mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

Rebuild documentation

Browse Source
This commit is contained in:
Evan Hunt 2020-02-23 20:48:55 -08:00 committed by Michał Kępień
parent b273ed8a63
commit 89ff6cabf9
65 changed files with 575 additions and 2096 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README
View File

@ -228,11 +228,9 @@ developers.google.com/protocol-buffers, and BIND must be configured with
--enable-dnstap.
Certain compiled-in constants and default settings can be increased to
values better suited to large servers with abundant memory resources (e.g,
64-bit servers with 12G or more of memory) by specifying --with-tuning=
large on the configure command line. This can improve performance on big
servers, but will consume more memory and may degrade performance on
smaller systems.
values better suited to small machines, e.g. OpenWRT boxes, by specifying
--with-tuning=small on the configure command line. This will decrease
memory usage by using smaller structures, but will degrade performance.
On Linux, process capabilities are managed in user space using the libcap
library, which can be installed on most Linux systems via the libcap-dev

5
bin/dig/nslookup.1
View File

@ -233,7 +233,10 @@ Change the default TCP/UDP name server port to
.RS 4
Change the type of the information query\&.
.sp
(Default = A; abbreviations = q, ty)
(Default = A and then AAAA; abbreviations = q, ty)
.sp
\fBNote:\fR
It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBrecurse\fR

8
bin/dig/nslookup.html
View File

@ -290,7 +290,13 @@ nslookup -query=hinfo -timeout=10
Change the type of the information query.
</p>
<p>
(Default = A; abbreviations = q, ty)
(Default = A and then AAAA; abbreviations = q, ty)
</p>
<p>
<span class="bold"><strong>Note:</strong></span> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>

2
bin/dnssec/dnssec-keyfromlabel.8
View File

@ -92,7 +92,7 @@ Specifies the label for a key pair in the crypto hardware\&.
.sp
When
BIND
9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR"\&.
9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
.sp
When
BIND

4
bin/dnssec/dnssec-keyfromlabel.html
View File

@ -146,9 +146,7 @@
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
identifies a particular key.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11

2
bin/named/named.8
View File

@ -187,7 +187,7 @@ Allow
\fBnamed\fR
to use up to
\fI#max\-socks\fR
sockets\&. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure \-\-with\-tuning=large"\&.
sockets\&. The default value is 21000 on systems built with default configuration options, and 4096 on systems built with "configure \-\-with\-tuning=small"\&.
.if n \{\
.sp
.\}

67
bin/named/named.conf.5
View File

@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-08-12
.\" Date: 2020-02-07
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2020\-02\-07" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -97,6 +97,31 @@ dlz \fIstring\fR {
.if n \{\
.RE
.\}
.SH "DNSSEC-POLICY"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-policy \fIstring\fR {
dnskey\-ttl \fIduration\fR;
keys { ( csk | ksk | zsk ) ( key\-directory ) lifetime ( \fIduration\fR | unlimited )
algorithm \fIinteger\fR [ \fIinteger\fR ]; \&.\&.\&. };
max\-zone\-ttl \fIduration\fR;
parent\-ds\-ttl \fIduration\fR;
parent\-propagation\-delay \fIduration\fR;
parent\-registration\-delay \fIduration\fR;
publish\-safety \fIduration\fR;
retire\-safety \fIduration\fR;
signatures\-refresh \fIduration\fR;
signatures\-validity \fIduration\fR;
signatures\-validity\-dnskey \fIduration\fR;
zone\-propagation\-delay \fIduration\fR;
};
.fi
.if n \{\
.RE
.\}
.SH "DYNDB"
.sp
.if n \{\
@ -150,7 +175,7 @@ logging {
.\}
.SH "MANAGED-KEYS"
.PP
Deprecated \- see TRUST\-ANCHORS\&.
Deprecated \- see DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
@ -262,6 +287,7 @@ options {
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-policy \fIstring\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
@ -411,8 +437,8 @@ options {
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
\fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
\fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
| nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@ -567,7 +593,7 @@ trust\-anchors { \fIstring\fR ( static\-key |
.\}
.SH "TRUSTED-KEYS"
.PP
Deprecated \- see TRUST\-ANCHORS\&.
Deprecated \- see DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
@ -657,6 +683,7 @@ view \fIstring\fR [ \fIclass\fR ] {
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-policy \fIstring\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
@ -780,8 +807,8 @@ view \fIstring\fR [ \fIclass\fR ] {
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
\fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
\fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
| nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@ -1067,30 +1094,6 @@ zone \fIstring\fR [ \fIclass\fR ] {
.if n \{\
.RE
.\}
.SH "DNSSEC-POLICY"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-policy \fIstring\fR {
dnskey\-ttl \fIduration\fR;
keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
parent\-ds\-ttl \fIduration\fR;
parent\-propagation\-delay \fIduration\fR;
parent\-registration\-delay \fIduration\fR;
publish\-safety \fIduration\fR;
retire\-safety \fIduration\fR;
signatures\-refresh \fIduration\fR;
signatures\-validity \fIduration\fR;
signatures\-validity\-dnskey \fIduration\fR;
zone\-max\-ttl \fIduration\fR;
zone\-propagation\-delay \fIduration\fR;
};
.fi
.if n \{\
.RE
.\}
.SH "FILES"
.PP
/etc/named\&.conf

2
bin/named/named.conf.docbook
View File

@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2019-12-12</date>
<date>2020-02-07</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>

82
bin/named/named.conf.html
View File

@ -92,7 +92,28 @@ dlz
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>DYNDB</h2>
<a name="id-1.11"></a><h2>DNSSEC-POLICY</h2>
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited )<br>
    algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ]; ... };<br>
max-zone-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
publish-safety <em class="replaceable"><code>duration</code></em>;<br>
retire-safety <em class="replaceable"><code>duration</code></em>;<br>
signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -100,7 +121,7 @@ dyndb
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>KEY</h2>
<a name="id-1.13"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -110,7 +131,7 @@ key
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>LOGGING</h2>
<a name="id-1.14"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -131,8 +152,8 @@ logging
</div>
<div class="refsection">
<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see TRUST-ANCHORS.</p>
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key | static-ds |<br>
@ -142,7 +163,7 @@ managed-keys
</div>
<div class="refsection">
<a name="id-1.15"></a><h2>MASTERS</h2>
<a name="id-1.16"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -152,7 +173,7 @@ masters
</div>
<div class="refsection">
<a name="id-1.16"></a><h2>OPTIONS</h2>
<a name="id-1.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -232,6 +253,7 @@ options
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
@ -381,8 +403,8 @@ options
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -451,7 +473,7 @@ options
</div>
<div class="refsection">
<a name="id-1.17"></a><h2>PLUGIN</h2>
<a name="id-1.18"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
@ -459,7 +481,7 @@ plugin
</div>
<div class="refsection">
<a name="id-1.18"></a><h2>SERVER</h2>
<a name="id-1.19"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -497,7 +519,7 @@ server
</div>
<div class="refsection">
<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -509,7 +531,7 @@ statistics-channels
</div>
<div class="refsection">
<a name="id-1.20"></a><h2>TRUST-ANCHORS</h2>
<a name="id-1.21"></a><h2>TRUST-ANCHORS</h2>
<div class="literallayout"><p><br>
trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds )<br>
@ -519,8 +541,8 @@ trust-anchors
</div>
<div class="refsection">
<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see TRUST-ANCHORS.</p>
<a name="id-1.22"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@ -529,7 +551,7 @@ trusted-keys
</div>
<div class="refsection">
<a name="id-1.22"></a><h2>VIEW</h2>
<a name="id-1.23"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -602,6 +624,7 @@ view
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
@ -725,8 +748,8 @@ view
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -908,7 +931,7 @@ view
</div>
<div class="refsection">
<a name="id-1.23"></a><h2>ZONE</h2>
<a name="id-1.24"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1007,27 +1030,6 @@ zone
</p></div>
</div>
<div class="refsection">
<a name="id-1.24"></a><h2>DNSSEC-POLICY</h2>
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
publish-safety <em class="replaceable"><code>duration</code></em>;<br>
retire-safety <em class="replaceable"><code>duration</code></em>;<br>
signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.25"></a><h2>FILES</h2>

6
bin/named/named.html
View File

@ -230,9 +230,9 @@
<p>
Allow <span class="command"><strong>named</strong></span> to use up to
<em class="replaceable"><code>#max-socks</code></em> sockets.
The default value is 4096 on systems built with default
configuration options, and 21000 on systems built with
"configure --with-tuning=large".
The default value is 21000 on systems built with default
configuration options, and 4096 on systems built with
"configure --with-tuning=small".
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>

52
configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for BIND 9.15.
# Generated by GNU Autoconf 2.69 for BIND 9.17.
#
# Report bugs to <info@isc.org>.
#
@ -589,10 +589,10 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='BIND'
PACKAGE_TARNAME='bind'
PACKAGE_VERSION='9.15'
PACKAGE_STRING='BIND 9.15'
PACKAGE_VERSION='9.17'
PACKAGE_STRING='BIND 9.17'
PACKAGE_BUGREPORT='info@isc.org'
PACKAGE_URL='https://www.isc.org/downloads/BIND/'
PACKAGE_URL='https://www.isc.org/downloads/'
# Factoring default headers for most tests.
ac_includes_default="\
@ -852,7 +852,6 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
@ -1026,7 +1025,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1279,15 +1277,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1425,7 +1414,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@ -1538,7 +1527,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures BIND 9.15 to adapt to many kinds of systems.
\`configure' configures BIND 9.17 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1578,7 +1567,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@ -1604,7 +1592,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of BIND 9.15:";;
short | recursive ) echo "Configuration of BIND 9.17:";;
esac
cat <<\_ACEOF
@ -1775,7 +1763,7 @@ Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <info@isc.org>.
BIND home page: <https://www.isc.org/downloads/BIND/>.
BIND home page: <https://www.isc.org/downloads/>.
_ACEOF
ac_status=$?
fi
@ -1838,7 +1826,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
BIND configure 9.15
BIND configure 9.17
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2261,7 +2249,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by BIND $as_me 9.15, which was
It was created by BIND $as_me 9.17, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -4023,7 +4011,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -4069,7 +4057,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -4093,7 +4081,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -4138,7 +4126,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -4162,7 +4150,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -24193,7 +24181,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by BIND $as_me 9.15, which was
This file was extended by BIND $as_me 9.17, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -24254,13 +24242,13 @@ Configuration commands:
$config_commands
Report bugs to <info@isc.org>.
BIND home page: <https://www.isc.org/downloads/BIND/>."
BIND home page: <https://www.isc.org/downloads/>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
BIND config.status 9.15
BIND config.status 9.17
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@ -26012,7 +26000,7 @@ report() {
if test "yes" = "$enable_full_report" -o "standard" = "$locktype"; then
echo " Mutex lock type: $locktype"
fi
test "large" = "$use_tuning" && echo " Large-system tuning (--with-tuning)"
test "small" = "$with_tuning" && echo " Small-system tuning (--with-tuning)"
test "no" = "$use_dnstap" || \
echo " Allow 'dnstap' packet logging (--enable-dnstap)"
test -z "$MAXMINDDB_LIBS" || echo " GeoIP2 access control (--enable-geoip)"
@ -26072,7 +26060,7 @@ report() {
echo "Features disabled or unavailable on this platform:"
test "no" = "$found_ipv6" && echo " IPv6 support (--enable-ipv6)"
test "large" = "$use_tuning" || echo " Large-system tuning (--with-tuning)"
test "small" = "$with_tuning" || echo " Small-system tuning (--with-tuning)"
test "no" = "$use_dnstap" && \
echo " Allow 'dnstap' packet logging (--enable-dnstap)"

2
doc/arm/Bv9ARM.ch01.html
View File

@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch02.html
View File

@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch03.html
View File

@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch04.html
View File

@ -2915,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

405
doc/arm/Bv9ARM.ch05.html
View File

@ -71,8 +71,7 @@
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
@ -2142,41 +2141,40 @@ category notify { null; };
<a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
<p>
The <span class="command"><strong>query-errors</strong></span> category is
specifically intended for debugging purposes: To identify
why and how specific queries result in responses which
indicate an error.
Messages of this category are therefore only logged
with <span class="command"><strong>debug</strong></span> levels.
used to indicate why and how specific queries resulted in
responses which indicate an error. Normally, these messages
will be logged at <span class="command"><strong>debug</strong></span> logging levels;
note, however, that if query logging is active, some will be
logged at <span class="command"><strong>info</strong></span>. The logging levels are
described below:
</p>
<p>
At the debug levels of 1 or higher, each response with the
rcode of SERVFAIL is logged as follows:
At <span class="command"><strong>debug</strong></span> level 1 or higher - or at
<span class="command"><strong>info</strong></span>, when query logging is active - each
response with response code SERVFAIL will be logged as follows:
</p>
<p>
<code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
</p>
<p>
This means an error resulting in SERVFAIL was
detected at line 3880 of source file
<code class="filename">query.c</code>.
Log messages of this level will particularly
help identify the cause of SERVFAIL for an
authoritative server.
This means an error resulting in SERVFAIL was detected at line
3880 of source file <code class="filename">query.c</code>. Log messages
of this level will particularly help identify the cause of
SERVFAIL for an authoritative server.
</p>
<p>
At the debug levels of 2 or higher, detailed context
information of recursive resolutions that resulted in
SERVFAIL is logged.
The log message will look like as follows:
At <span class="command"><strong>debug</strong></span> level 2 or higher, detailed
context information about recursive resolutions that resulted in
SERVFAIL will be logged. The log message will look like this:
</p>
<p>
</p>
<pre class="programlisting">
fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
in 10.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,quota:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]
</pre>
<p>
@ -2184,29 +2182,25 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<p>
The first part before the colon shows that a recursive
resolution for AAAA records of www.example.com completed
in 30.000183 seconds and the final result that led to the
in 10.000183 seconds and the final result that led to the
SERVFAIL was determined at line 2970 of source file
<code class="filename">resolver.c</code>.
</p>
<p>
The following part shows the detected final result and the
latest result of DNSSEC validation.
The latter is always success when no validation attempt
is made.
In this example, this query resulted in SERVFAIL probably
because all name servers are down or unreachable, leading
to a timeout in 30 seconds.
DNSSEC validation was probably not attempted.
latest result of DNSSEC validation. The latter is always
"success" when no validation attempt was made. In this example,
this query probably resulted in SERVFAIL because all name
servers are down or unreachable, leading to a timeout in 10
seconds. DNSSEC validation was probably not attempted.
</p>
<p>
The last part enclosed in square brackets shows statistics
information collected for this particular resolution
attempt.
The <code class="varname">domain</code> field shows the deepest zone
that the resolver reached;
it is the zone where the error was finally detected.
The meaning of the other fields is summarized in the
following table.
The last part, enclosed in square brackets, shows statistics
collected for this particular resolution attempt.
The <code class="varname">domain</code> field shows the deepest zone that
the resolver reached; it is the zone where the error was
finally detected. The meaning of the other fields is
summarized in the following table.
</p>
<div class="informaltable">
@ -2283,6 +2277,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</td>
</tr>
<tr>
<td>
<p><code class="varname">quota</code></p>
</td>
<td>
<p>
The number of times the resolver was unable
to send a query because it had exceeded the
permissible fetch quota for a server.
</p>
</td>
</tr>
<tr>
<td>
<p><code class="varname">neterr</code></p>
</td>
@ -2352,20 +2358,17 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</table>
</div>
<p>
At the debug levels of 3 or higher, the same messages
as those at the debug 1 level are logged for other errors
than SERVFAIL.
Note that negative responses such as NXDOMAIN are not
regarded as errors here.
At <span class="command"><strong>debug</strong></span> level 3 or higher, the same
messages as those at <span class="command"><strong>debug</strong></span> level 1 will be
logged for other errors than SERVFAIL. Note that negative
responses such as NXDOMAIN are not errors, and are not logged
at this debug level.
</p>
<p>
At the debug levels of 4 or higher, the same messages
as those at the debug 2 level are logged for other errors
than SERVFAIL.
Unlike the above case of level 3, messages are logged for
negative responses.
This is because any unexpected results can be difficult to
debug in the recursion case.
At <span class="command"><strong>debug</strong></span> level 4 or higher, the
detailed context information logged at <span class="command"><strong>debug</strong></span>
level 2 will be logged for other errors than SERVFAIL and
for negative resonses such as NXDOMAIN.
</p>
</div>
</div>
@ -2480,6 +2483,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<span class="command"><strong>dnssec-validation</strong></span> ( yes | no | auto );
@ -2629,8 +2633,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
<em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval
<em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
<span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
<em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
<span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [
@ -4781,11 +4785,22 @@ options {
<dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
<dd>
<p>
Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
starts.
If <span class="command"><strong>querylog</strong></span> is not specified,
then the query logging
is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
Query logging provides a complete log of all incoming
queries and all query errors. This provides more insight
into the server's activity, but with a cost to
performance which may be significant on heavily-loaded
servers.
</p>
<p>
The <span class="command"><strong>querylog</strong></span> option specifies
whether query logging should be active when
<span class="command"><strong>named</strong></span> first starts.
If <span class="command"><strong>querylog</strong></span> is not specified, then
query logging is determined by the presence of the
logging category <span class="command"><strong>queries</strong></span>.
Query logging can also be activated at runtime using the
command <span class="command"><strong>rndc querylog on</strong></span>, or
deactivated with <span class="command"><strong>rndc querylog off</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
@ -5064,9 +5079,11 @@ options {
<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
<dd>
<p>
Specifies the IP addresses to be used
for forwarding. The default is the empty list (no
forwarding).
Specifies a list of IP addresses to which queries shall be
forwarded. The default is the empty list (no forwarding).
Each address in the list can be associated with an optional
port number and/or DSCP value, and a default port number and
DSCP value can be set for the entire list.
</p>
</dd>
</dl></div>
@ -7286,6 +7303,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Specifying <span class="command"><strong>version none</strong></span>
disables processing of the queries.
</p>
<p>
Setting <span class="command"><strong>version</strong></span> to any value
(including <code class="literal">none</code>) will also
disable queries for <code class="literal">authors.bind TXT CH</code>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
<dd>
@ -9074,7 +9096,8 @@ example.com CNAME rpz-tcp-only.
<pre class="programlisting">
<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em> {
<span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
<span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited ) algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
<span class="command"><strong>max-zone-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-ds-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-registration-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
@ -9083,7 +9106,6 @@ example.com CNAME rpz-tcp-only.
<span class="command"><strong>signatures-refresh</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>signatures-validity</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>signatures-validity-dnskey</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>zone-max-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>zone-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
};
</pre>
@ -9091,136 +9113,232 @@ example.com CNAME rpz-tcp-only.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
and Usage</h3></div></div></div>
<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-policy</strong></span> statement defines a key and
signing policy (KASP) for zones.
</p>
<p>
KASP is used to determine how one or more zones need to be signed
with DNSSEC. For example, how often RRSIG records need to be
refreshed, or what cryptographic algorithms to use.
A KASP determines how one or more zones will be signed
with DNSSEC. For example, it specifies how often keys should
roll, which cryptographic algorithms to use, and how often RRSIG
records need to be refreshed.
</p>
<p>
You can configure multiple policies. To attach a policy to a zone
simply add <strong class="userinput"><code>dnssec-policy "policy_name"</code></strong>
option to the <span class="command"><strong>zone</strong></span> statement with a matching
policy name.
Multiple key and signing policies can be configured. To
attach a policy to a zone, add a <span class="command"><strong>dnssec-policy</strong></span>
option to the <span class="command"><strong>zone</strong></span> statement, specifying he
name of the policy that should be used.
</p>
<p>
Key rollover timing is computed for each key according to
the key lifetime defined in the KASP. The lifetime may be
modified by zone TTLs and propagation delays, in order to
prevent validation failures. When a key reaches the end of its
lifetime,
<span class="command"><strong>named</strong></span> will generate and publish a new key
automatically, then deactivate the old key and activate the
new one, and finally retire the old key according to a computed
schedule.
</p>
<p>
Zone-signing key (ZSK) rollovers require no operator input.
Key-signing key (KSK) and combined signing key (CSK) rollovers
require action to be taken to submit a DS record to the parent.
Rollover timing for KSKs and CSKs is adjusted to take into account
delays in processing and propagating DS updates.
</p>
<p>
There are two predefined <span class="command"><strong>dnssec-policy</strong></span> names:
<span class="command"><strong>none</strong></span> and <span class="command"><strong>default</strong></span>.
Setting a zone's policy to
<span class="command"><strong>none</strong></span> is the same as not setting
<span class="command"><strong>dnssec-policy</strong></span> at all; the zone will not
be signed. Policy <span class="command"><strong>default</strong></span> causes the
zone to be signed with a single combined signing key (CSK)
using algorithm ECDSAP256SHA256; this key will have an
unlimited lifetime. (A verbose copy of this policy
may be found in the source tree, in the file
<code class="filename">doc/misc/dnssec-policy.default.conf</code>.)
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
The default signing policy may change in future releases.
This could result in changes to your signing policy
occurring when you upgrade to a new version of BIND. Check
the release notes carefully when upgrading to be informed
of such changes. To prevent policy changes on upgrade,
use an explicitly defined <span class="command"><strong>dnssec-policy</strong></span>
rather than <span class="command"><strong>default</strong></span>.
</div>
<p>
</p>
<p>
If a <span class="command"><strong>dnssec-policy</strong></span> statement is modified
and the server restarted or reconfigured, <span class="command"><strong>named</strong></span>
will attempt to change the policy smoothly from the old one to
the new. For example, if the key algorithm is changed, then
a new key will be generated with the new algorithm, and the old
algorithm will be retired when the existing key's lifetime ends.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
Rolling to a new policy while another key rollover is
already in progress is not yet supported, and may result in
unexpected behavior.
</div>
<p>
</p>
<p>
The following options can be specified in a
<span class="command"><strong>dnssec-policy</strong></span> statement:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>dnskey-ttl</strong></span></span></dt>
<dd>
<p>
The TTL of the DNSKEY resource records.
Default is <code class="constant">3600</code> seconds.
The TTL to use when generating DNSKEY resource records.
The default is 1 hour (3600 seconds).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keys</strong></span></span></dt>
<dd>
<p>
A list of keys to use. Each line represents one key. Here is
an example (for illustration purposes only) of some possible
keys in a <span class="command"><strong>dnssec-policy</strong></span>:
A list specifying the algorithms and roles to use when
generating keys and signing the zone.
Entries in this list do not represent specific
DNSSEC keys, which may be changed on a regular basis,
but the roles that keys will play in the signing policy.
For example, configuring a KSK of algorithm RSASHA256 ensures
that the DNSKEY RRset will always include a key-signing key
for that algorithm.
</p>
<p>
Here is an example (for illustration purposes only) of
some possible entries in a <span class="command"><strong>keys</strong></span>
list:
</p>
<pre class="programlisting">keys {
ksk key-directory lifetime P5Y algorithm 8 2048;
zsk key-directory lifetime P30D algorithm 8;
csk key-directory lifetime P6MT12H3M15S algorithm 13;
ksk key-directory lifetime unlimited algorithm rsasha1 2048;
zsk lifetime P30D algorithm 8;
csk lifetime P6MT12H3M15S algorithm ecdsa256;
};
</pre>
<p>
This example lists three keys. The first token determines
what RRsets the key will sign. If set to
<strong class="userinput"><code>ksk</code></strong> the key will sign the DNSKEY, CDS,
and CDNSKEY RRsets, if set to <strong class="userinput"><code>zsk</code></strong> the
key will sign the other RRsets, and if set to
<strong class="userinput"><code>csk</code></strong> the key will sign all RRsets.
This example specifies that three keys should be used
in the zone. The first token determines which role the
key will play in signing RRsets. If set to
<strong class="userinput"><code>ksk</code></strong>, then this will be
a key-signing key; it will have the KSK flag set and
will only be used to sign DNSKEY, CDS, and CDNSKEY RRsets.
If set to <strong class="userinput"><code>zsk</code></strong>, this will be
a zone-signing key; the KSK flag will be unset, and
the key will sign all RRsets <span class="emphasis"><em>except</em></span>
DNSKEY, CDS, and CDNSKEY. If set to
<strong class="userinput"><code>csk</code></strong> the key will have the KSK
flag set and will be used to sign all RRsets.
</p>
<p>
The following part determines where the key will be stored.
Currently keys can only be stored in the configured
<span class="command"><strong>key-directory</strong></span>.
An optional second token determines where the key will
be stored. Currently, keys can only be stored in the
configured <span class="command"><strong>key-directory</strong></span>. This token
may be used in the future to store keys in hardware
service modules or separate directories.
</p>
<p>
The third token tells how long the key may be used. In the
example the first key has a lifetime of 5 years, the second
key may be used for 30 days and the third key has a rather
peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
seconds.
The <span class="command"><strong>lifetime</strong></span> parameter specifies how
long a key may be used before rolling over. In the
example above, the first key will have an unlimited
lifetime, the second key may be used for 30 days, and the
third key has a rather peculiar lifetime of 6 months,
12 hours, 3 minutes and 15 seconds. A lifetime of 0
seconds is the same as <span class="command"><strong>unlimited</strong></span>.
</p>
<p>
The last token(s) are the key's algorithm and algorithm
length. The length may be omitted as shown in the
example for the second and third key.
Note that the lifetime of a key may be extended if
retiring it too soon would cause validation failures.
For example, if the key were configured to roll more
frequently than its own TTL, its lifetime would
automatically be extended to account for this.
</p>
<p>
The <span class="command"><strong>algorithm</strong></span> parameter specifies
the key's algorithm, expressed either as a string
("rsasha256", "ecdsa384", etc) or as a decimal number.
An optional second parameter specifies the key's size
in size in bits. If it is omitted, as shown in the
example for the second and third keys, an appropriate
default size for the algorithm will be used.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>publish-safety</strong></span></span></dt>
<dd>
<p>
A margin that is added to the publish interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <code class="constant">PT1H</code>
(1 hour).
A margin that is added to the pre-publication
interval in rollover timing calculations to give some
extra time to cover unforeseen events. This increases
the time that keys are published before becoming active.
The default is <code class="constant">PT1H</code> (1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>retire-safety</strong></span></span></dt>
<dd>
<p>
A margin that is added to the retire interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <code class="constant">PT1H</code>
(1 hour).
A margin that is added to the post-publication interval
in rollover timing calculations to give some extra time
to cover unforeseen events. This increases the time a key
remains published after it is no longer active. The
default is <code class="constant">PT1H</code> (1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-refresh</strong></span></span></dt>
<dd>
<p>
This determines when a RRSIG record needs to be
refreshed. The signatures is renewed when the time until
the expiration time is closer than
<span class="command"><strong>signatures-refresh</strong></span>.
<span class="command"><strong>signatures-resign</strong></span> interval. Default
is <code class="constant">P5D</code> (5 days), meaning a signature
that will expire in 5 days or sooner will be refreshed.
This determines how frequently an RRSIG record needs to be
refreshed. The signature is renewed when the time until
the expiration time is closer than the specified interval.
The default is <code class="constant">P5D</code> (5 days), meaning
signatures that will expire in 5 days or sooner will be
refreshed.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-validity</strong></span></span></dt>
<dd>
<p>
The validity period of an RRSIG record (minus the
inception offset and jitter). Default is
The validity period of an RRSIG record (subject to
inception offset and jitter). The default is
<code class="constant">P2W</code> (2 weeks).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-validity-dnskey</strong></span></span></dt>
<dd>
<p>
Like <span class="command"><strong>signatures-validity</strong></span> but for
DNSKEY records. Default is <code class="constant">P2W</code> (2
weeks).
Similar to <span class="command"><strong>signatures-validity</strong></span> but for
DNSKEY records. The default is <code class="constant">P2W</code>
(2 weeks).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>zone-max-ttl</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
<dd>
<p>
Like <span class="command"><strong>max-zone-ttl</strong></span>, specifies the
maximum permissible TTL value in seconds. When loading a
zone file using a <code class="option">masterfile-format</code> or
Like the <span class="command"><strong>max-zone-ttl</strong></span> zone option,
this specifies the maximum permissible TTL value in
seconds for the zone. When loading a zone file using
a <code class="option">masterfile-format</code> of
<code class="constant">text</code> or <code class="constant">raw</code>,
any record encountered with a TTL higher than
<code class="option">zone-max-ttl</code> will be capped to the
<code class="option">max-zone-ttl</code> will be capped at the
maximum permissible TTL value.
</p>
<p>
This is needed in DNSSEC-maintained zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from caches.
The <code class="option">zone-max-ttl</code> option guarantees that
The <code class="option">max-zone-ttl</code> option guarantees that
the largest TTL in the zone will be no higher than the
set value.
</p>
@ -9231,41 +9349,41 @@ example.com CNAME rpz-tcp-only.
</p>
<p>
The default value is <code class="constant">PT24H</code> (24 hours).
A <code class="option">zone-max-ttl</code> of zero is treated as if
the default value is in use.
A <code class="option">max-zone-ttl</code> of zero is treated as if
the default value were in use.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>zone-propagation-delay</strong></span></span></dt>
<dd>
<p>
The expected propagation delay from when a zone is
updated and when the new version of the zone is served by
all its name servers. Default is
<code class="constant">PT5M</code> (5 minutes).
The expected propagation delay from the time when a zone
is first updated to the time when the new version of the
zone will be served by all secondary servers. The default
is <code class="constant">PT5M</code> (5 minutes).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-ds-ttl</strong></span></span></dt>
<dd>
<p>
The TTL of the DS RRset that the parent uses. Default is
<code class="constant">P1D</code> (1 day).
The TTL of the DS RRset that the parent zone uses. The
default is <code class="constant">P1D</code> (1 day).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-propagation-delay</strong></span></span></dt>
<dd>
<p>
The expected propagation delay from when the parent zone
is updated and when the new version of the parent zone is
served by all its name servers. Default is
<code class="constant">PT1H</code> (1 hour).
The expected propagation delay from the time when the
parent zone is updated to the time when the new version
is served by all of the parent zone's name servers.
The default is <code class="constant">PT1H</code> (1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-registration-delay</strong></span></span></dt>
<dd>
<p>
The expected registration delay from when a DS RRset
change is requested and when the DS RRset has been
updated in the parent zone. Default is
The expected registration delay from the time when a DS
RRset change is requested to the time when the DS RRset
will be updated in the parent zone. The default is
<code class="constant">P1D</code> (1 day).
</p>
</dd>
@ -10366,13 +10484,16 @@ view "external" {
<dt><span class="term"><span class="command"><strong>dnssec-policy</strong></span></span></dt>
<dd>
<p>
The key and signing policy for this zone. This is a string
referring to a <span class="command"><strong>dnssec-policy</strong></span> statement.
Specifies which key and signing policy (KASP) should
be used for this zone. This is a string referring to
a <span class="command"><strong>dnssec-policy</strong></span> statement.
There are two built-in policies:
<strong class="userinput"><code>"default"</code></strong> allows you to use the
default policy, and <strong class="userinput"><code>"none"</code></strong> means
<strong class="userinput"><code>default</code></strong> allows you to use the
default policy, and <strong class="userinput"><code>none</code></strong> means
not to use any DNSSEC policy, keeping the zone unsigned.
The default is <strong class="userinput"><code>"none"</code></strong>.
The default is <strong class="userinput"><code>none</code></strong>.
See <a class="xref" href="Bv9ARM.ch05.html#dnssec_policy_grammar" title="dnssec-policy Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-policy</strong></span> Statement Grammar&#8221;</a> for
more details.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
@ -15220,6 +15341,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch06.html
View File

@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch07.html
View File

@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

700
doc/arm/Bv9ARM.ch08.html
View File

@ -36,21 +36,12 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.8</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.0</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.8">Notes for BIND 9.15.8</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.0">Notes for BIND 9.17.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@ -59,38 +50,21 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.8</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.17.0</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.15 is an unstable development release of BIND.
BIND 9.17 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
leading up to the stable BIND 9.16 release, this document will be
leading up to the stable BIND 9.18 release, this document will be
updated with additional features added and bugs fixed.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
<p>
Until BIND 9.12, new feature development releases were tagged
as "alpha" and "beta", leading up to the first stable release
for a given development branch, which always ended in ".0".
More recently, BIND adopted the "odd-unstable/even-stable"
release numbering convention. There will be no "alpha" or "beta"
releases in the 9.15 branch, only increasing version numbers.
So, for example, what would previously have been called 9.15.0a1,
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
9.15.1, 9.15.2, etc.
</p>
<p>
The first stable release from this development branch will be
renamed as 9.16.0. Thereafter, maintenance releases will continue
on the 9.16 branch, while unstable feature development proceeds in
9.17.
Please see the file <code class="filename">CHANGES</code> for a more
detailed list of changes and bug fixes.
</p>
</div>
<div class="section">
@ -133,646 +107,7 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.8"></a>Notes for BIND 9.15.8</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.8-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>trust-anchors</strong></span> statement no longer rejects
a mix of both key-style and DS-style trust anchor entries for the
same name. [GL #1237]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.8-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed an intermittent crash in the validator that could occur
when validating negative answers from the cache. [GL #1561]
</p>
</li>
<li class="listitem">
<p>
Fixed a bug that could cause <span class="command"><strong>named</strong></span> to crash on
machines with more than 40 CPUs. [GL #1493]
</p>
</li>
<li class="listitem">
<p>
Socket-related statistics counters were not being updated by
network manager sockets, but are now fully functional. [GL #1311]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
which was introduced in 9.15.1 and revised in 9.15.6, has now
been renamed to the more descriptive
<span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
</p>
<p>
(See release notes for
<a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
and
<a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
for prior discussion of this feature.)
</p>
</li>
<li class="listitem">
<p>
Added support for multithreaded listening for TCP connections
in the network manager. [GL !2659]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
on reconfiguration when any GeoIP2 database was in use. [GL #1445]
</p>
</li>
<li class="listitem">
<p>
Fixed several possible race conditions discovered by
ThreadSanitizer.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
A new asynchronous network communications system based on
<span class="command"><strong>libuv</strong></span> is now used by <span class="command"><strong>named</strong></span>
for listening for incoming requests and responding to them.
This change will make it easier to improve performance and
implement new protocol layers (for example, DNS over TLS) in
the future. [GL #29]
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
configuration key and signing policy (KASP) for zones. This
option enables <span class="command"><strong>named</strong></span> to generate new keys
as needed and automatically roll both ZSK and KSK keys.
(Note that the syntax for this statement differs from the DNSSEC
policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
</p>
</li>
<li class="listitem">
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
</li>
<li class="listitem">
<p>
Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
</p>
</li>
<li class="listitem">
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could crash with an assertion failure
if a forwarder returned a referral, rather than resolving the
query, when QNAME minimization was enabled. This flaw is
disclosed in CVE-2019-6476. [GL #1051]
</p>
</li>
<li class="listitem">
<p>
A flaw in DNSSEC verification when transferring mirror zones
could allow data to be incorrectly marked valid. This flaw
is disclosed in CVE-2019-6475. [GL #1252]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Added a new command line option to <span class="command"><strong>dig</strong></span>:
<span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
won't accept a reply from a source other than the one to which
it sent the query. Add the <span class="command"><strong>+unexpected</strong></span> argument
to enable it to process replies from unexpected sources.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
<span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
option to print output in a a detailed YAML format. [RT #1145]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
that its policies are removed from the RPZ summary database.
[GL #1146]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Statistics channel groups are now toggleable. [GL #1030]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
marked as deprecated; when used in <code class="filename">named.conf</code>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
[GL #7]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This change doesn't have any operational impact
in most common scenarios. [GL #605]
</p>
<p>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</p>
</li>
<li class="listitem">
<p>
The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
<span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <span class="command"><strong>-f -</strong></span> option. A new
configuration option <span class="command"><strong>-q</strong></span> has been added to silence
all output on standard output except for the name of the signed zone.
</p>
</li>
<li class="listitem">
<p>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
</p>
</li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
<span class="command"><strong>dnstap-output</strong></span> option when
<span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
</p>
</li>
<li class="listitem">
<p>
Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The GeoIP2 API from MaxMind is now supported. Geolocation support
will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
library is found at compile time, but can be turned off by using
<span class="command"><strong>configure --disable-geoip</strong></span>.
</p>
<p>
The default path to the GeoIP2 databases will be set based
on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
for example, if it is in <code class="filename">/usr/local/lib</code>,
then the default path will be
<code class="filename">/usr/local/share/GeoIP</code>.
This value can be overridden in <code class="filename">named.conf</code>
using the <span class="command"><strong>geoip-directory</strong></span> option.
</p>
<p>
Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
<span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
no longer work when using GeoIP2. Supported GeoIP2 database
types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
<span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
<span class="command"><strong>as</strong></span>. All of these databases support both IPv4
and IPv6 lookups. [GL #182] [GL #1112]
</p>
</li>
<li class="listitem">
<p>
Two new metrics have been added to the
<span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
signing operations. For each key in each zone, the
<span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
number of signatures <span class="command"><strong>named</strong></span> has generated
using that key since server startup, and the
<span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
many of those signatures were refreshed during zone
maintenance, as opposed to having been generated
as a result of a zone update. [GL #513]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
When <span class="command"><strong>qname-minimization</strong></span> was set to
<span class="command"><strong>relaxed</strong></span>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>./configure</strong></span> no longer sets
<span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
<span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
when <span class="command"><strong>--prefix</strong></span> is not specified and the
aforementioned options are not specified explicitly. Instead,
Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
<span class="command"><strong>$prefix/var</strong></span> are respected.
</p>
</li>
<li class="listitem">
<p>
Glue address records were not being returned in responses
to root priming queries; this has been corrected. [GL #1092]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
the <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> statements have been
deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
statement should now be used for both types of key.
</p>
<p>
When used with the keyword <span class="command"><strong>initial-key</strong></span>,
<span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
<span class="command"><strong>managed-keys</strong></span>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</p>
<p>
When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
configuring a permanent trust anchor that will not automatically
be updated. (This usage is not recommended for the root key.)
[GL #6]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>cleaning-interval</strong></span> option has been
removed. [GL !1731]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone. [GL #6]
</p>
</li>
<li class="listitem">
<p>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <span class="command"><strong>configure</strong></span>
option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
to <span class="command"><strong>--with-json-c</strong></span>. Use
<span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
the <span class="command"><strong>json-c</strong></span> library as the new
<span class="command"><strong>configure</strong></span> option does not take the library
installation path as an optional argument.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
<code class="filename">dsset</code> files generated by
<span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
<code class="filename">keyset</code> files, the CDS records added to
a zone by <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
parameters in key files, and the checks performed by
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
inadvertently treated as configuration errors when used at the
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
This has now been corrected.
[GL #913]
</p>
</li></ul></div>
</div>
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
</div>
@ -780,7 +115,7 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
BIND is open source software licensed under the terms of the Mozilla
BIND 9 is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
@ -795,23 +130,26 @@
</p>
<p>
Those wishing to discuss license compliance may contact ISC at
<a class="link" href="https://www.isc.org/mission/contact/" target="_top">
https://www.isc.org/mission/contact/</a>.
<a class="link" href="https://www.isc.org/contact/" target="_top">
https://www.isc.org/contact/</a>.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
BIND 9.15 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.16, which will be a
BIND 9.17 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.18, which will be a
stable branch.
</p>
<p>
The end of life date for BIND 9.16 has not yet been determined.
The end of life date for BIND 9.18 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
least December 2021.
</p>
<p>
See
<a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
for details of ISC's software support policy.
</p>
@ -843,6 +181,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch09.html
View File

@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch10.html
View File

@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch11.html
View File

@ -538,6 +538,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch12.html
View File

@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

20
doc/arm/Bv9ARM.html
View File

@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.15.8</p></div>
<div><p class="releaseinfo">BIND Version 9.17.0</p></div>
<div><p class="copyright">Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
@ -196,8 +196,7 @@
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
@ -248,21 +247,12 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.8</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.0</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.8">Notes for BIND 9.15.8</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.0">Notes for BIND 9.17.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@ -450,6 +440,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

BIN
doc/arm/Bv9ARM.pdf
View File

Binary file not shown.

2
doc/arm/man.arpaname.html
View File

@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.ddns-confgen.html
View File

@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.delv.html
View File

@ -621,6 +621,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dig.html
View File

@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-cds.html
View File

@ -376,6 +376,6 @@ nsupdate -l
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-checkds.html
View File

@ -156,6 +156,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-coverage.html
View File

@ -270,6 +270,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-dsfromkey.html
View File

@ -341,6 +341,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-importkey.html
View File

@ -250,6 +250,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

6
doc/arm/man.dnssec-keyfromlabel.html
View File

@ -164,9 +164,7 @@
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
identifies a particular key.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
@ -498,6 +496,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-keygen.html
View File

@ -589,6 +589,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-keymgr.html
View File

@ -405,6 +405,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-revoke.html
View File

@ -171,6 +171,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-settime.html
View File

@ -424,6 +424,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-signzone.html
View File

@ -707,6 +707,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-verify.html
View File

@ -214,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnstap-read.html
View File

@ -143,6 +143,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.filter-aaaa.html
View File

@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.host.html
View File

@ -366,6 +366,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.mdig.html
View File

@ -610,6 +610,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-checkconf.html
View File

@ -214,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-checkzone.html
View File

@ -463,6 +463,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-journalprint.html
View File

@ -117,6 +117,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-nzd2nzf.html
View File

@ -119,6 +119,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-rrchecker.html
View File

@ -121,6 +121,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

84
doc/arm/man.named.conf.html
View File

@ -110,7 +110,28 @@ dlz
</div>
<div class="refsection">
<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
<a name="id-1.13.27.11"></a><h2>DNSSEC-POLICY</h2>
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited )<br>
    algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ]; ... };<br>
max-zone-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
publish-safety <em class="replaceable"><code>duration</code></em>;<br>
retire-safety <em class="replaceable"><code>duration</code></em>;<br>
signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.12"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -118,7 +139,7 @@ dyndb
</div>
<div class="refsection">
<a name="id-1.13.27.12"></a><h2>KEY</h2>
<a name="id-1.13.27.13"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -128,7 +149,7 @@ key
</div>
<div class="refsection">
<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -149,8 +170,8 @@ logging
</div>
<div class="refsection">
<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see TRUST-ANCHORS.</p>
<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key | static-ds |<br>
@ -160,7 +181,7 @@ managed-keys
</div>
<div class="refsection">
<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -170,7 +191,7 @@ masters
</div>
<div class="refsection">
<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -250,6 +271,7 @@ options
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
@ -399,8 +421,8 @@ options
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -469,7 +491,7 @@ options
</div>
<div class="refsection">
<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
@ -477,7 +499,7 @@ plugin
</div>
<div class="refsection">
<a name="id-1.13.27.18"></a><h2>SERVER</h2>
<a name="id-1.13.27.19"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -515,7 +537,7 @@ server
</div>
<div class="refsection">
<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -527,7 +549,7 @@ statistics-channels
</div>
<div class="refsection">
<a name="id-1.13.27.20"></a><h2>TRUST-ANCHORS</h2>
<a name="id-1.13.27.21"></a><h2>TRUST-ANCHORS</h2>
<div class="literallayout"><p><br>
trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds )<br>
@ -537,8 +559,8 @@ trust-anchors
</div>
<div class="refsection">
<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see TRUST-ANCHORS.</p>
<a name="id-1.13.27.22"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@ -547,7 +569,7 @@ trusted-keys
</div>
<div class="refsection">
<a name="id-1.13.27.22"></a><h2>VIEW</h2>
<a name="id-1.13.27.23"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -620,6 +642,7 @@ view
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
@ -743,8 +766,8 @@ view
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
    | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@ -926,7 +949,7 @@ view
</div>
<div class="refsection">
<a name="id-1.13.27.23"></a><h2>ZONE</h2>
<a name="id-1.13.27.24"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1025,27 +1048,6 @@ zone
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.24"></a><h2>DNSSEC-POLICY</h2>
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
publish-safety <em class="replaceable"><code>duration</code></em>;<br>
retire-safety <em class="replaceable"><code>duration</code></em>;<br>
signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.25"></a><h2>FILES</h2>
@ -1095,6 +1097,6 @@ dnssec-policy
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

8
doc/arm/man.named.html
View File

@ -248,9 +248,9 @@
<p>
Allow <span class="command"><strong>named</strong></span> to use up to
<em class="replaceable"><code>#max-socks</code></em> sockets.
The default value is 4096 on systems built with default
configuration options, and 21000 on systems built with
"configure --with-tuning=large".
The default value is 21000 on systems built with default
configuration options, and 4096 on systems built with
"configure --with-tuning=small".
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
@ -492,6 +492,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nsec3hash.html
View File

@ -155,6 +155,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

10
doc/arm/man.nslookup.html
View File

@ -308,7 +308,13 @@ nslookup -query=hinfo -timeout=10
Change the type of the information query.
</p>
<p>
(Default = A; abbreviations = q, ty)
(Default = A and then AAAA; abbreviations = q, ty)
</p>
<p>
<span class="bold"><strong>Note:</strong></span> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
@ -437,6 +443,6 @@ nslookup -query=hinfo -timeout=10
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nsupdate.html
View File

@ -818,6 +818,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-destroy.html
View File

@ -162,6 +162,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-keygen.html
View File

@ -200,6 +200,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-list.html
View File

@ -158,6 +158,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-tokens.html
View File

@ -123,6 +123,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc-confgen.html
View File

@ -260,6 +260,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc.conf.html
View File

@ -268,6 +268,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc.html
View File

@ -1021,6 +1021,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
</body>
</html>

685
doc/arm/notes.html
View File

@ -15,38 +15,21 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.8</h2></div></div></div>
<a name="id-1.2"></a>Release Notes for BIND Version 9.17.0</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.15 is an unstable development release of BIND.
BIND 9.17 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
leading up to the stable BIND 9.16 release, this document will be
leading up to the stable BIND 9.18 release, this document will be
updated with additional features added and bugs fixed.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
<p>
Until BIND 9.12, new feature development releases were tagged
as "alpha" and "beta", leading up to the first stable release
for a given development branch, which always ended in ".0".
More recently, BIND adopted the "odd-unstable/even-stable"
release numbering convention. There will be no "alpha" or "beta"
releases in the 9.15 branch, only increasing version numbers.
So, for example, what would previously have been called 9.15.0a1,
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
9.15.1, 9.15.2, etc.
</p>
<p>
The first stable release from this development branch will be
renamed as 9.16.0. Thereafter, maintenance releases will continue
on the 9.16 branch, while unstable feature development proceeds in
9.17.
Please see the file <code class="filename">CHANGES</code> for a more
detailed list of changes and bug fixes.
</p>
</div>
<div class="section">
@ -89,646 +72,7 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.8"></a>Notes for BIND 9.15.8</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.8-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>trust-anchors</strong></span> statement no longer rejects
a mix of both key-style and DS-style trust anchor entries for the
same name. [GL #1237]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.8-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed an intermittent crash in the validator that could occur
when validating negative answers from the cache. [GL #1561]
</p>
</li>
<li class="listitem">
<p>
Fixed a bug that could cause <span class="command"><strong>named</strong></span> to crash on
machines with more than 40 CPUs. [GL #1493]
</p>
</li>
<li class="listitem">
<p>
Socket-related statistics counters were not being updated by
network manager sockets, but are now fully functional. [GL #1311]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
which was introduced in 9.15.1 and revised in 9.15.6, has now
been renamed to the more descriptive
<span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
</p>
<p>
(See release notes for
<a class="xref" href="#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
and
<a class="xref" href="#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
for prior discussion of this feature.)
</p>
</li>
<li class="listitem">
<p>
Added support for multithreaded listening for TCP connections
in the network manager. [GL !2659]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
on reconfiguration when any GeoIP2 database was in use. [GL #1445]
</p>
</li>
<li class="listitem">
<p>
Fixed several possible race conditions discovered by
ThreadSanitizer.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
A new asynchronous network communications system based on
<span class="command"><strong>libuv</strong></span> is now used by <span class="command"><strong>named</strong></span>
for listening for incoming requests and responding to them.
This change will make it easier to improve performance and
implement new protocol layers (for example, DNS over TLS) in
the future. [GL #29]
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
configuration key and signing policy (KASP) for zones. This
option enables <span class="command"><strong>named</strong></span> to generate new keys
as needed and automatically roll both ZSK and KSK keys.
(Note that the syntax for this statement differs from the DNSSEC
policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
</p>
</li>
<li class="listitem">
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
</li>
<li class="listitem">
<p>
Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
</p>
</li>
<li class="listitem">
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could crash with an assertion failure
if a forwarder returned a referral, rather than resolving the
query, when QNAME minimization was enabled. This flaw is
disclosed in CVE-2019-6476. [GL #1051]
</p>
</li>
<li class="listitem">
<p>
A flaw in DNSSEC verification when transferring mirror zones
could allow data to be incorrectly marked valid. This flaw
is disclosed in CVE-2019-6475. [GL #1252]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Added a new command line option to <span class="command"><strong>dig</strong></span>:
<span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
won't accept a reply from a source other than the one to which
it sent the query. Add the <span class="command"><strong>+unexpected</strong></span> argument
to enable it to process replies from unexpected sources.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
<span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
option to print output in a a detailed YAML format. [RT #1145]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
that its policies are removed from the RPZ summary database.
[GL #1146]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Statistics channel groups are now toggleable. [GL #1030]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
marked as deprecated; when used in <code class="filename">named.conf</code>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
[GL #7]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This change doesn't have any operational impact
in most common scenarios. [GL #605]
</p>
<p>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</p>
</li>
<li class="listitem">
<p>
The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
<span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <span class="command"><strong>-f -</strong></span> option. A new
configuration option <span class="command"><strong>-q</strong></span> has been added to silence
all output on standard output except for the name of the signed zone.
</p>
</li>
<li class="listitem">
<p>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
</p>
</li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
<span class="command"><strong>dnstap-output</strong></span> option when
<span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
</p>
</li>
<li class="listitem">
<p>
Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The GeoIP2 API from MaxMind is now supported. Geolocation support
will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
library is found at compile time, but can be turned off by using
<span class="command"><strong>configure --disable-geoip</strong></span>.
</p>
<p>
The default path to the GeoIP2 databases will be set based
on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
for example, if it is in <code class="filename">/usr/local/lib</code>,
then the default path will be
<code class="filename">/usr/local/share/GeoIP</code>.
This value can be overridden in <code class="filename">named.conf</code>
using the <span class="command"><strong>geoip-directory</strong></span> option.
</p>
<p>
Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
<span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
no longer work when using GeoIP2. Supported GeoIP2 database
types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
<span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
<span class="command"><strong>as</strong></span>. All of these databases support both IPv4
and IPv6 lookups. [GL #182] [GL #1112]
</p>
</li>
<li class="listitem">
<p>
Two new metrics have been added to the
<span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
signing operations. For each key in each zone, the
<span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
number of signatures <span class="command"><strong>named</strong></span> has generated
using that key since server startup, and the
<span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
many of those signatures were refreshed during zone
maintenance, as opposed to having been generated
as a result of a zone update. [GL #513]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
When <span class="command"><strong>qname-minimization</strong></span> was set to
<span class="command"><strong>relaxed</strong></span>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>./configure</strong></span> no longer sets
<span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
<span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
when <span class="command"><strong>--prefix</strong></span> is not specified and the
aforementioned options are not specified explicitly. Instead,
Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
<span class="command"><strong>$prefix/var</strong></span> are respected.
</p>
</li>
<li class="listitem">
<p>
Glue address records were not being returned in responses
to root priming queries; this has been corrected. [GL #1092]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
the <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> statements have been
deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
statement should now be used for both types of key.
</p>
<p>
When used with the keyword <span class="command"><strong>initial-key</strong></span>,
<span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
<span class="command"><strong>managed-keys</strong></span>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</p>
<p>
When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
configuring a permanent trust anchor that will not automatically
be updated. (This usage is not recommended for the root key.)
[GL #6]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>cleaning-interval</strong></span> option has been
removed. [GL !1731]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone. [GL #6]
</p>
</li>
<li class="listitem">
<p>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <span class="command"><strong>configure</strong></span>
option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
to <span class="command"><strong>--with-json-c</strong></span>. Use
<span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
the <span class="command"><strong>json-c</strong></span> library as the new
<span class="command"><strong>configure</strong></span> option does not take the library
installation path as an optional argument.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
<code class="filename">dsset</code> files generated by
<span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
<code class="filename">keyset</code> files, the CDS records added to
a zone by <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
parameters in key files, and the checks performed by
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
inadvertently treated as configuration errors when used at the
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
This has now been corrected.
[GL #913]
</p>
</li></ul></div>
</div>
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
</div>
@ -736,7 +80,7 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
BIND is open source software licensed under the terms of the Mozilla
BIND 9 is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
@ -751,23 +95,26 @@
</p>
<p>
Those wishing to discuss license compliance may contact ISC at
<a class="link" href="https://www.isc.org/mission/contact/" target="_top">
https://www.isc.org/mission/contact/</a>.
<a class="link" href="https://www.isc.org/contact/" target="_top">
https://www.isc.org/contact/</a>.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
BIND 9.15 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.16, which will be a
BIND 9.17 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.18, which will be a
stable branch.
</p>
<p>
The end of life date for BIND 9.16 has not yet been determined.
The end of life date for BIND 9.18 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
least December 2021.
</p>
<p>
See
<a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
for details of ISC's software support policy.
</p>

BIN
doc/arm/notes.pdf
View File

Binary file not shown.

349
doc/arm/notes.txt
View File

@ -1,27 +1,15 @@
Release Notes for BIND Version 9.15.8
Release Notes for BIND Version 9.17.0
Introduction
BIND 9.15 is an unstable development release of BIND. This document
BIND 9.17 is an unstable development release of BIND. This document
summarizes new features and functional changes that have been introduced
on this branch. With each development release leading up to the stable
BIND 9.16 release, this document will be updated with additional features
BIND 9.18 release, this document will be updated with additional features
added and bugs fixed.
Note on Version Numbering
Until BIND 9.12, new feature development releases were tagged as "alpha"
and "beta", leading up to the first stable release for a given development
branch, which always ended in ".0". More recently, BIND adopted the
"odd-unstable/even-stable" release numbering convention. There will be no
"alpha" or "beta" releases in the 9.15 branch, only increasing version
numbers. So, for example, what would previously have been called 9.15.0a1,
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, 9.15.1,
9.15.2, etc.
The first stable release from this development branch will be renamed as
9.16.0. Thereafter, maintenance releases will continue on the 9.16 branch,
while unstable feature development proceeds in 9.17.
Please see the file CHANGES for a more detailed list of changes and bug
fixes.
Supported Platforms
@ -48,321 +36,11 @@ www.isc.org/download/. There you will find additional information about
each release, source code, and pre-compiled versions for Microsoft Windows
operating systems.
Notes for BIND 9.15.8
Feature Changes
* The trust-anchors statement no longer rejects a mix of both key-style
and DS-style trust anchor entries for the same name. [GL #1237]
Bug Fixes
* Fixed an intermittent crash in the validator that could occur when
validating negative answers from the cache. [GL #1561]
* Fixed a bug that could cause named to crash on machines with more than
40 CPUs. [GL #1493]
* Socket-related statistics counters were not being updated by network
manager sockets, but are now fully functional. [GL #1311]
Notes for BIND 9.15.7
Feature Changes
* The dnssec-keys configuration statement, which was introduced in
9.15.1 and revised in 9.15.6, has now been renamed to the more
descriptive trust-anchors. [GL !2702]
(See release notes for BIND 9.15.1 and BIND 9.15.6 for prior
discussion of this feature.)
* Added support for multithreaded listening for TCP connections in the
network manager. [GL !2659]
Bug Fixes
* Fixed a bug that caused named to leak memory on reconfiguration when
any GeoIP2 database was in use. [GL #1445]
* Fixed several possible race conditions discovered by ThreadSanitizer.
Notes for BIND 9.15.6
Security Fixes
* Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
New Features
* A new asynchronous network communications system based on libuv is now
used by named for listening for incoming requests and responding to
them. This change will make it easier to improve performance and
implement new protocol layers (for example, DNS over TLS) in the
future. [GL #29]
* The new dnssec-policy option allows the configuration key and signing
policy (KASP) for zones. This option enables named to generate new
keys as needed and automatically roll both ZSK and KSK keys. (Note
that the syntax for this statement differs from the DNSSEC policy used
by dnssec-keymgr.) [GL #1134]
* Two new keywords have been added to the dnssec-keys statement:
initial-ds and static-ds. These allow the use of trust anchors in DS
format instead of DNSKEY format. DS format allows trust anchors to be
configured for keys that have not yet been published; this is the
format used by IANA when announcing future root keys.
As with the initial-key and static-key keywords, initial-ds configures
a dynamic trust anchor to be maintained via RFC 5011, and static-ds
configures a permanent trust anchor.
(Note: Currently, DNSKEY-format and DS-format trust anchors cannot
both be used for the same domain name.) [GL #6] [GL #622]
* Added a new statistics variable tcp-highwater that reports the maximum
number of simultaneous TCP clients BIND has handled while running. [GL
#1206]
Feature Changes
* NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
* The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
Notes for BIND 9.15.5
Security Fixes
* named could crash with an assertion failure if a forwarder returned a
referral, rather than resolving the query, when QNAME minimization was
enabled. This flaw is disclosed in CVE-2019-6476. [GL #1051]
* A flaw in DNSSEC verification when transferring mirror zones could
allow data to be incorrectly marked valid. This flaw is disclosed in
CVE-2019-6475. [GL #1252]
Notes for BIND 9.15.4
New Features
* Added a new command line option to dig: +[no]unexpected. By default,
dig won't accept a reply from a source other than the one to which it
sent the query. Add the +unexpected argument to enable it to process
replies from unexpected sources.
* dig, mdig and delv can all now take a +yaml option to print output in
a a detailed YAML format. [RT #1145]
Bug Fixes
* When a response-policy zone expires, ensure that its policies are
removed from the RPZ summary database. [GL #1146]
Notes for BIND 9.15.3
New Features
* Statistics channel groups are now toggleable. [GL #1030]
Removed Features
* DNSSEC Lookaside Validation (DLV) is now obsolete. The
dnssec-lookaside option has been marked as deprecated; when used in
named.conf, it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, delv, and the DNSSEC tools. [GL #7]
Feature Changes
* A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This change doesn't have any operational impact in
most common scenarios. [GL #605]
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
* The information from the dnssec-signzone and dnssec-verify commands is
now printed to standard output. The standard error output is only used
to print warnings and errors, and in case the user requests the signed
zone to be printed to standard output with -f - option. A new
configuration option -q has been added to silence all output on
standard output except for the name of the signed zone.
* DS records included in DNS referral messages can now be validated and
cached immediately, reducing the number of queries needed for a DNSSEC
validation. [GL #964]
Bug Fixes
* Cache database statistics counters could report invalid values when
stale answers were enabled, because of a bug in counter maintenance
when cache data becomes stale. The statistics counters have been
corrected to report the number of RRsets for each RR type that are
active, stale but still potentially served, or stale and marked for
deletion. [GL #602]
* Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
* named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
zero. [GL #1159]
* named-checkconf now correctly reports a missing dnstap-output option
when dnstap is set. [GL #1136]
* Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
1133]
* dig now correctly expands the IPv6 address when run with +expandaaaa
+short. [GL #1152]
Notes for BIND 9.15.2
New Features
* The GeoIP2 API from MaxMind is now supported. Geolocation support will
be compiled in by default if the libmaxminddb library is found at
compile time, but can be turned off by using configure --disable-geoip
.
The default path to the GeoIP2 databases will be set based on the
location of the libmaxminddb library; for example, if it is in /usr/
local/lib, then the default path will be /usr/local/share/GeoIP. This
value can be overridden in named.conf using the geoip-directory
option.
Some geoip ACL settings that were available with legacy GeoIP,
including searches for netspeed, org, and three-letter ISO country
codes, will no longer work when using GeoIP2. Supported GeoIP2
database types are country, city, domain, isp, and as. All of these
databases support both IPv4 and IPv6 lookups. [GL #182] [GL #1112]
* Two new metrics have been added to the statistics-channel to report
DNSSEC signing operations. For each key in each zone, the dnssec-sign
counter indicates the total number of signatures named has generated
using that key since server startup, and the dnssec-refresh counter
indicates how many of those signatures were refreshed during zone
maintenance, as opposed to having been generated as a result of a zone
update. [GL #513]
Bug Fixes
* When qname-minimization was set to relaxed, some improperly configured
domains would fail to resolve, but would have succeeded when
minimization was disabled. named will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering the
problem. [GL #1055]
* ./configure no longer sets --sysconfdir to /etc or --localstatedir to
/var when --prefix is not specified and the aforementioned options are
not specified explicitly. Instead, Autoconf's defaults of $prefix/etc
and $prefix/var are respected.
* Glue address records were not being returned in responses to root
priming queries; this has been corrected. [GL #1092]
Notes for BIND 9.15.1
Security Fixes
* A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
New Features
* In order to clarify the configuration of DNSSEC keys, the trusted-keys
and managed-keys statements have been deprecated, and the new
dnssec-keys statement should now be used for both types of key.
When used with the keyword initial-key, dnssec-keys has the same
behavior as managed-keys, i.e., it configures a trust anchor that is
to be maintained via RFC 5011.
When used with the new keyword static-key, it has the same behavior as
trusted-keys, configuring a permanent trust anchor that will not
automatically be updated. (This usage is not recommended for the root
key.) [GL #6]
Removed Features
* The cleaning-interval option has been removed. [GL !1731]
Feature Changes
* named will now log a warning if a static key is configured for the
root zone. [GL #6]
* JSON-C is now the only supported library for enabling JSON support for
BIND statistics. The configure option has been renamed from
--with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a
custom path to the json-c library as the new configure option does not
take the library installation path as an optional argument.
Notes for BIND 9.15.0
Security Fixes
* In certain configurations, named could crash with an assertion failure
if nxdomain-redirect was in use and a redirected query resulted in an
NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
#880]
* The TCP client quota set using the tcp-clients option could be
exceeded in some cases. This could lead to exhaustion of file
descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
New Features
* The new add-soa option specifies whether or not the response-policy
zone's SOA record should be included in the additional section of RPZ
responses. [GL #865]
Removed Features
* The dnssec-enable option has been obsoleted and no longer has any
effect. DNSSEC responses are always enabled if signatures and other
DNSSEC data are present. [GL #866]
Feature Changes
* When static and managed DNSSEC keys were both configured for the same
name, or when a static key was used to configure a trust anchor for
the root zone and dnssec-validation was set to the default value of
auto, automatic RFC 5011 key rollovers would be disabled. This
combination of settings was never intended to work, but there was no
check for it in the parser. This has been corrected, and it is now a
fatal configuration error. [GL #868]
* DS and CDS records are now generated with SHA-256 digests only,
instead of both SHA-1 and SHA-256. This affects the default output of
dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS
records added to a zone by dnssec-signzone based on keyset files, the
CDS records added to a zone by named and dnssec-signzone based on
"sync" timing parameters in key files, and the checks performed by
dnssec-checkds.
Bug Fixes
* The allow-update and allow-update-forwarding options were
inadvertently treated as configuration errors when used at the options
or view level. This has now been corrected. [GL #913]
Notes for BIND 9.17.0
License
BIND is open source software licensed under the terms of the Mozilla
BIND 9 is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
The license requires that if you make changes to BIND and distribute them
@ -373,17 +51,18 @@ affect anyone who is using BIND, with or without modifications, without
redistributing it, nor anyone redistributing BIND without changes.
Those wishing to discuss license compliance may contact ISC at https://
www.isc.org/mission/contact/.
www.isc.org/contact/.
End of Life
BIND 9.15 is an unstable development branch. When its development is
complete, it will be renamed to BIND 9.16, which will be a stable branch.
BIND 9.17 is an unstable development branch. When its development is
complete, it will be renamed to BIND 9.18, which will be a stable branch.
The end of life date for BIND 9.16 has not yet been determined. For those
The end of life date for BIND 9.18 has not yet been determined. For those
needing long term support, the current Extended Support Version (ESV) is
BIND 9.11, which will be supported until at least December 2021. See
https://kb.isc.org/docs/aa-00896 for details of ISC's software support
BIND 9.11, which will be supported until at least December 2021.
See https://kb.isc.org/docs/aa-00896 for details of ISC's software support
policy.
Thank You