mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00

prep 9.15.1

Tinderbox User 2019-06-03 19:29:39 +00:00 committed by Evan Hunt
parent 7dfef18b05
commit 9bb0b30bc2
76 changed files with 904 additions and 646 deletions


@ -2,6 +2,8 @@
statistics when hitting recursive clients
soft quota. [GL #1067]
--- 9.15.1 released ---
5248. [func] To clarify the configuration of DNSSEC keys,
the "managed-keys" and "trusted-keys" options
have both been deprecated. The new "dnssec-keys"


@ -1,3 +1,5 @@
CONTRIBUTING
BIND Source Access and Contributor Guidelines
Feb 22, 2018

10
HISTORY

@ -1,3 +1,5 @@
HISTORY
Functional enhancements from prior major releases of BIND 9
BIND 9.14
@ -505,11 +507,11 @@ BIND 9.4.0
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a basis as some servers only appear to
be lame for certain query types.
* The lame cache is now done on a <qname,qclass,qtype> basis as some
servers only appear to be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
query () to resolve. New options clients-per-query and
max-clients-per-query.
query (<qname,qtype,qclass>) to resolve. New options clients-per-query
and max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.


@ -1,10 +1,12 @@
OPTIONS
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
Setting Description
Setting Description
Overwrite memory with tag values when allocating
-DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but
makes debugging of memory problems easier.


@ -1,3 +1,5 @@
PLATFORMS
Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
@ -64,31 +66,6 @@ These are platforms on which BIND 9.15 is known not to build or run:
Platform quirks
ARM
If the compilation ends with following error:
Error: selected processor does not support `yield' in ARM mode
You will need to set -march compiler option to native, so the compiler
recognizes yield assembler instruction. The proper way to set -march=
native would be to put it into CFLAGS, e.g. run ./configure like this:
CFLAGS="-march=native -Os -g" ./configure plus your usual options.
If that doesn't work, you can enforce the minimum CPU and FPU (taken from
Debian armhf documentation):
* The lowest worthwhile CPU implementation is Armv7-A, therefore the
recommended build option is -march=armv7-a.
* FPU should be set at VFPv3-D16 as they represent the minimum
specification of the processors to support here, therefore the
recommended build option is -mfpu=vfpv3-d16.
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
NetBSD 6 i386
The i386 build of NetBSD requires the libatomic library, available from
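Review bot: The ARM entry under "Platform quirks" is dropped entirely in this hunk (the `yield` assembler error and the `-march=armv7-a -mfpu=vfpv3-d16` workaround), and neither the commit message nor the CHANGES hunk on this page says why. If the build can no longer hit that error on ARM, a line in the release notes saying so would help; if it still can, suggest keeping the section so the CFLAGS workaround stays documented.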

40
README

@ -1,3 +1,5 @@
README
BIND 9
Contents
@ -134,7 +136,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure
will affect compilation:
Variable Description
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
@ -187,8 +189,10 @@ operations, specify the path to the PKCS#11 provider library using
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https://
github.com/json-c. If these are installed at a nonstandard location,
specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
github.com/json-c. If these are installed at a nonstandard location, then:
* for libxml2, specify the prefix using --with-libxml2=/prefix,
* for json-c, adjust PKG_CONFIG_PATH.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
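Review bot: In the new json-c bullet, "adjust PKG_CONFIG_PATH" does not say what to point it at, while the libxml2 bullet still gives a concrete `--with-libxml2=/prefix`. Suggest naming the directory that holds json-c's pkg-config file, and stating whether `--with-libjson=/prefix` from the old text is still accepted, so users with existing build scripts know whether they need to change them.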
@ -286,7 +290,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Category Description
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
@ -321,8 +325,8 @@ issue number. Prior to 2018, these were usually of the form [RT #NNN] and
referred to entries in the "bind9-bugs" RT database, which was not open to
the public. More recent entries use the form [GL #NNN] or, less often, [GL
!NNN], which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publically readable, unless they
include information which is confidential or security senstive.
Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL https://
gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
@ -337,21 +341,23 @@ Acknowledgments
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)


@ -332,7 +332,7 @@ issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publically readable, unless they include
Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL
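Review bot: The spelling fix stops one line short: "publically" becomes "publicly", but "security senstive" on the next line of this hunk is still misspelled, and the plain-text README hunk earlier on the page carries the same word. Suggest correcting it to "sensitive" in the same change.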


@ -146,14 +146,16 @@ to specify the name of a zone containing DLV records\&.
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBmanaged\-keys\fR
statements and
\fBtrusted\-keys\fR
statements identically\&. That is, for a managed key, it is the
\fIinitial\fR
key that is trusted; RFC 5011 key management is not supported\&.
\fBdnssec\-keys\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
\fBdelv\fR
will not consult the managed\-keys database maintained by
as if it had been configured as a
\fBstatic\-key\fR\&.
\fBdelv\fR
does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
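Review bot: In the new roff text, `\fBdnssec\-keys\fR\fBinitial\-key\fR` has nothing between the two bold runs, so the man page will render "dnssec-keysinitial-key" as one word; the HTML version of the same paragraph keeps them as separate elements. Suggest putting `\fBinitial\-key\fR` on its own input line or adding a space. This paragraph is where operators learn that delv trusts an initial-key exactly like a static-key and does not consult named's managed keys database, so it is worth having the sentence read cleanly.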


@ -200,14 +200,17 @@
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span class="command"><strong>delv</strong></span>
will not consult the managed-keys database maintained by
<span class="command"><strong>named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
<span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
<span class="command"><strong>delv</strong></span> does not consult the managed keys
database maintained by <span class="command"><strong>named</strong></span>. This means
that if either of the keys in
<code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
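Review bot: The keyword markup is inconsistent within this paragraph: `initial-key` and `static-key` are `<code class="option">` in the first sentence but `<span class="command"><strong>` in the next one, which styles configuration keywords the same way as the commands delv and named. Suggest using the option markup in both places.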


@ -589,11 +589,11 @@ A synonym for
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when the
normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
or
option, and when using
\fI+trace\fR
query options are used\&.
except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR


@ -797,8 +797,10 @@
in the query. This bit is set by default, which means
<span class="command"><strong>dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when
the <em class="parameter"><code>+nssearch</code></em> or
<em class="parameter"><code>+trace</code></em> query options are used.
using the <em class="parameter"><code>+nssearch</code></em> option, and
when using <em class="parameter"><code>+trace</code></em> except for
an initial recursive query to get the list of root
servers.
</p>
</dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>


@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2018-12-07
.\" Date: 2019-05-10
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2018\-12\-07" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -97,6 +97,19 @@ dlz \fIstring\fR {
.if n \{\
.RE
.\}
.SH "DNSSEC-KEYS"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
.\}
.SH "DYNDB"
.sp
.if n \{\
@ -149,13 +162,16 @@ logging {
.RE
.\}
.SH "MANAGED-KEYS"
.PP
See DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
managed\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
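Review bot: The MANAGED-KEYS section gets only "See DNSSEC-KEYS.", while TRUSTED-KEYS further down gets "Deprecated - see DNSSEC-KEYS." and CHANGES entry 5248 on this page says both "managed-keys" and "trusted-keys" have been deprecated. Suggest marking managed-keys as deprecated here too, or rewording the CHANGES entry, so an operator reading either one reaches the same conclusion about which trust anchor statements to migrate.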
@ -257,7 +273,6 @@ options {
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-enable \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
@ -409,11 +424,12 @@ options {
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
disabled | drop | given | no\-op | nodata | nxdomain | passthru
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
@ -551,13 +567,16 @@ statistics\-channels {
.RE
.\}
.SH "TRUSTED-KEYS"
.PP
Deprecated \- see DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
trusted\-keys { \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
.fi
.if n \{\
.RE
@ -638,7 +657,9 @@ view \fIstring\fR [ \fIclass\fR ] {
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-enable \fIboolean\fR;
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
@ -676,9 +697,9 @@ view \fIstring\fR [ \fIclass\fR ] {
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lmdb\-mapsize \fIsizeval\fR;
managed\-keys { \fIstring\fR \fIstring\fR
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
managed\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
masterfile\-format ( map | raw | text );
masterfile\-style ( full | relative );
match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
@ -761,11 +782,12 @@ view \fIstring\fR [ \fIclass\fR ] {
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
disabled | drop | given | no\-op | nodata | nxdomain | passthru
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
@ -827,9 +849,10 @@ view \fIstring\fR [ \fIclass\fR ] {
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ];
trust\-anchor\-telemetry \fIboolean\fR; // experimental
trusted\-keys { \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
\&.\&.\&. };
trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR
\fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
try\-tcp\-refresh \fIboolean\fR;
update\-check\-ksk \fIboolean\fR;
use\-alt\-transfer\-source \fIboolean\fR;
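Review bot: The trailing ", deprecated" after `};` in the trusted-keys grammar sits inside the literal grammar block, so it reads as part of the syntax, whereas `trust-anchor-telemetry` just above it is annotated with a `// experimental` comment. Suggest `// deprecated` for consistency; that also keeps the grammar line valid if someone copies it.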


@ -59,7 +59,6 @@
<div class="refsection">
<a name="id-1.8"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
</p></div>
@ -67,7 +66,6 @@ acl
<div class="refsection">
<a name="id-1.9"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -85,7 +83,6 @@ controls
<div class="refsection">
<a name="id-1.10"></a><h2>DLZ</h2>
<div class="literallayout"><p><br>
dlz <em class="replaceable"><code>string</code></em> {<br>
database <em class="replaceable"><code>string</code></em>;<br>
@ -95,8 +92,16 @@ dlz
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>DYNDB</h2>
<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -104,8 +109,7 @@ dyndb
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>KEY</h2>
<a name="id-1.13"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
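Review bot: Inserting the DNSSEC-KEYS section renumbers every following anchor (KEY moves from `id-1.12` to `id-1.13` here, and the same shift continues through SEE ALSO), so an existing deep link into this page now lands one section early. If stable links matter, suggest giving the sections explicit ids in the source rather than relying on generated positional ones.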
@ -115,8 +119,7 @@ key
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>LOGGING</h2>
<a name="id-1.14"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -138,17 +141,17 @@ logging
<div class="refsection">
<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
<p>See DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.15"></a><h2>MASTERS</h2>
<a name="id-1.16"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -158,8 +161,7 @@ masters
</div>
<div class="refsection">
<a name="id-1.16"></a><h2>OPTIONS</h2>
<a name="id-1.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -238,7 +240,6 @@ options
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
@ -390,11 +391,12 @@ options
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -461,8 +463,7 @@ options
</div>
<div class="refsection">
<a name="id-1.17"></a><h2>PLUGIN</h2>
<a name="id-1.18"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
@ -470,8 +471,7 @@ plugin
</div>
<div class="refsection">
<a name="id-1.18"></a><h2>SERVER</h2>
<a name="id-1.19"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -509,8 +509,7 @@ server
</div>
<div class="refsection">
<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -522,17 +521,17 @@ statistics-channels
</div>
<div class="refsection">
<a name="id-1.20"></a><h2>TRUSTED-KEYS</h2>
<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.21"></a><h2>VIEW</h2>
<a name="id-1.22"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -604,7 +603,9 @@ view
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
@ -642,9 +643,9 @@ view
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
masterfile-format ( map | raw | text );<br>
masterfile-style ( full | relative );<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -727,11 +728,12 @@ view
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -793,9 +795,10 @@ view
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
    ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
@ -907,8 +910,7 @@ view
</div>
<div class="refsection">
<a name="id-1.22"></a><h2>ZONE</h2>
<a name="id-1.23"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1007,14 +1009,14 @@ zone
</div>
<div class="refsection">
<a name="id-1.23"></a><h2>FILES</h2>
<a name="id-1.24"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.24"></a><h2>SEE ALSO</h2>
<a name="id-1.25"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)


@ -284,7 +284,7 @@ maintain, and also requires the zone to be configured to allow dynamic DNS\&. (S
.PP
\fBmanaged\-keys \fR\fB\fI(status | refresh | sync | destroy)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
.sp
.RS 4
.ie n \{\
@ -296,7 +296,7 @@ Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC t
.\}
When run with the
status
keyword, prints the current status of the managed\-keys database\&.
keyword, prints the current status of the managed keys database\&.
.RE
.sp
.RS 4
@ -309,7 +309,7 @@ keyword, prints the current status of the managed\-keys database\&.
.\}
When run with the
refresh
keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed\-keys database if any new keys are found, without waiting the normal refresh interval\&.
keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval\&.
.RE
.sp
.RS 4
@ -322,7 +322,7 @@ keyword, forces an immediate refresh query to be sent for all the managed keys,
.\}
When run with the
sync
keyword, forces an immediate dump of the managed\-keys database to disk (in the file
keyword, forces an immediate dump of the managed keys database to disk (in the file
managed\-keys\&.bind
or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal file, so that the database\*(Aqs current contents can be inspected visually\&.
.RE
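Review bot: the parentheses in the sync paragraph are unbalanced: "(in the file managed\-keys\&.bind or (\fIviewname\fR\&.mkeys)\&." opens two and closes one. Since this paragraph is being edited anyway, drop the inner opening parenthesis so it reads "(in the file managed-keys.bind or viewname.mkeys).", and fix it in the documentation source so the HTML rendering of the same sentence picks it up too.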
@ -337,7 +337,7 @@ or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal f
.\}
When run with the
destroy
keyword, the managed\-keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
keyword, the managed keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
.sp
Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used\&. However, key maintenance operations will cease until
\fBnamed\fR
@ -515,8 +515,12 @@ timer\&.
\fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
\fBtrusted\-keys\fR,
\fBmanaged\-keys\fR, or
\fBdnssec\-keys\fR
statements, or the synonymous
\fBmanaged\-keys\fR
or the deprecated
\fBtrusted\-keys\fR
statements, or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp
If the first argument is "\-", then the output is returned via the
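Review bot: the last sentence of the secroots description still says roots are reported as "trusted keys, managed keys, or initializing managed keys", while the rewritten first sentence now leads with dnssec-keys, whose keywords elsewhere in this commit are static-key and initial-key. Suggest adding a clause that maps the reported labels to the new keywords (static-key to trusted, initial-key to initializing or managed), otherwise an operator reading the dump cannot tell which configuration line produced which label. The rewritten sentence also stacks "or" three times; a short list of the sources would read more clearly.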
@ -697,7 +701,7 @@ Delete a given TKEY\-negotiated key from the server\&. (This does not apply to s
.RS 4
List the names of all TSIG keys currently configured for use by
\fBnamed\fR
in each view\&. The list both statically configured keys and dynamic TKEY\-negotiated keys\&.
in each view\&. The list includes both statically configured keys and dynamic TKEY\-negotiated keys\&.
.RE
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR

View File

@ -378,7 +378,7 @@
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Inspect and control the "managed-keys" database which
Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view;
otherwise they are applied to all views.
@ -387,14 +387,14 @@
<li class="listitem">
<p>
When run with the <code class="literal">status</code> keyword, prints
the current status of the managed-keys database.
the current status of the managed keys database.
</p>
</li>
<li class="listitem">
<p>
When run with the <code class="literal">refresh</code> keyword,
forces an immediate refresh query to be sent for all
the managed keys, updating the managed-keys database
the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal
refresh interval.
</p>
@ -402,7 +402,7 @@
<li class="listitem">
<p>
When run with the <code class="literal">sync</code> keyword, forces an
immediate dump of the managed-keys database to disk
immediate dump of the managed keys database to disk
(in the file <code class="filename">managed-keys.bind</code> or
(<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
This synchronizes the database with its journal file, so
@ -413,7 +413,7 @@
<li class="listitem">
<p>
When run with the <code class="literal">destroy</code> keyword, the
managed-keys database is shut down and deleted, and all key
managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only
with extreme caution.
</p>
@ -653,9 +653,10 @@
<dd>
<p>
Dump the security roots (i.e., trust anchors
configured via <span class="command"><strong>trusted-keys</strong></span>,
<span class="command"><strong>managed-keys</strong></span>, or
<span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
or the synonymous <span class="command"><strong>managed-keys</strong></span> or
the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or
@ -905,7 +906,7 @@
<p>
List the names of all TSIG keys currently configured
for use by <span class="command"><strong>named</strong></span> in each view. The
list both statically configured keys and dynamic
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</p>
</dd>

View File

@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -54,7 +54,7 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#generating_dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
</dl></dd>
@ -913,7 +913,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
<a name="generating_dnssec_keys"></a>Generating Keys</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
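Review bot: renaming the "Generating Keys" anchor from dnssec_keys to generating_dnssec_keys breaks any existing deep link to Bv9ARM.ch04.html#dnssec_keys. The old name is reused in this commit for a different section in ch05, so a stale link that drops or changes the file part would land on unrelated content rather than fail. Suggest keeping the old id as an additional anchor on this heading.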
@ -1042,8 +1042,9 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
using a <span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement.
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
synonymous <span class="command"><strong>managed-keys</strong></span> or the deprecated
<span class="command"><strong>trusted-keys</strong></span> statements).
</p>
<p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
@ -1056,23 +1057,20 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<p>
<span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
for zones that are used to form the first link in the
cryptographic chain of trust. All keys listed in
<span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
are deemed to exist and only the listed keys will be used
to validated the DNSKEY RRset that they are from.
The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <span class="command"><strong>static-key</strong></span> are loaded directly
into the table of trust anchors, and can only be changed by
altering the configuration. Keys configured with
<span class="command"><strong>initial-key</strong></span> are used to initialize
RFC 5011 trust anchor maintenance, and will be kept up to
date automatically after the first time <span class="command"><strong>named</strong></span>
runs.
</p>
<p>
<span class="command"><strong>managed-keys</strong></span> are trusted keys which are
automatically kept up to date via RFC 5011 trust anchor
maintenance.
</p>
<p>
<span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> are described in more detail
<span class="command"><strong>dnssec-keys</strong></span> is described in more detail
later in this document.
</p>
@ -1095,7 +1093,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<pre class="programlisting">
managed-keys {
dnssec-keys {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
@ -1107,11 +1105,8 @@ managed-keys {
66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3";
};
trusted-keys {
/* Key for our organization's forward zone */
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
@ -1124,7 +1119,7 @@ trusted-keys {
1OTQ09A0=";
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
xOdNax071L18QqZnQQQAVVr+i
LhGTnNGp3HoWQLUIzKrJVZ3zg
gy3WwNT6kZo6c0tszYqbtvchm
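Review bot: the reverse-zone owner name on the changed line is misspelled: "2.0.192.IN-ADDRPA.NET." should be "2.0.192.IN-ADDR.ARPA.". The typo predates this change, but the line is being rewritten to add static-key, and a reader who copies the example gets a trust anchor for a name that is not the reverse zone, so it is worth fixing in the same edit.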
@ -1516,11 +1511,11 @@ options {
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>managed-keys</strong></span> statement. Information about
<span class="command"><strong>dnssec-keys</strong></span> statement and the
<span class="command"><strong>initial-key</strong></span> keyword. Information about
this can be found in
<a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
<a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage&#8221;</a>.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -2845,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -66,13 +66,16 @@
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
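Review bot: the managed-keys anchors swap meaning in this table of contents. Before, #managed_keys was the Grammar section and #managed-keys the Definition and Usage section; after, #managed-keys is Grammar and #managed_keys is Definition and Usage, so existing links to either id silently land on the other section. The new dnssec-keys entries repeat the pattern with #dnssec_keys and #dnssec-keys, two ids that differ only in one punctuation character. Suggest keeping the original managed-keys ids and giving the new sections ids that say which is which (for example a _grammar suffix, as the view and zone entries already do).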
@ -882,11 +885,17 @@
</tr>
<tr>
<td>
<p><span class="command"><strong>trusted-keys</strong></span></p>
<p><span class="command"><strong>dnssec-keys</strong></span></p>
</td>
<td>
<p>
defines trusted DNSSEC keys.
defines DNSSEC keys: if used with the
<span class="command"><strong>initial-key</strong></span> keyword,
keys are kept up to date using RFC 5011
trust anchor maintenance, and if used with
<span class="command"><strong>static-key</strong></span>, keys are permanent.
Identical to <span class="command"><strong>managed-keys</strong></span>,
but has been added for improved clarity.
</p>
</td>
</tr>
@ -896,8 +905,22 @@
</td>
<td>
<p>
lists DNSSEC keys to be kept up to date
using RFC 5011 trust anchor maintenance.
is identical to <span class="command"><strong>dnssec-keys</strong></span>,
and is retained for backward compatibility.
</p>
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>trusted-keys</strong></span></p>
</td>
<td>
<p>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
of <span class="command"><strong>dnssec-keys</strong></span> with
the <span class="command"><strong>static-key</strong></span> keyword,
and may be removed in a future release.
</p>
</td>
</tr>
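Review bot: the table rows disagree with the CHANGES entry for this feature on the status of managed-keys. CHANGES 5248 says both "managed-keys" and "trusted-keys" have been deprecated, but the managed-keys row here says only that it "is identical to dnssec-keys, and is retained for backward compatibility", and only the trusted-keys row uses the word deprecated. Suggest using the same wording in both places so operators know whether managed-keys is on a removal path.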
@ -2438,7 +2461,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
<em class="replaceable"><code>string</code></em> | auto | no );
@ -2590,11 +2612,12 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>resolver-retry-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
<em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl
<em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |
<span class="command"><strong>disabled</strong></span> | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [
<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
<em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval
<em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
<span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
<span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [
<span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [
<span class="command"><strong>nsip-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]
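Review bot: in the regenerated response-policy grammar the command markup is applied to whichever token happens to start a wrapped line, so nodata, recursive-only, nsdname-enable and break-dnssec are rendered as if they were statements, while add-soa, the option this hunk introduces, is not marked at all. The wrapping is what changed here, so the emphasis moved with it. Suggest marking only response-policy in the generator, or nothing on continuation lines, so the emphasis does not depend on line length.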
@ -2746,7 +2769,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
configurable options be consistent among these
views:
<span class="command"><strong>check-names</strong></span>,
<span class="command"><strong>cleaning-interval</strong></span>,
<span class="command"><strong>dnssec-accept-expired</strong></span>,
<span class="command"><strong>dnssec-validation</strong></span>,
<span class="command"><strong>max-cache-ttl</strong></span>,
@ -3042,10 +3064,12 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<dd>
<p>
Specifies the directory in which to store the files that
track managed DNSSEC keys. By default, this is the working
directory. The directory <span class="emphasis"><em>must</em></span>
be writable by the effective user ID of the
<span class="command"><strong>named</strong></span> process.
track managed DNSSEC keys (i.e., those configured using
the <span class="command"><strong>initial-key</strong></span> keyword in a
<span class="command"><strong>dnssec-keys</strong></span> statement). By default,
this is the working directory. The directory
<span class="emphasis"><em>must</em></span> be writable by the effective
user ID of the <span class="command"><strong>named</strong></span> process.
</p>
<p>
If <span class="command"><strong>named</strong></span> is not configured to use views,
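Review bot: the parenthetical added to managed-keys-directory uses "i.e.", which says the directory is only for keys set with initial-key in a dnssec-keys statement. Other text in this commit treats managed-keys as a synonym and lists dnssec-validation auto as a further source of trust anchors, so the definition reads narrower than the rest of the documentation. Suggest "e.g." or naming the other sources, since this option decides which directory must be writable by the named user.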
@ -3468,10 +3492,10 @@ options {
then <span class="command"><strong>named</strong></span> will only accept answers if
they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be under a
<span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement, or
<span class="command"><strong>dnssec-validation auto</strong></span> must be active.
be accepted. The specified domain must be defined as a
trust anchor, for instance in a <span class="command"><strong>dnssec-keys</strong></span>
statement, or <span class="command"><strong>dnssec-validation auto</strong></span> must
be active.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
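Review bot: the rewording in dnssec-must-be-secure changes the stated requirement, not just the statement names. The old text said the domain "must be under a trusted-keys or managed-keys statement"; the new text says it "must be defined as a trust anchor". Read literally, a name such as example.com below a configured root anchor satisfied the old sentence but not the new one. If the behaviour has not changed, suggest "must be at or below a configured trust anchor, for instance one defined in a dnssec-keys statement".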
@ -4459,8 +4483,8 @@ options {
<p>
Causes <span class="command"><strong>named</strong></span> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via <span class="command"><strong>trusted-keys</strong></span>,
<span class="command"><strong>managed-keys</strong></span>, or
have been configured via, e.g.,
<span class="command"><strong>dnssec-keys</strong></span> or
<span class="command"><strong>dnssec-validation auto</strong></span>.
</p>
<p>
@ -4651,10 +4675,11 @@ options {
<p>
If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a <span class="command"><strong>trusted-keys</strong></span>
or <span class="command"><strong>managed-keys</strong></span> statement; if there
is no configured trust anchor, validation will not take
place.
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or
the synonymous <span class="command"><strong>managed-keys</strong></span>, or the
deprecated <span class="command"><strong>trusted-keys</strong></span> statements).
If there is no configured trust anchor, validation will
not take place.
</p>
<p>
If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
@ -6441,14 +6466,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
<dd>
<p>
This interval is effectively obsolete. Previously,
the server would remove expired resource records
from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
<acronym class="acronym">BIND</acronym> 9 now manages cache
memory in a more sophisticated manner and does not
rely on the periodic cleaning any more.
Specifying this option therefore has no effect on
the server's behavior.
This option is obsolete.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
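Review bot: cutting the cleaning-interval description down to "This option is obsolete." drops the one operational fact the old text gave, that specifying the option has no effect on the server. Suggest keeping a second sentence that says what happens when an existing named.conf still sets it (ignored, logged as a warning, or rejected), so operators upgrading know whether they must edit their configuration.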
@ -8691,10 +8709,10 @@ example.com CNAME rpz-tcp-only.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<pre class="programlisting">
<span class="command"><strong>statistics-channels</strong></span> {
<span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
* ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
@ -8702,260 +8720,244 @@ example.com CNAME rpz-tcp-only.
} ];
};
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span class="command"><strong>statistics-channels</strong></span> statement
declares communication channels to be used by system
administrators to get access to statistics information of
the name server.
</p>
<p>
This statement intends to be flexible to support multiple
communication protocols in the future, but currently only
HTTP access is supported.
It requires that BIND 9 be compiled with libxml2 and/or
json-c (also known as libjson0); the
<span class="command"><strong>statistics-channels</strong></span> statement is
still accepted even if it is built without the library,
but any HTTP access will fail with an error.
</p>
<p>
An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
listening at the specified <span class="command"><strong>ip_port</strong></span> on the
specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
(asterisk) is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
</p>
<p>
If no port is specified, port 80 is used for HTTP channels.
The asterisk "<code class="literal">*</code>" cannot be used for
<span class="command"><strong>ip_port</strong></span>.
</p>
<p>
The attempt of opening a statistics channel is
restricted by the optional <span class="command"><strong>allow</strong></span> clause.
Connections to the statistics channel are permitted based on the
<span class="command"><strong>address_match_list</strong></span>.
If no <span class="command"><strong>allow</strong></span> clause is present,
<span class="command"><strong>named</strong></span> accepts connection
attempts from any address; since the statistics may
contain sensitive internal information, it is highly
recommended to restrict the source of connection requests
appropriately.
</p>
<p>
If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
<span class="command"><strong>named</strong></span> will not open any communication channels.
</p>
<p>
The statistics are available in various formats and views
depending on the URI used to access them. For example, if
the statistics channel is configured to listen on 127.0.0.1
port 8888, then the statistics are accessible in XML format at
<a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
<a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
included which can format the XML statistics into tables
when viewed with a stylesheet-capable browser, and into
charts and graphs using the Google Charts API when using a
javascript-capable browser.
</p>
<p>
Broken-out subsets of the statistics can be viewed at
<a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
(server uptime and last reconfiguration time),
<a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
(server and resolver statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
(zone statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
(network status and socket statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
(memory manager statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
(task manager statistics), and
<a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
(traffic sizes).
</p>
<p>
The full set of statistics can also be read in JSON format at
<a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
with the broken-out subsets at
<a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
(server uptime and last reconfiguration time),
<a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
(server and resolver statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
(zone statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
(network status and socket statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
(memory manager statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
(task manager statistics), and
<a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
(traffic sizes).
</p>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span class="command"><strong>statistics-channels</strong></span> statement
declares communication channels to be used by system
administrators to get access to statistics information of
the name server.
</p>
<p>
This statement intends to be flexible to support multiple
communication protocols in the future, but currently only
HTTP access is supported.
It requires that BIND 9 be compiled with libxml2 and/or
json-c (also known as libjson0); the
<span class="command"><strong>statistics-channels</strong></span> statement is
still accepted even if it is built without the library,
but any HTTP access will fail with an error.
</p>
<p>
An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
listening at the specified <span class="command"><strong>ip_port</strong></span> on the
specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
(asterisk) is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
</p>
<p>
If no port is specified, port 80 is used for HTTP channels.
The asterisk "<code class="literal">*</code>" cannot be used for
<span class="command"><strong>ip_port</strong></span>.
</p>
<p>
The attempt of opening a statistics channel is
restricted by the optional <span class="command"><strong>allow</strong></span> clause.
Connections to the statistics channel are permitted based on the
<span class="command"><strong>address_match_list</strong></span>.
If no <span class="command"><strong>allow</strong></span> clause is present,
<span class="command"><strong>named</strong></span> accepts connection
attempts from any address; since the statistics may
contain sensitive internal information, it is highly
recommended to restrict the source of connection requests
appropriately.
</p>
<p>
If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
<span class="command"><strong>named</strong></span> will not open any communication channels.
</p>
<p>
The statistics are available in various formats and views
depending on the URI used to access them. For example, if
the statistics channel is configured to listen on 127.0.0.1
port 8888, then the statistics are accessible in XML format at
<a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
<a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
included which can format the XML statistics into tables
when viewed with a stylesheet-capable browser, and into
charts and graphs using the Google Charts API when using a
javascript-capable browser.
</p>
<p>
Broken-out subsets of the statistics can be viewed at
<a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
(server uptime and last reconfiguration time),
<a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
(server and resolver statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
(zone statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
(network status and socket statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
(memory manager statistics),
<a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
(task manager statistics), and
<a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
(traffic sizes).
</p>
<p>
The full set of statistics can also be read in JSON format at
<a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
with the broken-out subsets at
<a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
(server uptime and last reconfiguration time),
<a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
(server and resolver statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
(zone statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
(network status and socket statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
(memory manager statistics),
<a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
(task manager statistics), and
<a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
(traffic sizes).
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
<span class="command"><strong>dnssec-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
<span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
<a name="dnssec-keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>trusted-keys</strong></span> statement defines
DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
public key for a non-authoritative zone is known, but
cannot be securely obtained through DNS, either because
it is the DNS root zone or because its parent zone is
unsigned. Once a key has been configured as a trusted
key, it is treated as if it had been validated and
proven secure. The resolver attempts DNSSEC validation
on all DNS data in subdomains of a security root.
The <span class="command"><strong>dnssec-keys</strong></span> statement defines DNSSEC
trust anchors. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>.
</p>
<p>
All keys (and corresponding zones) listed in
<span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
of what parent zones say. Similarly for all keys listed in
<span class="command"><strong>trusted-keys</strong></span> only those keys are
used to validate the DNSKEY RRset. The parent's DS RRset
will not be used.
A trust anchor is defined when the public key for
a non-authoritative zone is known, but cannot be securely
obtained through DNS, either because it is the DNS root zone
or because its parent zone is unsigned. Once a key has been
configured as a trust anchor, it is treated as if it had
been validated and proven secure.
</p>
<p>
The <span class="command"><strong>trusted-keys</strong></span> statement can contain
The resolver attempts DNSSEC validation on all DNS data
in subdomains of configured trust anchors. (Validation below
specified names can be temporarily disabled by using
<span class="command"><strong>rndc nta</strong></span>, or permanently disabled with
the <span class="command"><strong>validate-except</strong></span> option).
</p>
<p>
All keys listed in <span class="command"><strong>dnssec-keys</strong></span>, and
their corresponding zones, are deemed to exist regardless
of what parent zones say. Only keys configured as trust anchors
are used to validate the DNSKEY RRset for the corresponding
name. The parent's DS RRset will not be used.
</p>
<p>
The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
multiple key entries, each consisting of the key's
domain name, flags, protocol, algorithm, and the Base64
representation of the key data.
Spaces, tabs, newlines and carriage returns are ignored
domain name, followed by the <span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>initial-key</strong></span> keyword, then the key's flags,
protocol, algorithm, and the Base64 representation of the key
data. Spaces, tabs, newlines and carriage returns are ignored
in the key data, so the configuration may be split up into
multiple lines.
</p>
<p>
<span class="command"><strong>trusted-keys</strong></span> may be set at the top level
<span class="command"><strong>dnssec-keys</strong></span> may be set at the top level
of <code class="filename">named.conf</code> or within a view. If it is
set in both places, they are additive: keys defined at the top
level are inherited by all views, but keys defined in a view
are only used within that view.
set in both places, the configurations are additive: keys
defined at the top level are inherited by all views, but keys
defined in a view are only used within that view.
</p>
<p>
Validation below specified names can be temporarily disabled
by using <span class="command"><strong>rndc nta</strong></span>.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>managed-keys</strong></span> statement, like
<span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
security roots. The difference is that
<span class="command"><strong>managed-keys</strong></span> can be kept up to date
automatically, without intervention from the resolver
operator.
<span class="command"><strong>dnssec-keys</strong></span> entries can be configured with
two keywords: <span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>initial-key</strong></span>. Keys configured with
<span class="command"><strong>static-key</strong></span> are immutable,
while keys configured with <span class="command"><strong>initial-key</strong></span>
can be kept up to date automatically, without intervention
from the resolver operator. (<span class="command"><strong>static-key</strong></span>
keys are identical to keys configured using the deprecated
<span class="command"><strong>trusted-keys</strong></span> statement.)
</p>
<p>
Suppose, for example, that a zone's key-signing
key was compromised, and the zone owner had to revoke and
replace the key. A resolver which had the old key in a
<span class="command"><strong>trusted-keys</strong></span> statement would be
replace the key. A resolver which had the original key
configured as a <span class="command"><strong>static-key</strong></span> would be
unable to validate this zone any longer; it would
reply with a SERVFAIL response code. This would
continue until the resolver operator had updated the
<span class="command"><strong>trusted-keys</strong></span> statement with the new key.
<span class="command"><strong>dnssec-keys</strong></span> statement with the new key.
</p>
<p>
If, however, the zone were listed in a
<span class="command"><strong>managed-keys</strong></span> statement instead, then the
zone owner could add a "stand-by" key to the zone in advance.
If, however, the trust anchor had been configured with
<span class="command"><strong>initial-key</strong></span> instead, then the
zone owner could add a "stand-by" key to their zone in advance.
<span class="command"><strong>named</strong></span> would store the stand-by key, and
when the original key was revoked, <span class="command"><strong>named</strong></span>
would be able to transition smoothly to the new key. It would
also recognize that the old key had been revoked, and cease
using that key to validate answers, minimizing the damage that
the compromised key could do.
the compromised key could do. This is the process used to
keep the ICANN root DNSSEC key up to date.
</p>
<p>
A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
the keys to be managed, along with information about how the
keys are to be initialized for the first time. The only
initialization method currently supported is
<code class="literal">initial-key</code>.
This means the <span class="command"><strong>managed-keys</strong></span> statement must
contain a copy of the initializing key. (Future releases may
allow keys to be initialized by other methods, eliminating this
requirement.)
Whereas <span class="command"><strong>static-key</strong></span>
keys continue to be trusted until they are removed from
<code class="filename">named.conf</code>, an
<span class="command"><strong>initial-key</strong></span> is only trusted
<span class="emphasis"><em>once</em></span>: for as long as it
takes to load the managed key database and start the RFC 5011
key maintenance process.
</p>
<p>
Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
in the presence of the second field, containing the keyword
<code class="literal">initial-key</code>. The difference is, whereas the
keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
trusted until they are removed from
<code class="filename">named.conf</code>, an initializing key listed
in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
<span class="emphasis"><em>once</em></span>: for as long as it takes to load the
managed key database and start the RFC 5011 key maintenance
process.
</p>
<p>
The first time <span class="command"><strong>named</strong></span> runs with a managed key
configured in <code class="filename">named.conf</code>, it fetches the
The first time <span class="command"><strong>named</strong></span> runs with an
<span class="command"><strong>initial-key</strong></span> configured in
<code class="filename">named.conf</code>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
using the key specified in the <span class="command"><strong>managed-keys</strong></span>
statement. If the DNSKEY RRset is validly signed, then it is
using the key specified in <span class="command"><strong>dnssec-keys</strong></span>.
If the DNSKEY RRset is validly signed, then it is
used as the basis for a new managed keys database.
</p>
<p>
From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
sees the <span class="command"><strong>initial-key</strong></span> listed in
<span class="command"><strong>dnssec-keys</strong></span>, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
key specified in the <span class="command"><strong>managed-keys</strong></span>
statement is not used to validate answers; it has been
superseded by the key or keys stored in the managed keys database.
key specified in the <span class="command"><strong>dnssec-keys</strong></span>
statement is not used to validate answers; it is
superseded by the key or keys stored in the managed keys
database.
</p>
<p>
The next time <span class="command"><strong>named</strong></span> runs after a name
has been <span class="emphasis"><em>removed</em></span> from the
<span class="command"><strong>managed-keys</strong></span> statement, the corresponding
The next time <span class="command"><strong>named</strong></span> runs after an
<span class="command"><strong>initial-key</strong></span> has been
<span class="emphasis"><em>removed</em></span> from the
<span class="command"><strong>dnssec-keys</strong></span> statement (or changed to
a <span class="command"><strong>static-key</strong></span>), the corresponding
zone will be removed from the managed keys database,
and RFC 5011 key maintenance will no longer be used for that
domain.
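Review bot: In the dnssec-keys grammar listing the two alternative keywords are marked up differently: static-key is bare text, while initial-key sits inside the command/strong span. Only one of them renders bold, and a reader can mistake static-key for a placeholder; wrap both the same way. A smaller point in the same hunk: the parenthetical about rndc nta and validate-except is a complete sentence, so its period belongs inside the closing parenthesis.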
@ -8990,8 +8992,8 @@ example.com CNAME rpz-tcp-only.
<p>
If the <span class="command"><strong>dnssec-validation</strong></span> option is
set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
will automatically initialize a managed key for the
root zone. The key that is used to initialize the key
will automatically initialize an <span class="command"><strong>initial-key</strong></span>
for the root zone. The key that is used to initialize the key
maintenance process is stored in <code class="filename">bind.keys</code>;
the location of this file can be overridden with the
<span class="command"><strong>bindkeys-file</strong></span> option. As a fallback
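Review bot: "will automatically initialize an initial-key for the root zone", followed by "The key that is used to initialize the key maintenance process", uses "initialize" and "key" in several senses within two sentences. Wording along the lines of "will automatically configure the root zone trust anchor as an initial-key" would make it clear that the sentence refers to the dnssec-keys keyword and not to a generic first key.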
@ -9003,6 +9005,48 @@ example.com CNAME rpz-tcp-only.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
<span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>managed-keys</strong></span> statement is
identical to the <span class="command"><strong>dnssec-keys</strong></span>, and is
retained for backward compatibility.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>trusted-keys</strong></span> statement has been
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar&#8221;</a>
with the <span class="command"><strong>static</strong></span> keyword.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
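Review bot: The new trusted-keys definition sends readers to dnssec-keys "with the static keyword", but the keyword in the grammar and in the rest of this change is static-key, so an operator migrating a trusted-keys block from this sentence will type a keyword the documented grammar does not list. Change the span to static-key. In the same hunk, the trusted-keys grammar ends with ", deprecated" inside the programlisting, where it reads as part of the syntax; move it out of the pre block. The managed-keys definition says "identical to the dnssec-keys" with the noun "statement" missing, and it never says deprecated although the release notes in this commit deprecate both statements.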
@ -14869,6 +14913,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -36,7 +36,7 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -55,7 +55,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -145,7 +145,15 @@
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</p>
</li>
<li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li>
</ul></div>
@ -154,37 +162,76 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
the <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> statements have been
deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
statement should now be used for both types of key.
</p>
<p>
When used with the keyword <span class="command"><strong>initial-key</strong></span>,
<span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
<span class="command"><strong>managed-keys</strong></span>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</p>
<p>
When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
configuring a permanent trust anchor that will not automatically
be updated. (This usage is not recommended for the root key.)
[GL #6]
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li></ul></div>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
</li></ul></div>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>cleaning-interval</strong></span> option has been
removed. [GL !1731]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone, or if
any key is configured for "dlv.isc.org", which has been shut
down. [GL #6]
</p>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> were both configured for the
same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
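Review bot: The New Features entry says trusted-keys and managed-keys "have been deprecated" but not what happens to a named.conf that still uses them. The ARM text in this same commit keeps both grammars and describes managed-keys as "retained for backward compatibility", so add a sentence here that existing statements are still accepted, otherwise the note reads as a breaking change. The reworded Feature Changes item at the end of the hunk speaks of "static and managed DNSSEC keys" while the keywords introduced above are static-key and initial-key; using the keyword names lets readers search for them.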
@ -209,13 +256,26 @@
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
<li class="listitem">
<p>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <span class="command"><strong>configure</strong></span>
option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
to <span class="command"><strong>--with-json-c</strong></span>. Use
<span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
the <span class="command"><strong>json-c</strong></span> library as the new
<span class="command"><strong>configure</strong></span> option does not take the library
installation path as an optional argument.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
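Review bot: The JSON-C entry carries no [GL ...] reference, unlike the other entries visible in these notes, and it does not say what configure does when an existing build script still passes --with-libjson. Add the issue or merge request number and one sentence on the old option's fate (rejected, ignored, or aliased). PKG_CONFIG_PATH is an environment variable, so the command markup used for it is a poor fit.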
@ -224,14 +284,26 @@
This has now been corrected.
[GL #913]
</p>
</li></ul></div>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>qname-minimization</strong></span> was set to
<span class="command"><strong>relaxed</strong></span>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
BIND is open source software licenced under the terms of the Mozilla
BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
@ -299,6 +371,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -170,10 +170,14 @@ $ <strong class="userinput"><code>make</code></strong>
parameters. By default the path to this configuration file is
<code class="filename">/etc/dns.conf</code>. This module is very experimental
and the configuration syntax or library interfaces may change in
future versions. Currently, only the <span class="command"><strong>trusted-keys</strong></span>
statement is supported, whose syntax is the same as the same
statement in <code class="filename">named.conf</code>. (See
<a class="xref" href="Bv9ARM.ch05.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span class="command"><strong>trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)
future versions. Currently, only static key configuration is supported.
<span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
statements are parsed exactly as they are in
<code class="filename">named.conf</code>, except that all
<span class="command"><strong>managed-keys</strong></span> entries will be treated as
if they were configured with the <span class="command"><strong>static-key</strong></span>
keyword, even if they are configured with <span class="command"><strong>initial-key</strong></span>.
(See <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Grammar">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Grammar&#8221;</a> for syntax details.)
</p>
</div>
<div class="section">
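Review bot: The new text says every managed-keys entry is treated as static-key "even if they are configured with initial-key", which means a dns.conf copied from named.conf silently loses RFC 5011 maintenance and keeps trusting the listed key until someone edits the file. State that consequence explicitly, and say whether the library logs anything when it treats an initial-key entry as static. The paragraph also names only managed-keys and trusted-keys; since this release makes dnssec-keys the preferred statement, say whether dns.conf accepts it.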
@ -533,6 +537,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.15.0</p></div>
<div><p class="releaseinfo">BIND Version 9.15.1</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
@ -102,7 +102,7 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#generating_dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
</dl></dd>
@ -191,13 +191,16 @@
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
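Review bot: The anchor ids in this table of contents differ only by "-" versus "_" and are not assigned consistently. The dnssec-keys Grammar entry uses "#dnssec_keys" and its Definition entry uses "#dnssec-keys", while the trusted-keys Grammar entry uses "#trusted-keys" and its Definition entry uses "#trusted_keys". The two managed-keys pairs in this hunk carry the same two ids with Grammar and Definition swapped, so an existing deep link to one managed-keys section now resolves to the other. Suggest picking one convention for all three statements (for example a "_grammar" suffix, as "view_statement_grammar" already does) and keeping the managed-keys ids stable. The previous hunk has the same effect on Bv9ARM.ch04.html, where "#dnssec_keys" becomes "#generating_dnssec_keys" without the old id being kept as an alias.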
@ -242,7 +245,7 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -440,6 +443,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

Binary file not shown.

View File

@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -218,14 +218,17 @@
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span class="command"><strong>delv</strong></span>
will not consult the managed-keys database maintained by
<span class="command"><strong>named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
<span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
<span class="command"><strong>delv</strong></span> does not consult the managed keys
database maintained by <span class="command"><strong>named</strong></span>. This means
that if either of the keys in
<code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
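Review bot: The rewritten note covers only dnssec-keys entries and no longer says how delv handles a trust anchor file that still uses managed-keys or trusted-keys statements, which the rest of this commit documents as still accepted. An operator with an existing /etc/bind.keys in the old syntax cannot tell from this paragraph whether those anchors are read, and this is the paragraph that warns that a revoked key stays trusted until the file is updated. Suggest naming all three statements here, or stating explicitly that the older ones are treated the same way. The phrase "dnssec-keys initial-key and static-key entries" would also read more clearly as "initial-key and static-key entries in a dnssec-keys statement".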
@ -625,6 +628,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -815,8 +815,10 @@
in the query. This bit is set by default, which means
<span class="command"><strong>dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when
the <em class="parameter"><code>+nssearch</code></em> or
<em class="parameter"><code>+trace</code></em> query options are used.
using the <em class="parameter"><code>+nssearch</code></em> option, and
when using <em class="parameter"><code>+trace</code></em> except for
an initial recursive query to get the list of root
servers.
</p>
</dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
@ -1158,6 +1160,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -376,6 +376,6 @@ nsupdate -l
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -164,6 +164,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -270,6 +270,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -356,6 +356,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -250,6 +250,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -498,6 +498,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -557,6 +557,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -405,6 +405,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -171,6 +171,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -349,6 +349,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -701,6 +701,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -202,6 +202,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -143,6 +143,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -366,6 +366,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -604,6 +604,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -208,6 +208,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -463,6 +463,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -117,6 +117,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -119,6 +119,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -121,6 +121,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -77,7 +77,6 @@
<div class="refsection">
<a name="id-1.13.27.8"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
</p></div>
@ -85,7 +84,6 @@ acl
<div class="refsection">
<a name="id-1.13.27.9"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -103,7 +101,6 @@ controls
<div class="refsection">
<a name="id-1.13.27.10"></a><h2>DLZ</h2>
<div class="literallayout"><p><br>
dlz <em class="replaceable"><code>string</code></em> {<br>
database <em class="replaceable"><code>string</code></em>;<br>
@ -113,8 +110,16 @@ dlz
</div>
<div class="refsection">
<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
<a name="id-1.13.27.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.12"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -122,8 +127,7 @@ dyndb
</div>
<div class="refsection">
<a name="id-1.13.27.12"></a><h2>KEY</h2>
<a name="id-1.13.27.13"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -133,8 +137,7 @@ key
</div>
<div class="refsection">
<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -156,17 +159,17 @@ logging
<div class="refsection">
<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
<p>See DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
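Review bot: The MANAGED-KEYS section now says only "See DNSSEC-KEYS." and does not state the status of the statement, whereas the TRUSTED-KEYS section in this same page is labelled "Deprecated - see DNSSEC-KEYS." The managed-keys grammar shown here is now identical to the dnssec-keys grammar, including "( static-key | initial-key )", so a reader cannot tell whether managed-keys is a supported synonym or is on its way out. Suggest one explicit sentence, for example that managed-keys is a synonym for dnssec-keys, and the same wording wherever the grammar is repeated under VIEW.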
@ -176,8 +179,7 @@ masters
</div>
<div class="refsection">
<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -256,7 +258,6 @@ options
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
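Review bot: "dnssec-enable boolean;" is dropped from the OPTIONS grammar between dnssec-dnskey-kskonly and dnssec-loadkeys-interval with nothing left in the page to say what happens to configurations that still set it. Because the option governs DNSSEC behaviour, an operator needs to know whether an existing "dnssec-enable" line is now ignored, logged as obsolete, or rejected at load time. Suggest keeping the entry with an obsolete marker, or adding a pointer to the release note that describes the change. The same applies to the matching removal in the VIEW grammar.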
@ -408,11 +409,12 @@ options
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -479,8 +481,7 @@ options
</div>
<div class="refsection">
<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
@ -488,8 +489,7 @@ plugin
</div>
<div class="refsection">
<a name="id-1.13.27.18"></a><h2>SERVER</h2>
<a name="id-1.13.27.19"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -527,8 +527,7 @@ server
</div>
<div class="refsection">
<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -540,17 +539,17 @@ statistics-channels
</div>
<div class="refsection">
<a name="id-1.13.27.20"></a><h2>TRUSTED-KEYS</h2>
<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.21"></a><h2>VIEW</h2>
<a name="id-1.13.27.22"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -622,7 +621,9 @@ view
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
@ -660,9 +661,9 @@ view
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
masterfile-format ( map | raw | text );<br>
masterfile-style ( full | relative );<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -745,11 +746,12 @@ view
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -811,9 +813,10 @@ view
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
    ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
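Review bot: The deprecation marker on trusted-keys is emitted as "... };, deprecated", which puts a comma and a bare word after the terminating semicolon inside the literal grammar layout, where it reads as part of the syntax. Two lines above, trust-anchor-telemetry carries its flag as a comment ("// experimental"). Suggest using the same form here, "... }; // deprecated", and in the top-level TRUSTED-KEYS section, so that the grammar can be copied as shown and any tooling that reads these listings sees a consistent annotation.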
@ -925,8 +928,7 @@ view
</div>
<div class="refsection">
<a name="id-1.13.27.22"></a><h2>ZONE</h2>
<a name="id-1.13.27.23"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1025,14 +1027,14 @@ zone
</div>
<div class="refsection">
<a name="id-1.13.27.23"></a><h2>FILES</h2>
<a name="id-1.13.27.24"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.13.27.24"></a><h2>SEE ALSO</h2>
<a name="id-1.13.27.25"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
@ -1073,6 +1075,6 @@ zone
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -492,6 +492,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -155,6 +155,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -818,6 +818,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -162,6 +162,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -200,6 +200,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -158,6 +158,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -123,6 +123,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -260,6 +260,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -268,6 +268,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -394,7 +394,7 @@
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Inspect and control the "managed-keys" database which
Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view;
otherwise they are applied to all views.
@ -403,14 +403,14 @@
<li class="listitem">
<p>
When run with the <code class="literal">status</code> keyword, prints
the current status of the managed-keys database.
the current status of the managed keys database.
</p>
</li>
<li class="listitem">
<p>
When run with the <code class="literal">refresh</code> keyword,
forces an immediate refresh query to be sent for all
the managed keys, updating the managed-keys database
the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal
refresh interval.
</p>
@ -418,7 +418,7 @@
<li class="listitem">
<p>
When run with the <code class="literal">sync</code> keyword, forces an
immediate dump of the managed-keys database to disk
immediate dump of the managed keys database to disk
(in the file <code class="filename">managed-keys.bind</code> or
(<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
This synchronizes the database with its journal file, so
@ -429,7 +429,7 @@
<li class="listitem">
<p>
When run with the <code class="literal">destroy</code> keyword, the
managed-keys database is shut down and deleted, and all key
managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only
with extreme caution.
</p>
@ -669,9 +669,10 @@
<dd>
<p>
Dump the security roots (i.e., trust anchors
configured via <span class="command"><strong>trusted-keys</strong></span>,
<span class="command"><strong>managed-keys</strong></span>, or
<span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
or the synonymous <span class="command"><strong>managed-keys</strong></span> or
the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or
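Review bot: the new secroots wording calls managed-keys "synonymous" and only trusted-keys "deprecated", which contradicts the rest of this commit. The release notes say both statements have been deprecated, and the grammar file now annotates managed-keys as deprecated. Suggest "or the deprecated managed-keys or trusted-keys statements". The unchanged sentence after it still describes roots as "trusted keys, managed keys"; please confirm that matches what the dump prints now that the notes talk about static and managed keys.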
@ -921,7 +922,7 @@
<p>
List the names of all TSIG keys currently configured
for use by <span class="command"><strong>named</strong></span> in each view. The
list both statically configured keys and dynamic
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</p>
</dd>
@ -1017,6 +1018,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>

View File

@ -15,7 +15,7 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -105,7 +105,15 @@
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</p>
</li>
<li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li>
</ul></div>
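Review bot: the new CVE-2019-6471 entry stops at "could trigger an assertion failure" and never states the consequence for the operator, unlike the CVE-2018-5743 entry above it, which names its effect (exhaustion of file descriptors). An assertion failure terminates named, so say that explicitly, for example "causing named to exit", so the item reads as the remotely triggerable denial of service it is.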
@ -114,37 +122,76 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
the <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> statements have been
deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
statement should now be used for both types of key.
</p>
<p>
When used with the keyword <span class="command"><strong>initial-key</strong></span>,
<span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
<span class="command"><strong>managed-keys</strong></span>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</p>
<p>
When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
configuring a permanent trust anchor that will not automatically
be updated. (This usage is not recommended for the root key.)
[GL #6]
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li></ul></div>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
</li></ul></div>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>cleaning-interval</strong></span> option has been
removed. [GL !1731]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone, or if
any key is configured for "dlv.isc.org", which has been shut
down. [GL #6]
</p>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> were both configured for the
same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
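Review bot: under Removed Features the new item says the cleaning-interval option "has been removed", but the grammar file updated in this same commit still lists it, annotated "// obsolete". Please state which behaviour an operator gets on upgrade: a configuration error, or the option being accepted and ignored. If it is still parsed, "is now obsolete and has no effect" would match the grammar and avoid people expecting named-checkconf to fail. The same section also files dnssec-enable, described as "deprecated", under "Removed", which blurs the two terms.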
@ -169,13 +216,26 @@
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
<li class="listitem">
<p>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <span class="command"><strong>configure</strong></span>
option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
to <span class="command"><strong>--with-json-c</strong></span>. Use
<span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
the <span class="command"><strong>json-c</strong></span> library as the new
<span class="command"><strong>configure</strong></span> option does not take the library
installation path as an optional argument.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
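Review bot: the JSON-C item does not say what happens to existing build scripts that still pass --with-libjson or give it a path argument. Please state whether configure rejects the old spelling or silently builds without JSON statistics; the latter would leave a monitoring endpoint missing with no error at build time. Minor markup point in the same item: PKG_CONFIG_PATH is an environment variable and json-c is a library name, yet both are marked up as commands.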
@ -184,14 +244,26 @@
This has now been corrected.
[GL #913]
</p>
</li></ul></div>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>qname-minimization</strong></span> was set to
<span class="command"><strong>relaxed</strong></span>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
BIND is open source software licenced under the terms of the Mozilla
BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
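Review bot: the qname-minimization item mixes tenses ("will now fall back ... and also uses") and leaves the scope of the second change unclear. As written it is not possible to tell whether the switch from NS to A for minimal queries applies only in relaxed mode or in strict mode as well. Suggest "named now falls back to normal resolution in such cases, and now uses type A rather than NS for minimal queries", followed by the modes it applies to.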

Binary file not shown.

View File

@ -1,4 +1,4 @@
Release Notes for BIND Version 9.15.0
Release Notes for BIND Version 9.15.1
Introduction
@ -57,10 +57,27 @@ Security Fixes
* The TCP client quota set using the tcp-clients option could be
exceeded in some cases. This could lead to exhaustion of file
descriptors. (CVE-2018-5743) [GL #615]
descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
* A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
New Features
* In order to clarify the configuration of DNSSEC keys, the trusted-keys
and managed-keys statements have been deprecated, and the new
dnssec-keys statement should now be used for both types of key.
When used with the keyword initial-key, dnssec-keys has the same
behavior as managed-keys, i.e., it configures a trust anchor that is
to be maintained via RFC 5011.
When used with the new keyword static-key, it has the same behavior as
trusted-keys, configuring a permanent trust anchor that will not
automatically be updated. (This usage is not recommended for the root
key.) [GL #6]
* The new add-soa option specifies whether or not the response-policy
zone's SOA record should be included in the additional section of RPZ
responses. [GL #865]
@ -71,10 +88,16 @@ Removed Features
effect. DNSSEC responses are always enabled if signatures and other
DNSSEC data are present. [GL #866]
* The cleaning-interval option has been removed. [GL !1731]
Feature Changes
* When trusted-keys and managed-keys were both configured for the same
name, or when trusted-keys was used to configure a trust anchor for
* named will now log a warning if a static key is configured for the
root zone, or if any key is configured for "dlv.isc.org", which has
been shut down. [GL #6]
* When static and managed DNSSEC keys were both configured for the same
name, or when a static key was used to configure a trust anchor for
the root zone and dnssec-validation was set to the default value of
auto, automatic RFC 5011 key rollovers would be disabled. This
combination of settings was never intended to work, but there was no
@ -89,15 +112,28 @@ Feature Changes
"sync" timing parameters in key files, and the checks performed by
dnssec-checkds.
* JSON-C is now the only supported library for enabling JSON support for
BIND statistics. The configure option has been renamed from
--with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a
custom path to the json-c library as the new configure option does not
take the library installation path as an optional argument.
Bug Fixes
* The allow-update and allow-update-forwarding options were
inadvertently treated as configuration errors when used at the options
or view level. This has now been corrected. [GL #913]
* When qname-minimization was set to relaxed, some improperly configured
domains would fail to resolve, but would have succeeded when
minimization was disabled. named will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering the
problem. [GL #1055]
License
BIND is open source software licenced under the terms of the Mozilla
BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
The license requires that if you make changes to BIND and distribute them

View File

@ -113,6 +113,28 @@
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
In order to clarify the configuration of DNSSEC keys,
the <command>trusted-keys</command> and
<command>managed-keys</command> statements have been
deprecated, and the new <command>dnssec-keys</command>
statement should now be used for both types of key.
</para>
<para>
When used with the keyword <command>initial-key</command>,
<command>dnssec-keys</command> has the same behavior as
<command>managed-keys</command>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</para>
<para>
When used with the new keyword <command>static-key</command>, it
has the same behavior as <command>trusted-keys</command>,
configuring a permanent trust anchor that will not automatically
be updated. (This usage is not recommended for the root key.)
[GL #6]
</para>
</listitem>
<listitem>
<para>
The new <command>add-soa</command> option specifies whether
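Review bot: the parenthetical "(This usage is not recommended for the root key.)" in the static-key paragraph gives no reason, and the explanation sits in a different section. The Feature Changes items say named now logs a warning for a static root key, and that combining a static key with managed keys disabled automatic RFC 5011 rollovers. A short clause here, such as "because a static root key is not updated when the root key is rolled", or a pointer to those items would make the recommendation actionable.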
@ -144,19 +166,6 @@
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
The new <command>dnssec-keys</command> statement can now be
used to configure all DNSSEC trust anchors. The older
<command>managed-keys</command> statement is a synonym for
<command>dnssec-keys</command>, retained for backward
compatibility. Both statements can now use the
keyword <command>static-key</command> in place of
<command>initial-key</command> if it is necessary to
configure trusted keys for which RFC 5011 trust anchor
maintenance is not to be used. [GL #6]
</para>
</listitem>
<listitem>
<para>
<command>named</command> will now log a warning if
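Review bot: the paragraph removed at the top of this Feature Changes list was the only place in the notes saying that managed-keys also accepts the static-key keyword, and nothing in the commit replaces that statement. The grammar in this commit still shows "( static-key | initial-key )" inside managed-keys, but the replacement text under New Features only describes the keywords in terms of dnssec-keys. Consider keeping one sentence saying that the deprecated managed-keys statement accepts both keywords, so operators who have not migrated yet know what their existing blocks can contain.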
@ -208,33 +217,6 @@
</itemizedlist>
</section>
<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
<itemizedlist>
<listitem>
<para>
In order to clarify the configuration of DNSSEC keys,
the <command>trusted-keys</command> and
<command>managed-keys</command> statement has been
deprecated. The new <command>dnssec-keys</command> should
be used for both types of keys.
</para>
<para>
When used with the keyword <command>initial-key</command>,
<command>dnssec-keys</command> has the same behavior as
<command>managed-keys</command>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</para>
<para>
When used with the new keyword <command>static-key</command>, it
has the same behavior as <command>trusted-keys</command>,
configuring a permanent trust anchor that will not automatically
be updated. This usage is not recommended for the root key.
[GL #6]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
@ -247,6 +229,17 @@
[GL #913]
</para>
</listitem>
<listitem>
<para>
When <command>qname-minimization</command> was set to
<command>relaxed</command>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <command>named</command> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</para>
</listitem>
</itemizedlist>
</section>

View File

@ -51,9 +51,10 @@ logging {
lwres { <unspecified-text> }; // obsolete, may occur multiple times
managed-keys { <string> ( static-key |
initial-key ) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
managed-keys { <string> ( static-key
| initial-key ) <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
masters <string> [ port <integer> ] [ dscp
<integer> ] { ( <masters> | <ipv4_address> [
@ -110,7 +111,7 @@ options {
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
cleaning-interval <integer>;
cleaning-interval <integer>; // obsolete
clients-per-query <integer>;
cookie-algorithm ( aes | sha1 | sha256 );
cookie-secret <string>; // may occur multiple times
@ -212,7 +213,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
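Review bot: lmdb-mapsize gains a "// non-operational" annotation here and again in the view block, but none of the release note hunks in this commit mention any change to that option. If the annotation reflects how the tree was configured on the host that generated this file, the checked-in grammar should be regenerated from a build with that feature enabled. If the option really has become a no-op, it needs a release note entry.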
@ -487,7 +488,7 @@ view <string> [ <class> ] {
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
cleaning-interval <integer>;
cleaning-interval <integer>; // obsolete
clients-per-query <integer>;
deny-answer-addresses { <address_match_element>; ... } [
except-from { <string>; ... } ];
@ -562,11 +563,13 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> ( static-key |
initial-key ) <integer> <integer>
<integer> <quoted_string>; ... }; // may occur multiple times
managed-keys { <string> (
static-key | initial-key
) <integer> <integer>
<integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { <address_match_element>; ... };

View File

@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBINTERFACE = 1501
LIBREVISION = 0
LIBAGE = 0
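Review bot: LIBINTERFACE goes from 1500 to 1501 while LIBAGE stays at 0. Please confirm this is intended: in libtool's current:revision:age scheme an age of 0 declares that no earlier interface is supported, so anything linked against interface 1500 has to be rebuilt. If this release only added interfaces, LIBAGE should be incremented together with LIBINTERFACE. If something was removed or changed incompatibly, the bump is right, but the incompatible change deserves a changelog entry.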

View File

@ -11,5 +11,5 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBREVISION = 1
LIBAGE = 0

View File

@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBINTERFACE = 1501
LIBREVISION = 0
LIBAGE = 0

View File

@ -11,5 +11,5 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBREVISION = 1
LIBAGE = 0

View File

@ -5,7 +5,7 @@ PRODUCT=BIND
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
PATCHVER=0
PATCHVER=1
RELEASETYPE=
RELEASEVER=
EXTENSIONS=