regen master

README

@@ -5,13 +5,14 @@ Contents
  1. Introduction
  2. Reporting bugs and getting help
  3. Contributing to BIND
- 4. BIND 9.12 features
+ 4. BIND 9.13 features
  5. Building BIND
- 6. Compile-time options
+ 6. MacOS
- 7. Automated testing
+ 7. Compile-time options
- 8. Documentation
+ 8. Automated testing
- 9. Change log
+ 9. Documentation
-10. Acknowledgments
+10. Change log
+11. Acknowledgments
 
 Introduction
 
@@ -89,39 +90,13 @@ header with "[PATCH]" so it will be easier for us to find. If your patch
 introduces a new feature in BIND, please submit it to bind-suggest@isc.org
 ; if it fixes a bug, please submit it to bind9-bugs@isc.org.
 
-BIND 9.12 features
+BIND 9.13 features
 
-BIND 9.12.0 is the newest development branch of BIND 9. It includes a
+BIND 9.13.0 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.11 and earlier releases. New features
+number of changes from BIND 9.12 and earlier releases. New features
 include:
 
-  * named and related libraries have been substantially refactored for
+  * TBD
-    improved query performance -- particularly on delegation heavy zones
-    -- and for improved readability, maintainability, and testability.
-  * Code implementing the name server query processing logic has been
-    moved into a new libns library, for easier testing and use in tools
-    other than named.
-  * Cached, validated NSEC and other records can now be used to synthesize
-    NXDOMAIN responses.
-  * The DNS Response Policy Service API (DNSRPS) is now supported.
-  * Setting 'max-journal-size default' now limits the size of journal
-    files to twice the size of the zone.
-  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
-    message.
-  * dnstap output files can now be configured to roll automatically when
-    reaching a given size.
-  * Log file timestamps can now also be formatted in ISO 8601 (local) or
-    ISO 8601 (UTC) formats.
-  * Logging channels and dnstap output files can now be configured to use
-    a timestamp as the suffix when rolling to a new file.
-  * 'named-checkconf -l' lists zones found in named.conf.
-  * Added support for the EDNS Padding and Keepalive options.
-  * 'new-zones-directory' option sets the location where the configuration
-    data for zones added by rndc addzone is stored.
-  * The default key algorithm in rndc-confgen is now hmac-sha256.
-  * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
-    default without a configure option.
-  * The obsolete isc-hmac-fixup command has been removed.
 
 Building BIND
 
@@ -165,6 +140,14 @@ BUILD_CPPFLAGS
 BUILD_LDFLAGS
 BUILD_LIBS
 
+MacOS
+
+Building on MacOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from https://developer.apple.com/download/more/ or
+if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and
+other tools so that they can be easily found.
+
 Compile-time options
 
 To see a full list of configuration options, run configure --help.

doc/arm/Bv9ARM.ch06.html

@@ -4668,13 +4668,13 @@ options {
                   difference set.
                 </p>
                 <p><span class="command"><strong>ixfr-from-differences</strong></span>
-                  also accepts <span class="command"><strong>master</strong></span> and
+                  also accepts <span class="command"><strong>master</strong></span> (or
-                  <span class="command"><strong>slave</strong></span> at the view and options
+                  <span class="command"><strong>primary</strong></span>) and
-                  levels which causes
+                  <span class="command"><strong>slave</strong></span> (or <span class="command"><strong>secondary</strong></span>)
+                  at the view and options levels, which causes
                   <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for
-                  all <span class="command"><strong>master</strong></span> or
+                  all primary or secondary zones, respectively.
-                  <span class="command"><strong>slave</strong></span> zones respectively.
+                  It is off for all zones by default.
-                  It is off by default.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
@@ -9219,7 +9219,7 @@ view "external" {
             Statement Grammar</h3></div></div></div>
 
 <pre class="programlisting"><span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> master ;
+    <span class="command"><strong>type</strong></span> ( master | primary );
   [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
   [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
   [ <span class="command"><strong>allow-transfer</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
@@ -9278,7 +9278,7 @@ view "external" {
 <span class="command"><strong>}</strong></span> ;
 
 <span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> slave ;
+    <span class="command"><strong>type</strong></span> (slave | secondary);
   [ <span class="command"><strong>allow-notify</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
   [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
   [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
@@ -9442,10 +9442,14 @@ view "external" {
               The <span class="command"><strong>type</strong></span> keyword is required
               for the <span class="command"><strong>zone</strong></span> configuration unless
               it is an <span class="command"><strong>in-view</strong></span> configuration. Its
-              acceptable values include: <code class="varname">delegation-only</code>,
+              acceptable values include:
-              <code class="varname">forward</code>, <code class="varname">hint</code>,
+              <code class="varname">master</code> (or <code class="varname">primary</code>),
-              <code class="varname">master</code>, <code class="varname">redirect</code>,
+              <code class="varname">slave</code> (or <code class="varname">secondary</code>),
-              <code class="varname">slave</code>, <code class="varname">static-stub</code>,
+              <code class="varname">delegation-only</code>,
+              <code class="varname">forward</code>,
+              <code class="varname">hint</code>,
+              <code class="varname">redirect</code>,
+              <code class="varname">static-stub</code>,
               and <code class="varname">stub</code>.
             </p>
 
@@ -9466,8 +9470,8 @@ view "external" {
                       <p>
                         The server has a master copy of the data
                         for the zone and will be able to provide authoritative
-                        answers for
+                        answers for it. Type <code class="varname">primary</code> is
-                        it.
+                        a synonym for <code class="varname">master</code>.
                       </p>
                     </td>
 </tr>
@@ -9480,7 +9484,9 @@ view "external" {
 <td>
                       <p>
                         A slave zone is a replica of a master
-                        zone. The <span class="command"><strong>masters</strong></span> list
+                        zone. Type <code class="varname">secondary</code> is a
+                        synonym for <code class="varname">slave</code>.
+                        The <span class="command"><strong>masters</strong></span> list
                         specifies one or more IP addresses
                         of master servers that the slave contacts to update
                         its copy of the zone.

doc/arm/Bv9ARM.ch09.html

@@ -40,14 +40,11 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
 </dl></dd>
@@ -61,10 +58,10 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
     <p>
-      BIND 9.12.0 is a new feature release of BIND, still under development.
+      BIND 9.13 is unstable development release of BIND.
       This document summarizes new features and functional changes that
       have been introduced on this branch.  With each development
-      release leading up to the final BIND 9.12.0 release, this document
+      release leading up to the stable BIND 9.14 release, this document
       will be updated with additional features added and bugs fixed.
     </p>
   </div>
@@ -83,46 +80,6 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_license"></a>License Change</h3></div></div></div>
-    <p>
-      With the release of BIND 9.11.0, ISC changed to the open
-      source license for BIND from the ISC license to the Mozilla
-      Public License (MPL 2.0).
-    </p>
-    <p>
-      The MPL-2.0 license requires that if you make changes to
-      licensed software (e.g. BIND) and distribute them outside
-      your organization, that you publish those changes under that
-      same license. It does not require that you publish or disclose
-      anything other than the changes you made to our software.
-    </p>
-    <p>
-      This requirement will not affect anyone who is using BIND, with
-      or without modifications, without redistributing it, nor anyone
-      redistributing it without changes. Therefore, this change will be
-      without consequence for most individuals and organizations who are
-      using BIND.
-    </p>
-    <p>
-      Those unsure whether or not the license change affects their
-      use of BIND, or who wish to discuss how to comply with the
-      license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
-      https://www.isc.org/mission/contact/</a>.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
-    <p>
-      As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
-      platforms for BIND; "XP" binaries are no longer available for download
-      from ISC.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
@@ -134,712 +91,81 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-<li class="listitem">
 	<p>
-	  Many aspects of <span class="command"><strong>named</strong></span> have been modified
+	  None.
-	  to improve query performance, and in particular, performance
-	  for delegation-heavy zones:
 	</p>
-	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+      </li></ul></div>
-<li class="listitem">
-	    <p>
-	      The additional cache ("acache") was found not to
-	      significantly improve performance and has been removed.
-	      As a result, the <span class="command"><strong>acache-enable</strong></span> and
-	      <span class="command"><strong>acache-cleaning-interval</strong></span> options no longer
-	      have any effect. For backwards compatibility, BIND will
-	      accept their presence in a configuration file, but
-	      will log a warning.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      In place of the acache, <span class="command"><strong>named</strong></span> can now use
-	      a glue cache to speed up retrieval of glue records when sending
-	      delegation responses.  Unlike acache, this feature is on by
-	      default; use <span class="command"><strong>glue-cache no;</strong></span> to disable it.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      <span class="command"><strong>minimal-responses</strong></span> is now set
-	      to <code class="literal">no-auth-recursive</code> by default.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      The <span class="command"><strong>additional-from-cache</strong></span>
-	      and <span class="command"><strong>additional-from-auth</strong></span> options no longer
-	      have any effect. <span class="command"><strong>named</strong></span> will log a warning
-	      if they are set.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      Several functions have been refactored to improve
-	      performance, including name compression, owner name
-	      case restoration, hashing, and buffers.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      When built with default <span class="command"><strong>configure</strong></span> options,
-	      <span class="command"><strong>named</strong></span> no longer fills memory with tag
-	      values when allocating or freeing it. This improves performance,
-	      but makes it more difficult to debug certain memory-related
-	      errors. The default is reversed if building with developer
-	      options. <span class="command"><strong>named -M fill</strong></span> or
-	      <span class="command"><strong>named -M nofill</strong></span> will set the behavior
-	      accordingly regardless of build options.
-	    </p>
-	  </li>
-</ul></div>
-      </li>
-<li class="listitem">
-	<p>
-	  Several areas of code have been refactored for improved
-	  readability, maintainability, and testability:
-	</p>
-	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
-	    <p>
-	      The <span class="command"><strong>named</strong></span> query logic implemented in
-	      <span class="command"><strong>query_find()</strong></span> has been split into
-	      smaller functions with a context structure to maintain state
-	      between them, and extensive comments have been added.
-	      [RT #43929]
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      Similarly the iterative query logic implemented in
-	      <span class="command"><strong>resquery_response()</strong></span> function has been
-	      split into smaller functions and comments added. [RT #45362]
-	    </p>
-	  </li>
-</ul></div>
-      </li>
-<li class="listitem">
-	<p>
-	  Code implementing name server query processing has been moved
-	  from <span class="command"><strong>named</strong></span> to an external library,
-	  <span class="command"><strong>libns</strong></span>. This will make it easier to
-	  write unit tests for the code, or to link it into new tools.
-	  [RT #45186]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> can now synthesize negative responses
-	  (NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
-	  records that were returned in negative or wildcard responses from
-	  authoritative servers.
-	</p>
-	<p>
-	  This will reduce query loads on authoritative servers for signed
-	  domains: when existing cached records can be used by the resolver
-	  to determine that a name does not exist in the authorittive domain,
-	  no query needs to be sent. Reducing the number of iterative queries
-	  should also improve resolver performance.
-	</p>
-	<p>
-	  This behavior is controlled by the new
-	  <code class="filename">named.conf</code> option
-	  <span class="command"><strong>synth-from-dnssec</strong></span>.  It is enabled by
-	  default.
-	</p>
-	<p>
-	  Note: this currently only works for zones signed using NSEC.
-	  Support for zones signed using NSEC3 (without opt-out) is
-	  planned for the future.
-	</p>
-	<p>
-	  Thanks to APNIC for sponsoring this work.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When acting as a recursive resolver, <span class="command"><strong>named</strong></span>
-	  can now continue returning answers whose TTLs have expired
-	  when the authoritative server is under attack and unable to
-	  respond. This is controlled by the
-	  <span class="command"><strong>stale-answer-enable</strong></span>,
-	  <span class="command"><strong>stale-answer-ttl</strong></span> and
-	  <span class="command"><strong>max-stale-ttl</strong></span> options. [RT #44790]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The DNS Response Policy Service (DNSRPS) API, a mechanism to
-	  allow <span class="command"><strong>named</strong></span> to use an external response policy
-	  provider, is now supported. (One example of such a provider is
-	  "FastRPZ" from Farsight Security, Inc.) This allows the same
-	  types of policy filtering as standard RPZ, but can reduce the
-	  workload for <span class="command"><strong>named</strong></span>, particularly when using
-	  large and frequently-updated policy zones. It also enables
-	  <span class="command"><strong>named</strong></span> to share response policy providers
-	  with other DNS implementations such as Unbound.
-	</p>
-	<p>
-	  This feature is avaiable if BIND is built with
-	  <span class="command"><strong>configure --enable-dnsrps</strong></span>, if a DNSRPS
-	  provider is installed, and if <span class="command"><strong>dnsrps-enable</strong></span>
-	  is set to "yes" in <code class="filename">named.conf</code>. Standard
-	  built-in RPZ is used otherwise.
-	</p>
-	<p>
-	  Thanks to Vernon Schryver and Farsight Security for the
-	  contribution. [RT #43376]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Setting <span class="command"><strong>max-journal-size</strong></span> to
-	  <code class="literal">default</code> limits journal sizes to twice the
-	  size of the zone contents.  This can be overridden by setting
-	  <span class="command"><strong>max-journal-size</strong></span> to <code class="literal">unlimited</code>
-	  or to an explicit value up to 2G. Thanks to Tony Finch for
-	  the contribution. [RT #38324]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
-	  automatically roll when they reach a specified size. If
-	  <span class="command"><strong>dnstap-output</strong></span> is configured with mode
-	  <code class="literal">file</code>, then it can take optional
-	  <span class="command"><strong>size</strong></span> and <span class="command"><strong>versions</strong></span>
-	  key-value arguments to set the logfile rolling parameters.
-	  (These have the same semantics as the corresponding
-	  options in a <span class="command"><strong>logging</strong></span> channel statement.)
-	  [RT #44502]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
-	  now be configured with a <span class="command"><strong>suffix</strong></span> option,
-	  set to either <code class="literal">increment</code> or
-	  <code class="literal">timestamp</code>, indicating whether log files
-	  should be given incrementing suffixes when they roll
-	  over (e.g., <code class="filename">logfile.0</code>,
-	  <code class="filename">.1</code>, <code class="filename">.2</code>, etc)
-	  or suffixes indicating the time of the roll. The default
-	  is <code class="literal">increment</code>.  [RT #42838]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>print-time</strong></span> option in the
-	  <span class="command"><strong>logging</strong></span> configuration can now take arguments
-	  <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
-	  <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
-	  which the date and time should be logged. For backward
-	  compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
-	  <strong class="userinput"><code>local</code></strong>.  [RT #42585]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new <span class="command"><strong>dnssec-cds</strong></span> command generates a new DS
-	  set to place in a parent zone, based on the contents of a child
-	  zone's validated CDS or CDNSKEY records. It can produce a
-	  <code class="filename">dsset</code> file suitable for input to
-	  <span class="command"><strong>dnssec-signzone</strong></span>, or a series of
-	  <span class="command"><strong>nsupdate</strong></span> commands to update the parent zone
-	  via dynamic DNS. Thanks to Tony Finch for the contribution.
-	  [RT #46090]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accept
-	  command line options <span class="command"><strong>-4</strong></span> and <span class="command"><strong>-6</strong></span>
-	  which force using only IPv4 or only IPv6, respectively. [RT #45632]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>nsec3hash -r</strong></span> ("rdata order") takes arguments
-	  in the same order as they appear in NSEC3 or NSEC3PARAM records.
-	  This makes it easier to generate an NSEC3 hash using values cut
-	  and pasted from an existing record. Thanks to Tony Finch for
-	  the contribution. [RT #45183]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>new-zones-directory</strong></span> option allows
-	  <span class="command"><strong>named</strong></span> to store configuration parameters
-	  for zones added via <span class="command"><strong>rndc addzone</strong></span> in a
-	  location other than the working directory. Thanks to Petr
-	  Men&#353;<EFBFBD>k of Red Hat for the contribution.
-	  [RT #44853]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
-	  dump of the wire format DNS message encapsulated in each
-	  <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>host -A</strong></span> option returns most
-	  records for a name, but omits types RRSIG, NSEC and NSEC3.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
-	  for EDNS options in addition to numeric values. For example,
-	  an EDNS Client-Subnet option could be sent using
-	  <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
-	  John Worley of Secure64 for the contribution. [RT #44461]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Added support for the EDNS TCP Keepalive option (RFC 7828);
-	  this allows negotiation of longer-lived TCP sessions
-	  to reduce the overhead of setting up TCP for individual
-	  queries. [RT #42126]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Added support for the EDNS Padding option (RFC 7830),
-	  which obfuscates packet size analysis when DNS queries
-	  are sent over an encrypted channel. [RT #42094]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>rndc</strong></span> commands which refer to zone names
-	  can now reference a zone of type <span class="command"><strong>redirect</strong></span>
-	  by using the special zone name "-redirect". (Previously this
-	  was not possible because <span class="command"><strong>redirect</strong></span> zones
-	  always have the name ".", which can be ambiguous.)
-	</p>
-	<p>
-	  In the event you need to manipulate a zone actually
-	  called "-redirect", use a trailing dot: "-redirect."
-	</p>
-	<p>
-	  Note: This change does not appply to the
-	  <span class="command"><strong>rndc addzone</strong></span> or
-	  <span class="command"><strong>rndc modzone</strong></span> commands.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
-	  in <code class="filename">named.conf</code>. [RT #43154]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Query logging now includes the ECS option, if one was
-	  present in the query, in the format
-	  "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  By default, BIND now uses the random number generation functions
-	  in the cryptographic library (i.e., OpenSSL or a PKCS#11
-	  provider) as a source of high-quality randomness rather than
-	  <code class="filename">/dev/random</code>.  This is suitable for virtual
-	  machine environments, which may have limited entropy pools and
-	  lack hardware random number generators.
-	</p>
-	<p>
-	  This can be overridden by specifying another entropy source via
-	  the <span class="command"><strong>random-device</strong></span> option in
-	  <code class="filename">named.conf</code>, or via the <span class="command"><strong>-r</strong></span>
-	  command line option.  However, for functions requiring full
-	  cryptographic strength, such as DNSSEC key generation, this
-	  <span class="emphasis"><em>cannot</em></span> be overridden. In particular, the
-	  <span class="command"><strong>-r</strong></span> command line option no longer has any
-	  effect on <span class="command"><strong>dnssec-keygen</strong></span>.
-	</p>
-	<p>
-	  This can be disabled by building with
-	  <span class="command"><strong>configure --disable-crypto-rand</strong></span>, in which
-	  case <code class="filename">/dev/random</code> will be the default
-	  entropy source.  [RT #31459] [RT #46047]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>rndc managed-keys destroy</strong></span> shuts down all
-	  RFC 5011 DNSSEC trust anchor maintenance, and deletes any
-	  existing managed keys database. If immediately followed by
-	  <span class="command"><strong>rndc reconfig</strong></span>, this will reinitialize
-	  key maintenance just as if the server was being started for
-	  the first time.
-	</p>
-	<p>
-	  This is intended for testing purposes, but can be used -- with
-	  extreme caution -- as a brute-force repair for unrecoverable
-	  problems with a managed keys database, to jumpstart the key
-	  acquisition process if <code class="filename">bind.keys</code> is updated,
-	  etc. [RT #32456]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-signzone -S</strong></span> can now add or remove
-	  synchronization records (CDS and CDNSKEY) based on key metadata
-	  set by the <span class="command"><strong>-Psync</strong></span> and <span class="command"><strong>-Dsync</strong></span>
-	  options to <span class="command"><strong>dnssec-keygen</strong></span>,
-	  <span class="command"><strong>dnssec-settime</strong></span>, etc. [RT #46149]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-checkds -s</strong></span> specifies a file from
-	  which to read a DS set rather than querying the parent zone.
-	  This can be used to check zone correctness prior to
-	  publication. Thanks to Niall O'Reilly [RT #44667]
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  The ISC DNSSEC Lookaside Validation (DLV) service has
-	  been shut down; all DLV records in the dlv.isc.org zone
-	  have been removed.  References to the service have been
-	  removed from BIND documentation.  Lookaside validation
-	  is no longer used by default by <span class="command"><strong>delv</strong></span>.
-	  The DLV key has been removed from <code class="filename">bind.keys</code>.
-	  Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
-	  <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
-	  anchor results in a warning being issued.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  As noted above, the <span class="command"><strong>acache-enable</strong></span>,
-	  <span class="command"><strong>acache-cleaning-interval</strong></span>,
-	  <span class="command"><strong>additional-from-cache</strong></span> and
-	  <span class="command"><strong>additional-from-auth</strong></span> options are no longer
-	  effective and <span class="command"><strong>named</strong></span> will log a warning if
-	  they are set.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The use of <span class="command"><strong>dnssec-keygen</strong></span> to generate
-	  HMAC keys for TSIG authentication has been deprecated in favor
-	  of <span class="command"><strong>tsig-keygen</strong></span>. If the algorithms HMAC-MD5,
-	  HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
-	  HMAC-SHA512 are specified, <span class="command"><strong>dnssec-keygen</strong></span>
-	  will print a warning message. These algorithms will be
-	  removed from <span class="command"><strong>dnssec-keygen</strong></span> entirely in
-	  a future release. [RT #42272]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The use of HMAC-MD5 for RNDC keys is no longer recommended.
-	  The default algorithm generated by <span class="command"><strong>rndc-confgen</strong></span>
-	  is now HMAC-SHA256. [RT #42272]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>isc-hmac-fixup</strong></span> command, which was created
-	  to address an interoperability problem in TSIG keys between
-	  early versions of BIND and other DNS implmentations, is now
-	  obsolete and has been removed. [RT #46411]
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
-	  signing algorithms described in RFC 8080. Note, however, that
-	  these algorithms must be supported in OpenSSL;
-	  currently they are only available in the development branch
-	  of OpenSSL at
-	  <a class="link" href="https://github.com/openssl/openssl" target="_top">
-	    https://github.com/openssl/openssl</a>.
-	  [RT #44696]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When parsing DNS messages, EDNS KEY TAG options are checked
-	  for correctness. When printing messages (for example, in
-	  <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
-	  in readable format.
-	</p>
-      </li>
-</ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-<li class="listitem">
 	<p>
-	  The ISC DNSSEC Lookaside Validation (DLV) service has been shut
+	  Zone types <span class="command"><strong>primary</strong></span> and
-	  down; all DLV records in the dlv.isc.org zone have been removed.
+	  <span class="command"><strong>secondary</strong></span> are now available as synonyms for
-	  References to the service have been removed from BIND documentation.
+	  <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
-	  Lookaside validation is no longer used by default by
+	  respectively, in <code class="filename">named.conf</code>.
-	  <span class="command"><strong>delv</strong></span>. The DLV key has been removed from
-	  <code class="filename">bind.keys</code>. Setting
-	  <span class="command"><strong>dnssec-lookaside</strong></span> to
-	  <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
-	  anchor is now a fatal configuration error. [RT #46155]
 	</p>
-      </li>
+      </li></ul></div>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> will no longer start or accept
-	  reconfiguration if the working directory (specified by the
-	  <span class="command"><strong>directory</strong></span> option) or the managed-keys
-	  directory (specified by <span class="command"><strong>managed-keys-directory</strong></span>
-	  are not writable by the effective user ID. [RT #46077]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Initializing keys specified in a <span class="command"><strong>managed-keys</strong></span>
-	  statement or by <span class="command"><strong>dnssec-validation auto;</strong></span> are
-	  now tagged as "initializing", until they have been updated by a
-	  key refresh query. If key maintenance fails to initialize,
-	  this will be visible when running <span class="command"><strong>rndc secroots</strong></span>.
-	  [RT #46267]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
-	  updates from any source so long as they were signed by the
-	  locally-generated session key. This has been further restricted;
-	  updates are now only accepted from locally configured addresses.
-	  [RT #45492]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The lightweight resolver daemon and library (<span class="command"><strong>lwresd</strong></span>
-	  and <span class="command"><strong>liblwres</strong></span>) have been removed. [RT #45186]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-keygen</strong></span> no longer has default
-	  algorithm settings. It is necessary to explicitly specify the
-	  algorithm on the command line with the <span class="command"><strong>-a</strong></span> option
-	  when generating keys. This may cause errors with existing signing
-	  scripts if they rely on current defaults. The intent is to
-	  reduce the long-term cost of transitioning to newer algorithms in
-	  the event of RSASHA1 being deprecated. [RT #44755]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +sigchase</strong></span> and related options
-	  <span class="command"><strong>+trusted-keys</strong></span> and <span class="command"><strong>+topdown</strong></span>
-	  have been removed. <span class="command"><strong>delv</strong></span> is now the recommended
-	  command for looking up records with DNSSEC validation.
-	  [RT #42793]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The Response Policy Zone (RPZ) implementation has been
-	  substantially refactored: updates to the RPZ summary
-	  database are no longer directly performed by the zone
-	  database but by a separate function that is called when
-	  a policy zone is updated.  This improves both performance
-	  and reliability when policy zones receive frequent updates.
-	  Summary database updates can be rate-limited by using the
-	  <span class="command"><strong>min-update-interval</strong></span> option in a
-	  <span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
-	  addresses for all messages, instead of only the remote address.
-	  The default output format for <span class="command"><strong>dnstap-read</strong></span> has
-	  been updated to include these addresses, with the initiating
-	  address first and the responding address second, separated by
-	  "-&gt;" or "&lt;-" to indicate in which direction the message
-	  was sent. [RT #43595]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Expanded and improved the YAML output from
-	  <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
-	  size and a detailed breakdown of message contents.
-	  [RT #43622] [RT #43642]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
-	  names to assist debugging on operating systems that support that.
-	  Threads will have names such as "isc-timer", "isc-sockmgr",
-	  "isc-worker0001", and so on. This will affect the reporting of
-	  subsidiary thread names in <span class="command"><strong>ps</strong></span> and
-	  <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  If an ACL is specified with an address prefix in which the
-	  prefix length is longer than the address portion (for example,
-	  192.0.2.1/8), it will now be treated as a fatal error during
-	  configuration. [RT #43367]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig</strong></span> now warns about .local queries which are
-	  reserved for Multicast DNS. [RT #44783]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The view associated with the query is now logged unless it
-	  it is "_default/IN" or "_dnsclient/IN" when logging DNSSEC
-	  validator messages.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
-	  zones to load correctly could leave the system in an inconsistent
-	  state; while generally harmless, this could lead to a crash later
-	  when using <span class="command"><strong>rndc addzone</strong></span>.  Reconfiguration changes
-	  are now fully rolled back in the event of failure. [RT #45841]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Multiple <span class="command"><strong>cookie-secret</strong></span> clauses are now
-	  supported.  The first <span class="command"><strong>cookie-secret</strong></span> in
-	  <code class="filename">named.conf</code> is used to generate new
-	  server cookies.  Any others are used to accept old server
-	  cookies or those generated by other servers using the
-	  matching <span class="command"><strong>cookie-secret</strong></span>.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new statistics counter has been added to track prefetch
-	  queries. [RT #45847]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new statistics counter has been added to track priming
-	  queries. [RT #46313]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>dnssec-signzone -x</strong></span> flag and the
-	  <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> option in
-	  <span class="command"><strong>named.conf</strong></span>, which suppress the use of
-	  the ZSK when signing DNSKEY records, now also apply to
-	  CDNSKEY and CDS records. Thanks to Tony Finch for the
-	  contribution. [RT #45689]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Trust anchor telemetry messages, as specified by
-	  RFC 8145, are now logged to the
-	  <span class="command"><strong>trust-anchor-telemetry</strong></span> logging
-	  catagory.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>filter-aaaa-on-v4</strong></span> and
-	  <span class="command"><strong>filter-aaaa-on-v6</strong></span> options are no longer
-	  conditionally compiled in <span class="command"><strong>named</strong></span>. [RT #46340]
-	</p>
-      </li>
-</ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-<li class="listitem">
 	<p>
-	  Zones created with <span class="command"><strong>rndc addzone</strong></span> could
+	  None.
-	  temporarily fail to inherit the <span class="command"><strong>allow-transfer</strong></span>
-	  ACL set in the <span class="command"><strong>options</strong></span> section of
-	  <code class="filename">named.conf</code>. [RT #46603]
 	</p>
-      </li>
+      </li></ul></div>
-<li class="listitem">
+  </div>
-	<p>
+
-	  The introduction of <span class="command"><strong>libns</strong></span> caused a bug
+  <div class="section">
-	  in which TCP client objects were not recycled after use,
+<div class="titlepage"><div><div><h3 class="title">
-	  leading to unconstrained memory growth. [RT #46029]
+<a name="relnotes_license"></a>License</h3></div></div></div>
-	</p>
+    <p>
-      </li>
+      BIND is open source software licenced under the terms of the Mozilla
-<li class="listitem">
+      Public License, version 2.0 (see the <code class="filename">LICENSE</code>
-	<p>
+      file for the full text).
-	  Some header files included &lt;isc/util.h&gt; incorrectly as
+    </p>
-	  it pollutes with namespace with non ISC_ macros and this should
+    <p>
-	  only be done by explicitly including &lt;isc/util.h&gt;.  This
+      The license requires that if you make changes to BIND and distribute
-	  has been corrected.  Some code may depend on &lt;isc/util.h&gt;
+      them outside your organization, those changes must be published under
-	  being implicitly included via other header files.  Such
+      the same license. It does not require that you publish or disclose
-	  code should explicitly include &lt;isc/util.h&gt;.
+      anything other than the changes you have made to our software.  This
-	</p>
+      requirement does not affect anyone who is using BIND, with or without
-      </li>
+      modifications, without redistributing it, nor anyone redistributing
-<li class="listitem">
+      BIND without changes.
-	<p>
+    </p>
-	  <span class="command"><strong>named</strong></span> failed to properly determine whether
+    <p>
-	  there were active KSK and ZSK keys for an algorithm when
+      Those wishing to discuss license compliance may contact ISC at
-	  <span class="command"><strong>update-check-ksk</strong></span> was true (which is the
+      <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
-	  default setting). This could leave records unsigned
+	https://www.isc.org/mission/contact/</a>.
-	  when rolling keys. [RT #46743] [RT #46754] [RT #46774]
+    </p>
-	</p>
-      </li>
-</ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
     <p>
-      The end of life for BIND 9.12 is yet to be determined but
+      BIND 9.13 is an unstable development branch. When its development
-      will not be before BIND 9.14.0 has been released for 6 months.
+      is complete, it will be renamed to BIND 9.14, which will be a
+      stable branch.
+    </p>
+    <p>
+      The end of life date for BIND 9.14 has not yet been determined.
+      For those needing long term support, the current Extended Support
+      Version (ESV) is BIND 9.11, which will be supported until December
+      2021. See
       <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+      for details of ISC's software support policy.
     </p>
   </div>
+
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-
     <p>
       Thank you to everyone who assisted us in making this release possible.
       If you would like to contribute to ISC to assist us in continuing to

doc/arm/Bv9ARM.html

@@ -240,14 +240,11 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
 </dl></dd>

doc/arm/notes.html

@@ -21,10 +21,10 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
     <p>
-      BIND 9.12.0 is a new feature release of BIND, still under development.
+      BIND 9.13 is unstable development release of BIND.
       This document summarizes new features and functional changes that
       have been introduced on this branch.  With each development
-      release leading up to the final BIND 9.12.0 release, this document
+      release leading up to the stable BIND 9.14 release, this document
       will be updated with additional features added and bugs fixed.
     </p>
   </div>
@@ -43,46 +43,6 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_license"></a>License Change</h3></div></div></div>
-    <p>
-      With the release of BIND 9.11.0, ISC changed to the open
-      source license for BIND from the ISC license to the Mozilla
-      Public License (MPL 2.0).
-    </p>
-    <p>
-      The MPL-2.0 license requires that if you make changes to
-      licensed software (e.g. BIND) and distribute them outside
-      your organization, that you publish those changes under that
-      same license. It does not require that you publish or disclose
-      anything other than the changes you made to our software.
-    </p>
-    <p>
-      This requirement will not affect anyone who is using BIND, with
-      or without modifications, without redistributing it, nor anyone
-      redistributing it without changes. Therefore, this change will be
-      without consequence for most individuals and organizations who are
-      using BIND.
-    </p>
-    <p>
-      Those unsure whether or not the license change affects their
-      use of BIND, or who wish to discuss how to comply with the
-      license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
-      https://www.isc.org/mission/contact/</a>.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
-    <p>
-      As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
-      platforms for BIND; "XP" binaries are no longer available for download
-      from ISC.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
@@ -94,712 +54,81 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-<li class="listitem">
 	<p>
-	  Many aspects of <span class="command"><strong>named</strong></span> have been modified
+	  None.
-	  to improve query performance, and in particular, performance
-	  for delegation-heavy zones:
 	</p>
-	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+      </li></ul></div>
-<li class="listitem">
-	    <p>
-	      The additional cache ("acache") was found not to
-	      significantly improve performance and has been removed.
-	      As a result, the <span class="command"><strong>acache-enable</strong></span> and
-	      <span class="command"><strong>acache-cleaning-interval</strong></span> options no longer
-	      have any effect. For backwards compatibility, BIND will
-	      accept their presence in a configuration file, but
-	      will log a warning.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      In place of the acache, <span class="command"><strong>named</strong></span> can now use
-	      a glue cache to speed up retrieval of glue records when sending
-	      delegation responses.  Unlike acache, this feature is on by
-	      default; use <span class="command"><strong>glue-cache no;</strong></span> to disable it.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      <span class="command"><strong>minimal-responses</strong></span> is now set
-	      to <code class="literal">no-auth-recursive</code> by default.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      The <span class="command"><strong>additional-from-cache</strong></span>
-	      and <span class="command"><strong>additional-from-auth</strong></span> options no longer
-	      have any effect. <span class="command"><strong>named</strong></span> will log a warning
-	      if they are set.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      Several functions have been refactored to improve
-	      performance, including name compression, owner name
-	      case restoration, hashing, and buffers.
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      When built with default <span class="command"><strong>configure</strong></span> options,
-	      <span class="command"><strong>named</strong></span> no longer fills memory with tag
-	      values when allocating or freeing it. This improves performance,
-	      but makes it more difficult to debug certain memory-related
-	      errors. The default is reversed if building with developer
-	      options. <span class="command"><strong>named -M fill</strong></span> or
-	      <span class="command"><strong>named -M nofill</strong></span> will set the behavior
-	      accordingly regardless of build options.
-	    </p>
-	  </li>
-</ul></div>
-      </li>
-<li class="listitem">
-	<p>
-	  Several areas of code have been refactored for improved
-	  readability, maintainability, and testability:
-	</p>
-	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
-	    <p>
-	      The <span class="command"><strong>named</strong></span> query logic implemented in
-	      <span class="command"><strong>query_find()</strong></span> has been split into
-	      smaller functions with a context structure to maintain state
-	      between them, and extensive comments have been added.
-	      [RT #43929]
-	    </p>
-	  </li>
-<li class="listitem">
-	    <p>
-	      Similarly the iterative query logic implemented in
-	      <span class="command"><strong>resquery_response()</strong></span> function has been
-	      split into smaller functions and comments added. [RT #45362]
-	    </p>
-	  </li>
-</ul></div>
-      </li>
-<li class="listitem">
-	<p>
-	  Code implementing name server query processing has been moved
-	  from <span class="command"><strong>named</strong></span> to an external library,
-	  <span class="command"><strong>libns</strong></span>. This will make it easier to
-	  write unit tests for the code, or to link it into new tools.
-	  [RT #45186]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> can now synthesize negative responses
-	  (NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
-	  records that were returned in negative or wildcard responses from
-	  authoritative servers.
-	</p>
-	<p>
-	  This will reduce query loads on authoritative servers for signed
-	  domains: when existing cached records can be used by the resolver
-	  to determine that a name does not exist in the authorittive domain,
-	  no query needs to be sent. Reducing the number of iterative queries
-	  should also improve resolver performance.
-	</p>
-	<p>
-	  This behavior is controlled by the new
-	  <code class="filename">named.conf</code> option
-	  <span class="command"><strong>synth-from-dnssec</strong></span>.  It is enabled by
-	  default.
-	</p>
-	<p>
-	  Note: this currently only works for zones signed using NSEC.
-	  Support for zones signed using NSEC3 (without opt-out) is
-	  planned for the future.
-	</p>
-	<p>
-	  Thanks to APNIC for sponsoring this work.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When acting as a recursive resolver, <span class="command"><strong>named</strong></span>
-	  can now continue returning answers whose TTLs have expired
-	  when the authoritative server is under attack and unable to
-	  respond. This is controlled by the
-	  <span class="command"><strong>stale-answer-enable</strong></span>,
-	  <span class="command"><strong>stale-answer-ttl</strong></span> and
-	  <span class="command"><strong>max-stale-ttl</strong></span> options. [RT #44790]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The DNS Response Policy Service (DNSRPS) API, a mechanism to
-	  allow <span class="command"><strong>named</strong></span> to use an external response policy
-	  provider, is now supported. (One example of such a provider is
-	  "FastRPZ" from Farsight Security, Inc.) This allows the same
-	  types of policy filtering as standard RPZ, but can reduce the
-	  workload for <span class="command"><strong>named</strong></span>, particularly when using
-	  large and frequently-updated policy zones. It also enables
-	  <span class="command"><strong>named</strong></span> to share response policy providers
-	  with other DNS implementations such as Unbound.
-	</p>
-	<p>
-	  This feature is avaiable if BIND is built with
-	  <span class="command"><strong>configure --enable-dnsrps</strong></span>, if a DNSRPS
-	  provider is installed, and if <span class="command"><strong>dnsrps-enable</strong></span>
-	  is set to "yes" in <code class="filename">named.conf</code>. Standard
-	  built-in RPZ is used otherwise.
-	</p>
-	<p>
-	  Thanks to Vernon Schryver and Farsight Security for the
-	  contribution. [RT #43376]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Setting <span class="command"><strong>max-journal-size</strong></span> to
-	  <code class="literal">default</code> limits journal sizes to twice the
-	  size of the zone contents.  This can be overridden by setting
-	  <span class="command"><strong>max-journal-size</strong></span> to <code class="literal">unlimited</code>
-	  or to an explicit value up to 2G. Thanks to Tony Finch for
-	  the contribution. [RT #38324]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
-	  automatically roll when they reach a specified size. If
-	  <span class="command"><strong>dnstap-output</strong></span> is configured with mode
-	  <code class="literal">file</code>, then it can take optional
-	  <span class="command"><strong>size</strong></span> and <span class="command"><strong>versions</strong></span>
-	  key-value arguments to set the logfile rolling parameters.
-	  (These have the same semantics as the corresponding
-	  options in a <span class="command"><strong>logging</strong></span> channel statement.)
-	  [RT #44502]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
-	  now be configured with a <span class="command"><strong>suffix</strong></span> option,
-	  set to either <code class="literal">increment</code> or
-	  <code class="literal">timestamp</code>, indicating whether log files
-	  should be given incrementing suffixes when they roll
-	  over (e.g., <code class="filename">logfile.0</code>,
-	  <code class="filename">.1</code>, <code class="filename">.2</code>, etc)
-	  or suffixes indicating the time of the roll. The default
-	  is <code class="literal">increment</code>.  [RT #42838]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>print-time</strong></span> option in the
-	  <span class="command"><strong>logging</strong></span> configuration can now take arguments
-	  <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
-	  <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
-	  which the date and time should be logged. For backward
-	  compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
-	  <strong class="userinput"><code>local</code></strong>.  [RT #42585]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new <span class="command"><strong>dnssec-cds</strong></span> command generates a new DS
-	  set to place in a parent zone, based on the contents of a child
-	  zone's validated CDS or CDNSKEY records. It can produce a
-	  <code class="filename">dsset</code> file suitable for input to
-	  <span class="command"><strong>dnssec-signzone</strong></span>, or a series of
-	  <span class="command"><strong>nsupdate</strong></span> commands to update the parent zone
-	  via dynamic DNS. Thanks to Tony Finch for the contribution.
-	  [RT #46090]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accept
-	  command line options <span class="command"><strong>-4</strong></span> and <span class="command"><strong>-6</strong></span>
-	  which force using only IPv4 or only IPv6, respectively. [RT #45632]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>nsec3hash -r</strong></span> ("rdata order") takes arguments
-	  in the same order as they appear in NSEC3 or NSEC3PARAM records.
-	  This makes it easier to generate an NSEC3 hash using values cut
-	  and pasted from an existing record. Thanks to Tony Finch for
-	  the contribution. [RT #45183]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>new-zones-directory</strong></span> option allows
-	  <span class="command"><strong>named</strong></span> to store configuration parameters
-	  for zones added via <span class="command"><strong>rndc addzone</strong></span> in a
-	  location other than the working directory. Thanks to Petr
-	  Men&#353;<EFBFBD>k of Red Hat for the contribution.
-	  [RT #44853]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
-	  dump of the wire format DNS message encapsulated in each
-	  <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>host -A</strong></span> option returns most
-	  records for a name, but omits types RRSIG, NSEC and NSEC3.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
-	  for EDNS options in addition to numeric values. For example,
-	  an EDNS Client-Subnet option could be sent using
-	  <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
-	  John Worley of Secure64 for the contribution. [RT #44461]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Added support for the EDNS TCP Keepalive option (RFC 7828);
-	  this allows negotiation of longer-lived TCP sessions
-	  to reduce the overhead of setting up TCP for individual
-	  queries. [RT #42126]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Added support for the EDNS Padding option (RFC 7830),
-	  which obfuscates packet size analysis when DNS queries
-	  are sent over an encrypted channel. [RT #42094]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>rndc</strong></span> commands which refer to zone names
-	  can now reference a zone of type <span class="command"><strong>redirect</strong></span>
-	  by using the special zone name "-redirect". (Previously this
-	  was not possible because <span class="command"><strong>redirect</strong></span> zones
-	  always have the name ".", which can be ambiguous.)
-	</p>
-	<p>
-	  In the event you need to manipulate a zone actually
-	  called "-redirect", use a trailing dot: "-redirect."
-	</p>
-	<p>
-	  Note: This change does not appply to the
-	  <span class="command"><strong>rndc addzone</strong></span> or
-	  <span class="command"><strong>rndc modzone</strong></span> commands.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
-	  in <code class="filename">named.conf</code>. [RT #43154]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Query logging now includes the ECS option, if one was
-	  present in the query, in the format
-	  "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  By default, BIND now uses the random number generation functions
-	  in the cryptographic library (i.e., OpenSSL or a PKCS#11
-	  provider) as a source of high-quality randomness rather than
-	  <code class="filename">/dev/random</code>.  This is suitable for virtual
-	  machine environments, which may have limited entropy pools and
-	  lack hardware random number generators.
-	</p>
-	<p>
-	  This can be overridden by specifying another entropy source via
-	  the <span class="command"><strong>random-device</strong></span> option in
-	  <code class="filename">named.conf</code>, or via the <span class="command"><strong>-r</strong></span>
-	  command line option.  However, for functions requiring full
-	  cryptographic strength, such as DNSSEC key generation, this
-	  <span class="emphasis"><em>cannot</em></span> be overridden. In particular, the
-	  <span class="command"><strong>-r</strong></span> command line option no longer has any
-	  effect on <span class="command"><strong>dnssec-keygen</strong></span>.
-	</p>
-	<p>
-	  This can be disabled by building with
-	  <span class="command"><strong>configure --disable-crypto-rand</strong></span>, in which
-	  case <code class="filename">/dev/random</code> will be the default
-	  entropy source.  [RT #31459] [RT #46047]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>rndc managed-keys destroy</strong></span> shuts down all
-	  RFC 5011 DNSSEC trust anchor maintenance, and deletes any
-	  existing managed keys database. If immediately followed by
-	  <span class="command"><strong>rndc reconfig</strong></span>, this will reinitialize
-	  key maintenance just as if the server was being started for
-	  the first time.
-	</p>
-	<p>
-	  This is intended for testing purposes, but can be used -- with
-	  extreme caution -- as a brute-force repair for unrecoverable
-	  problems with a managed keys database, to jumpstart the key
-	  acquisition process if <code class="filename">bind.keys</code> is updated,
-	  etc. [RT #32456]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-signzone -S</strong></span> can now add or remove
-	  synchronization records (CDS and CDNSKEY) based on key metadata
-	  set by the <span class="command"><strong>-Psync</strong></span> and <span class="command"><strong>-Dsync</strong></span>
-	  options to <span class="command"><strong>dnssec-keygen</strong></span>,
-	  <span class="command"><strong>dnssec-settime</strong></span>, etc. [RT #46149]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-checkds -s</strong></span> specifies a file from
-	  which to read a DS set rather than querying the parent zone.
-	  This can be used to check zone correctness prior to
-	  publication. Thanks to Niall O'Reilly [RT #44667]
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  The ISC DNSSEC Lookaside Validation (DLV) service has
-	  been shut down; all DLV records in the dlv.isc.org zone
-	  have been removed.  References to the service have been
-	  removed from BIND documentation.  Lookaside validation
-	  is no longer used by default by <span class="command"><strong>delv</strong></span>.
-	  The DLV key has been removed from <code class="filename">bind.keys</code>.
-	  Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
-	  <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
-	  anchor results in a warning being issued.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  As noted above, the <span class="command"><strong>acache-enable</strong></span>,
-	  <span class="command"><strong>acache-cleaning-interval</strong></span>,
-	  <span class="command"><strong>additional-from-cache</strong></span> and
-	  <span class="command"><strong>additional-from-auth</strong></span> options are no longer
-	  effective and <span class="command"><strong>named</strong></span> will log a warning if
-	  they are set.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The use of <span class="command"><strong>dnssec-keygen</strong></span> to generate
-	  HMAC keys for TSIG authentication has been deprecated in favor
-	  of <span class="command"><strong>tsig-keygen</strong></span>. If the algorithms HMAC-MD5,
-	  HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
-	  HMAC-SHA512 are specified, <span class="command"><strong>dnssec-keygen</strong></span>
-	  will print a warning message. These algorithms will be
-	  removed from <span class="command"><strong>dnssec-keygen</strong></span> entirely in
-	  a future release. [RT #42272]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The use of HMAC-MD5 for RNDC keys is no longer recommended.
-	  The default algorithm generated by <span class="command"><strong>rndc-confgen</strong></span>
-	  is now HMAC-SHA256. [RT #42272]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>isc-hmac-fixup</strong></span> command, which was created
-	  to address an interoperability problem in TSIG keys between
-	  early versions of BIND and other DNS implmentations, is now
-	  obsolete and has been removed. [RT #46411]
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
-	  signing algorithms described in RFC 8080. Note, however, that
-	  these algorithms must be supported in OpenSSL;
-	  currently they are only available in the development branch
-	  of OpenSSL at
-	  <a class="link" href="https://github.com/openssl/openssl" target="_top">
-	    https://github.com/openssl/openssl</a>.
-	  [RT #44696]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When parsing DNS messages, EDNS KEY TAG options are checked
-	  for correctness. When printing messages (for example, in
-	  <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
-	  in readable format.
-	</p>
-      </li>
-</ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-<li class="listitem">
 	<p>
-	  The ISC DNSSEC Lookaside Validation (DLV) service has been shut
+	  Zone types <span class="command"><strong>primary</strong></span> and
-	  down; all DLV records in the dlv.isc.org zone have been removed.
+	  <span class="command"><strong>secondary</strong></span> are now available as synonyms for
-	  References to the service have been removed from BIND documentation.
+	  <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
-	  Lookaside validation is no longer used by default by
+	  respectively, in <code class="filename">named.conf</code>.
-	  <span class="command"><strong>delv</strong></span>. The DLV key has been removed from
-	  <code class="filename">bind.keys</code>. Setting
-	  <span class="command"><strong>dnssec-lookaside</strong></span> to
-	  <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
-	  anchor is now a fatal configuration error. [RT #46155]
 	</p>
-      </li>
+      </li></ul></div>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> will no longer start or accept
-	  reconfiguration if the working directory (specified by the
-	  <span class="command"><strong>directory</strong></span> option) or the managed-keys
-	  directory (specified by <span class="command"><strong>managed-keys-directory</strong></span>
-	  are not writable by the effective user ID. [RT #46077]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Initializing keys specified in a <span class="command"><strong>managed-keys</strong></span>
-	  statement or by <span class="command"><strong>dnssec-validation auto;</strong></span> are
-	  now tagged as "initializing", until they have been updated by a
-	  key refresh query. If key maintenance fails to initialize,
-	  this will be visible when running <span class="command"><strong>rndc secroots</strong></span>.
-	  [RT #46267]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
-	  updates from any source so long as they were signed by the
-	  locally-generated session key. This has been further restricted;
-	  updates are now only accepted from locally configured addresses.
-	  [RT #45492]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The lightweight resolver daemon and library (<span class="command"><strong>lwresd</strong></span>
-	  and <span class="command"><strong>liblwres</strong></span>) have been removed. [RT #45186]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-keygen</strong></span> no longer has default
-	  algorithm settings. It is necessary to explicitly specify the
-	  algorithm on the command line with the <span class="command"><strong>-a</strong></span> option
-	  when generating keys. This may cause errors with existing signing
-	  scripts if they rely on current defaults. The intent is to
-	  reduce the long-term cost of transitioning to newer algorithms in
-	  the event of RSASHA1 being deprecated. [RT #44755]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +sigchase</strong></span> and related options
-	  <span class="command"><strong>+trusted-keys</strong></span> and <span class="command"><strong>+topdown</strong></span>
-	  have been removed. <span class="command"><strong>delv</strong></span> is now the recommended
-	  command for looking up records with DNSSEC validation.
-	  [RT #42793]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The Response Policy Zone (RPZ) implementation has been
-	  substantially refactored: updates to the RPZ summary
-	  database are no longer directly performed by the zone
-	  database but by a separate function that is called when
-	  a policy zone is updated.  This improves both performance
-	  and reliability when policy zones receive frequent updates.
-	  Summary database updates can be rate-limited by using the
-	  <span class="command"><strong>min-update-interval</strong></span> option in a
-	  <span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
-	  addresses for all messages, instead of only the remote address.
-	  The default output format for <span class="command"><strong>dnstap-read</strong></span> has
-	  been updated to include these addresses, with the initiating
-	  address first and the responding address second, separated by
-	  "-&gt;" or "&lt;-" to indicate in which direction the message
-	  was sent. [RT #43595]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Expanded and improved the YAML output from
-	  <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
-	  size and a detailed breakdown of message contents.
-	  [RT #43622] [RT #43642]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
-	  names to assist debugging on operating systems that support that.
-	  Threads will have names such as "isc-timer", "isc-sockmgr",
-	  "isc-worker0001", and so on. This will affect the reporting of
-	  subsidiary thread names in <span class="command"><strong>ps</strong></span> and
-	  <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  If an ACL is specified with an address prefix in which the
-	  prefix length is longer than the address portion (for example,
-	  192.0.2.1/8), it will now be treated as a fatal error during
-	  configuration. [RT #43367]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig</strong></span> now warns about .local queries which are
-	  reserved for Multicast DNS. [RT #44783]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The view associated with the query is now logged unless it
-	  it is "_default/IN" or "_dnsclient/IN" when logging DNSSEC
-	  validator messages.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
-	  zones to load correctly could leave the system in an inconsistent
-	  state; while generally harmless, this could lead to a crash later
-	  when using <span class="command"><strong>rndc addzone</strong></span>.  Reconfiguration changes
-	  are now fully rolled back in the event of failure. [RT #45841]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Multiple <span class="command"><strong>cookie-secret</strong></span> clauses are now
-	  supported.  The first <span class="command"><strong>cookie-secret</strong></span> in
-	  <code class="filename">named.conf</code> is used to generate new
-	  server cookies.  Any others are used to accept old server
-	  cookies or those generated by other servers using the
-	  matching <span class="command"><strong>cookie-secret</strong></span>.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new statistics counter has been added to track prefetch
-	  queries. [RT #45847]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new statistics counter has been added to track priming
-	  queries. [RT #46313]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>dnssec-signzone -x</strong></span> flag and the
-	  <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> option in
-	  <span class="command"><strong>named.conf</strong></span>, which suppress the use of
-	  the ZSK when signing DNSKEY records, now also apply to
-	  CDNSKEY and CDS records. Thanks to Tony Finch for the
-	  contribution. [RT #45689]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Trust anchor telemetry messages, as specified by
-	  RFC 8145, are now logged to the
-	  <span class="command"><strong>trust-anchor-telemetry</strong></span> logging
-	  catagory.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>filter-aaaa-on-v4</strong></span> and
-	  <span class="command"><strong>filter-aaaa-on-v6</strong></span> options are no longer
-	  conditionally compiled in <span class="command"><strong>named</strong></span>. [RT #46340]
-	</p>
-      </li>
-</ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-<li class="listitem">
 	<p>
-	  Zones created with <span class="command"><strong>rndc addzone</strong></span> could
+	  None.
-	  temporarily fail to inherit the <span class="command"><strong>allow-transfer</strong></span>
-	  ACL set in the <span class="command"><strong>options</strong></span> section of
-	  <code class="filename">named.conf</code>. [RT #46603]
 	</p>
-      </li>
+      </li></ul></div>
-<li class="listitem">
+  </div>
-	<p>
+
-	  The introduction of <span class="command"><strong>libns</strong></span> caused a bug
+  <div class="section">
-	  in which TCP client objects were not recycled after use,
+<div class="titlepage"><div><div><h3 class="title">
-	  leading to unconstrained memory growth. [RT #46029]
+<a name="relnotes_license"></a>License</h3></div></div></div>
-	</p>
+    <p>
-      </li>
+      BIND is open source software licenced under the terms of the Mozilla
-<li class="listitem">
+      Public License, version 2.0 (see the <code class="filename">LICENSE</code>
-	<p>
+      file for the full text).
-	  Some header files included &lt;isc/util.h&gt; incorrectly as
+    </p>
-	  it pollutes with namespace with non ISC_ macros and this should
+    <p>
-	  only be done by explicitly including &lt;isc/util.h&gt;.  This
+      The license requires that if you make changes to BIND and distribute
-	  has been corrected.  Some code may depend on &lt;isc/util.h&gt;
+      them outside your organization, those changes must be published under
-	  being implicitly included via other header files.  Such
+      the same license. It does not require that you publish or disclose
-	  code should explicitly include &lt;isc/util.h&gt;.
+      anything other than the changes you have made to our software.  This
-	</p>
+      requirement does not affect anyone who is using BIND, with or without
-      </li>
+      modifications, without redistributing it, nor anyone redistributing
-<li class="listitem">
+      BIND without changes.
-	<p>
+    </p>
-	  <span class="command"><strong>named</strong></span> failed to properly determine whether
+    <p>
-	  there were active KSK and ZSK keys for an algorithm when
+      Those wishing to discuss license compliance may contact ISC at
-	  <span class="command"><strong>update-check-ksk</strong></span> was true (which is the
+      <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
-	  default setting). This could leave records unsigned
+	https://www.isc.org/mission/contact/</a>.
-	  when rolling keys. [RT #46743] [RT #46754] [RT #46774]
+    </p>
-	</p>
-      </li>
-</ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
     <p>
-      The end of life for BIND 9.12 is yet to be determined but
+      BIND 9.13 is an unstable development branch. When its development
-      will not be before BIND 9.14.0 has been released for 6 months.
+      is complete, it will be renamed to BIND 9.14, which will be a
+      stable branch.
+    </p>
+    <p>
+      The end of life date for BIND 9.14 has not yet been determined.
+      For those needing long term support, the current Extended Support
+      Version (ESV) is BIND 9.11, which will be supported until December
+      2021. See
       <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+      for details of ISC's software support policy.
     </p>
   </div>
+
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-
     <p>
       Thank you to everyone who assisted us in making this release possible.
       If you would like to contribute to ISC to assist us in continuing to

doc/misc/options

@@ -97,8 +97,9 @@ options {
         check-integrity <boolean>;
         check-mx ( fail | warn | ignore );
         check-mx-cname ( fail | warn | ignore );
-        check-names ( master | slave | response
+        check-names ( primary | master |
-            ) ( fail | warn | ignore ); // may occur multiple times
+            secondary | slave | response ) (
+            fail | warn | ignore ); // may occur multiple times
         check-sibling <boolean>;
         check-spf ( warn | ignore );
         check-srv-cname ( fail | warn | ignore );
@@ -192,7 +193,8 @@ options {
         hostname ( <quoted_string> | none );
         inline-signing <boolean>;
         interface-interval <integer>;
-        ixfr-from-differences ( master | slave | <boolean> );
+        ixfr-from-differences ( primary | master | secondary | slave |
+            <boolean> );
         keep-response-order { <address_match_element>; ... };
         key-directory <quoted_string>;
         lame-ttl <ttlval>;
@@ -461,8 +463,9 @@ view <string> [ <class> ] {
         check-integrity <boolean>;
         check-mx ( fail | warn | ignore );
         check-mx-cname ( fail | warn | ignore );
-        check-names ( master | slave | response
+        check-names ( primary | master |
-            ) ( fail | warn | ignore ); // may occur multiple times
+            secondary | slave | response ) (
+            fail | warn | ignore ); // may occur multiple times
         check-sibling <boolean>;
         check-spf ( warn | ignore );
         check-srv-cname ( fail | warn | ignore );
@@ -529,7 +532,8 @@ view <string> [ <class> ] {
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
         glue-cache <boolean>;
         inline-signing <boolean>;
-        ixfr-from-differences ( master | slave | <boolean> );
+        ixfr-from-differences ( primary | master | secondary | slave |
+            <boolean> );
         key <string> {
                 algorithm <string>;
                 secret <string>;
@@ -800,8 +804,9 @@ view <string> [ <class> ] {
                 transfer-source-v6 ( <ipv6_address> | * ) [ port (
                     <integer> | * ) ] [ dscp <integer> ];
                 try-tcp-refresh <boolean>;
-                type ( delegation-only | forward | hint | master | redirect
+                type ( primary | master | secondary | slave |
-                    | slave | static-stub | stub );
+                    delegation-only | forward | hint | redirect |
+                    static-stub | stub );
                 update-check-ksk <boolean>;
                 update-policy ( local | { ( deny | grant ) <string> (
                     6to4-self | external | krb5-self | krb5-subdomain |
@@ -902,8 +907,8 @@ zone <string> [ <class> ] {
         transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
             ] [ dscp <integer> ];
         try-tcp-refresh <boolean>;
-        type ( delegation-only | forward | hint | master | redirect | slave
+        type ( primary | master | secondary | slave | delegation-only |
-            | static-stub | stub );
+            forward | hint | redirect | static-stub | stub );
         update-check-ksk <boolean>;
         update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
             external | krb5-self | krb5-subdomain | ms-self | ms-subdomain