diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index a7eafff72a..c43bbc162a 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -54,7 +54,7 @@sync
[-clean]
@@ -878,7 +884,7 @@ controls {
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index c0888cec37..454caf4bb5 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -49,59 +49,43 @@
Dynamic Update
- The journal file
Incremental Zone Transfers (IXFR)
-Split DNS
-- Example split DNS setup
+Split DNS
+- Example split DNS setup
TSIG
-- Generate Shared Keys for Each Pair of Hosts
-- Copying the Shared Secret to Both Machines
-- Informing the Servers of the Key's Existence
-- Instructing the Server to Use the Key
-- TSIG Key Based Access Control
-- Errors
+- Generate Shared Keys for Each Pair of Hosts
+- Copying the Shared Secret to Both Machines
+- Informing the Servers of the Key's Existence
+- Instructing the Server to Use the Key
+- TSIG Key Based Access Control
+- Errors
-TKEY
-SIG(0)
+TKEY
+SIG(0)
DNSSEC
-- Generating Keys
-- Signing the Zone
-- Configuring Servers
-
-DNSSEC, Dynamic Zones, and Automatic Signing
-
-- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Generating Keys
+- Signing the Zone
+- Configuring Servers
Dynamic Trust Anchor Management
-- Validating Resolver
-- Authoritative Server
+- Validating Resolver
+- Authoritative Server
PKCS #11 (Cryptoki) support
-- Prerequisites
-- Building BIND 9 with PKCS#11
-- PKCS #11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Building BIND 9 with PKCS#11
+- PKCS #11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
-IPv6 Support in BIND 9
+IPv6 Support in BIND 9
-- Address Lookups Using AAAA Records
-- Address to Name Lookups Using Nibble Format
+- Address Lookups Using AAAA Records
+- Address to Name Lookups Using Nibble Format
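Review bot: The contents list loses the "DNSSEC, Dynamic Zones, and Automatic Signing" entry and all of its sub-entries ("Converting from insecure to secure" through "NSEC3 and OPTOUT"), and nothing is added in their place. The rendered chapter therefore no longer links to any guidance on automatic signing or key rollovers. If that section is meant to stay in the manual, this looks like a side effect of the later body hunk that leaves an empty `<xi:include></xi:include>`, and the contents list should be regenerated once that include resolves. If the removal is deliberate, the commit message should say where the material moved.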
@@ -256,7 +240,7 @@
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -286,7 +270,7 @@
Let's say a company named Example, Inc.
(example.com
)
@@ -543,7 +527,7 @@ nameserver 172.16.72.4
A shared secret is generated to be shared between host1 and host2.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -551,7 +535,7 @@ nameserver 172.16.72.4
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
@@ -575,7 +559,7 @@ nameserver 172.16.72.4
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -590,7 +574,7 @@ nameserver 172.16.72.4
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -598,7 +582,7 @@ nameserver 172.16.72.4
Imagine host1 and host 2
are
@@ -625,7 +609,7 @@ key host1-host2. {
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the named.conf
file
@@ -657,7 +641,7 @@ server 10.1.2.3 {
BIND allows IP addresses and ranges
to be specified in ACL
@@ -684,7 +668,7 @@ allow-update { key host1-host2. ;};
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -710,7 +694,7 @@ allow-update { key host1-host2. ;};
TKEY
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@@ -746,7 +730,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -807,7 +791,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to
generate keys.
@@ -863,7 +847,7 @@ allow-update { key host1-host2. ;};
The dnssec-signzone program is used
to sign a zone.
@@ -905,7 +889,7 @@ allow-update { key host1-host2. ;};
To enable named to respond appropriately
to DNS requests from DNSSEC aware clients,
@@ -1058,248 +1042,7 @@ options {
-
-
-As of BIND 9.7.0 it is possible to change a dynamic zone
- from insecure to signed and back again. A secure zone can use
- either NSEC or NSEC3 chains.
-
-Changing a zone from insecure to secure can be done in two
- ways: using a dynamic DNS update, or the
- auto-dnssec zone option.
-For either method, you need to configure
- named so that it can see the
- K*
files which contain the public and private
- parts of the keys that will be used to sign the zone. These files
- will have been generated by
- dnssec-keygen. You can do this by placing them
- in the key-directory, as specified in
- named.conf
:
-
- zone example.net {
- type master;
- update-policy local;
- file "dynamic/example.net/example.net";
- key-directory "dynamic/example.net";
- };
-
-If one KSK and one ZSK DNSKEY key have been generated, this
- configuration will cause all records in the zone to be signed
- with the ZSK, and the DNSKEY RRset to be signed with the KSK as
- well. An NSEC chain will be generated as part of the initial
- signing process.
-
-To insert the keys via dynamic update:
-
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > send
-
-While the update request will complete almost immediately,
- the zone will not be completely signed until
- named has had time to walk the zone and
- generate the NSEC and RRSIG records. The NSEC record at the apex
- will be added last, to signal that there is a complete NSEC
- chain.
-If you wish to sign using NSEC3 instead of NSEC, you should
- add an NSEC3PARAM record to the initial update request. If you
- wish the NSEC3 chain to have the OPTOUT bit set, set it in the
- flags field of the NSEC3PARAM record.
-
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > update add example.net NSEC3PARAM 1 1 100 1234567890
- > send
-
-Again, this update request will complete almost
- immediately; however, the record won't show up until
- named has had a chance to build/remove the
- relevant chain. A private type record will be created to record
- the state of the operation (see below for more details), and will
- be removed once the operation completes.
-While the initial signing and NSEC/NSEC3 chain generation
- is happening, other updates are possible as well.
-
-To enable automatic signing, add the
- auto-dnssec option to the zone statement in
- named.conf
.
- auto-dnssec has two possible arguments:
- allow
or
- maintain
.
-With
- auto-dnssec allow,
- named can search the key directory for keys
- matching the zone, insert them into the zone, and use them to
- sign the zone. It will do so only when it receives an
- rndc sign <zonename> or
- rndc loadkeys <zonename> command.
-
-
- auto-dnssec maintain includes the above
- functionality, but will also automatically adjust the zone's
- DNSKEY records on schedule according to the keys' timing metadata.
- (See dnssec-keygen(8) and
- dnssec-settime(8) for more information.)
- If keys are present in the key directory the first time the zone
- is loaded, it will be signed immediately, without waiting for an
- rndc sign or rndc loadkeys
- command. (Those commands can still be used when there are unscheduled
- key changes, however.)
-
-Using the
- auto-dnssec option requires the zone to be
- configured to allow dynamic updates, by adding an
- allow-update or
- update-policy statement to the zone
- configuration. If this has not been done, the configuration will
- fail.
-
-The state of the signing process is signaled by
- private-type records (with a default type value of 65534). When
- signing is complete, these records will have a nonzero value for
- the final octet (for those records which have a nonzero initial
- octet).
-The private type record format: If the first octet is
- non-zero then the record indicates that the zone needs to be
- signed with the key matching the record, or that all signatures
- that match the record should be removed.
-
-
-
-
- algorithm (octet 1)
- key id in network order (octet 2 and 3)
- removal flag (octet 4)
- complete flag (octet 5)
-
-
-
-Only records flagged as "complete" can be removed via
- dynamic update. Attempts to remove other private type records
- will be silently ignored.
-If the first octet is zero (this is a reserved algorithm
- number that should never appear in a DNSKEY record) then the
- record indicates changes to the NSEC3 chains are in progress. The
- rest of the record contains an NSEC3PARAM record. The flag field
- tells what operation to perform based on the flag bits.
-
-
-
-
- 0x01 OPTOUT
- 0x80 CREATE
- 0x40 REMOVE
- 0x20 NONSEC
-
-
-
-
-As with insecure-to-secure conversions, rolling DNSSEC
- keys can be done in two ways: using a dynamic DNS update, or the
- auto-dnssec zone option.
-
- To perform key rollovers via dynamic update, you need to add
- the K*
files for the new keys so that
- named can find them. You can then add the new
- DNSKEY RRs via dynamic update.
- named will then cause the zone to be signed
- with the new keys. When the signing is complete the private type
- records will be updated so that the last octet is non
- zero.
-If this is for a KSK you need to inform the parent and any
- trust anchor repositories of the new KSK.
-You should then wait for the maximum TTL in the zone before
- removing the old DNSKEY. If it is a KSK that is being updated,
- you also need to wait for the DS RRset in the parent to be
- updated and its TTL to expire. This ensures that all clients will
- be able to verify at least one signature when you remove the old
- DNSKEY.
-The old DNSKEY can be removed via UPDATE. Take care to
- specify the correct key.
- named will clean out any signatures generated
- by the old key after the update completes.
-
-When a new key reaches its activation date (as set by
- dnssec-keygen or dnssec-settime),
- if the auto-dnssec zone option is set to
- maintain
, named will
- automatically carry out the key rollover. If the key's algorithm
- has not previously been used to sign the zone, then the zone will
- be fully signed as quickly as possible. However, if the new key
- is replacing an existing key of the same algorithm, then the
- zone will be re-signed incrementally, with signatures from the
- old key being replaced with signatures from the new key as their
- signature validity periods expire. By default, this rollover
- completes in 30 days, after which it will be safe to remove the
- old key from the DNSKEY RRset.
-
-Add the new NSEC3PARAM record via dynamic update. When the
- new NSEC3 chain has been generated, the NSEC3PARAM flag field
- will be zero. At this point you can remove the old NSEC3PARAM
- record. The old chain will be removed after the update request
- completes.
-
-To do this, you just need to add an NSEC3PARAM record. When
- the conversion is complete, the NSEC chain will have been removed
- and the NSEC3PARAM record will have a zero flag field. The NSEC3
- chain will be generated before the NSEC chain is
- destroyed.
-
-To do this, use nsupdate to
- remove all NSEC3PARAM records with a zero flag
- field. The NSEC chain will be generated before the NSEC3 chain is
- removed.
-
-To convert a signed zone to unsigned using dynamic DNS,
- delete all the DNSKEY records from the zone apex using
- nsupdate. All signatures, NSEC or NSEC3 chains,
- and associated NSEC3PARAM records will be removed automatically.
- This will take place after the update request completes.
- This requires the
- dnssec-secure-to-insecure option to be set to
- yes
in
- named.conf
.
-In addition, if the auto-dnssec maintain
- zone statement is used, it should be removed or changed to
- allow instead (or it will re-sign).
-
-
-In any secure zone which supports dynamic updates, named
- will periodically re-sign RRsets which have not been re-signed as
- a result of some update action. The signature lifetimes will be
- adjusted so as to spread the re-sign load over time rather than
- all at once.
-
-
- named only supports creating new NSEC3 chains
- where all the NSEC3 records in the zone have the same OPTOUT
- state.
- named supports UPDATES to zones where the NSEC3
- records in the chain have mixed OPTOUT state.
- named does not support changing the OPTOUT
- state of an individual NSEC3 record, the entire chain needs to be
- changed if the OPTOUT state of an individual NSEC3 needs to be
- changed.
-
-
+<xi:include></xi:include>
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
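Review bot: The added line `<xi:include></xi:include>` is an empty, unexpanded include (no href as shown) sitting where about 240 lines of the "DNSSEC, Dynamic Zones, and Automatic Signing" text are removed. The generated HTML now ships with no content for auto-dnssec, private-type records, DNSKEY and NSEC3PARAM rollovers, or the dnssec-secure-to-insecure requirement. Generated HTML should not carry a literal xi:include element, so regenerate this file with XInclude processing enabled so that the section is rendered inline. If the removal is intended, drop the element and point to the new location of the text. The removed passage is where operators are told to wait for the maximum TTL and for the parent DS RRset to update before removing an old DNSKEY, so losing it from the rendered manual makes a broken rollover more likely.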
@@ -1320,7 +1063,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1394,7 +1137,7 @@ $ dnssec-signzone -S -K keys example.net
<
Debian Linux, Solaris x86 and Windows Server 2003.
See the HSM vendor documentation for information about
installing, initializing, testing and troubleshooting the
HSM.
@@ -1468,7 +1211,7 @@ $ patch -p1 -d openssl-0.9.8l \
when we configure BIND 9.
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
can carry out cryptographic operations, but it is probably
@@ -1500,7 +1243,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS #11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
times faster than any CPU, so the flavor shall be
@@ -1544,12 +1287,12 @@ $ ./Configure solaris64-x86_64-cc \
When building BIND 9, the location of the custom-built
OpenSSL library must be specified via configure.
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
The PKCS #11 library for the AEP Keyper is currently
@@ -1565,7 +1308,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
@@ -1588,7 +1331,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
BIND 9 includes a minimal set of tools to operate the
HSM, including
pkcs11-keygen to generate a new key pair
@@ -1606,7 +1349,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
First, we must set up the runtime environment so the
OpenSSL and PKCS #11 libraries can be loaded:
@@ -1694,7 +1437,7 @@ example.net.signed
The OpenSSL engine can be specified in
named and all of the BIND
dnssec-* tools by using the "-E
@@ -1715,7 +1458,7 @@ $ dnssec-signzone -E '' -S example.net
If you want
named to dynamically re-sign zones using HSM
keys, and/or to to sign new records inserted via nsupdate, then
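Review bot: The context sentence in this hunk reads "and/or to to sign new records inserted via nsupdate". The doubled "to" comes from the source text and is worth fixing there while this chapter is being regenerated.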
@@ -1751,7 +1494,7 @@ $ dnssec-signzone -E '' -S example.net
BIND 9 fully supports all currently
defined forms of IPv6 name to address and address to name
@@ -1789,7 +1532,7 @@ $ dnssec-signzone -E '' -S example.net
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -1808,7 +1551,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 0f2c5e8dc9..6aa45b8a95 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -45,13 +45,13 @@
Table of Contents
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 1629e53b14..b3dfc842bb 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -48,58 +48,58 @@
Configuration File Elements
Configuration File Grammar
-- acl Statement Grammar
+- acl Statement Grammar
- acl Statement Definition and
Usage
-- controls Statement Grammar
+- controls Statement Grammar
- controls Statement Definition and
Usage
-- include Statement Grammar
-- include Statement Definition and
+
- include Statement Grammar
+- include Statement Definition and
Usage
-- key Statement Grammar
-- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and
+
- key Statement Grammar
+- key Statement Definition and Usage
+- logging Statement Grammar
+- logging Statement Definition and
Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and
+
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and
Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and
Usage
- server Statement Grammar
- server Statement Definition and
Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and
+
- statistics-channels Statement Definition and
Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition
+
- trusted-keys Statement Definition
and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition
and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone
Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
-Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
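Review bot: Every -/+ pair in this contents hunk (for example "options Statement Grammar" and "Zone File") reads identically as shown, and several added lines are empty, so nothing here can be checked against an intended documentation change. If these are only regenerated link targets or whitespace from the doc build, say so in the commit message. Consider also keeping regenerated HTML in a separate commit from the source change, so that real content changes, such as the section dropped from chapter 4, stand out in review.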
@@ -477,7 +477,7 @@
Address Match Lists
address_match_list
= address_match_list_element ;
[ address_match_list_element; ... ]
address_match_list_element
= [ ! ] (ip_address [/length] |
@@ -486,7 +486,7 @@
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@@ -570,7 +570,7 @@
The BIND 9 comment syntax allows for
comments to appear
@@ -580,7 +580,7 @@
/* This is a BIND comment as in C */
@@ -596,7 +596,7 @@
Comments may appear anywhere that whitespace may appear in
a BIND configuration file.
@@ -850,7 +850,7 @@
acl acl-name {
address_match_list
};
@@ -932,7 +932,7 @@
controls {
[ inet ( ip_addr | * ) [ port ip_port ]
allow { address_match_list
}
@@ -1056,12 +1056,12 @@
include filename
;
The include statement inserts the
@@ -1076,7 +1076,7 @@
key key_id
{
algorithm string
;
secret string
;
@@ -1085,7 +1085,7 @@
The key statement defines a shared
secret key for use with TSIG (see the section called “TSIG”)
@@ -1132,7 +1132,7 @@
logging {
[ channel channel_name
{
( file path_name
@@ -1156,7 +1156,7 @@
The logging statement configures a
@@ -1190,7 +1190,7 @@
All log output goes to one or more channels;
you can make as many of them as you want.
@@ -1755,7 +1755,7 @@ category notify { null; };
The query-errors category is
specifically intended for debugging purposes: To identify
@@ -1983,7 +1983,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the lwres
statement in the named.conf
file:
@@ -1999,7 +1999,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The lwres statement configures the
name
@@ -2050,7 +2050,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
masters name
[port ip_port
] { ( masters_list
|
ip_addr
[port ip_port
] [key key
] ) ; [...] };
@@ -2058,7 +2058,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
masters
lists allow for a common set of masters to be easily used by
@@ -2068,7 +2068,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options
statement in the named.conf
file:
@@ -3701,7 +3701,7 @@ options {
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -3745,7 +3745,7 @@ options {
Dual-stack servers are used as servers of last resort to work
around
@@ -3956,7 +3956,7 @@ options {
The interfaces and ports that the server will answer queries
from may be specified using the listen-on option. listen-on takes
@@ -4424,7 +4424,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports,
avoid-v4-udp-ports,
@@ -4466,7 +4466,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -4628,7 +4628,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -5449,7 +5449,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter
out DNS responses from external DNS servers containing
@@ -5572,7 +5572,7 @@ deny-answer-aliases { "example.net"; };
BIND 9 includes an intentionally limited
mechanism to modify DNS responses for recursive requests
@@ -5910,7 +5910,7 @@ ns.domain.com.rpz-nsdname CNAME .
The statistics-channels statement
@@ -5970,7 +5970,7 @@ ns.domain.com.rpz-nsdname CNAME .
The trusted-keys statement defines
@@ -6010,7 +6010,7 @@ ns.domain.com.rpz-nsdname CNAME .
managed-keys {
string
initial-key number
number
number
string
;
[ string
initial-key number
number
number
string
; [...]]
@@ -6145,7 +6145,7 @@ ns.domain.com.rpz-nsdname CNAME .
The view statement is a powerful
feature
@@ -6443,10 +6443,10 @@ zone zone_name
[
@@ -6726,7 +6726,7 @@ zone zone_name
[
The zone's name may optionally be followed by a class. If
a class is not specified, class IN
(for Internet
),
@@ -6748,7 +6748,7 @@ zone zone_name
[
- allow-notify
@@ -7628,7 +7628,7 @@ example.com. NS ns2.example.net.
@@ -7641,7 +7641,7 @@ example.com. NS ns2.example.net.
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -8378,7 +8378,7 @@ example.com. NS ns2.example.net.
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -8581,7 +8581,7 @@ example.com. NS ns2.example.net.
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -8837,7 +8837,7 @@ example.com. NS ns2.example.net.
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -8898,7 +8898,7 @@ example.com. NS ns2.example.net.
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -8913,7 +8913,7 @@ example.com. NS ns2.example.net.
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@@ -8924,7 +8924,7 @@ example.com. NS ns2.example.net.
Syntax: $ORIGIN
domain-name
@@ -8953,7 +8953,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
@@ -8989,7 +8989,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $TTL
default-ttl
@@ -9008,7 +9008,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $GENERATE
range
@@ -9432,7 +9432,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9989,7 +9989,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -10143,7 +10143,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -10526,7 +10526,7 @@ HOST-127.EXAMPLE. MX 0 .
Socket I/O statistics counters are defined per socket
types, which are
@@ -10681,7 +10681,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available
in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 8f75a8d535..98de6f58b5 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -46,10 +46,10 @@
Table of Contents
@@ -122,7 +122,7 @@ zone "example.com" {
On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
In order for a chroot environment
to
@@ -176,7 +176,7 @@ zone "example.com" {
Prior to running the named daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index b230b84b1f..c75d6a9788 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
The Internet Systems Consortium
(ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 11d9f2bbdc..7f4dd9bbaa 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -45,31 +45,31 @@
Table of Contents
Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
@@ -278,42 +278,42 @@
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-[RFC3645] Generic Security Service Algorithm for Secret
+[RFC3645] Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG). October 2003.
@@ -322,19 +322,19 @@
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-[RFC4035] Protocol Modifications for the DNS
+[RFC4035] Protocol Modifications for the DNS
Security Extensions. March 2005.
@@ -342,146 +342,146 @@
Other Important RFCs About DNS
Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely
+[RFC1535] A Security Problem and Proposed Correction With Widely
Deployed DNS Software.. October 1993.
-[RFC1536] Common DNS Implementation
+[RFC1536] Common DNS Implementation
Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS
+[RFC4074] Common Misbehaviour Against DNS
Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using
+[RFC2168] Resolution of Uniform Resource Identifiers using
the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the
+[RFC1876] A Means for Expressing Location Information in the
Domain
Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the
+[RFC2052] A DNS RR for Specifying the
Location of
Services.. October 1996.
-[RFC2163] Using the Internet DNS to
+[RFC2163] Using the Internet DNS to
Distribute MIXER
Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names
+[RFC1101] DNS Encoding of Network Names
and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and
+[RFC1123] Requirements for Internet Hosts - Application and
Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide.. November 1987.
-[RFC1912] Common DNS Operational and
+[RFC1912] Common DNS Operational and
Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names,
+[RFC2825] A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols. May 2000.
-[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
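Review bot: The [RFC1033] entry under "DNS Operations" carries a doubled full stop ("Domain administrators operations guide.. November 1987.") on both the removed and the added line, so the regeneration republishes the defect. Every other removed/added pair in this hunk reads identically as text, which means the real change is in markup that is not visible here. Please fix the bibliography entry in the documentation source rather than in the generated HTML, and say in the commit message what the markup-only difference is.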
@@ -497,47 +497,47 @@
-[RFC1464] Using the Domain Name System To Store Arbitrary String
+[RFC1464] Using the Domain Name System To Store Arbitrary String
Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via
+[RFC3258] Distributing Authoritative Name Servers via
Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical
+[RFC1712] DNS Encoding of Geographical
Location. November 1994.
@@ -551,39 +551,39 @@
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC)
+[RFC3008] Domain Name System Security (DNSSEC)
Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record
+[RFC3757] Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag. April 2004.
-[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
@@ -604,14 +604,14 @@
-DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
@@ -648,7 +648,7 @@
GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
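Review bot: The context paragraph in this hunk has two wording errors that the regenerated page still ships: "other part of BIND 9" should be "other parts of BIND 9", and "In the reminder of this document" should be "In the remainder of this document". Since this file is generated, correct them in the manual source so the next regeneration picks them up.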
@@ -657,7 +657,7 @@
$ ./configure --enable-exportlib [other flags]
$ make
@@ -672,7 +672,7 @@ $ make
$ cd lib/export
$ make install
@@ -694,7 +694,7 @@ $ make install
Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
@@ -734,7 +734,7 @@ $ make
The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
@@ -752,14 +752,14 @@ $ make
Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
@@ -823,7 +823,7 @@ $ make
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
@@ -864,7 +864,7 @@ $ make
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
@@ -905,7 +905,7 @@ $ make
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -922,7 +922,7 @@ $ make
It accepts a single update command as a
command-line argument, sends an update request message to the
@@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
It checks a set
of domains to see the name servers of the domains behave
@@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index a3bad7fca5..989774bc61 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -83,7 +83,7 @@
Name Server Operations
4. Advanced DNS Features
@@ -92,64 +92,48 @@
Dynamic Update
Incremental Zone Transfers (IXFR)
-Split DNS
-
+Split DNS
+
TSIG
-- Generate Shared Keys for Each Pair of Hosts
-- Copying the Shared Secret to Both Machines
-- Informing the Servers of the Key's Existence
-- Instructing the Server to Use the Key
-- TSIG Key Based Access Control
-- Errors
+- Generate Shared Keys for Each Pair of Hosts
+- Copying the Shared Secret to Both Machines
+- Informing the Servers of the Key's Existence
+- Instructing the Server to Use the Key
+- TSIG Key Based Access Control
+- Errors
-TKEY
-SIG(0)
+TKEY
+SIG(0)
DNSSEC
-DNSSEC, Dynamic Zones, and Automatic Signing
-
-- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Generating Keys
+- Signing the Zone
+- Configuring Servers
Dynamic Trust Anchor Management
PKCS #11 (Cryptoki) support
-- Prerequisites
-- Building BIND 9 with PKCS#11
-- PKCS #11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Building BIND 9 with PKCS#11
+- PKCS #11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
-IPv6 Support in BIND 9
+IPv6 Support in BIND 9
5. The BIND 9 Lightweight Resolver
6. BIND 9 Configuration Reference
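Review bot: This hunk deletes the whole "DNSSEC, Dynamic Zones, and Automatic Signing" entry from the table of contents, together with its thirteen subsections (converting between insecure and secure, key rollovers, NSEC/NSEC3 conversion, periodic re-signing, NSEC3 and OPTOUT), and no added line replaces it. Only "Generating Keys", "Signing the Zone" and "Configuring Servers" come back under DNSSEC. Every other pair in the hunk is textually unchanged, so this stands out as a content loss rather than a markup refresh. Please confirm the section was intentionally removed from the manual source. If it was not, the HTML was probably built from a source tree that lacks it and should be regenerated before merging, because operators rely on that section for the signing and rollover procedures.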
@@ -157,58 +141,58 @@
Configuration File Elements
Configuration File Grammar
-- acl Statement Grammar
+- acl Statement Grammar
- acl Statement Definition and
Usage
-- controls Statement Grammar
+- controls Statement Grammar
- controls Statement Definition and
Usage
-- include Statement Grammar
-- include Statement Definition and
+
- include Statement Grammar
+- include Statement Definition and
Usage
-- key Statement Grammar
-- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and
+
- key Statement Grammar
+- key Statement Definition and Usage
+- logging Statement Grammar
+- logging Statement Definition and
Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and
+
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and
Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and
Usage
- server Statement Grammar
- server Statement Definition and
Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and
+
- statistics-channels Statement Definition and
Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition
+
- trusted-keys Statement Definition
and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition
and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone
Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
-Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
@@ -217,41 +201,41 @@
7. BIND 9 Security Considerations
8. Troubleshooting
A. Appendices
I. Manual pages
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 4414b0f13d..388d89fb34 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,20 +50,20 @@
arpaname
{ipaddress
...}
-DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index cd3adee7fa..cee90f0b33 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
ddns-confgen
[-a algorithm
] [-h
] [-k keyname
] [-r randomfile
] [ -s name
| -z zone
] [-q
] [name]
-DESCRIPTION
+DESCRIPTION
ddns-confgen
generates a key for use by nsupdate
and named. It simplifies configuration
@@ -77,7 +77,7 @@
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index f46a7d1e06..740269b4a3 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -52,7 +52,7 @@
dig
[global-queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -98,7 +98,7 @@
-OPTIONS
+OPTIONS
The -b
option sets the source IP address of the query
to address
. This must be a valid
@@ -248,7 +248,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -596,7 +596,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig
supports
@@ -642,7 +642,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -656,14 +656,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1),
named(8),
dnssec-keygen(8),
@@ -671,7 +671,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index e4060593df..408c77d5d2 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -51,14 +51,14 @@
dnssec-dsfromkey
{-s} [-1
] [-2
] [-a alg
] [-K directory
] [-l domain
] [-s
] [-c class
] [-f file
] [-A
] [-v level
] {dnsname}
-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii
or the full file name
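Review bot: In the FILES context of this hunk, "The keyfile can be designed by the key identification" should read "designated". The heading lines above it are the only lines touched, but the page is regenerated as a whole, so fix the wording in the dnssec-dsfromkey manual source and regenerate.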
@@ -159,13 +159,13 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -175,7 +175,7 @@
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 2914ea371b..cce88f5aa3 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
dnssec-keyfromlabel
{-l label
} [-3
] [-a algorithm
] [-A date/offset
] [-c class
] [-D date/offset
] [-E engine
] [-f flag
] [-G
] [-I date/offset
] [-k
] [-K directory
] [-L ttl
] [-n nametype
] [-P date/offset
] [-p protocol
] [-R date/offset
] [-t type
] [-v level
] [-y
] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -238,7 +238,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -277,7 +277,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -285,7 +285,7 @@
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 714a4feb7f..ca9e8bd99e 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
dnssec-keygen
[-a algorithm
] [-b keysize
] [-n nametype
] [-3
] [-A date/offset
] [-C
] [-c class
] [-D date/offset
] [-E engine
] [-e
] [-f flag
] [-G
] [-g generator
] [-h
] [-I date/offset
] [-i interval
] [-K directory
] [-L ttl
] [-k
] [-P date/offset
] [-p protocol
] [-q
] [-R date/offset
] [-r randomdev
] [-S key
] [-s strength
] [-t type
] [-v level
] [-z
] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -346,7 +346,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com
, the following command would be
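Review bot: The EXAMPLE context in this hunk still tells readers "To generate a 768-bit DSA key for the domain example.com", and the regenerated page republishes it unchanged. A 768-bit DSA key is well below an adequate size for DNSSEC signing, and readers tend to copy man page examples verbatim. Suggest updating the example in the dnssec-keygen manual source to a stronger algorithm and key size, as a follow-up if it is out of scope for this regeneration commit.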
@@ -413,7 +413,7 @@
-SEE ALSO
+SEE ALSO
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
@@ -422,7 +422,7 @@
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index e4abad9688..0c38a581b5 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
dnssec-revoke
[-hr
] [-v level
] [-K directory
] [-E engine
] [-f
] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-revoke
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 7975f832f7..1486d014a7 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
dnssec-settime
[-f
] [-K directory
] [-L ttl
] [-P date/offset
] [-A date/offset
] [-R date/offset
] [-I date/offset
] [-D date/offset
] [-h
] [-v level
] [-E engine
] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the -P
, -A
,
@@ -75,7 +75,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -196,7 +196,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the
timing metadata associated with a key.
@@ -222,7 +222,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -230,7 +230,7 @@
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index a058798daf..c6928224fe 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
dnssec-signzone
[-a
] [-c class
] [-d directory
] [-D
] [-E engine
] [-e end-time
] [-f output-file
] [-g
] [-h
] [-K directory
] [-k key
] [-l domain
] [-i interval
] [-I input-format
] [-j jitter
] [-N soa-serial-format
] [-o origin
] [-O output-format
] [-P
] [-p
] [-R
] [-r randomdev
] [-S
] [-s start-time
] [-T ttl
] [-t
] [-u
] [-v level
] [-X extended end-time
] [-x
] [-z
] [-3 salt
] [-H iterations
] [-A
] {zonefile} [key...]
-DESCRIPTION
+DESCRIPTION
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
-EXAMPLE
+EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -478,14 +478,14 @@ db.example.com.signed
%
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index abbedf22b8..3c61aab642 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
genrandom
[-n number
] {size
} {filename
}
-DESCRIPTION
+DESCRIPTION
genrandom
generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 758a034ddf..4a8ad9a5a3 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
host
[-aCdlnrsTwv
] [-c class
] [-N ndots
] [-R number
] [-t type
] [-W wait
] [-m flag
] [-4
] [-6
] {name} [server]
-DESCRIPTION
+DESCRIPTION
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -216,12 +216,12 @@
-SEE ALSO
+SEE ALSO
dig(1),
named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index a28cdc7ea2..860b9959f2 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
isc-hmac-fixup
{algorithm
} {secret
}
-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
-SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup
are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index ba4d20d4ca..2c1f5dc988 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
named-checkconf
[-h
] [-v
] [-j
] [-t directory
] {filename} [-p
] [-z
]
-DESCRIPTION
+DESCRIPTION
named-checkconf
checks the syntax, but not the semantics, of a
named configuration file. The file is parsed
@@ -70,7 +70,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index b084982233..50dec22f64 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -51,7 +51,7 @@
named-compilezone
[-d
] [-j
] [-q
] [-v
] [-c class
] [-C mode
] [-f format
] [-F format
] [-i mode
] [-k mode
] [-m mode
] [-n mode
] [-r mode
] [-s style
] [-t directory
] [-w directory
] [-D
] [-W mode
] {-o filename
} {zonename} {filename}
-DESCRIPTION
+DESCRIPTION
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 44bc0026b8..f23d6ef648 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
named-journalprint
{journal
}
-DESCRIPTION
+DESCRIPTION
named-journalprint
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 6b27747abf..d730fbfcbf 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
named
[-4
] [-6
] [-c config-file
] [-d debug-level
] [-E engine-name
] [-f
] [-g
] [-m flag
] [-n #cpus
] [-p port
] [-s
] [-S #max-socks
] [-t directory
] [-u user
] [-v
] [-V
] [-x cache-file
]
-DESCRIPTION
+DESCRIPTION
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -267,7 +267,7 @@
-CONFIGURATION
+CONFIGURATION
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -284,7 +284,7 @@
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 6a9ddb9d30..bc63634592 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -48,7 +48,7 @@
nsec3hash
{salt
} {algorithm
} {iterations
} {domain
}
-DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 73bc8e897c..4885b33db1 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
nsupdate
[-d
] [-D
] [[-g
] | [-o
] | [-l
] | [-y [hmac:]keyname:secret
] | [-k keyfile
]] [-t timeout
] [-u udptimeout
] [-r udpretries
] [-R randomdev
] [-v
] [filename]
-DESCRIPTION
+DESCRIPTION
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -210,7 +210,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 2c9cb2eb59..0f975a7cb2 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
rndc-confgen
[-a
] [-b keysize
] [-c keyfile
] [-h
] [-k keyname
] [-p port
] [-r randomfile
] [-s address
] [-t chrootdir
] [-u user
]
-DESCRIPTION
+DESCRIPTION
rndc-confgen
generates configuration files
for rndc. It can be used as a
@@ -66,7 +66,7 @@
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index c7cb7d20c9..ee6a02eb69 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
rndc.conf
-DESCRIPTION
+DESCRIPTION
rndc.conf
is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
-NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 9cf645bc23..66fe610dc8 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
rndc
[-b source-address
] [-c config-file
] [-k key-file
] [-s server
] [-p port
] [-V
] [-y key_id
] {command}