diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index c92be5254c..7df07a5865 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -91,8 +91,8 @@ security considerations, and Section 8 contains troubleshooting help. The main body of the document is followed by several - Appendices which contain useful reference - information, such as a Bibliography and + appendices which contain useful reference + information, such as a bibliography and historic information related to BIND and the Domain Name System. @@ -229,8 +229,8 @@ The Domain Name System (<acronym>DNS</acronym>) The purpose of this document is to explain the installation - and upkeep of the BIND software - package, and we + and upkeep of the BIND (Berkeley Internet + Name Domain) software package, and we begin by reviewing the fundamentals of the Domain Name System (DNS) as they relate to BIND. @@ -1085,6 +1085,12 @@ zone "eng.example.com" { (rndc) program allows the system administrator to control the operation of a name server. + Since BIND 9.2, rndc + supports all the commands of the BIND 8 ndc + utility except ndc start and + ndc restart, which were also + not supported in ndc's + channel mode. If you run rndc without any options it will display a usage message as follows: @@ -1356,15 +1362,6 @@ zone "eng.example.com" { - - In BIND 9.2, rndc - supports all the commands of the BIND 8 ndc - utility except ndc start and - ndc restart, which were also - not supported in ndc's - channel mode. - - A configuration file is required, since all communication with the server is authenticated with @@ -1758,9 +1755,8 @@ controls { on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network. - - Here is an example of a split DNS setup: - + + Example split DNS setup Let's say a company named Example, Inc. (example.com) 
@@ -1995,6 +1991,7 @@ nameserver 172.16.72.3 nameserver 172.16.72.4 + TSIG @@ -2193,7 +2190,7 @@ allow-update { key host1-host2. ;}; outside of the allowed range, the response will be signed with the TSIG extended error code set to BADTIME, and the time values will be adjusted so that the response can be successfully - verified. In any of these cases, the message's rcode is set to + verified. In any of these cases, the message's rcode (response code) is set to NOTAUTH (not authenticated). @@ -2272,7 +2269,7 @@ allow-update { key host1-host2. ;}; Cryptographic authentication of DNS information is possible through the DNS Security (DNSSEC-bis) extensions, - defined in RFC 4033, RFC 4034 and RFC 4035. + defined in RFC 4033, RFC 4034, and RFC 4035. This section describes the creation and use of DNSSEC signed zones. @@ -2340,7 +2337,7 @@ allow-update { key host1-host2. ;}; Kchild.example.+005+12345.key and Kchild.example.+005+12345.private (where - 12345 is an example of a key tag). The key file names contain + 12345 is an example of a key tag). The key filenames contain the key name (child.example.), algorithm (3 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in @@ -2842,7 +2839,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. An IP port number. - number is limited to 0 + The number is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. @@ -3120,7 +3117,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. The BIND 9 comment syntax allows for comments to appear - anywhere that white space may appear in a BIND configuration + anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style. 
@@ -3137,7 +3134,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. Definition and Usage - Comments may appear anywhere that white space may appear in + Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -4207,7 +4204,7 @@ category notify { null; }; - the query log entry reports the client's IP + The query log entry reports the client's IP address and port number, and the query name, class and type. It also reports whether the Recursion Desired flag was set (+ if set, - @@ -4303,7 +4300,7 @@ category notify { null; }; The lwres statement configures the name server to also act as a lightweight resolver server. (See - .) There may be be multiple + .) There may be multiple lwres statements configuring lightweight resolver servers with different properties. @@ -4697,7 +4694,7 @@ category notify { null; }; name server. Specifying pid-file none disables the use of a PID file — no file will be written and any existing one will be removed. Note that none - is a keyword, not a file name, and therefore is not enclosed + is a keyword, not a filename, and therefore is not enclosed in double quotes. @@ -5326,7 +5323,7 @@ options { This option is obsolete. If you need to disable IXFR to a particular server or - servers see + servers, see the information on the provide-ixfr option in . See also @@ -5560,6 +5557,7 @@ options { Accept expired signatures when verifying DNSSEC signatures. The default is no. + Setting this option to "yes" leaves named vulnerable to replay attacks. @@ -5603,7 +5601,7 @@ options { and MX records. It also applies to the RDATA of PTR records where the owner name indicated that it is a reverse lookup of a hostname - (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT). + (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). @@ -5728,7 +5726,8 @@ options { Try to refresh the zone using TCP if UDP queries fail. - The default is yes. + For BIND 8 compatibility, the default is + yes. 
@@ -5910,6 +5909,12 @@ options { localnets and localhost. + + The way to set query access to the cache is now via + allow-query-cache. + This differs from earlier versions which used + allow-query. + @@ -6819,7 +6824,7 @@ query-source-v6 address * port *; Not yet implemented in - BIND9. + BIND 9. @@ -7206,7 +7211,7 @@ query-source-v6 address * port *; values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to - a non-default value it to get UDP answers to pass + a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. @@ -7226,6 +7231,8 @@ query-source-v6 address * port *; answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. + This is independent of the advertised receive + buffer (edns-udp-size). @@ -7443,10 +7450,10 @@ query-source-v6 address * port *; If you are using the address ranges covered here, you should already have reverse zones covering the addresses you use. In practice this appears to not be the case with many queries - being made to the infrustructure servers for names in these + being made to the infrastructure servers for names in these spaces. So many in fact that sacrificial servers were needed to be deployed to channel the query load away from the - infrustructure servers. + infrastructure servers. The real parent servers for these zones should disable all @@ -8340,7 +8347,7 @@ zone zone_name classexample.com might place the zone contents into a file called @@ -8806,8 +8813,8 @@ zone zone_name classjournal - Allow the default journal's file name to be overridden. - The default is the zone's file with ".jnl" appended. + Allow the default journal's filename to be overridden. + The default is the zone's filename with ".jnl" appended. This is applicable to master and slave zones. 
@@ -10566,14 +10573,14 @@ $GENERATE 1-127 $ CNAME $.0 lhs - lhs + This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs side are replaced by the iterator value. - To get a $ in the output you need to escape the + To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The @@ -10582,7 +10589,7 @@ $GENERATE 1-127 $ CNAME $.0 iterator, field width and base. Modifiers are introduced by a - { immediately following the + { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} @@ -10655,7 +10662,7 @@ $GENERATE 1-127 $ CNAME $.0 - A domain name. It is processed + rhs is a domain name. It is processed similarly to lhs. @@ -10783,7 +10790,7 @@ zone "example.com" { - <command>chroot</command> and <command>setuid</command> + <command>Chroot</command> and <command>Setuid</command> On UNIX servers, it is possible to run BIND in a chrooted environment (using the chroot() function) by specifying the "" @@ -10822,7 +10829,7 @@ zone "example.com" { for this. - Unlike with earlier versions of BIND, you will typically + Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root. However, depending on your operating system, you may need @@ -11045,7 +11052,7 @@ zone "example.com" { Wolfhugel, and others. - BIND version 4.9.2 was sponsored by + In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer. @@ -11079,7 +11086,8 @@ zone "example.com" { Anycast, an identifier for a set of interfaces; and Multicast, an identifier for a set of interfaces. Here we describe the global - Unicast address scheme. For more information, see RFC 3587. + Unicast address scheme. For more information, see RFC 3587, + "Global Unicast Address Format." IPv6 unicast addresses consist of a
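Review bot: in the hunk at @@ -5910,6 +5909,12 @@, "earlier versions" leaves the reader guessing which release changed the semantics; name the release that introduced allow-query-cache and say what a configuration that still sets only allow-query gets (whether cache access falls back to the allow-query ACL or to the allow-query-cache default). This matters for operators, since the cache ACL is what decides whether the server answers recursive clients it did not intend to serve; a cross-reference to the allow-query-cache option description would also help.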
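Review bot: in the hunk at @@ -5560,6 +5557,7 @@, the added warning "Setting this option to "yes" leaves named vulnerable to replay attacks." should say what is replayed: with expired signatures accepted, an attacker can serve an old RRset together with its old, once-valid RRSIG after the signature's expiration time has passed, so the expiry window no longer bounds how long stale data can be presented. The quoted "yes" also differs from the unquoted no on the preceding line; use the same markup for both values.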
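Review bot: in the hunk at @@ -7226,6 +7231,8 @@, the added sentence "This is independent of the advertised receive buffer (edns-udp-size)." is hard to parse without the option name the paragraph describes, which is outside the hunk context. Spell out the distinction: edns-udp-size is the size this server advertises it can receive in its own queries, whereas the option described here limits the size of the UDP responses the server sends, so the two can be set to different values.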
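Review bot: in the hunk at @@ -10783,7 +10790,7 @@, the title change capitalizes the contents of &lt;command&gt; elements ("Chroot", "Setuid"); these are literal command and call names, and the paragraph right below still refers to the chroot() function in lower case, so the heading should keep `<command>chroot</command> and <command>setuid</command>` as it was.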
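Review bot: in the hunks at @@ -10566,14 +10573,14 @@ and @@ -10655,7 +10662,7 @@, the two parallel $GENERATE entries end up in different forms: the lhs entry now opens with "This describes the owner name", while the rhs entry opens with "rhs is a domain name". Pick one pattern for both, for example "lhs describes the owner name ..." and "rhs is a domain name ...", so the two terms read as a matched pair.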
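Review bot: in the hunk at @@ -11045,7 +11052,7 @@, "In 1994" introduces a new factual claim into the history section without a source in the change; either cite where the year comes from or leave the sentence as it was, since an unsourced date in a reference manual is worse than none.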
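Review bot: in the hunk at @@ -11079,7 +11086,8 @@, the added quoted title "Global Unicast Address Format." should match the RFC's actual title, which is "IPv6 Global Unicast Address Format"; if the title is kept, quote it verbatim and move the full stop outside the quotation so it is not read as part of the title.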