/man.filter-aaaa.html
@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@ -366,6 +366,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.mdig.html
+++ b/doc/arm/man.mdig.html
@ -610,6 +610,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@ -214,6 +214,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@ -463,6 +463,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@ -117,6 +117,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-nzd2nzf.html
+++ b/doc/arm/man.named-nzd2nzf.html
@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@ -121,6 +121,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@ -110,7 +110,28 @@ dlz
  </div>
  <div class="refsection">
-<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
+<a name="id-1.13.27.11"></a><h2>DNSSEC-POLICY</h2>
    <div class="literallayout"><p><br>
 dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
 	dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited )<br>
 	    algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	max-zone-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 	parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
 	publish-safety <em class="replaceable"><code>duration</code></em>;<br>
 	retire-safety <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
 	zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 };<br>
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.13.27.12"></a><h2>DYNDB</h2>
    <div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
     <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -118,7 +139,7 @@ dyndb
  </div>
  <div class="refsection">
-<a name="id-1.13.27.12"></a><h2>KEY</h2>
+<a name="id-1.13.27.13"></a><h2>KEY</h2>
    <div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -128,7 +149,7 @@ key
  </div>
  <div class="refsection">
-<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
+<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
    <div class="literallayout"><p><br>
 logging {<br>
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -149,8 +170,8 @@ logging
  </div>
  <div class="refsection">
-<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
+<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
 managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
     | initial-key | static-ds |<br>
@ -160,7 +181,7 @@ managed-keys
  </div>
  <div class="refsection">
-<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
+<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
    <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
     <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -170,7 +191,7 @@ masters
  </div>
  <div class="refsection">
-<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
+<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
    <div class="literallayout"><p><br>
 options {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -250,6 +271,7 @@ options
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
 	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
@ -399,8 +421,8 @@ options
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
 	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
-	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -469,7 +491,7 @@ options
  </div>
  <div class="refsection">
-<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
+<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
    <div class="literallayout"><p><br>
 plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
     } ];<br>
@ -477,7 +499,7 @@ plugin
  </div>
  <div class="refsection">
-<a name="id-1.13.27.18"></a><h2>SERVER</h2>
+<a name="id-1.13.27.19"></a><h2>SERVER</h2>
    <div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -515,7 +537,7 @@ server
  </div>
  <div class="refsection">
-<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
    <div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -527,7 +549,7 @@ statistics-channels
  </div>
  <div class="refsection">
-<a name="id-1.13.27.20"></a><h2>TRUST-ANCHORS</h2>
+<a name="id-1.13.27.21"></a><h2>TRUST-ANCHORS</h2>
    <div class="literallayout"><p><br>
 trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
     initial-key | static-ds | initial-ds )<br>
@ -537,8 +559,8 @@ trust-anchors
  </div>
  <div class="refsection">
-<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
+<a name="id-1.13.27.22"></a><h2>TRUSTED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
 trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@ -547,7 +569,7 @@ trusted-keys
  </div>
  <div class="refsection">
-<a name="id-1.13.27.22"></a><h2>VIEW</h2>
+<a name="id-1.13.27.23"></a><h2>VIEW</h2>
    <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -620,6 +642,7 @@ view
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
 	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
@ -743,8 +766,8 @@ view
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
 	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+	    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
-	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -926,7 +949,7 @@ view
  </div>
  <div class="refsection">
-<a name="id-1.13.27.23"></a><h2>ZONE</h2>
+<a name="id-1.13.27.24"></a><h2>ZONE</h2>
    <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1025,27 +1048,6 @@ zone
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.13.27.24"></a><h2>DNSSEC-POLICY</h2>
    <div class="literallayout"><p><br>
 dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
 	dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
 	parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 	parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
 	publish-safety <em class="replaceable"><code>duration</code></em>;<br>
 	retire-safety <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
 	signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
 	zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
 	zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
 };<br>
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.13.27.25"></a><h2>FILES</h2>
@ -1095,6 +1097,6 @@ dnssec-policy
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@ -248,9 +248,9 @@
          <p>
            Allow <span class="command"><strong>named</strong></span> to use up to
            <em class="replaceable"><code>#max-socks</code></em> sockets.
-            The default value is 4096 on systems built with default
+            The default value is 21000 on systems built with default
-            configuration options, and 21000 on systems built with
+            configuration options, and 4096 on systems built with
-            "configure --with-tuning=large".
+            "configure --with-tuning=small".
          </p>
          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
@ -492,6 +492,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.nslookup.html
+++ b/doc/arm/man.nslookup.html
@ -308,7 +308,13 @@ nslookup -query=hinfo  -timeout=10
                    Change the type of the information query.
                  </p>
                  <p>
-                    (Default = A; abbreviations = q, ty)
+                    (Default = A and then AAAA; abbreviations = q, ty)
                  </p>
                    <p>
                      <span class="bold"><strong>Note:</strong></span> It is
                      only possible to specify one query type, only
                      the default behavior looks up both when an
                      alternative is not specified.
                    </p>
                </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
@ -437,6 +443,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@ -818,6 +818,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-destroy.html
+++ b/doc/arm/man.pkcs11-destroy.html
@ -162,6 +162,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-keygen.html
+++ b/doc/arm/man.pkcs11-keygen.html
@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-list.html
+++ b/doc/arm/man.pkcs11-list.html
@ -158,6 +158,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-tokens.html
+++ b/doc/arm/man.pkcs11-tokens.html
@ -123,6 +123,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@ -260,6 +260,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@ -268,6 +268,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@ -1021,6 +1021,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@ -15,38 +15,21 @@
  <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.8</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.17.0</h2></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
  <p>
-    BIND 9.15 is an unstable development release of BIND.
+    BIND 9.17 is an unstable development release of BIND.
    This document summarizes new features and functional changes that
    have been introduced on this branch.  With each development release
-    leading up to the stable BIND 9.16 release, this document will be
+    leading up to the stable BIND 9.18 release, this document will be
    updated with additional features added and bugs fixed.
  </p>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
  <p>
-    Until BIND 9.12, new feature development releases were tagged
+    Please see the file <code class="filename">CHANGES</code> for a more
-    as "alpha" and "beta", leading up to the first stable release
+    detailed list of changes and bug fixes.
    for a given development branch, which always ended in ".0".
    More recently, BIND adopted the "odd-unstable/even-stable"
    release numbering convention. There will be no "alpha" or "beta"
    releases in the 9.15 branch, only increasing version numbers.
    So, for example, what would previously have been called 9.15.0a1,
    9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
    9.15.1, 9.15.2, etc.
  </p>
  <p>
    The first stable release from this development branch will be
    renamed as 9.16.0. Thereafter, maintenance releases will continue
    on the 9.16 branch, while unstable feature development proceeds in
    9.17.
  </p>
 </div>
  <div class="section">
@ -89,646 +72,7 @@
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.8"></a>Notes for BIND 9.15.8</h3></div></div></div>
+<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.8-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>trust-anchors</strong></span> statement no longer rejects
          a mix of both key-style and DS-style trust anchor entries for the
          same name. [GL #1237]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.8-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Fixed an intermittent crash in the validator that could occur
          when validating negative answers from the cache. [GL #1561]
        </p>
      </li>
 <li class="listitem">
        <p>
          Fixed a bug that could cause <span class="command"><strong>named</strong></span> to crash on
          machines with more than 40 CPUs. [GL #1493]
        </p>
      </li>
 <li class="listitem">
        <p>
          Socket-related statistics counters were not being updated by
          network manager sockets, but are now fully functional. [GL #1311]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
          which was introduced in 9.15.1 and revised in 9.15.6, has now
          been renamed to the more descriptive
          <span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
        </p>
        <p>
          (See release notes for
          <a class="xref" href="#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
          and
          <a class="xref" href="#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
          for prior discussion of this feature.)
        </p>
      </li>
 <li class="listitem">
        <p>
          Added support for multithreaded listening for TCP connections
          in the network manager. [GL !2659]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
          on reconfiguration when any GeoIP2 database was in use. [GL #1445]
        </p>
      </li>
 <li class="listitem">
        <p>
          Fixed several possible race conditions discovered by
          ThreadSanitizer.
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          Set a limit on the number of concurrently served pipelined TCP
          queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          A new asynchronous network communications system based on
          <span class="command"><strong>libuv</strong></span> is now used by <span class="command"><strong>named</strong></span>
          for listening for incoming requests and responding to them.
          This change will make it easier to improve performance and
          implement new protocol layers (for example, DNS over TLS) in
          the future. [GL #29]
        </p>
      </li>
 <li class="listitem">
        <p>
          The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
          configuration key and signing policy (KASP) for zones. This
          option enables <span class="command"><strong>named</strong></span> to generate new keys
          as needed and automatically roll both ZSK and KSK keys.
          (Note that the syntax for this statement differs from the DNSSEC
          policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
        </p>
      </li>
 <li class="listitem">
        <p>
          Two new keywords have been added to the
          <span class="command"><strong>dnssec-keys</strong></span> statement:
          <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
          These allow the use of trust anchors in DS format instead of
          DNSKEY format.  DS format allows trust anchors to be configured
          for keys that have not yet been published; this is the format
          used by IANA when announcing future root keys.
        </p>
        <p>
          As with the <span class="command"><strong>initial-key</strong></span> and
          <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
          configures a dynamic trust anchor to be maintained via RFC 5011, and
          <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
        </p>
        <p>
          (Note: Currently, DNSKEY-format and DS-format trust anchors
          cannot both be used for the same domain name.) [GL #6] [GL #622]
        </p>
      </li>
 <li class="listitem">
        <p>
          Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
          that reports the maximum number of simultaneous TCP clients BIND
          has handled while running. [GL #1206]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
          because it was found to have a significant performance impact on the
          recursive service. The NSEC Aggressive Cache will be enable by default
          in the future releases. [GL #1265]
        </p>
      </li>
 <li class="listitem">
        <p>
          The DNSSEC validation code has been refactored for clarity and to
          reduce code duplication.  [GL #622]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          <span class="command"><strong>named</strong></span> could crash with an assertion failure
          if a forwarder returned a referral, rather than resolving the
          query, when QNAME minimization was enabled.  This flaw is
          disclosed in CVE-2019-6476. [GL #1051]
        </p>
      </li>
 <li class="listitem">
        <p>
          A flaw in DNSSEC verification when transferring mirror zones
          could allow data to be incorrectly marked valid. This flaw
          is disclosed in CVE-2019-6475. [GL #1252]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Added a new command line option to <span class="command"><strong>dig</strong></span>:
          <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
          won't accept a reply from a source other than the one to which
          it sent the query.  Add the <span class="command"><strong>+unexpected</strong></span> argument
          to enable it to process replies from unexpected sources.
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
          <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
          option to print output in a a detailed YAML format. [RT #1145]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
          that its policies are removed from the RPZ summary database.
          [GL #1146]
        </p>
      </li></ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
        Statistics channel groups are now toggleable. [GL #1030]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          DNSSEC Lookaside Validation (DLV) is now obsolete.
          The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
          marked as deprecated; when used in <code class="filename">named.conf</code>,
          it will generate a warning but will otherwise be ignored.
          All code enabling the use of lookaside validation has been removed
          from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
          [GL #7]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
          made default.  Old non-default HMAC-SHA based DNS Cookie algorithms
          have been removed, and only the default AES algorithm is being kept
          for legacy reasons.  This change doesn't have any operational impact
          in most common scenarios. [GL #605]
        </p>
        <p>
          If you are running multiple DNS Servers (different versions of BIND 9
          or DNS server from multiple vendors) responding from the same IP
          address (anycast or load-balancing scenarios), you'll have to make
          sure that all the servers are configured with the same DNS Cookie
          algorithm and same Server Secret for the best performance.
        </p>
      </li>
 <li class="listitem">
        <p>
          The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
          <span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
          output.  The standard error output is only used to print warnings and
          errors, and in case the user requests the signed zone to be printed to
          standard output with <span class="command"><strong>-f -</strong></span> option.  A new
          configuration option <span class="command"><strong>-q</strong></span> has been added to silence
          all output on standard output except for the name of the signed zone.
        </p>
      </li>
 <li class="listitem">
        <p>
          DS records included in DNS referral messages can now be validated
          and cached immediately, reducing the number of queries needed for
          a DNSSEC validation. [GL #964]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          Cache database statistics counters could report invalid values
          when stale answers were enabled, because of a bug in counter
          maintenance when cache data becomes stale. The statistics counters
          have been corrected to report the number of RRsets for each
          RR type that are active, stale but still potentially served,
          or stale and marked for deletion. [GL #602]
        </p>
      </li>
 <li class="listitem">
        <p>
          Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
          cause unexpected results; this has been fixed. [GL #1106]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
          to ensure bits 64-71 are zero. [GL #1159]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
          <span class="command"><strong>dnstap-output</strong></span> option when
          <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
        </p>
      </li>
 <li class="listitem">
        <p>
          Handle ETIMEDOUT error on connect() with a non-blocking
          socket. [GL #1133]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
          when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          The GeoIP2 API from MaxMind is now supported. Geolocation support
          will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
          library is found at compile time, but can be turned off by using
          <span class="command"><strong>configure --disable-geoip</strong></span>.
        </p>
        <p>
          The default path to the GeoIP2 databases will be set based
          on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
          for example, if it is in <code class="filename">/usr/local/lib</code>,
          then the default path will be
          <code class="filename">/usr/local/share/GeoIP</code>.
          This value can be overridden in <code class="filename">named.conf</code>
          using the <span class="command"><strong>geoip-directory</strong></span> option.
        </p>
        <p>
          Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
          legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
          <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
          no longer work when using GeoIP2. Supported GeoIP2 database
          types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
          <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
          <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
          and IPv6 lookups. [GL #182] [GL #1112]
        </p>
      </li>
 <li class="listitem">
        <p>
          Two new metrics have been added to the
          <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
          signing operations.  For each key in each zone, the
          <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
          number of signatures <span class="command"><strong>named</strong></span> has generated
          using that key since server startup, and the
          <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
          many of those signatures were refreshed during zone
          maintenance, as opposed to having been generated
          as a result of a zone update.  [GL #513]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          When <span class="command"><strong>qname-minimization</strong></span> was set to
          <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
          would fail to resolve, but would have succeeded when minimization
          was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
          resolution in such cases, and also uses type A rather than NS for
          minimal queries in order to reduce the likelihood of encountering
          the problem. [GL #1055]
        </p>
      </li>
 <li class="listitem">
        <p>
          <span class="command"><strong>./configure</strong></span> no longer sets
          <span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
          <span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
          when <span class="command"><strong>--prefix</strong></span> is not specified and the
          aforementioned options are not specified explicitly. Instead,
          Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
          <span class="command"><strong>$prefix/var</strong></span> are respected.
        </p>
      </li>
 <li class="listitem">
        <p>
          Glue address records were not being returned in responses
          to root priming queries; this has been corrected. [GL #1092]
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          A race condition could trigger an assertion failure when
          a large number of incoming packets were being rejected.
          This flaw is disclosed in CVE-2019-6471. [GL #942]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          In order to clarify the configuration of DNSSEC keys,
          the <span class="command"><strong>trusted-keys</strong></span> and
          <span class="command"><strong>managed-keys</strong></span> statements have been
          deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
          statement should now be used for both types of key.
        </p>
        <p>
          When used with the keyword <span class="command"><strong>initial-key</strong></span>,
          <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
          <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
          a trust anchor that is to be maintained via RFC 5011.
        </p>
        <p>
          When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
          has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
          configuring a permanent trust anchor that will not automatically
          be updated.  (This usage is not recommended for the root key.)
          [GL #6]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>cleaning-interval</strong></span> option has been
          removed.  [GL !1731]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          <span class="command"><strong>named</strong></span> will now log a warning if
          a static key is configured for the root zone. [GL #6]
        </p>
      </li>
 <li class="listitem">
        <p>
          JSON-C is now the only supported library for enabling JSON
          support for BIND statistics. The <span class="command"><strong>configure</strong></span>
          option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
          to <span class="command"><strong>--with-json-c</strong></span>.  Use
          <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
          the <span class="command"><strong>json-c</strong></span> library as the new
          <span class="command"><strong>configure</strong></span> option does not take the library
          installation path as an optional argument.
        </p>
      </li>
 </ul></div>
  </div>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          In certain configurations, <span class="command"><strong>named</strong></span> could crash
          with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
          was in use and a redirected query resulted in an NXDOMAIN from the
          cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
        </p>
      </li>
 <li class="listitem">
        <p>
          The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
          option could be exceeded in some cases. This could lead to
          exhaustion of file descriptors. This flaw is disclosed in
          CVE-2018-5743. [GL #615]
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The new <span class="command"><strong>add-soa</strong></span> option specifies whether
          or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
          should be included in the additional section of RPZ responses.
          [GL #865]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
          no longer has any effect. DNSSEC responses are always enabled
          if signatures and other DNSSEC data are present. [GL #866]
        </p>
      </li></ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
          When static and managed DNSSEC keys were both configured for the
          same name, or when a static key was used to
          configure a trust anchor for the root zone and
          <span class="command"><strong>dnssec-validation</strong></span> was set to the default
          value of <code class="literal">auto</code>, automatic RFC 5011 key
          rollovers would be disabled. This combination of settings was
          never intended to work, but there was no check for it in the
          parser. This has been corrected, and it is now a fatal
          configuration error. [GL #868]
        </p>
      </li>
 <li class="listitem">
        <p>
          DS and CDS records are now generated with SHA-256 digests
          only, instead of both SHA-1 and SHA-256. This affects the
          default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
          <code class="filename">dsset</code> files generated by
          <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
          a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
          <code class="filename">keyset</code> files, the CDS records added to
          a zone by <span class="command"><strong>named</strong></span> and
          <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
          parameters in key files, and the checks performed by
          <span class="command"><strong>dnssec-checkds</strong></span>.
        </p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
          The <span class="command"><strong>allow-update</strong></span> and
          <span class="command"><strong>allow-update-forwarding</strong></span> options were
          inadvertently treated as configuration errors when used at the
          <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
          This has now been corrected.
          [GL #913]
        </p>
      </li></ul></div>
  </div>
 </div>
@ -736,7 +80,7 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License</h3></div></div></div>
  <p>
-    BIND is open source software licensed under the terms of the Mozilla
+    BIND 9 is open source software licensed under the terms of the Mozilla
    Public License, version 2.0 (see the <code class="filename">LICENSE</code>
    file for the full text).
  </p>
@ -751,23 +95,26 @@
  </p>
  <p>
    Those wishing to discuss license compliance may contact ISC at
-    <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
+    <a class="link" href="https://www.isc.org/contact/" target="_top">
-      https://www.isc.org/mission/contact/</a>.
+      https://www.isc.org/contact/</a>.
  </p>
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
  <p>
-    BIND 9.15 is an unstable development branch. When its development
+    BIND 9.17 is an unstable development branch. When its development
-    is complete, it will be renamed to BIND 9.16, which will be a
+    is complete, it will be renamed to BIND 9.18, which will be a
    stable branch.
  </p>
  <p>
-    The end of life date for BIND 9.16 has not yet been determined.
+    The end of life date for BIND 9.18 has not yet been determined.
    For those needing long term support, the current Extended Support
    Version (ESV) is BIND 9.11, which will be supported until at
-    least December 2021. See
+    least December 2021.
  </p>
  <p>
    See
    <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
    for details of ISC's software support policy.
  </p>
--- a/doc/arm/notes.pdf
+++ b/doc/arm/notes.pdf
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@ -1,27 +1,15 @@
-Release Notes for BIND Version 9.15.8
+Release Notes for BIND Version 9.17.0
 Introduction
-BIND 9.15 is an unstable development release of BIND. This document
+BIND 9.17 is an unstable development release of BIND. This document
 summarizes new features and functional changes that have been introduced
 on this branch. With each development release leading up to the stable
-BIND 9.16 release, this document will be updated with additional features
+BIND 9.18 release, this document will be updated with additional features
 added and bugs fixed.
-Note on Version Numbering
+Please see the file CHANGES for a more detailed list of changes and bug
-
+fixes.
 Until BIND 9.12, new feature development releases were tagged as "alpha"
 and "beta", leading up to the first stable release for a given development
 branch, which always ended in ".0". More recently, BIND adopted the
 "odd-unstable/even-stable" release numbering convention. There will be no
 "alpha" or "beta" releases in the 9.15 branch, only increasing version
 numbers. So, for example, what would previously have been called 9.15.0a1,
 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, 9.15.1,
 9.15.2, etc.
 The first stable release from this development branch will be renamed as
 9.16.0. Thereafter, maintenance releases will continue on the 9.16 branch,
 while unstable feature development proceeds in 9.17.
 Supported Platforms
@ -48,321 +36,11 @@ www.isc.org/download/. There you will find additional information about
 each release, source code, and pre-compiled versions for Microsoft Windows
 operating systems.
-Notes for BIND 9.15.8
+Notes for BIND 9.17.0
 Feature Changes
  * The trust-anchors statement no longer rejects a mix of both key-style
    and DS-style trust anchor entries for the same name. [GL #1237]
 Bug Fixes
  * Fixed an intermittent crash in the validator that could occur when
    validating negative answers from the cache. [GL #1561]
  * Fixed a bug that could cause named to crash on machines with more than
    40 CPUs. [GL #1493]
  * Socket-related statistics counters were not being updated by network
    manager sockets, but are now fully functional. [GL #1311]
 Notes for BIND 9.15.7
 Feature Changes
  * The dnssec-keys configuration statement, which was introduced in
    9.15.1 and revised in 9.15.6, has now been renamed to the more
    descriptive trust-anchors. [GL !2702]
    (See release notes for BIND 9.15.1 and BIND 9.15.6 for prior
    discussion of this feature.)
  * Added support for multithreaded listening for TCP connections in the
    network manager. [GL !2659]
 Bug Fixes
  * Fixed a bug that caused named to leak memory on reconfiguration when
    any GeoIP2 database was in use. [GL #1445]
  * Fixed several possible race conditions discovered by ThreadSanitizer.
 Notes for BIND 9.15.6
 Security Fixes
  * Set a limit on the number of concurrently served pipelined TCP
    queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
 New Features
  * A new asynchronous network communications system based on libuv is now
    used by named for listening for incoming requests and responding to
    them. This change will make it easier to improve performance and
    implement new protocol layers (for example, DNS over TLS) in the
    future. [GL #29]
  * The new dnssec-policy option allows the configuration key and signing
    policy (KASP) for zones. This option enables named to generate new
    keys as needed and automatically roll both ZSK and KSK keys. (Note
    that the syntax for this statement differs from the DNSSEC policy used
    by dnssec-keymgr.) [GL #1134]
  * Two new keywords have been added to the dnssec-keys statement:
    initial-ds and static-ds. These allow the use of trust anchors in DS
    format instead of DNSKEY format. DS format allows trust anchors to be
    configured for keys that have not yet been published; this is the
    format used by IANA when announcing future root keys.
    As with the initial-key and static-key keywords, initial-ds configures
    a dynamic trust anchor to be maintained via RFC 5011, and static-ds
    configures a permanent trust anchor.
    (Note: Currently, DNSKEY-format and DS-format trust anchors cannot
    both be used for the same domain name.) [GL #6] [GL #622]
  * Added a new statistics variable tcp-highwater that reports the maximum
    number of simultaneous TCP clients BIND has handled while running. [GL
    #1206]
 Feature Changes
  * NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
    because it was found to have a significant performance impact on the
    recursive service. The NSEC Aggressive Cache will be enable by default
    in the future releases. [GL #1265]
  * The DNSSEC validation code has been refactored for clarity and to
    reduce code duplication. [GL #622]
 Notes for BIND 9.15.5
 Security Fixes
  * named could crash with an assertion failure if a forwarder returned a
    referral, rather than resolving the query, when QNAME minimization was
    enabled. This flaw is disclosed in CVE-2019-6476. [GL #1051]
  * A flaw in DNSSEC verification when transferring mirror zones could
    allow data to be incorrectly marked valid. This flaw is disclosed in
    CVE-2019-6475. [GL #1252]
 Notes for BIND 9.15.4
 New Features
  * Added a new command line option to dig: +[no]unexpected. By default,
    dig won't accept a reply from a source other than the one to which it
    sent the query. Add the +unexpected argument to enable it to process
    replies from unexpected sources.
  * dig, mdig and delv can all now take a +yaml option to print output in
    a a detailed YAML format. [RT #1145]
 Bug Fixes
  * When a response-policy zone expires, ensure that its policies are
    removed from the RPZ summary database. [GL #1146]
 Notes for BIND 9.15.3
 New Features
  * Statistics channel groups are now toggleable. [GL #1030]
 Removed Features
  * DNSSEC Lookaside Validation (DLV) is now obsolete. The
    dnssec-lookaside option has been marked as deprecated; when used in
    named.conf, it will generate a warning but will otherwise be ignored.
    All code enabling the use of lookaside validation has been removed
    from the validator, delv, and the DNSSEC tools. [GL #7]
 Feature Changes
  * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
    made default. Old non-default HMAC-SHA based DNS Cookie algorithms
    have been removed, and only the default AES algorithm is being kept
    for legacy reasons. This change doesn't have any operational impact in
    most common scenarios. [GL #605]
    If you are running multiple DNS Servers (different versions of BIND 9
    or DNS server from multiple vendors) responding from the same IP
    address (anycast or load-balancing scenarios), you'll have to make
    sure that all the servers are configured with the same DNS Cookie
    algorithm and same Server Secret for the best performance.
  * The information from the dnssec-signzone and dnssec-verify commands is
    now printed to standard output. The standard error output is only used
    to print warnings and errors, and in case the user requests the signed
    zone to be printed to standard output with -f - option. A new
    configuration option -q has been added to silence all output on
    standard output except for the name of the signed zone.
  * DS records included in DNS referral messages can now be validated and
    cached immediately, reducing the number of queries needed for a DNSSEC
    validation. [GL #964]
 Bug Fixes
  * Cache database statistics counters could report invalid values when
    stale answers were enabled, because of a bug in counter maintenance
    when cache data becomes stale. The statistics counters have been
    corrected to report the number of RRsets for each RR type that are
    active, stale but still potentially served, or stale and marked for
    deletion. [GL #602]
  * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
    unexpected results; this has been fixed. [GL #1106]
  * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
    zero. [GL #1159]
  * named-checkconf now correctly reports a missing dnstap-output option
    when dnstap is set. [GL #1136]
  * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
    1133]
  * dig now correctly expands the IPv6 address when run with +expandaaaa
    +short. [GL #1152]
 Notes for BIND 9.15.2
 New Features
  * The GeoIP2 API from MaxMind is now supported. Geolocation support will
    be compiled in by default if the libmaxminddb library is found at
    compile time, but can be turned off by using configure --disable-geoip
    .
    The default path to the GeoIP2 databases will be set based on the
    location of the libmaxminddb library; for example, if it is in /usr/
    local/lib, then the default path will be /usr/local/share/GeoIP. This
    value can be overridden in named.conf using the geoip-directory
    option.
    Some geoip ACL settings that were available with legacy GeoIP,
    including searches for netspeed, org, and three-letter ISO country
    codes, will no longer work when using GeoIP2. Supported GeoIP2
    database types are country, city, domain, isp, and as. All of these
    databases support both IPv4 and IPv6 lookups. [GL #182] [GL #1112]
  * Two new metrics have been added to the statistics-channel to report
    DNSSEC signing operations. For each key in each zone, the dnssec-sign
    counter indicates the total number of signatures named has generated
    using that key since server startup, and the dnssec-refresh counter
    indicates how many of those signatures were refreshed during zone
    maintenance, as opposed to having been generated as a result of a zone
    update. [GL #513]
 Bug Fixes
  * When qname-minimization was set to relaxed, some improperly configured
    domains would fail to resolve, but would have succeeded when
    minimization was disabled. named will now fall back to normal
    resolution in such cases, and also uses type A rather than NS for
    minimal queries in order to reduce the likelihood of encountering the
    problem. [GL #1055]
  * ./configure no longer sets --sysconfdir to /etc or --localstatedir to
    /var when --prefix is not specified and the aforementioned options are
    not specified explicitly. Instead, Autoconf's defaults of $prefix/etc
    and $prefix/var are respected.
  * Glue address records were not being returned in responses to root
    priming queries; this has been corrected. [GL #1092]
 Notes for BIND 9.15.1
 Security Fixes
  * A race condition could trigger an assertion failure when a large
    number of incoming packets were being rejected. This flaw is disclosed
    in CVE-2019-6471. [GL #942]
 New Features
  * In order to clarify the configuration of DNSSEC keys, the trusted-keys
    and managed-keys statements have been deprecated, and the new
    dnssec-keys statement should now be used for both types of key.
    When used with the keyword initial-key, dnssec-keys has the same
    behavior as managed-keys, i.e., it configures a trust anchor that is
    to be maintained via RFC 5011.
    When used with the new keyword static-key, it has the same behavior as
    trusted-keys, configuring a permanent trust anchor that will not
    automatically be updated. (This usage is not recommended for the root
    key.) [GL #6]
 Removed Features
  * The cleaning-interval option has been removed. [GL !1731]
 Feature Changes
  * named will now log a warning if a static key is configured for the
    root zone. [GL #6]
  * JSON-C is now the only supported library for enabling JSON support for
    BIND statistics. The configure option has been renamed from
    --with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a
    custom path to the json-c library as the new configure option does not
    take the library installation path as an optional argument.
 Notes for BIND 9.15.0
 Security Fixes
  * In certain configurations, named could crash with an assertion failure
    if nxdomain-redirect was in use and a redirected query resulted in an
    NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
    #880]
  * The TCP client quota set using the tcp-clients option could be
    exceeded in some cases. This could lead to exhaustion of file
    descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
 New Features
  * The new add-soa option specifies whether or not the response-policy
    zone's SOA record should be included in the additional section of RPZ
    responses. [GL #865]
 Removed Features
  * The dnssec-enable option has been obsoleted and no longer has any
    effect. DNSSEC responses are always enabled if signatures and other
    DNSSEC data are present. [GL #866]
 Feature Changes
  * When static and managed DNSSEC keys were both configured for the same
    name, or when a static key was used to configure a trust anchor for
    the root zone and dnssec-validation was set to the default value of
    auto, automatic RFC 5011 key rollovers would be disabled. This
    combination of settings was never intended to work, but there was no
    check for it in the parser. This has been corrected, and it is now a
    fatal configuration error. [GL #868]
  * DS and CDS records are now generated with SHA-256 digests only,
    instead of both SHA-1 and SHA-256. This affects the default output of
    dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS
    records added to a zone by dnssec-signzone based on keyset files, the
    CDS records added to a zone by named and dnssec-signzone based on
    "sync" timing parameters in key files, and the checks performed by
    dnssec-checkds.
 Bug Fixes
  * The allow-update and allow-update-forwarding options were
    inadvertently treated as configuration errors when used at the options
    or view level. This has now been corrected. [GL #913]
 License
-BIND is open source software licensed under the terms of the Mozilla
+BIND 9 is open source software licensed under the terms of the Mozilla
 Public License, version 2.0 (see the LICENSE file for the full text).
 The license requires that if you make changes to BIND and distribute them
@ -373,17 +51,18 @@ affect anyone who is using BIND, with or without modifications, without
 redistributing it, nor anyone redistributing BIND without changes.
 Those wishing to discuss license compliance may contact ISC at https://
-www.isc.org/mission/contact/.
+www.isc.org/contact/.
 End of Life
-BIND 9.15 is an unstable development branch. When its development is
+BIND 9.17 is an unstable development branch. When its development is
-complete, it will be renamed to BIND 9.16, which will be a stable branch.
+complete, it will be renamed to BIND 9.18, which will be a stable branch.
-The end of life date for BIND 9.16 has not yet been determined. For those
+The end of life date for BIND 9.18 has not yet been determined. For those
 needing long term support, the current Extended Support Version (ESV) is
-BIND 9.11, which will be supported until at least December 2021. See
+BIND 9.11, which will be supported until at least December 2021.
-https://kb.isc.org/docs/aa-00896 for details of ISC's software support
+
 See https://kb.isc.org/docs/aa-00896 for details of ISC's software support
 policy.
 Thank You