diff --git a/bin/named/named.8 b/bin/named/named.8 index a4308d27f3..3ef55ac2ae 100644 --- a/bin/named/named.8 +++ b/bin/named/named.8 @@ -237,8 +237,11 @@ Report the version number and build options, and exit. .RS 4 Acquire a lock on the specified file at runtime; this helps to prevent duplicate \fBnamed\fR -instances from running simultaneously. If not specified via this option, the default lockfile is -\fI/var/run/named/named.lock\fR. +instances from running simultaneously. Use of this option overrides the +\fBlock\-file\fR +option in +\fInamed.conf\fR. If set to +none, the lock file check is disabled. .RE .PP \-x \fIcache\-file\fR diff --git a/bin/named/named.html b/bin/named/named.html index 129b325eb4..20187aab5e 100644 --- a/bin/named/named.html +++ b/bin/named/named.html @@ -257,8 +257,11 @@

Acquire a lock on the specified file at runtime; this helps to prevent duplicate named instances - from running simultaneously. If not specified via this option, - the default lockfile is /var/run/named/named.lock. + from running simultaneously. + Use of this option overrides the lock-file + option in named.conf. + If set to none, the lock file check + is disabled.

-x cache-file
@@ -278,7 +281,7 @@
-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -299,7 +302,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -316,7 +319,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -329,7 +332,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -342,7 +345,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index a5614e40f7..dd28934f5e 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,39 +70,39 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
-
Prerequisites
-
Native PKCS#11
-
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Native PKCS#11
+
OpenSSL-based PKCS#11
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -1080,7 +1080,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1142,7 +1142,7 @@ options {
 
While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.

 

-Fully automatic zone signing

+Fully automatic zone signing
 
To enable automatic signing, add the 
   auto-dnssec option to the zone statement in 
   named.conf. 
@@ -1205,7 +1205,7 @@ options {
   configuration. If this has not been done, the configuration will
   fail.

 

-Private-type records

+Private-type records
 
The state of the signing process is signaled by
   private-type records (with a default type value of 65534). When
   signing is complete, these records will have a nonzero value for
@@ -1246,12 +1246,12 @@ options {
 

   

 

-DNSKEY rollovers

+DNSKEY rollovers
 
As with insecure-to-secure conversions, rolling DNSSEC
   keys can be done in two ways: using a dynamic DNS update, or the 
   auto-dnssec zone option.

 

-Dynamic DNS update method

+Dynamic DNS update method
 
 To perform key rollovers via dynamic update, you need to add
   the K* files for the new keys so that 
   named can find them. You can then add the new
@@ -1273,7 +1273,7 @@ options {
   named will clean out any signatures generated
   by the old key after the update completes.

 

-Automatic key rollovers

+Automatic key rollovers
 
When a new key reaches its activation date (as set by
   dnssec-keygen or dnssec-settime),
   if the auto-dnssec zone option is set to 
@@ -1288,27 +1288,27 @@ options {
   completes in 30 days, after which it will be safe to remove the
   old key from the DNSKEY RRset.

 

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE
 
Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.

 

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3
 
To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.

 

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC
 
To do this, use nsupdate to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.

 

-Converting from secure to insecure

+Converting from secure to insecure
 
To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1323,14 +1323,14 @@ options {
   allow instead (or it will re-sign).
   

 

-Periodic re-signing

+Periodic re-signing
 
In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.

 

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT
 

   named only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
@@ -1352,7 +1352,7 @@ options {
   configuration files.

 

 

-Validating Resolver

+Validating Resolver

 
To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     managed-keys statement. Information about
@@ -1363,7 +1363,7 @@ options {
 
 

 

-Authoritative Server

+Authoritative Server

 
To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
@@ -1460,7 +1460,7 @@ $ dnssec-signzone -S -K keys example.net<
   

 

 

-Prerequisites

+Prerequisites

 

       See the documentation provided by your HSM vendor for
       information about installing, initializing, testing and
@@ -1469,7 +1469,7 @@ $ dnssec-signzone -S -K keys example.net<
 
 

 

-Native PKCS#11

+Native PKCS#11

 

       Native PKCS#11 mode will only work with an HSM capable of carrying
       out every cryptographic operation BIND 9 may
@@ -1502,7 +1502,7 @@ $ ./configure --enable-native-pkcs11 \
     

 

 

-Building SoftHSMv2

+Building SoftHSMv2

 

 	SoftHSMv2, the latest development version of SoftHSM, is available
 	from
@@ -1540,7 +1540,7 @@ $  /opt/pkcs11/usr/bin/softhsm-util --init-token
 
 

 

-OpenSSL-based PKCS#11

+OpenSSL-based PKCS#11

 

       OpenSSL-based PKCS#11 mode uses a modified version of the
       OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1598,7 +1598,7 @@ $  /opt/pkcs11/usr/bin/softhsm-util --init-token
     

 

 

-Patching OpenSSL

+Patching OpenSSL

 
 $ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
   

@@ -1631,7 +1631,7 @@ $ patch -p1 -d openssl-0.9.8zc \
 
 

 

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

 

 	The AEP Keyper is a highly secure key storage device,
 	but does not provide hardware cryptographic acceleration. It
@@ -1673,7 +1673,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
 
 

 

-Building OpenSSL for the SCA 6000 on Solaris

+Building OpenSSL for the SCA 6000 on Solaris

 

 	The SCA-6000 PKCS#11 provider is installed as a system
 	library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1702,7 +1702,7 @@ $ ./Configure solaris64-x86_64-cc \
 
 

 

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

 

 	SoftHSM (version 1) is a software library developed by the
 	OpenDNSSEC project
@@ -1777,7 +1777,7 @@ $ ./Configure linux-x86_64 -pthread \
     

 

 

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

 

 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
@@ -1797,7 +1797,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
 
 

 

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

 

 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
@@ -1819,7 +1819,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
 
 

 

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM

 
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1840,7 +1840,7 @@ $ ./configure --enable-threads \
 
 

 

-PKCS#11 Tools

+PKCS#11 Tools

 

       BIND 9 includes a minimal set of tools to operate the
       HSM, including 
@@ -1863,7 +1863,7 @@ $ ./configure --enable-threads \
 
 

 

-Using the HSM

+Using the HSM

 

       For OpenSSL-based PKCS#11, we must first set up the runtime
       environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1984,7 +1984,7 @@ example.net.signed
 
 

 

-Specifying the engine on the command line

+Specifying the engine on the command line

 

       When using OpenSSL-based PKCS#11, the "engine" to be used by
       OpenSSL can be specified in named and all of
@@ -2016,7 +2016,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

 

       If you want named to dynamically re-sign zones
       using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2103,7 +2103,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Configuring DLZ

+Configuring DLZ

 

       A DLZ database is configured with a dlz
       statement in named.conf:
@@ -2152,7 +2152,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Sample DLZ Driver

+Sample DLZ Driver

 

       For guidance in implementation of DLZ modules, the directory
       contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 03174e7752..5bbbebb350 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -78,28 +78,28 @@
 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -2239,6 +2239,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ cache-file path_name; ] [ dump-file path_name; ] [ bindkeys-file path_name; ] + [ lock-file path_name; ] [ secroots-file path_name; ] [ session-keyfile path_name; ] [ session-keyname key_name; ] @@ -2722,6 +2723,27 @@ badresp:1,adberr:0,findfail:0,valfail:0] usage statistics to on exit. If not specified, the default is named.memstats.

+
lock-file
+
+

+ The pathname of a file on which named will + attempt to acquire a file lock when starting up for + the first time; if unsuccessful, the server will + will terminate, under the assumption that another + server is already running. If not specified, the default is + /var/run/named/named.lock. +

+

+ Specifying lock-file none disables the + use of a lock file. lock-file is + ignored if named was run using the -X + option, which overrides it. Changes to + lock-file are ignored if + named is being reloaded or + reconfigured; it is only effective when the server is + first started up. +

+
pid-file

The pathname of the file the server writes its process ID @@ -4173,7 +4195,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -4217,7 +4239,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -4493,7 +4515,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4970,7 +4992,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -5012,7 +5034,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -5173,7 +5195,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Periodic Task Intervals

+Periodic Task Intervals
cleaning-interval

@@ -6250,7 +6272,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6373,7 +6395,7 @@ deny-answer-aliases { "example.net"; };

-Response Policy Zone (RPZ) Rewriting

+Response Policy Zone (RPZ) Rewriting

BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -6744,7 +6766,7 @@ example.com CNAME rpz-tcp-only.

-Response Rate Limiting

+Response Rate Limiting

Excessive almost identical UDP responses can be controlled by configuring a @@ -7266,7 +7288,7 @@ example.com CNAME rpz-tcp-only.

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -7382,7 +7404,7 @@ example.com CNAME rpz-tcp-only.

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -7426,7 +7448,7 @@ example.com CNAME rpz-tcp-only.

-managed-keys Statement Grammar

+managed-keys Statement Grammar
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7564,7 +7586,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -7886,10 +7908,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -8207,7 +8229,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -8229,7 +8251,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -9160,7 +9182,7 @@ example.com. NS ns2.example.net.
 

 

 

-Multiple views

+Multiple views

 

               When multiple views are in use, a zone may be
               referenced by more than one of them. Often, the views
@@ -9211,7 +9233,7 @@ view external {
 
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -9224,7 +9246,7 @@ view external {
           

 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -9961,7 +9983,7 @@ view external {
 
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -10164,7 +10186,7 @@ view external {
 
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -10419,7 +10441,7 @@ view external {
 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -10480,7 +10502,7 @@ view external {
 
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -10495,7 +10517,7 @@ view external {
           

 

 

-The @ (at-sign)

+The @ (at-sign)

 

               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -10506,7 +10528,7 @@ view external {
 
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -10535,7 +10557,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -10571,7 +10593,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -10590,7 +10612,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -11033,7 +11055,7 @@ HOST-127.EXAMPLE. MX 0 .
           

 

 

-Name Server Statistics Counters

+Name Server Statistics Counters

 

 
 

@@ -11629,7 +11651,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

 
 

 
 
@@ -11783,7 +11805,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Resolver Statistics Counters

+Resolver Statistics Counters

 
 

 
 
@@ -12166,7 +12188,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

               Socket I/O statistics counters are defined per socket
               types, which are
@@ -12321,7 +12343,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 5cd620efc6..bedb355bdb 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
 
Table of Contents

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -245,7 +245,7 @@ allow-query { !{ !10/8; any; }; key example; };
 

 

-Chroot and Setuid
+Chroot and Setuid
 

 

           On UNIX servers, it is possible to run BIND
@@ -271,7 +271,7 @@ allow-query { !{ !10/8; any; }; key example; };
         

 

 

-The chroot Environment

+The chroot Environment

             In order for a chroot environment
             to
@@ -299,7 +299,7 @@ allow-query { !{ !10/8; any; }; key example; };
 
 

 

-Using the setuid Function

+Using the setuid Function

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 4f0e53da5f..fefda89fea 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

-Common Problems

+Common Problems

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index eecbe883ad..9c05c40c90 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -42,484 +42,7 @@
 

 

 Appendix A. Release Notes

-

-
Table of Contents

-

-
Release Notes for BIND Version 9.11.0pre-alpha

-

-
Introduction

-
Download

-
Security Fixes

-
New Features

-
Feature Changes

-
Bug Fixes

-
End of Life

-
Thank You

-

-

-

-

-

-Release Notes for BIND Version 9.11.0pre-alpha

-

-

-Introduction

-

-      This document summarizes changes since the last production release
-      of BIND on the corresponding major release branch.
-    

-

-

-

-Download

-

-      The latest versions of BIND 9 software can always be found at
-      http://www.isc.org/downloads/.
-      There you will find additional information about each release,
-      source code, and pre-compiled versions for Microsoft Windows
-      operating systems.
-    

-

-

-

-Security Fixes

-
    
-
  • 
-
    
-	  On servers configured to perform DNSSEC validation using
-	  managed trust anchors (i.e., keys configured explicitly
-	  via managed-keys, or implicitly 
-	  via dnssec-validation auto; or
-	  dnssec-lookaside auto;), revoking
-	  a trust anchor and sending a new untrusted replacement
-	  could cause named to crash with an
-	  assertion failure. This could occur in the event of a
-	  botched key rollover, or potentially as a result of a
-	  deliberate attack if the attacker was in position to
-	  monitor the victim's DNS traffic.
-	
    
-
    
-	  This flaw was discovered by Jan-Piet Mens, and is
-	  disclosed in CVE-2015-1349. [RT #38344]
-	
    
-
    • 
-
  • 
-
    
-	  A flaw in delegation handling could be exploited to put
-	  named into an infinite loop, in which
-	  each lookup of a name server triggered additional lookups
-	  of more name servers.  This has been addressed by placing
-	  limits on the number of levels of recursion
-	  named will allow (default 7), and
-	  on the number of queries that it will send before
-	  terminating a recursive query (default 50).
-	
    
-
    
-	  The recursion depth limit is configured via the
-	  max-recursion-depth option, and the query limit
-	  via the max-recursion-queries option.
-	
    
-
    
-	  The flaw was discovered by Florian Maury of ANSSI, and is
-	  disclosed in CVE-2014-8500. [RT #37580]
-	
    
-
    • 
-
  • 
-
    
-	  Two separate problems were identified in BIND's GeoIP code that
-	  could lead to an assertion failure. One was triggered by use of
-	  both IPv4 and IPv6 address families, the other by referencing
-	  a GeoIP database in named.conf which was
-	  not installed. Both are covered by CVE-2014-8680. [RT #37672]
-	  [RT #37679]
-	
    
-
    
-	  A less serious security flaw was also found in GeoIP: changes
-	  to the geoip-directory option in
-	  named.conf were ignored when running
-	  rndc reconfig. In theory, this could allow
-	  named to allow access to unintended clients.
-	
    
-
    • 
-

-

-

-

-New Features

-
    
-
  • 
-	  The serial number of a dynamically updatable zone can
-	  now be set using
-	  rndc signing -serial number zonename.
-	  This is particularly useful with inline-signing
-	  zones that have been reset.  Setting the serial number to a value
-	  larger than that on the slaves will trigger an AXFR-style
-	  transfer.
-	
    • 
-
  • 
-	  When answering recursive queries, SERVFAIL responses can now be
-	  cached by the server for a limited time; subsequent queries for
-	  the same query name and type will return another SERVFAIL until
-	  the cache times out.  This reduces the frequency of retries
-	  when a query is persistently failing, which can be a burden
-	  on recursive serviers.  The SERVFAIL cache timeout is controlled
-	  by servfail-ttl, which defaults to 10 seconds
-	  and has an upper limit of 30.
-	
    • 
-
  • 
-	  The new rndc nta command can now be used to
-	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
-	  a specific domain; this can be used when responses from a domain
-	  are known to be failing validation due to administrative error
-	  rather than because of a spoofing attack. NTAs are strictly
-	  temporary; by default they expire after one hour, but can be
-	  configured to last up to one week.  The default NTA lifetime
-	  can be changed by setting the nta-lifetime in
-	  named.conf. When added, NTAs are stored in a
-	  file (viewname.nta)
-	  in order to persist across restarts of the named server.
-	
    • 
-
  • 
-	  The EDNS Client Subnet (ECS) option is now supported for
-	  authoritative servers; if a query contains an ECS option then
-	  ACLs containing geoip or ecs
-	  elements can match against the the address encoded in the option.
-	  This can be used to select a view for a query, so that different
-	  answers can be provided depending on the client network.
-	
    • 
-
  • 
-	  The EDNS EXPIRE option has been implemented on the client
-	  side, allowing a slave server to set the expiration timer
-	  correctly when transferring zone data from another slave
-	  server.
-	
    • 
-
  • 
-	  A new masterfile-style zone option controls
-	  the formatting of text zone files:  When set to
-	  full, the zone file will dumped in
-	  single-line-per-record format.
-	
    • 
-
  • 
-	  dig +ednsopt can now be used to set
-	  arbitrary EDNS options in DNS requests.
-	
    • 
-
  • 
-	  dig +ednsflags can now be used to set
-	  yet-to-be-defined EDNS flags in DNS requests.
-	
    • 
-
  • 
-	  dig +[no]ednsnegotiation can now be used enable /
-	  disable EDNS version negotiation.
-	
    • 
-
  • 
-	  dig +header-only can now be used to send
-	  queries without a question section.
-	
    • 
-
  • 
-	  dig +ttlunits causes dig
-	  to print TTL values with time-unit suffixes: w, d, h, m, s for
-	  weeks, days, hours, minutes, and seconds.
-	
    • 
-
  • 
-	  dig +zflag can be used to set the last
-	  unassigned DNS header flag bit.  This bit in normally zero.
-	
    • 
-
  • 
-	  dig +dscp=value
-	  can now be used to set the DSCP code point in outgoing query
-	  packets.
-	
    • 
-
  • 
-	  serial-update-method can now be set to
-	  date. On update, the serial number will
-	  be set to the current date in YYYYMMDDNN format.
-	
    • 
-
  • 
-	  dnssec-signzone -N date also sets the serial
-	  number to YYYYMMDDNN.
-	
    • 
-
  • 
-	  named -L filename
-	  causes named to send log messages to the specified file by
-	  default instead of to the system log.
-	
    • 
-
  • 
-	  The rate limiter configured by the
-	  serial-query-rate option no longer covers
-	  NOTIFY messages; those are now separately controlled by
-	  notify-rate and
-	  startup-notify-rate (the latter of which
-	  controls the rate of NOTIFY messages sent when the server
-	  is first started up or reconfigured).
-	
    • 
-
  • 
-	  The default number of tasks and client objects available
-	  for serving lightweight resolver queries have been increased,
-	  and are now configurable via the new lwres-tasks
-	  and lwres-clients options in
-	  named.conf. [RT #35857]
-	
    • 
-
  • 
-	  Log output to files can now be buffered by specifying
-	  buffered yes; when creating a channel.
-	
    • 
-
  • 
-	  delv +tcp will exclusively use TCP when
-	  sending queries.
-	
    • 
-
  • 
-	  named will now check to see whether
-	  other name server processes are running before starting up.
-	  This is implemented in two ways: 1) by refusing to start
-	  if the configured network interfaces all return "address
-	  in use", and 2) by acquiring a file lock on
-	  /var/run/named/named.lock, or on a different
-	  file specified via the named -X command
-	  line option.
-	
    • 
-
  • 
-	  rndc delzone can now be applied to zones
-	  which were configured in named.conf;
-	  it is no longer restricted to zones which were added by
-	  rndc addzone.  (Note, however, that
-	  this does not edit named.conf; the zone
-	  must be removed from the configuration or it will return
-	  when named is restarted or reloaded.)
-	
    • 
-
  • 
-	  rndc modzone can be used to reconfigure
-	  a zone, using similar syntax to rndc addzone. 
-	
    • 
-
  • 
-	  rndc showzone displays the current
-	  configuration for a specified zone.
-	
    • 
-
  • 
-
    
-	  Added server-side support for pipelined TCP queries.  Clients
-	  may continue sending queries via TCP while previous queries are
-	  processed in parallel.  Responses are sent when they are
-	  ready, not necessarily in the order in which the queries were
-	  received.
-	
    
-
    
-	  To revert to the former behavior for a particular
-	  client address or range of addresses, specify the address prefix
-	  in the "keep-response-order" option.  To revert to the former
-	  behavior for all clients, use "keep-response-order { any; };".
-	
    
-
    • 
-
  • 
-	  The new mdig command is a version of
-	  dig that sends multiple pipelined
-	  queries and then waits for responses, instead of sending one
-	  query and waiting the response before sending the next. [RT #38261]
-	
    • 
-
  • 
-	  To enable better monitoring and troubleshooting of RFC 5011
-	  trust anchor management, the new rndc managed-keys
-	  can be used to check status of trust anchors or to force keys
-	  to be refreshed.  Also, the managed-keys data file now has
-	  easier-to-read comments. [RT #38458]
-	
    • 
-
  • 
-	  An --enable-querytrace configure switch is
-	  now available to enable very verbose query tracelogging. This
-	  option can only be set at compile time. This option has a
-	  negative performance impact and should be used only for
-	  debugging.
-	
    • 
-

-

-

-

-Feature Changes

-
    
-
  • 
-	  ACLs containing geoip asnum elements were
-	  not correctly matched unless the full organization name was
-	  specified in the ACL (as in
-	  geoip asnum "AS1234 Example, Inc.";).
-	  They can now match against the AS number alone (as in
-	  geoip asnum "AS1234";).
-	
    • 
-
  • 
-	  When using native PKCS#11 cryptography (i.e.,
-	  configure --enable-native-pkcs11) HSM PINs
-	  of up to 256 characters can now be used.
-	
    • 
-
  • 
-	  NXDOMAIN responses to queries of type DS are now cached separately
-	  from those for other types. This helps when using "grafted" zones
-	  of type forward, for which the parent zone does not contain a
-	  delegation, such as local top-level domains.  Previously a query
-	  of type DS for such a zone could cause the zone apex to be cached
-	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
-	  change is only helpful when DNSSEC validation is not enabled.
-	  "Grafted" zones without a delegation in the parent are not a
-	  recommended configuration.)
-	
    • 
-
  • 
-	  Update forwarding performance has been improved by allowing
-	  a single TCP connection to be shared between multiple updates.
-	
    • 
-
  • 
-	  By default, nsupdate will now check
-	  the correctness of hostnames when adding records of type
-	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
-	  disabled with check-names no.
-	
    • 
-
  • 
-	  Added support for OPENPGPKEY type.
-	
    • 
-
  • 
-	  The names of the files used to store managed keys and added
-	  zones for each view are no longer based on the SHA256 hash
-	  of the view name, except when this is necessary because the
-	  view name contains characters that would be incompatible with use
-	  as a file name.  For views whose names do not contain forward
-	  slashes ('/'), backslashes ('\'), or capital letters - which
-	  could potentially cause namespace collision problems on
-	  case-insensitive filesystems - files will now be named
-	  after the view (for example, internal.mkeys
-	  or external.nzf).  However, to ensure
-	  consistent behavior when upgrading, if a file using the old
-	  name format is found to exist, it will continue to be used.
-	
    • 
-
  • 
-	  "rndc" can now return text output of arbitrary size to
-	  the caller. (Prior to this, certain commands such as
-	  "rndc tsig-list" and "rndc zonestatus" could return
-	  truncated output.)
-	
    • 
-
  • 
-	  Errors reported when running rndc addzone
-	  (e.g., when a zone file cannot be loaded) have been clarified
-	  to make it easier to diagnose problems.
-	
    • 
-
  • 
-	  When encountering an authoritative name server whose name is
-	  an alias pointing to another name, the resolver treats
-	  this as an error and skips to the next server. Previously
-	  this happened silently; now the error will be logged to
-	  the newly-created "cname" log category.
-	
    • 
-
  • 
-	  If named is not configured to validate the answer then
-	  allow fallback to plain DNS on timeout even when we know
-	  the server supports EDNS.  This will allow the server to
-	  potentially resolve signed queries when TCP is being
-	  blocked.
-	
    • 
-

-

-

-

-Bug Fixes

-
    
-
  • 
-	  dig, host and
-	  nslookup aborted when encountering
-	  a name which, after appending search list elements,
-	  exceeded 255 bytes. Such names are now skipped, but
-	  processing of other names will continue. [RT #36892]
-	
    • 
-
  • 
-	  The error message generated when
-	  named-checkzone or
-	  named-checkconf -z encounters a
-	  $TTL directive without a value has
-	  been clarified. [RT #37138]
-	
    • 
-
  • 
-	  Semicolon characters (;) included in TXT records were
-	  incorrectly escaped with a backslash when the record was
-	  displayed as text. This is actually only necessary when there
-	  are no quotation marks. [RT #37159]
-	
    • 
-
  • 
-	  When files opened for writing by named,
-	  such as zone journal files, were referenced more than once
-	  in named.conf, it could lead to file
-	  corruption as multiple threads wrote to the same file. This
-	  is now detected when loading named.conf
-	  and reported as an error. [RT #37172]
-	
    • 
-
  • 
-	  When checking for updates to trust anchors listed in
-	  managed-keys, named
-	  now revalidates keys based on the current set of
-	  active trust anchors, without relying on any cached
-	  record of previous validation. [RT #37506]
-	
    • 
-
  • 
-	  Large-system tuning
-	  (configure --with-tuning=large) caused
-	  problems on some platforms by setting a socket receive
-	  buffer size that was too large.  This is now detected and
-	  corrected at run time. [RT #37187]
-	
    • 
-
  • 
-	  When NXDOMAIN redirection is in use, queries for a name
-	  that is present in the redirection zone but a type that
-	  is not present will now return NOERROR instead of NXDOMAIN.
-	
    • 
-
  • 
-	  Due to an inadvertent removal of code in the previous
-	  release, when named encountered an
-	  authoritative name server which dropped all EDNS queries,
-	  it did not always try plain DNS. This has been corrected.
-	  [RT #37965]
-	
    • 
-
  • 
-	  A regression caused nsupdate to use the default recursive servers
-	  rather than the SOA MNAME server when sending the UPDATE.
-	
    • 
-
  • 
-	  Adjusted max-recursion-queries to accommodate the smaller
-	  initial packet sizes used in BIND 9.10 and higher when
-	  contacting authoritative servers for the first time.
-	
    • 
-
  • 
-	  Built-in "empty" zones did not correctly inherit the
-	  "allow-transfer" ACL from the options or view. [RT #38310]
-        
    • 
-
  • 
-	  Two leaks were fixed that could cause named
-	  processes to grow to very large sizes. [RT #38454]
-	
    • 
-
  • 
-	  Fixed some bugs in RFC 5011 trust anchor management,
-	  including a memory leak and a possible loss of state
-	  information. [RT #38458]
-	
    • 
-
  • 
-	  Asynchronous zone loads were not handled correctly when the
-	  zone load was already in progress; this could trigger a crash
-	  in zt.c. [RT #37573]
-	
    • 
-

-

-

-

-End of Life

-

-      The end of life for BIND 9.11 is yet to be determined but
-      will not be before BIND 9.13.0 has been released for 6 months.
-      https://www.isc.org/downloads/software-support-policy/
-    

-

-

-

-Thank You

-

-      Thank you to everyone who assisted us in making this release possible.
-      If you would like to contribute to ISC to assist us in continuing to
-      make quality open source software, please visit our donations page at
-      http://www.isc.org/donate/.
-    

-

-

+<xi:include></xi:include>
 

 

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html
index 1feba51e5b..052a1be883 100644
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@@ -50,7 +50,7 @@
 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
 

@@ -140,17 +140,17 @@
           

 

-Bibliography

+Bibliography

 
Standards

 

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

+
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

 

 

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

+
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

 

 

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 

 

 

@@ -158,42 +158,42 @@
 

 Proposed Standards

 

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 

 

 

-
[RFC2308] M. Andrews. Negative Caching of DNS
+
[RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 

 

 

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 

 

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 

 

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

 

 

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 

 

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 

 

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 

 

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

 

 

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

 

 

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

 

 

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 

 

@@ -202,19 +202,19 @@
 

 DNS Security Proposed Standards

 

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

 

 

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

 

 

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

 

 

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

 

 

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 

 

 
@@ -222,146 +222,146 @@
 
Other Important RFCs About DNS
                 Implementation

 

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software. October 1993. 

 

 

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 

 

 

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

 

 

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 

 

 
 

 
Resource Record Types

 

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

 

 

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

 

 

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 

 

 

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 

 

 

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services. October 1996. 

 

 

-
[RFC2163] A. Allocchio. Using the Internet DNS to
+
[RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 

 

 

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

 

 

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

 

 

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

 

 

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

 

 

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

 

 

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

 

 

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 

 

 

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

 

 

 

 

 DNS and the Internet

 

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 

 

 

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 

 

 

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

 

 

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

 

 

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

 

 

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

 

 

 

 

 DNS Operations

 

-
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

+
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

 

 

-
[RFC1537] P. Beertema. Common DNS Data File
+
[RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 

 

 

-
[RFC1912] D. Barr. Common DNS Operational and
+
[RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 

 

 

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

 

 

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services. October 1997. 

 

 

 

 
Internationalized Domain Names

 

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 

 

 

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

 

 

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

 

 

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 

 

@@ -377,47 +377,47 @@
                 

 

 

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 

 

 

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

 

 

-
[RFC1794] T. Brisco. DNS Support for Load
+
[RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 

 

 

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

 

 

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

 

 

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

 

 

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

 

 

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 

 

 

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

 

 
 

 
Obsolete and Unimplemented Experimental RFC

 

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 

 

 

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

 

 

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 

 

 

@@ -431,39 +431,39 @@
                 

 
 

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

 

 

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

 

 

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

 

 

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 

 

 

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

 

 

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

 

 

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

 

 

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

 

 

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

 

 

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 

 

 

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

 

 
 
@@ -484,14 +484,14 @@
 
 

 

-Other Documents About BIND
+Other Documents About BIND
 

 

 

 

-Bibliography

+Bibliography

 

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 

 
 
diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html
index 6d8492f4bf..ebd8184121 100644
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@@ -47,13 +47,13 @@
 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
@@ -89,7 +89,7 @@
 
 

 

-Prerequisite

+Prerequisite

 
GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
@@ -98,7 +98,7 @@
 
 

 

-Compilation

+Compilation

 
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -113,7 +113,7 @@ $ make
 
 

 

-Installation

+Installation

 
 $ cd lib/export
 $ make install
@@ -135,7 +135,7 @@ $ make install
 
 

 

-Known Defects/Restrictions

+Known Defects/Restrictions

 
    
 
  • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -175,7 +175,7 @@ $ make
 

 

 

-The dns.conf File

+The dns.conf File

 
The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -193,14 +193,14 @@ $ make
 
 

 

-Sample Applications

+Sample Applications

 
Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   

 

 

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

 

   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -264,7 +264,7 @@ $ make
 
 

 

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

 

   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -305,7 +305,7 @@ $ make
 
 

 

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

 

   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -346,7 +346,7 @@ $ make
 
 

 

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

 

   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -363,7 +363,7 @@ $ make
 
 

 

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

 

   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -458,7 +458,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

 

   It checks a set
   of domains to see the name servers of the domains behave
@@ -515,7 +515,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-Library References

+Library References

 
As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index bdf3e83bdc..27372fdaa8 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -114,39 +114,39 @@
 
 
DNSSEC, Dynamic Zones, and Automatic Signing

 

-
Converting from insecure to secure

-
Dynamic DNS update method

-
Fully automatic zone signing

-
Private-type records

-
DNSKEY rollovers

-
Dynamic DNS update method

-
Automatic key rollovers

-
NSEC3PARAM rollovers via UPDATE

-
Converting from NSEC to NSEC3

-
Converting from NSEC3 to NSEC

-
Converting from secure to insecure

-
Periodic re-signing

-
NSEC3 and OPTOUT

+
Converting from insecure to secure

+
Dynamic DNS update method

+
Fully automatic zone signing

+
Private-type records

+
DNSKEY rollovers

+
Dynamic DNS update method

+
Automatic key rollovers

+
NSEC3PARAM rollovers via UPDATE

+
Converting from NSEC to NSEC3

+
Converting from NSEC3 to NSEC

+
Converting from secure to insecure

+
Periodic re-signing

+
NSEC3 and OPTOUT

 

 
Dynamic Trust Anchor Management

 

-
Validating Resolver

-
Authoritative Server

+
Validating Resolver

+
Authoritative Server

 

 
PKCS#11 (Cryptoki) support

 

-
Prerequisites

-
Native PKCS#11

-
OpenSSL-based PKCS#11

-
PKCS#11 Tools

-
Using the HSM

-
Specifying the engine on the command line

-
Running named with automatic zone re-signing

+
Prerequisites

+
Native PKCS#11

+
OpenSSL-based PKCS#11

+
PKCS#11 Tools

+
Using the HSM

+
Specifying the engine on the command line

+
Running named with automatic zone re-signing

 

 
DLZ (Dynamically Loadable Zones)

 

-
Configuring DLZ

-
Sample DLZ Driver

+
Configuring DLZ

+
Sample DLZ Driver

 

 
IPv6 Support in BIND 9

 

@@ -194,28 +194,28 @@
 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -224,34 +224,21 @@
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Release Notes

-

-
Release Notes for BIND Version 9.11.0pre-alpha

-

-
Introduction

-
Download

-
Security Fixes

-
New Features

-
Feature Changes

-
Bug Fixes

-
End of Life

-
Thank You

-

-

 
B. A Brief History of the DNS and BIND

 

 
C. General DNS Reference Information

@@ -261,20 +248,20 @@
 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
 
D. BIND 9 DNS Library Support

 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
I. Manual pages

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 18e5334221..a6e1b575eb 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 
arpaname  {ipaddress ...}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 63cfbe49e9..20f84b62cd 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name  |   -z zone ]

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       tsig-keygen and ddns-confgen
       are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -159,7 +159,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -167,7 +167,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index a126b9c0d6..a5fbb1a166 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@
 
delv  [queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
delv
       (Domain Entity Lookup & Validation) is a tool for sending
       DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of delv looks like:
       

@@ -151,7 +151,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a anchor-file

 

@@ -285,7 +285,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
delv
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
@@ -471,12 +471,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/bind.keys

 
/etc/resolv.conf

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8),
       RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index b24db01e55..e8c2f401ce 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -152,7 +152,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -280,7 +280,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -708,7 +708,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -754,7 +754,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -768,14 +768,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -783,7 +783,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 6b0a1a092a..b58f3a693c 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
 
dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f file

 

@@ -88,14 +88,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 18a019a871..21782e4021 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
 
dnssec-coverage  [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-K directory

 

@@ -192,7 +192,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -201,7 +201,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 5f4a01a299..c9146ba54b 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
 
dnssec-dsfromkey  [-h] [-V]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -144,7 +144,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -159,7 +159,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index 347a67bb84..bd2b0c819b 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@
 
dnssec-importkey  {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-importkey
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f filename

 

@@ -114,7 +114,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
 

 
 

-
FILES

+
FILES

 

       A keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 5e17ec011c..3e182aadb3 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -243,7 +243,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
 

 
 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -354,7 +354,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index da1ccc9443..1c3af8e347 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -287,7 +287,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -361,7 +361,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -407,7 +407,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -428,7 +428,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -437,7 +437,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index ddc8af5a44..1dde6b0c0e 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -109,14 +109,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index ea20b18ec6..be3ad8abca 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 
dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -133,7 +133,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -212,7 +212,7 @@
 

 
 

-
PRINTING OPTIONS

+
PRINTING OPTIONS

 

       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -238,7 +238,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -246,7 +246,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 7a0aabcb05..0008641219 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -512,7 +512,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
 %

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033, RFC 4641.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index a931404a5e..1e33aa45b9 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 
dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-c class

 

@@ -138,7 +138,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -146,7 +146,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 74e2370ce8..71082e1ccb 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 
genrandom  [-n number] {size} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
-n number

 

@@ -77,14 +77,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       rand(3),
       arc4random(3)
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index f62ae9c4c2..6e2714ae01 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -228,12 +228,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index 7fa0b1cb8a..c5b0c1090f 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 
isc-hmac-fixup  {algorithm} {secret}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     

 

 

-
SECURITY CONSIDERATIONS

+
SECURITY CONSIDERATIONS

 

       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 2104.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index a93fe56a81..04b5f9e06b 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -119,21 +119,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 821c58c52e..6417ceb222 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -305,14 +305,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -320,7 +320,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 0e3f6f1f81..fea15d241b 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 
named-journalprint  {journal}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index a9e4dea527..d33ade3019 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -50,7 +50,7 @@
 
named-rrchecker  [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-rrchecker
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
@@ -78,7 +78,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 1034,
       RFC 1035,
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index c0e082ffb9..cb1e16e91a 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -275,8 +275,11 @@
 

             Acquire a lock on the specified file at runtime; this
             helps to prevent duplicate named instances
-            from running simultaneously. If not specified via this option,
-            the default lockfile is /var/run/named/named.lock.
+            from running simultaneously.
+            Use of this option overrides the lock-file
+            option in named.conf.
+            If set to none, the lock file check
+            is disabled.
           

 
-x cache-file

 

@@ -296,7 +299,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -317,7 +320,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -334,7 +337,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -347,7 +350,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -360,7 +363,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index e0473249b5..7856294ad8 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 
nsec3hash  {salt} {algorithm} {iterations} {domain}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
salt

 

@@ -80,14 +80,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 5155.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index a0ff0d8e80..b5fdd793f2 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [-L level] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -108,7 +108,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -242,7 +242,7 @@
 

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -555,7 +555,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -609,7 +609,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -632,7 +632,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 2136,
       RFC 3007,
@@ -647,7 +647,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 45fd31c3ef..c505f9f2a3 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -180,7 +180,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -197,7 +197,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -205,7 +205,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 0b7f0f1d77..dc0a3df6ff 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -228,7 +228,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index a6ac3f0c89..e927867751 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -81,7 +81,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
 

 

 

-
COMMANDS

+
COMMANDS

 

       A list of commands supported by rndc can
       be seen by running rndc without arguments.
@@ -679,7 +679,7 @@
 

 
 

-
LIMITATIONS

+
LIMITATIONS

 

       There is currently no way to provide the shared secret for a
       key_id without using the configuration file.
@@ -689,7 +689,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -699,7 +699,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index c01450347f..c2670d314e 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -19,466 +19,5 @@
 
 
 
-

-

-Release Notes for BIND Version 9.11.0pre-alpha

-

-

-Introduction

-

-      This document summarizes changes since the last production release
-      of BIND on the corresponding major release branch.
-    

-

-

-

-Download

-

-      The latest versions of BIND 9 software can always be found at
-      http://www.isc.org/downloads/.
-      There you will find additional information about each release,
-      source code, and pre-compiled versions for Microsoft Windows
-      operating systems.
-    

-

-

-

-Security Fixes

-
    
-
  • 
-
    
-	  On servers configured to perform DNSSEC validation using
-	  managed trust anchors (i.e., keys configured explicitly
-	  via managed-keys, or implicitly 
-	  via dnssec-validation auto; or
-	  dnssec-lookaside auto;), revoking
-	  a trust anchor and sending a new untrusted replacement
-	  could cause named to crash with an
-	  assertion failure. This could occur in the event of a
-	  botched key rollover, or potentially as a result of a
-	  deliberate attack if the attacker was in position to
-	  monitor the victim's DNS traffic.
-	
    
-
    
-	  This flaw was discovered by Jan-Piet Mens, and is
-	  disclosed in CVE-2015-1349. [RT #38344]
-	
    
-
    • 
-
  • 
-
    
-	  A flaw in delegation handling could be exploited to put
-	  named into an infinite loop, in which
-	  each lookup of a name server triggered additional lookups
-	  of more name servers.  This has been addressed by placing
-	  limits on the number of levels of recursion
-	  named will allow (default 7), and
-	  on the number of queries that it will send before
-	  terminating a recursive query (default 50).
-	
    
-
    
-	  The recursion depth limit is configured via the
-	  max-recursion-depth option, and the query limit
-	  via the max-recursion-queries option.
-	
    
-
    
-	  The flaw was discovered by Florian Maury of ANSSI, and is
-	  disclosed in CVE-2014-8500. [RT #37580]
-	
    
-
    • 
-
  • 
-
    
-	  Two separate problems were identified in BIND's GeoIP code that
-	  could lead to an assertion failure. One was triggered by use of
-	  both IPv4 and IPv6 address families, the other by referencing
-	  a GeoIP database in named.conf which was
-	  not installed. Both are covered by CVE-2014-8680. [RT #37672]
-	  [RT #37679]
-	
    
-
    
-	  A less serious security flaw was also found in GeoIP: changes
-	  to the geoip-directory option in
-	  named.conf were ignored when running
-	  rndc reconfig. In theory, this could allow
-	  named to allow access to unintended clients.
-	
    
-
    • 
-

-

-

-

-New Features

-
    
-
  • 
-	  The serial number of a dynamically updatable zone can
-	  now be set using
-	  rndc signing -serial number zonename.
-	  This is particularly useful with inline-signing
-	  zones that have been reset.  Setting the serial number to a value
-	  larger than that on the slaves will trigger an AXFR-style
-	  transfer.
-	
    • 
-
  • 
-	  When answering recursive queries, SERVFAIL responses can now be
-	  cached by the server for a limited time; subsequent queries for
-	  the same query name and type will return another SERVFAIL until
-	  the cache times out.  This reduces the frequency of retries
-	  when a query is persistently failing, which can be a burden
-	  on recursive serviers.  The SERVFAIL cache timeout is controlled
-	  by servfail-ttl, which defaults to 10 seconds
-	  and has an upper limit of 30.
-	
    • 
-
  • 
-	  The new rndc nta command can now be used to
-	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
-	  a specific domain; this can be used when responses from a domain
-	  are known to be failing validation due to administrative error
-	  rather than because of a spoofing attack. NTAs are strictly
-	  temporary; by default they expire after one hour, but can be
-	  configured to last up to one week.  The default NTA lifetime
-	  can be changed by setting the nta-lifetime in
-	  named.conf. When added, NTAs are stored in a
-	  file (viewname.nta)
-	  in order to persist across restarts of the named server.
-	
    • 
-
  • 
-	  The EDNS Client Subnet (ECS) option is now supported for
-	  authoritative servers; if a query contains an ECS option then
-	  ACLs containing geoip or ecs
-	  elements can match against the the address encoded in the option.
-	  This can be used to select a view for a query, so that different
-	  answers can be provided depending on the client network.
-	
    • 
-
  • 
-	  The EDNS EXPIRE option has been implemented on the client
-	  side, allowing a slave server to set the expiration timer
-	  correctly when transferring zone data from another slave
-	  server.
-	
    • 
-
  • 
-	  A new masterfile-style zone option controls
-	  the formatting of text zone files:  When set to
-	  full, the zone file will dumped in
-	  single-line-per-record format.
-	
    • 
-
  • 
-	  dig +ednsopt can now be used to set
-	  arbitrary EDNS options in DNS requests.
-	
    • 
-
  • 
-	  dig +ednsflags can now be used to set
-	  yet-to-be-defined EDNS flags in DNS requests.
-	
    • 
-
  • 
-	  dig +[no]ednsnegotiation can now be used enable /
-	  disable EDNS version negotiation.
-	
    • 
-
  • 
-	  dig +header-only can now be used to send
-	  queries without a question section.
-	
    • 
-
  • 
-	  dig +ttlunits causes dig
-	  to print TTL values with time-unit suffixes: w, d, h, m, s for
-	  weeks, days, hours, minutes, and seconds.
-	
    • 
-
  • 
-	  dig +zflag can be used to set the last
-	  unassigned DNS header flag bit.  This bit in normally zero.
-	
    • 
-
  • 
-	  dig +dscp=value
-	  can now be used to set the DSCP code point in outgoing query
-	  packets.
-	
    • 
-
  • 
-	  serial-update-method can now be set to
-	  date. On update, the serial number will
-	  be set to the current date in YYYYMMDDNN format.
-	
    • 
-
  • 
-	  dnssec-signzone -N date also sets the serial
-	  number to YYYYMMDDNN.
-	
    • 
-
  • 
-	  named -L filename
-	  causes named to send log messages to the specified file by
-	  default instead of to the system log.
-	
    • 
-
  • 
-	  The rate limiter configured by the
-	  serial-query-rate option no longer covers
-	  NOTIFY messages; those are now separately controlled by
-	  notify-rate and
-	  startup-notify-rate (the latter of which
-	  controls the rate of NOTIFY messages sent when the server
-	  is first started up or reconfigured).
-	
    • 
-
  • 
-	  The default number of tasks and client objects available
-	  for serving lightweight resolver queries have been increased,
-	  and are now configurable via the new lwres-tasks
-	  and lwres-clients options in
-	  named.conf. [RT #35857]
-	
    • 
-
  • 
-	  Log output to files can now be buffered by specifying
-	  buffered yes; when creating a channel.
-	
    • 
-
  • 
-	  delv +tcp will exclusively use TCP when
-	  sending queries.
-	
    • 
-
  • 
-	  named will now check to see whether
-	  other name server processes are running before starting up.
-	  This is implemented in two ways: 1) by refusing to start
-	  if the configured network interfaces all return "address
-	  in use", and 2) by acquiring a file lock on
-	  /var/run/named/named.lock, or on a different
-	  file specified via the named -X command
-	  line option.
-	
    • 
-
  • 
-	  rndc delzone can now be applied to zones
-	  which were configured in named.conf;
-	  it is no longer restricted to zones which were added by
-	  rndc addzone.  (Note, however, that
-	  this does not edit named.conf; the zone
-	  must be removed from the configuration or it will return
-	  when named is restarted or reloaded.)
-	
    • 
-
  • 
-	  rndc modzone can be used to reconfigure
-	  a zone, using similar syntax to rndc addzone. 
-	
    • 
-
  • 
-	  rndc showzone displays the current
-	  configuration for a specified zone.
-	
    • 
-
  • 
-
    
-	  Added server-side support for pipelined TCP queries.  Clients
-	  may continue sending queries via TCP while previous queries are
-	  processed in parallel.  Responses are sent when they are
-	  ready, not necessarily in the order in which the queries were
-	  received.
-	
    
-
    
-	  To revert to the former behavior for a particular
-	  client address or range of addresses, specify the address prefix
-	  in the "keep-response-order" option.  To revert to the former
-	  behavior for all clients, use "keep-response-order { any; };".
-	
    
-
    • 
-
  • 
-	  The new mdig command is a version of
-	  dig that sends multiple pipelined
-	  queries and then waits for responses, instead of sending one
-	  query and waiting the response before sending the next. [RT #38261]
-	
    • 
-
  • 
-	  To enable better monitoring and troubleshooting of RFC 5011
-	  trust anchor management, the new rndc managed-keys
-	  can be used to check status of trust anchors or to force keys
-	  to be refreshed.  Also, the managed-keys data file now has
-	  easier-to-read comments. [RT #38458]
-	
    • 
-
  • 
-	  An --enable-querytrace configure switch is
-	  now available to enable very verbose query tracelogging. This
-	  option can only be set at compile time. This option has a
-	  negative performance impact and should be used only for
-	  debugging.
-	
    • 
-

-

-

-

-Feature Changes

-
    
-
  • 
-	  ACLs containing geoip asnum elements were
-	  not correctly matched unless the full organization name was
-	  specified in the ACL (as in
-	  geoip asnum "AS1234 Example, Inc.";).
-	  They can now match against the AS number alone (as in
-	  geoip asnum "AS1234";).
-	
    • 
-
  • 
-	  When using native PKCS#11 cryptography (i.e.,
-	  configure --enable-native-pkcs11) HSM PINs
-	  of up to 256 characters can now be used.
-	
    • 
-
  • 
-	  NXDOMAIN responses to queries of type DS are now cached separately
-	  from those for other types. This helps when using "grafted" zones
-	  of type forward, for which the parent zone does not contain a
-	  delegation, such as local top-level domains.  Previously a query
-	  of type DS for such a zone could cause the zone apex to be cached
-	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
-	  change is only helpful when DNSSEC validation is not enabled.
-	  "Grafted" zones without a delegation in the parent are not a
-	  recommended configuration.)
-	
    • 
-
  • 
-	  Update forwarding performance has been improved by allowing
-	  a single TCP connection to be shared between multiple updates.
-	
    • 
-
  • 
-	  By default, nsupdate will now check
-	  the correctness of hostnames when adding records of type
-	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
-	  disabled with check-names no.
-	
    • 
-
  • 
-	  Added support for OPENPGPKEY type.
-	
    • 
-
  • 
-	  The names of the files used to store managed keys and added
-	  zones for each view are no longer based on the SHA256 hash
-	  of the view name, except when this is necessary because the
-	  view name contains characters that would be incompatible with use
-	  as a file name.  For views whose names do not contain forward
-	  slashes ('/'), backslashes ('\'), or capital letters - which
-	  could potentially cause namespace collision problems on
-	  case-insensitive filesystems - files will now be named
-	  after the view (for example, internal.mkeys
-	  or external.nzf).  However, to ensure
-	  consistent behavior when upgrading, if a file using the old
-	  name format is found to exist, it will continue to be used.
-	
    • 
-
  • 
-	  "rndc" can now return text output of arbitrary size to
-	  the caller. (Prior to this, certain commands such as
-	  "rndc tsig-list" and "rndc zonestatus" could return
-	  truncated output.)
-	
    • 
-
  • 
-	  Errors reported when running rndc addzone
-	  (e.g., when a zone file cannot be loaded) have been clarified
-	  to make it easier to diagnose problems.
-	
    • 
-
  • 
-	  When encountering an authoritative name server whose name is
-	  an alias pointing to another name, the resolver treats
-	  this as an error and skips to the next server. Previously
-	  this happened silently; now the error will be logged to
-	  the newly-created "cname" log category.
-	
    • 
-
  • 
-	  If named is not configured to validate the answer then
-	  allow fallback to plain DNS on timeout even when we know
-	  the server supports EDNS.  This will allow the server to
-	  potentially resolve signed queries when TCP is being
-	  blocked.
-	
    • 
-

-

-

-

-Bug Fixes

-
    
-
  • 
-	  dig, host and
-	  nslookup aborted when encountering
-	  a name which, after appending search list elements,
-	  exceeded 255 bytes. Such names are now skipped, but
-	  processing of other names will continue. [RT #36892]
-	
    • 
-
  • 
-	  The error message generated when
-	  named-checkzone or
-	  named-checkconf -z encounters a
-	  $TTL directive without a value has
-	  been clarified. [RT #37138]
-	
    • 
-
  • 
-	  Semicolon characters (;) included in TXT records were
-	  incorrectly escaped with a backslash when the record was
-	  displayed as text. This is actually only necessary when there
-	  are no quotation marks. [RT #37159]
-	
    • 
-
  • 
-	  When files opened for writing by named,
-	  such as zone journal files, were referenced more than once
-	  in named.conf, it could lead to file
-	  corruption as multiple threads wrote to the same file. This
-	  is now detected when loading named.conf
-	  and reported as an error. [RT #37172]
-	
    • 
-
  • 
-	  When checking for updates to trust anchors listed in
-	  managed-keys, named
-	  now revalidates keys based on the current set of
-	  active trust anchors, without relying on any cached
-	  record of previous validation. [RT #37506]
-	
    • 
-
  • 
-	  Large-system tuning
-	  (configure --with-tuning=large) caused
-	  problems on some platforms by setting a socket receive
-	  buffer size that was too large.  This is now detected and
-	  corrected at run time. [RT #37187]
-	
    • 
-
  • 
-	  When NXDOMAIN redirection is in use, queries for a name
-	  that is present in the redirection zone but a type that
-	  is not present will now return NOERROR instead of NXDOMAIN.
-	
    • 
-
  • 
-	  Due to an inadvertent removal of code in the previous
-	  release, when named encountered an
-	  authoritative name server which dropped all EDNS queries,
-	  it did not always try plain DNS. This has been corrected.
-	  [RT #37965]
-	
    • 
-
  • 
-	  A regression caused nsupdate to use the default recursive servers
-	  rather than the SOA MNAME server when sending the UPDATE.
-	
    • 
-
  • 
-	  Adjusted max-recursion-queries to accommodate the smaller
-	  initial packet sizes used in BIND 9.10 and higher when
-	  contacting authoritative servers for the first time.
-	
    • 
-
  • 
-	  Built-in "empty" zones did not correctly inherit the
-	  "allow-transfer" ACL from the options or view. [RT #38310]
-        
    • 
-
  • 
-	  Two leaks were fixed that could cause named
-	  processes to grow to very large sizes. [RT #38454]
-	
    • 
-
  • 
-	  Fixed some bugs in RFC 5011 trust anchor management,
-	  including a memory leak and a possible loss of state
-	  information. [RT #38458]
-	
    • 
-
  • 
-	  Asynchronous zone loads were not handled correctly when the
-	  zone load was already in progress; this could trigger a crash
-	  in zt.c. [RT #37573]
-	
    • 
-

-

-

-

-End of Life

-

-      The end of life for BIND 9.11 is yet to be determined but
-      will not be before BIND 9.13.0 has been released for 6 months.
-      https://www.isc.org/downloads/software-support-policy/
-    

-

-

-

-Thank You

-

-      Thank you to everyone who assisted us in making this release possible.
-      If you would like to contribute to ISC to assist us in continuing to
-      make quality open source software, please visit our donations page at
-      http://www.isc.org/donate/.
-    

-

-

+
<xi:include></xi:include>

 
diff --git a/doc/misc/options b/doc/misc/options
index a93e89def7..70b605abcc 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -167,6 +167,7 @@ options {
             ; ... };
         listen-on-v6 [ port  ] [ dscp  ] {
             ; ... };
+        lock-file (  | none );
         maintain-ixfr-base ; // obsolete
         managed-keys-directory ;
         masterfile-format ( text | raw | map );