diff --git a/CHANGES b/CHANGES
index d09f3a9478..76e7106d04 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@ statistics when hitting recursive clients soft quota. [GL #1067] + --- 9.15.1 released --- + 5248. [func] To clarify the configuration of DNSSEC keys, the "managed-keys" and "trusted-keys" options have both been deprecated. The new "dnssec-keys"
diff --git a/CONTRIBUTING b/CONTRIBUTING
index 003a7c8593..288bcab915 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -1,3 +1,5 @@ +CONTRIBUTING + BIND Source Access and Contributor Guidelines Feb 22, 2018
diff --git a/HISTORY b/HISTORY
index c8b5cb9d15..1e3dc72233 100644
--- a/HISTORY
+++ b/HISTORY
@@ -1,3 +1,5 @@ +HISTORY + Functional enhancements from prior major releases of BIND 9 BIND 9.14
@@ -505,11 +507,11 @@ BIND 9.4.0 * Detect duplicates of UDP queries we are recursing on and drop them. New stats category "duplicates". * "USE INTERNAL MALLOC" is now runtime selectable. - * The lame cache is now done on a basis as some servers only appear to - be lame for certain query types. + * The lame cache is now done on a basis as some + servers only appear to be lame for certain query types. * Limit the number of recursive clients that can be waiting for a single - query () to resolve. New options clients-per-query and - max-clients-per-query. + query () to resolve. New options clients-per-query + and max-clients-per-query. * dig: report the number of extra bytes still left in the packet after processing all the records. * Support for IPSECKEY rdata type.
diff --git a/OPTIONS b/OPTIONS
index 340b53db67..811cf7c867 100644
--- a/OPTIONS
+++ b/OPTIONS
@@ -1,10 +1,12 @@ +OPTIONS + Setting the STD_CDEFINES environment variable before running configure can be used to enable certain compile-time options that are not explicitly defined in configure. Some of these settings are: -Setting Description + Setting Description Overwrite memory with tag values when allocating -DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but makes debugging of memory problems easier.
diff --git a/PLATFORMS b/PLATFORMS
index e0a0aa6aab..6e123440e0 100644
--- a/PLATFORMS
+++ b/PLATFORMS
@@ -1,3 +1,5 @@ +PLATFORMS + Supported platforms In general, this version of BIND will build and run on any POSIX-compliant
@@ -64,31 +66,6 @@ These are platforms on which BIND 9.15 is known not to build or run: Platform quirks -ARM - -If the compilation ends with following error: - -Error: selected processor does not support `yield' in ARM mode - -You will need to set -march compiler option to native, so the compiler -recognizes yield assembler instruction. The proper way to set -march= -native would be to put it into CFLAGS, e.g. run ./configure like this: -CFLAGS="-march=native -Os -g" ./configure plus your usual options. - -If that doesn't work, you can enforce the minimum CPU and FPU (taken from -Debian armhf documentation): - - * The lowest worthwhile CPU implementation is Armv7-A, therefore the - recommended build option is -march=armv7-a. - - * FPU should be set at VFPv3-D16 as they represent the minimum - specification of the processors to support here, therefore the - recommended build option is -mfpu=vfpv3-d16. - -The configure command should look like this: - -CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure - NetBSD 6 i386 The i386 build of NetBSD requires the libatomic library, available from
diff --git a/README b/README
index 8beb62dc1b..a964b5afb8 100644
--- a/README
+++ b/README
@@ -1,3 +1,5 @@ +README + BIND 9 Contents
@@ -134,7 +136,7 @@ make depend. If you're using Emacs, you might find make tags helpful. Several environment variables that can be set before running configure will affect compilation: -Variable Description + Variable Description CC The C compiler to use. configure tries to figure out the right one for supported systems. C compiler flags. Defaults to include -g and/or -O2 as
@@ -187,8 +189,10 @@ operations, specify the path to the PKCS#11 provider library using To support the HTTP statistics channel, the server must be linked with at least one of the following: libxml2 http://xmlsoft.org or json-c https:// -github.com/json-c. If these are installed at a nonstandard location, -specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix. +github.com/json-c. If these are installed at a nonstandard location, then: + + * for libxml2, specify the prefix using --with-libxml2=/prefix, + * for json-c, adjust PKG_CONFIG_PATH. To support compression on the HTTP statistics channel, the server must be linked against libzlib. If this is installed in a nonstandard location,
@@ -286,7 +290,7 @@ development BIND 9 is included in the file CHANGES, with the most recent changes listed first. Change notes include tags indicating the category of the change that was made; these categories are: -Category Description + Category Description [func] New feature [bug] General bug fix [security] Fix for a significant security flaw
@@ -321,8 +325,8 @@ issue number. Prior to 2018, these were usually of the form [RT #NNN] and referred to entries in the "bind9-bugs" RT database, which was not open to the public. More recent entries use the form [GL #NNN] or, less often, [GL !NNN], which, respectively, refer to issues or merge requests in the -Gitlab database. Most of these are publically readable, unless they -include information which is confidential or security senstive. +Gitlab database. Most of these are publicly readable, unless they include +information which is confidential or security senstive. To look up a Gitlab issue by its number, use the URL https:// gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
@@ -337,21 +341,23 @@ Acknowledgments * The original development of BIND 9 was underwritten by the following organizations: - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. + Sun Microsystems, Inc. + Hewlett Packard + Compaq Computer Corporation + IBM + Process Software Corporation + Silicon Graphics, Inc. + Network Associates, Inc. + U.S. Defense Information Systems Agency + USENIX Association + Stichting NLnet - NLnet Foundation + Nominum, Inc. * This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. http://www.OpenSSL.org/ + * This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) + * This product includes software written by Tim Hudson (tjh@cryptsoft.com)
diff --git a/README.md b/README.md
index 6958ba110f..153b141233 100644
--- a/README.md
+++ b/README.md
@@ -332,7 +332,7 @@ issue number. Prior to 2018, these were usually of the form `[RT #NNN]` and referred to entries in the "bind9-bugs" RT database, which was not open to the public. More recent entries use the form `[GL #NNN]` or, less often, `[GL !NNN]`, which, respectively, refer to issues or merge requests in the -Gitlab database. Most of these are publically readable, unless they include +Gitlab database. Most of these are publicly readable, unless they include information which is confidential or security senstive. To look up a Gitlab issue by its number, use the URL
diff --git a/bin/delv/delv.1 b/bin/delv/delv.1
index f8e0da555b..7155b70c1d 100644
--- a/bin/delv/delv.1
+++ b/bin/delv/delv.1
@@ -146,14 +146,16 @@ to specify the name of a zone containing DLV records\&. Note: When reading the trust anchor file, \fBdelv\fR treats -\fBmanaged\-keys\fR -statements and -\fBtrusted\-keys\fR -statements identically\&. That is, for a managed key, it is the -\fIinitial\fR -key that is trusted; RFC 5011 key management is not supported\&. +\fBdnssec\-keys\fR\fBinitial\-key\fR +and +\fBstatic\-key\fR +entries identically\&. That is, even if a key is configured with +\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by \fBdelv\fR -will not consult the managed\-keys database maintained by +as if it had been configured as a +\fBstatic\-key\fR\&. +\fBdelv\fR +does not consult the managed keys database maintained by \fBnamed\fR\&. This means that if either of the keys in /etc/bind\&.keys is revoked and rolled over, it will be necessary to update
diff --git a/bin/delv/delv.html b/bin/delv/delv.html
index 22c70cd576..6fe8840329 100644
--- a/bin/delv/delv.html
+++ b/bin/delv/delv.html
@@ -200,14 +200,17 @@

Note: When reading the trust anchor file, - delv treats managed-keys - statements and trusted-keys statements - identically. That is, for a managed key, it is the - initial key that is trusted; RFC 5011 - key management is not supported. delv - will not consult the managed-keys database maintained by - named. This means that if either of the - keys in /etc/bind.keys is revoked + delv treats dnssec-keys + initial-key and static-key + entries identically. That is, even if a key is configured + with initial-key, indicating that it is + meant to be used only as an initializing key for RFC 5011 + key maintenance, it is still treated by delv + as if it had been configured as a static-key. + delv does not consult the managed keys + database maintained by named. This means + that if either of the keys in + /etc/bind.keys is revoked and rolled over, it will be necessary to update /etc/bind.keys to use DNSSEC validation in delv.
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 555c5dcb70..7da5c5693a 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -589,11 +589,11 @@ A synonym for .RS 4 Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means \fBdig\fR -normally sends recursive queries\&. Recursion is automatically disabled when the +normally sends recursive queries\&. Recursion is automatically disabled when using the \fI+nssearch\fR -or +option, and when using \fI+trace\fR -query options are used\&. +except for an initial recursive query to get the list of root servers\&. .RE .PP \fB+retry=T\fR
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index e4f85c60f8..d191d7a6b5 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -797,8 +797,10 @@ in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when - the +nssearch or - +trace query options are used. + using the +nssearch option, and + when using +trace except for + an initial recursive query to get the list of root + servers.

+retry=T
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 081b7b8c95..7b93ad4771 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -10,12 +10,12 @@ .\" Title: named.conf .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2018-12-07 +.\" Date: 2019-05-10 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "NAMED\&.CONF" "5" "2018\-12\-07" "ISC" "BIND9" +.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
@@ -97,6 +97,19 @@ dlz \fIstring\fR { .if n \{\ .RE .\} +.SH "DNSSEC-KEYS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +dnssec\-keys { \fIstring\fR ( static\-key | + initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. }; +.fi +.if n \{\ +.RE +.\} .SH "DYNDB" .sp .if n \{\
@@ -149,13 +162,16 @@ logging { .RE .\} .SH "MANAGED-KEYS" +.PP +See DNSSEC\-KEYS\&. .sp .if n \{\ .RS 4 .\} .nf -managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR - \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; +managed\-keys { \fIstring\fR ( static\-key | + initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. }; .fi .if n \{\ .RE
@@ -257,7 +273,6 @@ options { dnsrps\-options { \fIunspecified\-text\fR }; dnssec\-accept\-expired \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; - dnssec\-enable \fIboolean\fR; dnssec\-loadkeys\-interval \fIinteger\fR; dnssec\-lookaside ( \fIstring\fR trust\-anchor \fIstring\fR | auto | no );
@@ -409,11 +424,12 @@ options { resolver\-retry\-interval \fIinteger\fR; response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size \fIinteger\fR; - response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl - \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname | - disabled | drop | given | no\-op | nodata | nxdomain | passthru - | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ - nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ + response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log + \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval + \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op | + nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [ + recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [ + nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
@@ -551,13 +567,16 @@ statistics\-channels { .RE .\} .SH "TRUSTED-KEYS" +.PP +Deprecated \- see DNSSEC\-KEYS\&. .sp .if n \{\ .RS 4 .\} .nf -trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR - \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; +trusted\-keys { \fIstring\fR \fIinteger\fR + \fIinteger\fR \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. };, deprecated .fi .if n \{\ .RE
@@ -638,7 +657,9 @@ view \fIstring\fR [ \fIclass\fR ] { dnsrps\-options { \fIunspecified\-text\fR }; dnssec\-accept\-expired \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; - dnssec\-enable \fIboolean\fR; + dnssec\-keys { \fIstring\fR ( static\-key | + initial\-key ) \fIinteger\fR \fIinteger\fR + \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; dnssec\-loadkeys\-interval \fIinteger\fR; dnssec\-lookaside ( \fIstring\fR trust\-anchor \fIstring\fR | auto | no );
@@ -676,9 +697,9 @@ view \fIstring\fR [ \fIclass\fR ] { key\-directory \fIquoted_string\fR; lame\-ttl \fIttlval\fR; lmdb\-mapsize \fIsizeval\fR; - managed\-keys { \fIstring\fR \fIstring\fR - \fIinteger\fR \fIinteger\fR \fIinteger\fR - \fIquoted_string\fR; \&.\&.\&. }; + managed\-keys { \fIstring\fR ( static\-key | + initial\-key ) \fIinteger\fR \fIinteger\fR + \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; masterfile\-format ( map | raw | text ); masterfile\-style ( full | relative ); match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
@@ -761,11 +782,12 @@ view \fIstring\fR [ \fIclass\fR ] { resolver\-retry\-interval \fIinteger\fR; response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size \fIinteger\fR; - response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl - \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname | - disabled | drop | given | no\-op | nodata | nxdomain | passthru - | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ - nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ + response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log + \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval + \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op | + nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [ + recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [ + nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
@@ -827,9 +849,10 @@ view \fIstring\fR [ \fIclass\fR ] { transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; trust\-anchor\-telemetry \fIboolean\fR; // experimental - trusted\-keys { \fIstring\fR \fIinteger\fR - \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; - \&.\&.\&. }; + trusted\-keys { \fIstring\fR + \fIinteger\fR \fIinteger\fR + \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. };, deprecated try\-tcp\-refresh \fIboolean\fR; update\-check\-ksk \fIboolean\fR; use\-alt\-transfer\-source \fIboolean\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index a77e646f06..bca8de5a24 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -59,7 +59,6 @@

ACL

-


acl string { address_match_element; ... };

@@ -67,7 +66,6 @@ acl

CONTROLS

-


controls {
inet ( ipv4_address | ipv6_address |
@@ -85,7 +83,6 @@ controls

DLZ

-


dlz string {
database string;
@@ -95,8 +92,16 @@ dlz

-

DYNDB

+

DNSSEC-KEYS

+


+dnssec-keys { string ( static-key |
+    initial-key ) integer integer integer
+    quoted_string; ... };
+

+
+
+

DYNDB


dyndb string quoted_string {
    unspecified-text };
@@ -104,8 +109,7 @@ dyndb

-

KEY

- +

KEY


key string {
algorithm string;
@@ -115,8 +119,7 @@ key

-

LOGGING

- +

LOGGING


logging {
category string { string; ... };
@@ -138,17 +141,17 @@ logging

-

MANAGED-KEYS

- +

MANAGED-KEYS

+

See DNSSEC-KEYS.


-managed-keys { string string integer
-    integer integer quoted_string; ... };
+managed-keys { string ( static-key |
+    initial-key ) integer integer integer
+    quoted_string; ... };

-

MASTERS

- +

MASTERS


masters string [ port integer ] [ dscp
    integer ] { ( masters | ipv4_address [
@@ -158,8 +161,7 @@ masters

-

OPTIONS

- +

OPTIONS


options {
allow-new-zones boolean;
@@ -238,7 +240,6 @@ options dnsrps-options { unspecified-text };
dnssec-accept-expired boolean;
dnssec-dnskey-kskonly boolean;
- dnssec-enable boolean;
dnssec-loadkeys-interval integer;
dnssec-lookaside ( string trust-anchor
    string | auto | no );
@@ -390,11 +391,12 @@ options resolver-retry-interval integer;
response-padding { address_match_element; ... } block-size
    integer;
- response-policy { zone string [ log boolean ] [ max-policy-ttl
-     ttlval ] [ min-update-interval ttlval ] [ policy ( cname |
-     disabled | drop | given | no-op | nodata | nxdomain | passthru
-     | tcp-only quoted_string ) ] [ recursive-only boolean ] [
-     nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [
+ response-policy { zone string [ add-soa boolean ] [ log
+     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
+     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
+     nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
+     recursive-only boolean ] [ nsip-enable boolean ] [
+     nsdname-enable boolean ]; ... } [ add-soa boolean ] [
    break-dnssec boolean ] [ max-policy-ttl ttlval ] [
    min-update-interval ttlval ] [ min-ns-dots integer ] [
    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
@@ -461,8 +463,7 @@ options

-

PLUGIN

- +

PLUGIN


plugin ( query ) string [ { unspecified-text
    } ];
@@ -470,8 +471,7 @@ plugin

-

SERVER

- +

SERVER


server netprefix {
bogus boolean;
@@ -509,8 +509,7 @@ server

-

STATISTICS-CHANNELS

- +

STATISTICS-CHANNELS


statistics-channels {
inet ( ipv4_address | ipv6_address |
@@ -522,17 +521,17 @@ statistics-channels

-

TRUSTED-KEYS

- +

TRUSTED-KEYS

+

Deprecated - see DNSSEC-KEYS.


-trusted-keys { string integer integer
-    integer quoted_string; ... };
+trusted-keys { string integer
+    integer integer
+    quoted_string; ... };, deprecated

-

VIEW

- +

VIEW


view string [ class ] {
allow-new-zones boolean;
@@ -604,7 +603,9 @@ view dnsrps-options { unspecified-text };
dnssec-accept-expired boolean;
dnssec-dnskey-kskonly boolean;
- dnssec-enable boolean;
+ dnssec-keys { string ( static-key |
+     initial-key ) integer integer
+     integer quoted_string; ... };
dnssec-loadkeys-interval integer;
dnssec-lookaside ( string trust-anchor
    string | auto | no );
@@ -642,9 +643,9 @@ view key-directory quoted_string;
lame-ttl ttlval;
lmdb-mapsize sizeval;
- managed-keys { string string
-     integer integer integer
-     quoted_string; ... };
+ managed-keys { string ( static-key |
+     initial-key ) integer integer
+     integer quoted_string; ... };
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { address_match_element; ... };
@@ -727,11 +728,12 @@ view resolver-retry-interval integer;
response-padding { address_match_element; ... } block-size
    integer;
- response-policy { zone string [ log boolean ] [ max-policy-ttl
-     ttlval ] [ min-update-interval ttlval ] [ policy ( cname |
-     disabled | drop | given | no-op | nodata | nxdomain | passthru
-     | tcp-only quoted_string ) ] [ recursive-only boolean ] [
-     nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [
+ response-policy { zone string [ add-soa boolean ] [ log
+     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
+     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
+     nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
+     recursive-only boolean ] [ nsip-enable boolean ] [
+     nsdname-enable boolean ]; ... } [ add-soa boolean ] [
    break-dnssec boolean ] [ max-policy-ttl ttlval ] [
    min-update-interval ttlval ] [ min-ns-dots integer ] [
    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
@@ -793,9 +795,10 @@ view transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
    ] [ dscp integer ];
trust-anchor-telemetry boolean; // experimental
- trusted-keys { string integer
-     integer integer quoted_string;
-     ... };
+ trusted-keys { string
+     integer integer
+     integer
+     quoted_string; ... };, deprecated
try-tcp-refresh boolean;
update-check-ksk boolean;
use-alt-transfer-source boolean;
@@ -907,8 +910,7 @@ view

-

ZONE

- +

ZONE


zone string [ class ] {
allow-notify { address_match_element; ... };
@@ -1007,14 +1009,14 @@ zone

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

ddns-confgen(8)
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 0ce4c203a0..b859194604 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -284,7 +284,7 @@ maintain, and also requires the zone to be configured to allow dynamic DNS\&. (S .PP \fBmanaged\-keys \fR\fB\fI(status | refresh | sync | destroy)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR .RS 4 -Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&. +Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&. .sp .RS 4 .ie n \{\
@@ -296,7 +296,7 @@ Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC t .\} When run with the status -keyword, prints the current status of the managed\-keys database\&. +keyword, prints the current status of the managed keys database\&. .RE .sp .RS 4
@@ -309,7 +309,7 @@ keyword, prints the current status of the managed\-keys database\&. .\} When run with the refresh -keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed\-keys database if any new keys are found, without waiting the normal refresh interval\&. +keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval\&. .RE .sp .RS 4
@@ -322,7 +322,7 @@ keyword, forces an immediate refresh query to be sent for all the managed keys, .\} When run with the sync -keyword, forces an immediate dump of the managed\-keys database to disk (in the file +keyword, forces an immediate dump of the managed keys database to disk (in the file managed\-keys\&.bind or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal file, so that the database\*(Aqs current contents can be inspected visually\&. .RE
@@ -337,7 +337,7 @@ or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal f .\} When run with the destroy -keyword, the managed\-keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&. +keyword, the managed keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&. .sp Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used\&. However, key maintenance operations will cease until \fBnamed\fR
@@ -515,8 +515,12 @@ timer\&. \fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR .RS 4 Dump the security roots (i\&.e\&., trust anchors configured via -\fBtrusted\-keys\fR, -\fBmanaged\-keys\fR, or +\fBdnssec\-keys\fR +statements, or the synonymous +\fBmanaged\-keys\fR +or the deprecated +\fBtrusted\-keys\fR +statements, or via \fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&. .sp If the first argument is "\-", then the output is returned via the
@@ -697,7 +701,7 @@ Delete a given TKEY\-negotiated key from the server\&. (This does not apply to s
 .RS 4
 List the names of all TSIG keys currently configured for use by
 \fBnamed\fR
-in each view\&. The list both statically configured keys and dynamic TKEY\-negotiated keys\&.
+in each view\&. The list includes both statically configured keys and dynamic TKEY\-negotiated keys\&.
 .RE
 .PP
 \fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 8b9df50b16..d03708cb0f 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -378,7 +378,7 @@

managed-keys (status | refresh | sync | destroy) [class [view]]

- Inspect and control the "managed-keys" database which + Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance. If a view is specified, these commands are applied to that view; otherwise they are applied to all views. @@ -387,14 +387,14 @@

  • When run with the status keyword, prints - the current status of the managed-keys database. + the current status of the managed keys database.

  • When run with the refresh keyword, forces an immediate refresh query to be sent for all - the managed keys, updating the managed-keys database + the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval.

    @@ -402,7 +402,7 @@
  • When run with the sync keyword, forces an - immediate dump of the managed-keys database to disk + immediate dump of the managed keys database to disk (in the file managed-keys.bind or (viewname.mkeys). This synchronizes the database with its journal file, so @@ -413,7 +413,7 @@

  • When run with the destroy keyword, the - managed-keys database is shut down and deleted, and all key + managed keys database is shut down and deleted, and all key maintenance is terminated. This command should be used only with extreme caution.

    @@ -653,9 +653,10 @@

    Dump the security roots (i.e., trust anchors - configured via trusted-keys, - managed-keys, or - dnssec-validation auto) and negative trust + configured via dnssec-keys statements, + or the synonymous managed-keys or + the deprecated trusted-keys statements, or + via dnssec-validation auto) and negative trust anchors for the specified views. If no view is specified, all views are dumped. Security roots will indicate whether they are configured as trusted keys, managed keys, or @@ -905,7 +906,7 @@

    List the names of all TSIG keys currently configured for use by named in each view. The - list both statically configured keys and dynamic + list includes both statically configured keys and dynamic TKEY-negotiated keys.

    diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 73fb6a4017..f469fc7511 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -614,6 +614,6 @@
  • -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index ecadf5fdf4..d19c3fab76 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -146,6 +146,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 4bff22b72a..fe4ff10515 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -856,6 +856,6 @@ controls {
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 65ec3e3ee5..b8c0541093 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -54,7 +54,7 @@
    SIG(0)
    DNSSEC
    -
    Generating Keys
    +
    Generating Keys
    Signing the Zone
    Configuring Servers for DNSSEC
    @@ -913,7 +913,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

    -Generating Keys

    +Generating Keys

    The dnssec-keygen program is used to @@ -1042,8 +1042,9 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; yes, DNSSEC validation will only occur if at least one trust anchor has been explicitly configured in named.conf - using a trusted-keys or - managed-keys statement. + using a dnssec-keys statement (or the + synonymous managed-keys or the deprecated + trusted-keys statements).

    When dnssec-validation is set to @@ -1056,23 +1057,20 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

    - trusted-keys are copies of DNSKEY RRs - for zones that are used to form the first link in the - cryptographic chain of trust. All keys listed in - trusted-keys (and corresponding zones) - are deemed to exist and only the listed keys will be used - to validated the DNSKEY RRset that they are from. + The keys specified in dnssec-keys + copies of DNSKEY RRs for zones that are used to form the + first link in the cryptographic chain of trust. Keys configured + with the keyword static-key are loaded directly + into the table of trust anchors, and can only be changed by + altering the configuration. Keys configured with + initial-key are used to initialize + RFC 5011 trust anchor maintenance, and will be kept up to + date automatically after the first time named + runs.

    - managed-keys are trusted keys which are - automatically kept up to date via RFC 5011 trust anchor - maintenance. -

    - -

    - trusted-keys and - managed-keys are described in more detail + dnssec-keys is described in more detail later in this document.

    @@ -1095,7 +1093,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

    -managed-keys {
    +dnssec-keys {
             /* Root Key */
             "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
                                      JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
    @@ -1107,11 +1105,8 @@ managed-keys {
                                      66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
                                      97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
                                      dgxbcDTClU0CRBdiieyLMNzXG3";
    -};
    -
    -trusted-keys {
             /* Key for our organization's forward zone */
    -        example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
    +        example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
                                   5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
                                   GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
                                   4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
    @@ -1124,7 +1119,7 @@ trusted-keys {
                                   1OTQ09A0=";
     
             /* Key for our reverse zone. */
    -        2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
    +        2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
                                            xOdNax071L18QqZnQQQAVVr+i
                                            LhGTnNGp3HoWQLUIzKrJVZ3zg
                                            gy3WwNT6kZo6c0tszYqbtvchm
    @@ -1516,11 +1511,11 @@ options {
         
         

    To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a - managed-keys statement. Information about + dnssec-keys statement and the + initial-key keyword. Information about this can be found in - the section called “managed-keys Statement Definition + the section called “dnssec-keys Statement Definition and Usage”.

    -

    @@ -2845,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index cfcf325203..dd14632598 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -66,13 +66,16 @@ Usage
    statistics-channels Statement Grammar
    statistics-channels Statement Definition and - Usage
    + Usage +
    dnssec-keys Statement Grammar
    +
    dnssec-keys Statement Definition + and Usage
    +
    managed-keys Statement Grammar
    +
    managed-keys Statement Definition + and Usage
    trusted-keys Statement Grammar
    trusted-keys Statement Definition and Usage
    -
    managed-keys Statement Grammar
    -
    managed-keys Statement Definition - and Usage
    view Statement Grammar
    view Statement Definition and Usage
    zone @@ -882,11 +885,17 @@ -

    trusted-keys

    +

    dnssec-keys

    - defines trusted DNSSEC keys. + defines DNSSEC keys: if used with the + initial-key keyword, + keys are kept up to date using RFC 5011 + trust anchor maintenance, and if used with + static-key, keys are permanent. + Identical to managed-keys, + but has been added for improved clarity.

    @@ -896,8 +905,22 @@

    - lists DNSSEC keys to be kept up to date - using RFC 5011 trust anchor maintenance. + is identical to dnssec-keys, + and is retained for backward compatibility. +

    + + + + +

    trusted-keys

    + + +

    + defines permanent trusted DNSSEC keys; + this option is deprecated in favor + of dnssec-keys with + the static-key keyword, + and may be removed in a future release.

    @@ -2438,7 +2461,6 @@ badresp:1,adberr:0,findfail:0,valfail:0] dnsrps-options { unspecified-text }; dnssec-accept-expired boolean; dnssec-dnskey-kskonly boolean; - dnssec-enable boolean; dnssec-loadkeys-interval integer; dnssec-lookaside ( string trust-anchor string | auto | no ); @@ -2590,11 +2612,12 @@ badresp:1,adberr:0,findfail:0,valfail:0] resolver-retry-interval integer; response-padding { address_match_element; ... } block-size integer; - response-policy { zone string [ log boolean ] [ max-policy-ttl - ttlval ] [ min-update-interval ttlval ] [ policy ( cname | - disabled | drop | given | no-op | nodata | nxdomain | passthru - | tcp-only quoted_string ) ] [ recursive-only boolean ] [ - nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [ + response-policy { zone string [ add-soa boolean ] [ log + boolean ] [ max-policy-ttl ttlval ] [ min-update-interval + ttlval ] [ policy ( cname | disabled | drop | given | no-op | + nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ + recursive-only boolean ] [ nsip-enable boolean ] [ + nsdname-enable boolean ]; ... } [ add-soa boolean ] [ break-dnssec boolean ] [ max-policy-ttl ttlval ] [ min-update-interval ttlval ] [ min-ns-dots integer ] [ nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ] @@ -2746,7 +2769,6 @@ badresp:1,adberr:0,findfail:0,valfail:0] configurable options be consistent among these views: check-names, - cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, @@ -3042,10 +3064,12 @@ badresp:1,adberr:0,findfail:0,valfail:0]

    Specifies the directory in which to store the files that - track managed DNSSEC keys. By default, this is the working - directory. The directory must - be writable by the effective user ID of the - named process. + track managed DNSSEC keys (i.e., those configured using + the initial-key keyword in a + dnssec-keys statement). By default, + this is the working directory. The directory + must be writable by the effective + user ID of the named process.

    If named is not configured to use views, @@ -3468,10 +3492,10 @@ options { then named will only accept answers if they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to - be accepted. The specified domain must be under a - trusted-keys or - managed-keys statement, or - dnssec-validation auto must be active. + be accepted. The specified domain must be defined as a + trust anchor, for instance in a dnssec-keys + statement, or dnssec-validation auto must + be active.

    dns64
    @@ -4459,8 +4483,8 @@ options {

    Causes named to send specially-formed queries once per day to domains for which trust anchors - have been configured via trusted-keys, - managed-keys, or + have been configured via, e.g., + dnssec-keys or dnssec-validation auto.

    @@ -4651,10 +4675,11 @@ options {

    If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured - using a trusted-keys - or managed-keys statement; if there - is no configured trust anchor, validation will not take - place. + using a dnssec-keys statement (or + the synonymous managed-keys, or the + deprecated trusted-keys statements). + If there is no configured trust anchor, validation will + not take place.

    If set to no, DNSSEC validation @@ -6441,14 +6466,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

    cleaning-interval

    - This interval is effectively obsolete. Previously, - the server would remove expired resource records - from the cache every cleaning-interval minutes. - BIND 9 now manages cache - memory in a more sophisticated manner and does not - rely on the periodic cleaning any more. - Specifying this option therefore has no effect on - the server's behavior. + This option is obsolete.

    heartbeat-interval
    @@ -8691,10 +8709,10 @@ example.com CNAME rpz-tcp-only.

    -
    +

    statistics-channels Statement Grammar

    -
    +          
     statistics-channels {
     	inet ( ipv4_address | ipv6_address |
     	    * ) [ port ( integer | * ) ] [
    @@ -8702,260 +8720,244 @@ example.com                 CNAME   rpz-tcp-only.
     	    } ];
     };
     
    -
    - -
    -

    -statistics-channels Statement Definition and - Usage

    - -

    - The statistics-channels statement - declares communication channels to be used by system - administrators to get access to statistics information of - the name server. -

    - -

    - This statement intends to be flexible to support multiple - communication protocols in the future, but currently only - HTTP access is supported. - It requires that BIND 9 be compiled with libxml2 and/or - json-c (also known as libjson0); the - statistics-channels statement is - still accepted even if it is built without the library, - but any HTTP access will fail with an error. -

    - -

    - An inet control channel is a TCP socket - listening at the specified ip_port on the - specified ip_addr, which can be an IPv4 or IPv6 - address. An ip_addr of * - (asterisk) is - interpreted as the IPv4 wildcard address; connections will be - accepted on any of the system's IPv4 addresses. - To listen on the IPv6 wildcard address, - use an ip_addr of ::. -

    - -

    - If no port is specified, port 80 is used for HTTP channels. - The asterisk "*" cannot be used for - ip_port. -

    - -

    - The attempt of opening a statistics channel is - restricted by the optional allow clause. - Connections to the statistics channel are permitted based on the - address_match_list. - If no allow clause is present, - named accepts connection - attempts from any address; since the statistics may - contain sensitive internal information, it is highly - recommended to restrict the source of connection requests - appropriately. -

    - -

    - If no statistics-channels statement is present, - named will not open any communication channels. -

    - -

    - The statistics are available in various formats and views - depending on the URI used to access them. For example, if - the statistics channel is configured to listen on 127.0.0.1 - port 8888, then the statistics are accessible in XML format at - http://127.0.0.1:8888/ or - http://127.0.0.1:8888/xml. A CSS file is - included which can format the XML statistics into tables - when viewed with a stylesheet-capable browser, and into - charts and graphs using the Google Charts API when using a - javascript-capable browser. -

    - -

    - Broken-out subsets of the statistics can be viewed at - http://127.0.0.1:8888/xml/v3/status - (server uptime and last reconfiguration time), - http://127.0.0.1:8888/xml/v3/server - (server and resolver statistics), - http://127.0.0.1:8888/xml/v3/zones - (zone statistics), - http://127.0.0.1:8888/xml/v3/net - (network status and socket statistics), - http://127.0.0.1:8888/xml/v3/mem - (memory manager statistics), - http://127.0.0.1:8888/xml/v3/tasks - (task manager statistics), and - http://127.0.0.1:8888/xml/v3/traffic - (traffic sizes). -

    - -

    - The full set of statistics can also be read in JSON format at - http://127.0.0.1:8888/json, - with the broken-out subsets at - http://127.0.0.1:8888/json/v1/status - (server uptime and last reconfiguration time), - http://127.0.0.1:8888/json/v1/server - (server and resolver statistics), - http://127.0.0.1:8888/json/v1/zones - (zone statistics), - http://127.0.0.1:8888/json/v1/net - (network status and socket statistics), - http://127.0.0.1:8888/json/v1/mem - (memory manager statistics), - http://127.0.0.1:8888/json/v1/tasks - (task manager statistics), and - http://127.0.0.1:8888/json/v1/traffic - (traffic sizes). -

    -
    +

    -trusted-keys Statement Grammar

    +statistics-channels Statement Definition and + Usage
    + +

    + The statistics-channels statement + declares communication channels to be used by system + administrators to get access to statistics information of + the name server. +

    + +

    + This statement intends to be flexible to support multiple + communication protocols in the future, but currently only + HTTP access is supported. + It requires that BIND 9 be compiled with libxml2 and/or + json-c (also known as libjson0); the + statistics-channels statement is + still accepted even if it is built without the library, + but any HTTP access will fail with an error. +

    + +

    + An inet control channel is a TCP socket + listening at the specified ip_port on the + specified ip_addr, which can be an IPv4 or IPv6 + address. An ip_addr of * + (asterisk) is + interpreted as the IPv4 wildcard address; connections will be + accepted on any of the system's IPv4 addresses. + To listen on the IPv6 wildcard address, + use an ip_addr of ::. +

    + +

    + If no port is specified, port 80 is used for HTTP channels. + The asterisk "*" cannot be used for + ip_port. +

    + +

    + The attempt of opening a statistics channel is + restricted by the optional allow clause. + Connections to the statistics channel are permitted based on the + address_match_list. + If no allow clause is present, + named accepts connection + attempts from any address; since the statistics may + contain sensitive internal information, it is highly + recommended to restrict the source of connection requests + appropriately. +

    + +

    + If no statistics-channels statement is present, + named will not open any communication channels. +

    + +

    + The statistics are available in various formats and views + depending on the URI used to access them. For example, if + the statistics channel is configured to listen on 127.0.0.1 + port 8888, then the statistics are accessible in XML format at + http://127.0.0.1:8888/ or + http://127.0.0.1:8888/xml. A CSS file is + included which can format the XML statistics into tables + when viewed with a stylesheet-capable browser, and into + charts and graphs using the Google Charts API when using a + javascript-capable browser. +

    + +

    + Broken-out subsets of the statistics can be viewed at + http://127.0.0.1:8888/xml/v3/status + (server uptime and last reconfiguration time), + http://127.0.0.1:8888/xml/v3/server + (server and resolver statistics), + http://127.0.0.1:8888/xml/v3/zones + (zone statistics), + http://127.0.0.1:8888/xml/v3/net + (network status and socket statistics), + http://127.0.0.1:8888/xml/v3/mem + (memory manager statistics), + http://127.0.0.1:8888/xml/v3/tasks + (task manager statistics), and + http://127.0.0.1:8888/xml/v3/traffic + (traffic sizes). +

    + +

    + The full set of statistics can also be read in JSON format at + http://127.0.0.1:8888/json, + with the broken-out subsets at + http://127.0.0.1:8888/json/v1/status + (server uptime and last reconfiguration time), + http://127.0.0.1:8888/json/v1/server + (server and resolver statistics), + http://127.0.0.1:8888/json/v1/zones + (zone statistics), + http://127.0.0.1:8888/json/v1/net + (network status and socket statistics), + http://127.0.0.1:8888/json/v1/mem + (memory manager statistics), + http://127.0.0.1:8888/json/v1/tasks + (task manager statistics), and + http://127.0.0.1:8888/json/v1/traffic + (traffic sizes). +

    +
    + +
    +

    +dnssec-keys Statement Grammar

    -trusted-keys { string integer integer
    -    integer quoted_string; ... };
    +dnssec-keys { string ( static-key |
    +    initial-key ) integer integer integer
    +    quoted_string; ... };
     

    -trusted-keys Statement Definition +dnssec-keys Statement Definition and Usage

    - The trusted-keys statement defines - DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the - public key for a non-authoritative zone is known, but - cannot be securely obtained through DNS, either because - it is the DNS root zone or because its parent zone is - unsigned. Once a key has been configured as a trusted - key, it is treated as if it had been validated and - proven secure. The resolver attempts DNSSEC validation - on all DNS data in subdomains of a security root. + The dnssec-keys statement defines DNSSEC + trust anchors. DNSSEC is described in the section called “DNSSEC”.

    - All keys (and corresponding zones) listed in - trusted-keys are deemed to exist regardless - of what parent zones say. Similarly for all keys listed in - trusted-keys only those keys are - used to validate the DNSKEY RRset. The parent's DS RRset - will not be used. + A trust anchor is defined when the public key for + a non-authoritative zone is known, but cannot be securely + obtained through DNS, either because it is the DNS root zone + or because its parent zone is unsigned. Once a key has been + configured as a trust anchor, it is treated as if it had + been validated and proven secure.

    - The trusted-keys statement can contain + The resolver attempts DNSSEC validation on all DNS data + in subdomains of configured trust anchors. (Validation below + specified names can be temporarily disabled by using + rndc nta, or permanently disabled with + the validate-except option). +

    +

    + All keys listed in dnssec-keys, and + their corresponding zones, are deemed to exist regardless + of what parent zones say. Only keys configured as trust anchors + are used to validate the DNSKEY RRset for the corresponding + name. The parent's DS RRset will not be used. +

    +

    + The dnssec-keys statement can contain multiple key entries, each consisting of the key's - domain name, flags, protocol, algorithm, and the Base64 - representation of the key data. - Spaces, tabs, newlines and carriage returns are ignored + domain name, followed by the static-key or + initial-key keyword, then the key's flags, + protocol, algorithm, and the Base64 representation of the key + data. Spaces, tabs, newlines and carriage returns are ignored in the key data, so the configuration may be split up into multiple lines.

    - trusted-keys may be set at the top level + dnssec-keys may be set at the top level of named.conf or within a view. If it is - set in both places, they are additive: keys defined at the top - level are inherited by all views, but keys defined in a view - are only used within that view. + set in both places, the configurations are additive: keys + defined at the top level are inherited by all views, but keys + defined in a view are only used within that view.

    - Validation below specified names can be temporarily disabled - by using rndc nta. -

    -
    - -
    -

    -managed-keys Statement Grammar

    -
    -managed-keys { string string integer
    -    integer integer quoted_string; ... };
    -
    -
    -
    -

    -managed-keys Statement Definition - and Usage

    - -

    - The managed-keys statement, like - trusted-keys, defines DNSSEC - security roots. The difference is that - managed-keys can be kept up to date - automatically, without intervention from the resolver - operator. + dnssec-keys entries can be configured with + two keywords: static-key or + initial-key. Keys configured with + static-key are immutable, + while keys configured with initial-key + can be kept up to date automatically, without intervention + from the resolver operator. (static-key + keys are identical to keys configured using the deprecated + trusted-keys statement.)

    Suppose, for example, that a zone's key-signing key was compromised, and the zone owner had to revoke and - replace the key. A resolver which had the old key in a - trusted-keys statement would be + replace the key. A resolver which had the original key + configured as a static-key would be unable to validate this zone any longer; it would reply with a SERVFAIL response code. This would continue until the resolver operator had updated the - trusted-keys statement with the new key. + dnssec-keys statement with the new key.

    - If, however, the zone were listed in a - managed-keys statement instead, then the - zone owner could add a "stand-by" key to the zone in advance. + If, however, the trust anchor had been configured with + initial-key instead, then the + zone owner could add a "stand-by" key to their zone in advance. named would store the stand-by key, and when the original key was revoked, named would be able to transition smoothly to the new key. It would also recognize that the old key had been revoked, and cease using that key to validate answers, minimizing the damage that - the compromised key could do. + the compromised key could do. This is the process used to + keep the ICANN root DNSSEC key up to date.

    - A managed-keys statement contains a list of - the keys to be managed, along with information about how the - keys are to be initialized for the first time. The only - initialization method currently supported is - initial-key. - This means the managed-keys statement must - contain a copy of the initializing key. (Future releases may - allow keys to be initialized by other methods, eliminating this - requirement.) + Whereas static-key + keys continue to be trusted until they are removed from + named.conf, an + initial-key is only trusted + once: for as long as it + takes to load the managed key database and start the RFC 5011 + key maintenance process.

    - Consequently, a managed-keys statement - appears similar to a trusted-keys, differing - in the presence of the second field, containing the keyword - initial-key. The difference is, whereas the - keys listed in a trusted-keys continue to be - trusted until they are removed from - named.conf, an initializing key listed - in a managed-keys statement is only trusted - once: for as long as it takes to load the - managed key database and start the RFC 5011 key maintenance - process. -

    -

    - The first time named runs with a managed key - configured in named.conf, it fetches the + The first time named runs with an + initial-key configured in + named.conf, it fetches the DNSKEY RRset directly from the zone apex, and validates it - using the key specified in the managed-keys - statement. If the DNSKEY RRset is validly signed, then it is + using the key specified in dnssec-keys. + If the DNSKEY RRset is validly signed, then it is used as the basis for a new managed keys database.

    From that point on, whenever named runs, it - sees the managed-keys statement, checks to + sees the initial-key listed in + dnssec-keys, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The - key specified in the managed-keys - statement is not used to validate answers; it has been - superseded by the key or keys stored in the managed keys database. + key specified in the dnssec-keys + statement is not used to validate answers; it is + superseded by the key or keys stored in the managed keys + database.

    - The next time named runs after a name - has been removed from the - managed-keys statement, the corresponding + The next time named runs after an + initial-key has been + removed from the + dnssec-keys statement (or changed to + a static-key), the corresponding zone will be removed from the managed keys database, and RFC 5011 key maintenance will no longer be used for that domain. @@ -8990,8 +8992,8 @@ example.com CNAME rpz-tcp-only.

    If the dnssec-validation option is set to auto, named - will automatically initialize a managed key for the - root zone. The key that is used to initialize the key + will automatically initialize an initial-key + for the root zone. The key that is used to initialize the key maintenance process is stored in bind.keys; the location of this file can be overridden with the bindkeys-file option. As a fallback @@ -9003,6 +9005,48 @@ example.com CNAME rpz-tcp-only.

    +managed-keys Statement Grammar

    +
    +managed-keys { string ( static-key |
    +    initial-key ) integer integer integer
    +    quoted_string; ... };
    +
    +
    +
    +

    +managed-keys Statement Definition + and Usage

    + +

    + The managed-keys statement is + identical to the dnssec-keys, and is + retained for backward compatibility. +

    +
    + +
    +

    +trusted-keys Statement Grammar

    +
    +trusted-keys { string integer
    +    integer integer
    +    quoted_string; ... };, deprecated
    +
    +
    +
    +

    +trusted-keys Statement Definition + and Usage

    + +

    + The trusted-keys statement has been + deprecated in favor of the section called “dnssec-keys Statement Grammar” + with the static keyword. +

    +
    + +
    +

    view Statement Grammar

    view view_name [ class ] {
    @@ -14869,6 +14913,6 @@ HOST-127.EXAMPLE. MX 0 .
     
     
     
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index ac6a919d3d..87e00b80d2 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 1ee531f859..5e68dff489 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -191,6 +191,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index ebfa170a03..e3df521814 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -36,7 +36,7 @@

    -Release Notes for BIND Version 9.15.0

    +Release Notes for BIND Version 9.15.1

    @@ -145,7 +145,15 @@

    The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. (CVE-2018-5743) [GL #615] + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] +

    + +
  • +

    + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942]

  • @@ -154,37 +162,76 @@

    New Features

    -
    • +
        +
      • +

        + In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. +

        +

        + When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. +

        +

        + When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] +

        +
      • +
      • The new add-soa option specifies whether or not the response-policy zone's SOA record should be included in the additional section of RPZ responses. [GL #865]

        -
      +
    • +

    Removed Features

    -
    • +
        +
      • The dnssec-enable option has been deprecated and no longer has any effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866]

        -
      +
    • +
    • +

      + The cleaning-interval option has been + removed. [GL !1731] +

      +
    • +

    Feature Changes

      +
    • +

      + named will now log a warning if + a static key is configured for the root zone, or if + any key is configured for "dlv.isc.org", which has been shut + down. [GL #6] +

      +
    • - When trusted-keys and - managed-keys were both configured for the - same name, or when trusted-keys was used to + When static and managed DNSSEC keys were both configured for the + same name, or when a static key was used to configure a trust anchor for the root zone and dnssec-validation was set to the default value of auto, automatic RFC 5011 key @@ -209,13 +256,26 @@ dnssec-checkds.

    • +
    • +

      + JSON-C is now the only supported library for enabling JSON + support for BIND statistics. The configure + option has been renamed from --with-libjson + to --with-json-c. Use + PKG_CONFIG_PATH to specify a custom path to + the json-c library as the new + configure option does not take the library + installation path as an optional argument. +

      +

    Bug Fixes

    -
    • +
        +
      • The allow-update and allow-update-forwarding options were @@ -224,14 +284,26 @@ This has now been corrected. [GL #913]

        -
      +
    • +
    • +

      + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +

      +
    • +

    License

    - BIND is open source software licenced under the terms of the Mozilla + BIND is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text).

    @@ -299,6 +371,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index a2993c6c7a..768e26d962 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -148,6 +148,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 890d538e5d..ac6b5a128b 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -914,6 +914,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html
index 07f386e343..62acb8e489 100644
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@@ -170,10 +170,14 @@ $ make parameters. By default the path to this configuration file is /etc/dns.conf. This module is very experimental and the configuration syntax or library interfaces may change in - future versions. Currently, only the trusted-keys - statement is supported, whose syntax is the same as the same - statement in named.conf. (See - the section called “trusted-keys Statement Grammar” for details.) + future versions. Currently, only static key configuration is supported. + managed-keys and trusted-keys + statements are parsed exactly as they are in + named.conf, except that all + managed-keys entries will be treated as + if they were configured with the static-key + keyword, even if they are configured with initial-key. + (See the section called “managed-keys Statement Grammar” for syntax details.)

    @@ -533,6 +537,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html
index d710b1d8c4..b37d158ac0 100644
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@@ -210,6 +210,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 8427d1b5a4..4a1e274101 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.15.0

    +

    BIND Version 9.15.1


    @@ -102,7 +102,7 @@
    SIG(0)
    DNSSEC
    -
    Generating Keys
    +
    Generating Keys
    Signing the Zone
    Configuring Servers for DNSSEC
    @@ -191,13 +191,16 @@ Usage
    statistics-channels Statement Grammar
    statistics-channels Statement Definition and - Usage
    + Usage +
    dnssec-keys Statement Grammar
    +
    dnssec-keys Statement Definition + and Usage
    +
    managed-keys Statement Grammar
    +
    managed-keys Statement Definition + and Usage
    trusted-keys Statement Grammar
    trusted-keys Statement Definition and Usage
    -
    managed-keys Statement Grammar
    -
    managed-keys Statement Definition - and Usage
    view Statement Grammar
    view Statement Definition and Usage
    zone @@ -242,7 +245,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.15.0
    +
    Release Notes for BIND Version 9.15.1
    Introduction
    Note on Version Numbering
    @@ -440,6 +443,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index dff491e115..9a6f0b66fd 100644
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index c7b61c7513..97f901e714 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -90,6 +90,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index df9dd02fae..061c0f893a 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -220,6 +220,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index bbffdc4dfb..c734ae2ca8 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -218,14 +218,17 @@

    Note: When reading the trust anchor file, - delv treats managed-keys - statements and trusted-keys statements - identically. That is, for a managed key, it is the - initial key that is trusted; RFC 5011 - key management is not supported. delv - will not consult the managed-keys database maintained by - named. This means that if either of the - keys in /etc/bind.keys is revoked + delv treats dnssec-keys + initial-key and static-key + entries identically. That is, even if a key is configured + with initial-key, indicating that it is + meant to be used only as an initializing key for RFC 5011 + key maintenance, it is still treated by delv + as if it had been configured as a static-key. + delv does not consult the managed keys + database maintained by named. This means + that if either of the keys in + /etc/bind.keys is revoked and rolled over, it will be necessary to update /etc/bind.keys to use DNSSEC validation in delv. @@ -625,6 +628,6 @@

    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 7b3cba69c0..6f944399ed 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -815,8 +815,10 @@ in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when - the +nssearch or - +trace query options are used. + using the +nssearch option, and + when using +trace except for + an initial recursive query to get the list of root + servers.

    +retry=T
    @@ -1158,6 +1160,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html
index c91a119799..1306fb0b73 100644
--- a/doc/arm/man.dnssec-cds.html
+++ b/doc/arm/man.dnssec-cds.html
@@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 8c8a2fdec3..f1b0ab8220 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -164,6 +164,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index a08c5a3cf1..659a868b3f 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -270,6 +270,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index f961dd0e70..5d3294a534 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -356,6 +356,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index edcd0c5327..cd5c516ccd 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -250,6 +250,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 9b1dbf343c..46493d20fe 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -498,6 +498,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index e4c6a1e495..8834541886 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -557,6 +557,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html
index 09ad9c1fb6..495a803b83 100644
--- a/doc/arm/man.dnssec-keymgr.html
+++ b/doc/arm/man.dnssec-keymgr.html
@@ -405,6 +405,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 3c7a230ad9..c36b4d833c 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -171,6 +171,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index dbe446cc54..7a0a73060c 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -349,6 +349,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 3c146b9177..7b4622fc25 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -701,6 +701,6 @@ db.example.com.signed -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 6b719b6f58..6490261123 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -202,6 +202,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html
index 140f68b5cb..9ab4e7d3a4 100644
--- a/doc/arm/man.dnstap-read.html
+++ b/doc/arm/man.dnstap-read.html
@@ -143,6 +143,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html
index 19c6798215..b716c8defb 100644
--- a/doc/arm/man.filter-aaaa.html
+++ b/doc/arm/man.filter-aaaa.html
@@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 4ddefaed57..9e2a684739 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -366,6 +366,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html
index 9a9c0a7827..0782f57b2f 100644
--- a/doc/arm/man.mdig.html
+++ b/doc/arm/man.mdig.html
@@ -604,6 +604,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 335deaebba..433a91350d 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -208,6 +208,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index c9226b1fe2..4a27a8ab0c 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -463,6 +463,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index afe2ee1bc4..c0a984dc52 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -117,6 +117,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html
index aae22fa819..69795f8029 100644
--- a/doc/arm/man.named-nzd2nzf.html
+++ b/doc/arm/man.named-nzd2nzf.html
@@ -119,6 +119,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 0e6d979429..c5e3582f18 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -121,6 +121,6 @@
-

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index 8206022347..62be52c999 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -77,7 +77,6 @@

    ACL

    -


    acl string { address_match_element; ... };

    @@ -85,7 +84,6 @@ acl

    CONTROLS

    -


    controls {
    inet ( ipv4_address | ipv6_address |
    @@ -103,7 +101,6 @@ controls

    DLZ

    -


    dlz string {
    database string;
    @@ -113,8 +110,16 @@ dlz

    -

    DYNDB

    +

    DNSSEC-KEYS

    +


    +dnssec-keys { string ( static-key |
    +    initial-key ) integer integer integer
    +    quoted_string; ... };
    +

    +
    +
    +

    DYNDB


    dyndb string quoted_string {
        unspecified-text };
    @@ -122,8 +127,7 @@ dyndb

    -

    KEY

    - +

    KEY


    key string {
    algorithm string;
    @@ -133,8 +137,7 @@ key

    -

    LOGGING

    - +

    LOGGING


    logging {
    category string { string; ... };
    @@ -156,17 +159,17 @@ logging

    -

    MANAGED-KEYS

    - +

    MANAGED-KEYS

    +

    See DNSSEC-KEYS.


    -managed-keys { string string integer
    -    integer integer quoted_string; ... };
    +managed-keys { string ( static-key |
    +    initial-key ) integer integer integer
    +    quoted_string; ... };

    -

    MASTERS

    - +

    MASTERS


    masters string [ port integer ] [ dscp
        integer ] { ( masters | ipv4_address [
    @@ -176,8 +179,7 @@ masters

    -

    OPTIONS

    - +

    OPTIONS


    options {
    allow-new-zones boolean;
    @@ -256,7 +258,6 @@ options dnsrps-options { unspecified-text };
    dnssec-accept-expired boolean;
    dnssec-dnskey-kskonly boolean;
    - dnssec-enable boolean;
    dnssec-loadkeys-interval integer;
    dnssec-lookaside ( string trust-anchor
        string | auto | no );
    @@ -408,11 +409,12 @@ options resolver-retry-interval integer;
    response-padding { address_match_element; ... } block-size
        integer;
    - response-policy { zone string [ log boolean ] [ max-policy-ttl
    -     ttlval ] [ min-update-interval ttlval ] [ policy ( cname |
    -     disabled | drop | given | no-op | nodata | nxdomain | passthru
    -     | tcp-only quoted_string ) ] [ recursive-only boolean ] [
    -     nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [
    + response-policy { zone string [ add-soa boolean ] [ log
    +     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
    +     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
    +     nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
    +     recursive-only boolean ] [ nsip-enable boolean ] [
    +     nsdname-enable boolean ]; ... } [ add-soa boolean ] [
        break-dnssec boolean ] [ max-policy-ttl ttlval ] [
        min-update-interval ttlval ] [ min-ns-dots integer ] [
        nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
    @@ -479,8 +481,7 @@ options

    -

    PLUGIN

    - +

    PLUGIN


    plugin ( query ) string [ { unspecified-text
        } ];
    @@ -488,8 +489,7 @@ plugin

    -

    SERVER

    - +

    SERVER


    server netprefix {
    bogus boolean;
    @@ -527,8 +527,7 @@ server

    -

    STATISTICS-CHANNELS

    - +

    STATISTICS-CHANNELS


    statistics-channels {
    inet ( ipv4_address | ipv6_address |
    @@ -540,17 +539,17 @@ statistics-channels

    -

    TRUSTED-KEYS

    - +

    TRUSTED-KEYS

    +

    Deprecated - see DNSSEC-KEYS.


    -trusted-keys { string integer integer
    -    integer quoted_string; ... };
    +trusted-keys { string integer
    +    integer integer
    +    quoted_string; ... };, deprecated

    -

    VIEW

    - +

    VIEW


    view string [ class ] {
    allow-new-zones boolean;
    @@ -622,7 +621,9 @@ view dnsrps-options { unspecified-text };
    dnssec-accept-expired boolean;
    dnssec-dnskey-kskonly boolean;
    - dnssec-enable boolean;
    + dnssec-keys { string ( static-key |
    +     initial-key ) integer integer
    +     integer quoted_string; ... };
    dnssec-loadkeys-interval integer;
    dnssec-lookaside ( string trust-anchor
        string | auto | no );
    @@ -660,9 +661,9 @@ view key-directory quoted_string;
    lame-ttl ttlval;
    lmdb-mapsize sizeval;
    - managed-keys { string string
    -     integer integer integer
    -     quoted_string; ... };
    + managed-keys { string ( static-key |
    +     initial-key ) integer integer
    +     integer quoted_string; ... };
    masterfile-format ( map | raw | text );
    masterfile-style ( full | relative );
    match-clients { address_match_element; ... };
    @@ -745,11 +746,12 @@ view resolver-retry-interval integer;
    response-padding { address_match_element; ... } block-size
        integer;
    - response-policy { zone string [ log boolean ] [ max-policy-ttl
    -     ttlval ] [ min-update-interval ttlval ] [ policy ( cname |
    -     disabled | drop | given | no-op | nodata | nxdomain | passthru
    -     | tcp-only quoted_string ) ] [ recursive-only boolean ] [
    -     nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [
    + response-policy { zone string [ add-soa boolean ] [ log
    +     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
    +     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
    +     nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
    +     recursive-only boolean ] [ nsip-enable boolean ] [
    +     nsdname-enable boolean ]; ... } [ add-soa boolean ] [
        break-dnssec boolean ] [ max-policy-ttl ttlval ] [
        min-update-interval ttlval ] [ min-ns-dots integer ] [
        nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
    @@ -811,9 +813,10 @@ view transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
        ] [ dscp integer ];
    trust-anchor-telemetry boolean; // experimental
    - trusted-keys { string integer
    -     integer integer quoted_string;
    -     ... };
    + trusted-keys { string
    +     integer integer
    +     integer
    +     quoted_string; ... };, deprecated
    try-tcp-refresh boolean;
    update-check-ksk boolean;
    use-alt-transfer-source boolean;
    @@ -925,8 +928,7 @@ view

    -

    ZONE

    - +

    ZONE


    zone string [ class ] {
    allow-notify { address_match_element; ... };
    @@ -1025,14 +1027,14 @@ zone

    -

    FILES

    +

    FILES

    /etc/named.conf

    -

    SEE ALSO

    +

    SEE ALSO

    ddns-confgen(8) @@ -1073,6 +1075,6 @@ zone

    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 909f645a0e..169fd4c8c7 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -492,6 +492,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 55e3b650fd..e215f5ea83 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -155,6 +155,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html
index 488d9c8b6d..c9fad58876 100644
--- a/doc/arm/man.nslookup.html
+++ b/doc/arm/man.nslookup.html
@@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 1df56750a3..f0f66ee6ee 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -818,6 +818,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html
index a755b33438..f29e18d4b8 100644
--- a/doc/arm/man.pkcs11-destroy.html
+++ b/doc/arm/man.pkcs11-destroy.html
@@ -162,6 +162,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html
index b9d2b8a78d..a5fe429995 100644
--- a/doc/arm/man.pkcs11-keygen.html
+++ b/doc/arm/man.pkcs11-keygen.html
@@ -200,6 +200,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html
index 2bd15a4069..e11401f459 100644
--- a/doc/arm/man.pkcs11-list.html
+++ b/doc/arm/man.pkcs11-list.html
@@ -158,6 +158,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html
index 05d1c1509f..e344f6e72f 100644
--- a/doc/arm/man.pkcs11-tokens.html
+++ b/doc/arm/man.pkcs11-tokens.html
@@ -123,6 +123,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 26951c3a0f..42c84ad26f 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -260,6 +260,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 032eb09d4a..abf5b4d00a 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -268,6 +268,6 @@
    -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index fdabd265c7..91aa324bc0 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -394,7 +394,7 @@
    managed-keys (status | refresh | sync | destroy) [class [view]]

    - Inspect and control the "managed-keys" database which + Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance. If a view is specified, these commands are applied to that view; otherwise they are applied to all views. @@ -403,14 +403,14 @@

  • When run with the status keyword, prints - the current status of the managed-keys database. + the current status of the managed keys database.

  • When run with the refresh keyword, forces an immediate refresh query to be sent for all - the managed keys, updating the managed-keys database + the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval.

    @@ -418,7 +418,7 @@
  • When run with the sync keyword, forces an - immediate dump of the managed-keys database to disk + immediate dump of the managed keys database to disk (in the file managed-keys.bind or (viewname.mkeys). This synchronizes the database with its journal file, so @@ -429,7 +429,7 @@

  • When run with the destroy keyword, the - managed-keys database is shut down and deleted, and all key + managed keys database is shut down and deleted, and all key maintenance is terminated. This command should be used only with extreme caution.

    @@ -669,9 +669,10 @@

    Dump the security roots (i.e., trust anchors - configured via trusted-keys, - managed-keys, or - dnssec-validation auto) and negative trust + configured via dnssec-keys statements, + or the synonymous managed-keys or + the deprecated trusted-keys statements, or + via dnssec-validation auto) and negative trust anchors for the specified views. If no view is specified, all views are dumped. Security roots will indicate whether they are configured as trusted keys, managed keys, or @@ -921,7 +922,7 @@

    List the names of all TSIG keys currently configured for use by named in each view. The - list both statically configured keys and dynamic + list includes both statically configured keys and dynamic TKEY-negotiated keys.

    @@ -1017,6 +1018,6 @@
  • -

    BIND 9.15.0 (Development Release)

    +

    BIND 9.15.1 (Development Release)

diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 06e7a28619..997c22fb48 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.15.0

    +Release Notes for BIND Version 9.15.1

    @@ -105,7 +105,15 @@

    The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. (CVE-2018-5743) [GL #615] + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] +

    + +
  • +

    + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942]

  • @@ -114,37 +122,76 @@

    New Features

    -
    • +
        +
      • +

        + In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. +

        +

        + When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. +

        +

        + When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] +

        +
      • +
      • The new add-soa option specifies whether or not the response-policy zone's SOA record should be included in the additional section of RPZ responses. [GL #865]

        -
      +
    • +

    Removed Features

    -
    • +
        +
      • The dnssec-enable option has been deprecated and no longer has any effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866]

        -
      +
    • +
    • +

      + The cleaning-interval option has been + removed. [GL !1731] +

      +
    • +

    Feature Changes

      +
    • +

      + named will now log a warning if + a static key is configured for the root zone, or if + any key is configured for "dlv.isc.org", which has been shut + down. [GL #6] +

      +
    • - When trusted-keys and - managed-keys were both configured for the - same name, or when trusted-keys was used to + When static and managed DNSSEC keys were both configured for the + same name, or when a static key was used to configure a trust anchor for the root zone and dnssec-validation was set to the default value of auto, automatic RFC 5011 key @@ -169,13 +216,26 @@ dnssec-checkds.

    • +
    • +

      + JSON-C is now the only supported library for enabling JSON + support for BIND statistics. The configure + option has been renamed from --with-libjson + to --with-json-c. Use + PKG_CONFIG_PATH to specify a custom path to + the json-c library as the new + configure option does not take the library + installation path as an optional argument. +

      +

    Bug Fixes

    -
    • +
        +
      • The allow-update and allow-update-forwarding options were @@ -184,14 +244,26 @@ This has now been corrected. [GL #913]

        -
      +
    • +
    • +

      + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +

      +
    • +

    License

    - BIND is open source software licenced under the terms of the Mozilla + BIND is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text).

diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index 809031997c..4f31220a1e 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt
index 6c7b822d83..808e1c8478 100644
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.15.0 +Release Notes for BIND Version 9.15.1 Introduction
@@ -57,10 +57,27 @@ Security Fixes * The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to exhaustion of file - descriptors. (CVE-2018-5743) [GL #615] + descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615] + + * A race condition could trigger an assertion failure when a large + number of incoming packets were being rejected. This flaw is disclosed + in CVE-2019-6471. [GL #942] New Features + * In order to clarify the configuration of DNSSEC keys, the trusted-keys + and managed-keys statements have been deprecated, and the new + dnssec-keys statement should now be used for both types of key. + + When used with the keyword initial-key, dnssec-keys has the same + behavior as managed-keys, i.e., it configures a trust anchor that is + to be maintained via RFC 5011. + + When used with the new keyword static-key, it has the same behavior as + trusted-keys, configuring a permanent trust anchor that will not + automatically be updated. (This usage is not recommended for the root + key.) [GL #6] + + * The new add-soa option specifies whether or not the response-policy zone's SOA record should be included in the additional section of RPZ responses. [GL #865]
@@ -71,10 +88,16 @@ Removed Features effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866] + * The cleaning-interval option has been removed. [GL !1731] + Feature Changes - * When trusted-keys and managed-keys were both configured for the same - name, or when trusted-keys was used to configure a trust anchor for + * named will now log a warning if a static key is configured for the + root zone, or if any key is configured for "dlv.isc.org", which has + been shut down. [GL #6] + + * When static and managed DNSSEC keys were both configured for the same + name, or when a static key was used to configure a trust anchor for the root zone and dnssec-validation was set to the default value of auto, automatic RFC 5011 key rollovers would be disabled. This combination of settings was never intended to work, but there was no 
@@ -89,15 +112,28 @@ Feature Changes "sync" timing parameters in key files, and the checks performed by dnssec-checkds. + * JSON-C is now the only supported library for enabling JSON support for + BIND statistics. The configure option has been renamed from + --with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a + custom path to the json-c library as the new configure option does not + take the library installation path as an optional argument. + Bug Fixes * The allow-update and allow-update-forwarding options were inadvertently treated as configuration errors when used at the options or view level. This has now been corrected. [GL #913] + * When qname-minimization was set to relaxed, some improperly configured + domains would fail to resolve, but would have succeeded when + minimization was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering the + problem. [GL #1055] + License
-BIND is open source software licenced under the terms of the Mozilla
+BIND is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text). The license requires that if you make changes to BIND and distribute them
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 6d897437ba..d076e5cbd3 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -113,6 +113,28 @@
New Features + + + In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. + + + When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. + + + When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] + + The new add-soa option specifies whether
@@ -144,19 +166,6 @@
Feature Changes - - - The new dnssec-keys statement can now be - used to configure all DNSSEC trust anchors. The older - managed-keys statement is a synonym for - dnssec-keys, retained for backward - compatibility. Both statements can now use the - keyword static-key in place of - initial-key if it is necessary to - configure trusted keys for which RFC 5011 trust anchor - maintenance is not to be used. [GL #6] - - named will now log a warning if
@@ -208,33 +217,6 @@
    -
    Removed Features - - - - In order to clarify the configuration of DNSSEC keys, - the trusted-keys and - managed-keys statement has been - deprecated. The new dnssec-keys should - be used for both types of keys. - - - When used with the keyword initial-key, - dnssec-keys has the same behavior as - managed-keys, i.e., it configures - a trust anchor that is to be maintained via RFC 5011. - - - When used with the new keyword static-key, it - has the same behavior as trusted-keys, - configuring a permanent trust anchor that will not automatically - be updated. This usage is not recommended for the root key. - [GL #6] - - - -
    -
Bug Fixes
@@ -247,6 +229,17 @@ [GL #913] + + + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] + +
diff --git a/doc/misc/options b/doc/misc/options
index 216d85af79..eef44aa0fb 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -51,9 +51,10 @@ logging { lwres { }; // obsolete, may occur multiple times
-managed-keys { ( static-key | - initial-key ) - ; ... }; // may occur multiple times
+managed-keys { ( static-key + | initial-key ) + + ; ... }; // may occur multiple times, deprecated masters [ port ] [ dscp ] { ( | [
@@ -110,7 +111,7 @@ options { check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard ; - cleaning-interval ; + cleaning-interval ; // obsolete clients-per-query ; cookie-algorithm ( aes | sha1 | sha256 ); cookie-secret ; // may occur multiple times
@@ -212,7 +213,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); maintain-ixfr-base ; // ancient managed-keys-directory ;
@@ -487,7 +488,7 @@ view [ ] { check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard ; - cleaning-interval ; + cleaning-interval ; // obsolete clients-per-query ; deny-answer-addresses { ; ... } [ except-from { ; ... } ];
@@ -562,11 +563,13 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; + lmdb-mapsize ; // non-operational maintain-ixfr-base ; // ancient - managed-keys { ( static-key | - initial-key ) - ; ... }; // may occur multiple times + managed-keys { ( + static-key | initial-key + ) + + ; ... }; // may occur multiple times, deprecated masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); match-clients { ; ... };
diff --git a/lib/dns/api b/lib/dns/api
index c7836b219a..c72183594a 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1500
+LIBINTERFACE = 1501
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/irs/api b/lib/irs/api
index c7836b219a..b48f390b63 100644
--- a/lib/irs/api
+++ b/lib/irs/api
@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1500
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index c7836b219a..c72183594a 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1500
+LIBINTERFACE = 1501
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/ns/api b/lib/ns/api
index c7836b219a..b48f390b63 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1500
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/version b/version
index 1147427fb0..ee2badef05 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=15
-PATCHVER=0
+PATCHVER=1
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=