diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index da2623bb49..9c05c40c90 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -42,550 +42,7 @@

Appendix A. Release Notes

-
-

Table of Contents

-
-
Release Notes for BIND Version 9.11.0pre-alpha
-
-
Introduction
-
Download
-
Security Fixes
-
New Features
-
Feature Changes
-
Bug Fixes
-
End of Life
-
Thank You
-
-
-
-
-

-Release Notes for BIND Version 9.11.0pre-alpha

-
-

-Introduction

-

- This document summarizes changes since the last production release - of BIND on the corresponding major release branch. -

-
-
-

-Download

-

- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -

-
-
-

-Security Fixes

-
    -
  • -

    - On servers configured to perform DNSSEC validation using - managed trust anchors (i.e., keys configured explicitly - via managed-keys, or implicitly - via dnssec-validation auto; or - dnssec-lookaside auto;), revoking - a trust anchor and sending a new untrusted replacement - could cause named to crash with an - assertion failure. This could occur in the event of a - botched key rollover, or potentially as a result of a - deliberate attack if the attacker was in position to - monitor the victim's DNS traffic. -

    -

    - This flaw was discovered by Jan-Piet Mens, and is - disclosed in CVE-2015-1349. [RT #38344] -

    -
  • -
  • -

    - A flaw in delegation handling could be exploited to put - named into an infinite loop, in which - each lookup of a name server triggered additional lookups - of more name servers. This has been addressed by placing - limits on the number of levels of recursion - named will allow (default 7), and - on the number of queries that it will send before - terminating a recursive query (default 50). -

    -

    - The recursion depth limit is configured via the - max-recursion-depth option, and the query limit - via the max-recursion-queries option. -

    -

    - The flaw was discovered by Florian Maury of ANSSI, and is - disclosed in CVE-2014-8500. [RT #37580] -

    -
  • -
  • -

    - Two separate problems were identified in BIND's GeoIP code that - could lead to an assertion failure. One was triggered by use of - both IPv4 and IPv6 address families, the other by referencing - a GeoIP database in named.conf which was - not installed. Both are covered by CVE-2014-8680. [RT #37672] - [RT #37679] -

    -

    - A less serious security flaw was also found in GeoIP: changes - to the geoip-directory option in - named.conf were ignored when running - rndc reconfig. In theory, this could allow - named to allow access to unintended clients. -

    -
  • -
-
-
-

-New Features

-
    -
  • - The serial number of a dynamically updatable zone can - now be set using - rndc signing -serial number zonename. - This is particularly useful with inline-signing - zones that have been reset. Setting the serial number to a value - larger than that on the slaves will trigger an AXFR-style - transfer. -

  • -
  • - When answering recursive queries, SERVFAIL responses can now be - cached by the server for a limited time; subsequent queries for - the same query name and type will return another SERVFAIL until - the cache times out. This reduces the frequency of retries - when a query is persistently failing, which can be a burden - on recursive serviers. The SERVFAIL cache timeout is controlled - by servfail-ttl, which defaults to 10 seconds - and has an upper limit of 30. -

  • -
  • - The new rndc nta command can now be used to - set a "negative trust anchor" (NTA), disabling DNSSEC validation for - a specific domain; this can be used when responses from a domain - are known to be failing validation due to administrative error - rather than because of a spoofing attack. NTAs are strictly - temporary; by default they expire after one hour, but can be - configured to last up to one week. The default NTA lifetime - can be changed by setting the nta-lifetime in - named.conf. When added, NTAs are stored in a - file (viewname.nta) - in order to persist across restarts of the named server. -

  • -
  • - The EDNS Client Subnet (ECS) option is now supported for - authoritative servers; if a query contains an ECS option then - ACLs containing geoip or ecs - elements can match against the the address encoded in the option. - This can be used to select a view for a query, so that different - answers can be provided depending on the client network. -

  • -
  • - The EDNS EXPIRE option has been implemented on the client - side, allowing a slave server to set the expiration timer - correctly when transferring zone data from another slave - server. -

  • -
  • - A new masterfile-style zone option controls - the formatting of text zone files: When set to - full, the zone file will dumped in - single-line-per-record format. -

  • -
  • - dig +ednsopt can now be used to set - arbitrary EDNS options in DNS requests. -

  • -
  • - dig +ednsflags can now be used to set - yet-to-be-defined EDNS flags in DNS requests. -

  • -
  • - dig +[no]ednsnegotiation can now be used enable / - disable EDNS version negotiation. -

  • -
  • - dig +header-only can now be used to send - queries without a question section. -

  • -
  • - dig +ttlunits causes dig - to print TTL values with time-unit suffixes: w, d, h, m, s for - weeks, days, hours, minutes, and seconds. -

  • -
  • - dig +zflag can be used to set the last - unassigned DNS header flag bit. This bit in normally zero. -

  • -
  • - dig +dscp=value - can now be used to set the DSCP code point in outgoing query - packets. -

  • -
  • - serial-update-method can now be set to - date. On update, the serial number will - be set to the current date in YYYYMMDDNN format. -

  • -
  • - dnssec-signzone -N date also sets the serial - number to YYYYMMDDNN. -

  • -
  • - named -L filename - causes named to send log messages to the specified file by - default instead of to the system log. -

  • -
  • - The rate limiter configured by the - serial-query-rate option no longer covers - NOTIFY messages; those are now separately controlled by - notify-rate and - startup-notify-rate (the latter of which - controls the rate of NOTIFY messages sent when the server - is first started up or reconfigured). -

  • -
  • - The default number of tasks and client objects available - for serving lightweight resolver queries have been increased, - and are now configurable via the new lwres-tasks - and lwres-clients options in - named.conf. [RT #35857] -

  • -
  • - Log output to files can now be buffered by specifying - buffered yes; when creating a channel. -

  • -
  • - delv +tcp will exclusively use TCP when - sending queries. -

  • -
  • - named will now check to see whether - other name server processes are running before starting up. - This is implemented in two ways: 1) by refusing to start - if the configured network interfaces all return "address - in use", and 2) by attempting to acquire a lock on a file - specified by the lock-file option or - the -X command line option. The - default lock file is - /var/run/named/named.lock. - Specifying none will disable the lock - file check. -

  • -
  • - rndc delzone can now be applied to zones - which were configured in named.conf; - it is no longer restricted to zones which were added by - rndc addzone. (Note, however, that - this does not edit named.conf; the zone - must be removed from the configuration or it will return - when named is restarted or reloaded.) -

  • -
  • - rndc modzone can be used to reconfigure - a zone, using similar syntax to rndc addzone. -

  • -
  • - rndc showzone displays the current - configuration for a specified zone. -

  • -
  • -

    - Added server-side support for pipelined TCP queries. Clients - may continue sending queries via TCP while previous queries are - processed in parallel. Responses are sent when they are - ready, not necessarily in the order in which the queries were - received. -

    -

    - To revert to the former behavior for a particular - client address or range of addresses, specify the address prefix - in the "keep-response-order" option. To revert to the former - behavior for all clients, use "keep-response-order { any; };". -

    -
  • -
  • - The new mdig command is a version of - dig that sends multiple pipelined - queries and then waits for responses, instead of sending one - query and waiting the response before sending the next. [RT #38261] -

  • -
  • - To enable better monitoring and troubleshooting of RFC 5011 - trust anchor management, the new rndc managed-keys - can be used to check status of trust anchors or to force keys - to be refreshed. Also, the managed-keys data file now has - easier-to-read comments. [RT #38458] -

  • -
  • - An --enable-querytrace configure switch is - now available to enable very verbose query tracelogging. This - option can only be set at compile time. This option has a - negative performance impact and should be used only for - debugging. [RT #37520] -

  • -
  • - A new tcp-only option can be specified - in server statements to force - named to connect to the specified - server via TCP. [RT #37800] -

  • -
  • - The nxdomain-redirect option specifies - a DNS namespace to use for NXDOMAIN redirection. When a - recursive lookup returns NXDOMAIN, a second lookup is - initiated with the specified name appended to the query - name. This allows NXDOMAIN redirection data to be supplied - by multiple zones configured on the server or by recursive - queries to other servers. (The older method, using - a single type redirect zone, has - better average performance but is less flexible.) [RT #37989] -

  • -
-
-
-

-Feature Changes

-
    -
  • - ACLs containing geoip asnum elements were - not correctly matched unless the full organization name was - specified in the ACL (as in - geoip asnum "AS1234 Example, Inc.";). - They can now match against the AS number alone (as in - geoip asnum "AS1234";). -

  • -
  • - When using native PKCS#11 cryptography (i.e., - configure --enable-native-pkcs11) HSM PINs - of up to 256 characters can now be used. -

  • -
  • - NXDOMAIN responses to queries of type DS are now cached separately - from those for other types. This helps when using "grafted" zones - of type forward, for which the parent zone does not contain a - delegation, such as local top-level domains. Previously a query - of type DS for such a zone could cause the zone apex to be cached - as NXDOMAIN, blocking all subsequent queries. (Note: This - change is only helpful when DNSSEC validation is not enabled. - "Grafted" zones without a delegation in the parent are not a - recommended configuration.) -

  • -
  • - Update forwarding performance has been improved by allowing - a single TCP connection to be shared between multiple updates. -

  • -
  • - By default, nsupdate will now check - the correctness of hostnames when adding records of type - A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be - disabled with check-names no. -

  • -
  • - Added support for OPENPGPKEY type. -

  • -
  • - The names of the files used to store managed keys and added - zones for each view are no longer based on the SHA256 hash - of the view name, except when this is necessary because the - view name contains characters that would be incompatible with use - as a file name. For views whose names do not contain forward - slashes ('/'), backslashes ('\'), or capital letters - which - could potentially cause namespace collision problems on - case-insensitive filesystems - files will now be named - after the view (for example, internal.mkeys - or external.nzf). However, to ensure - consistent behavior when upgrading, if a file using the old - name format is found to exist, it will continue to be used. -

  • -
  • - "rndc" can now return text output of arbitrary size to - the caller. (Prior to this, certain commands such as - "rndc tsig-list" and "rndc zonestatus" could return - truncated output.) -

  • -
  • - Errors reported when running rndc addzone - (e.g., when a zone file cannot be loaded) have been clarified - to make it easier to diagnose problems. -

  • -
  • - When encountering an authoritative name server whose name is - an alias pointing to another name, the resolver treats - this as an error and skips to the next server. Previously - this happened silently; now the error will be logged to - the newly-created "cname" log category. -

  • -
  • - If named is not configured to validate the answer then - allow fallback to plain DNS on timeout even when we know - the server supports EDNS. This will allow the server to - potentially resolve signed queries when TCP is being - blocked. -

  • -
  • - Large inline-signing changes should be less disruptive. - Signature generation is now done incrementally; the number - of signatures to be generated in each quantum is controlled - by "sig-signing-signatures number;". - [RT #37927] -

  • -
  • - When retrying a query via TCP due to the first answer being - truncated, dig will now correctly send - the SIT (server identity token) value returned by the server - in the prior response. [RT #39047] -

  • -
  • - A alternative NXDOMAIN redirect method (nxdomain-redirect) - which allows the redirect information to be looked up from - a namespace on the Internet rather than requiring a zone - to be configured on the server is now available. -

  • -
  • - Retrieving the local port range from net.ipv4.ip_local_port_range - on Linux is now supported. -

  • -
-
-
-

-Bug Fixes

-
    -
  • - dig, host and - nslookup aborted when encountering - a name which, after appending search list elements, - exceeded 255 bytes. Such names are now skipped, but - processing of other names will continue. [RT #36892] -

  • -
  • - The error message generated when - named-checkzone or - named-checkconf -z encounters a - $TTL directive without a value has - been clarified. [RT #37138] -

  • -
  • - Semicolon characters (;) included in TXT records were - incorrectly escaped with a backslash when the record was - displayed as text. This is actually only necessary when there - are no quotation marks. [RT #37159] -

  • -
  • - When files opened for writing by named, - such as zone journal files, were referenced more than once - in named.conf, it could lead to file - corruption as multiple threads wrote to the same file. This - is now detected when loading named.conf - and reported as an error. [RT #37172] -

  • -
  • - When checking for updates to trust anchors listed in - managed-keys, named - now revalidates keys based on the current set of - active trust anchors, without relying on any cached - record of previous validation. [RT #37506] -

  • -
  • - Large-system tuning - (configure --with-tuning=large) caused - problems on some platforms by setting a socket receive - buffer size that was too large. This is now detected and - corrected at run time. [RT #37187] -

  • -
  • - When NXDOMAIN redirection is in use, queries for a name - that is present in the redirection zone but a type that - is not present will now return NOERROR instead of NXDOMAIN. -

  • -
  • - Due to an inadvertent removal of code in the previous - release, when named encountered an - authoritative name server which dropped all EDNS queries, - it did not always try plain DNS. This has been corrected. - [RT #37965] -

  • -
  • - A regression caused nsupdate to use the default recursive servers - rather than the SOA MNAME server when sending the UPDATE. -

  • -
  • - Adjusted max-recursion-queries to accommodate the smaller - initial packet sizes used in BIND 9.10 and higher when - contacting authoritative servers for the first time. -

  • -
  • - Built-in "empty" zones did not correctly inherit the - "allow-transfer" ACL from the options or view. [RT #38310] -

  • -
  • - Two leaks were fixed that could cause named - processes to grow to very large sizes. [RT #38454] -

  • -
  • - Fixed some bugs in RFC 5011 trust anchor management, - including a memory leak and a possible loss of state - information. [RT #38458] -

  • -
  • - Asynchronous zone loads were not handled correctly when the - zone load was already in progress; this could trigger a crash - in zt.c. [RT #37573] -

  • -
  • - A race during shutdown or reconfiguration could - cause an assertion failure in mem.c. [RT #38979] -

  • -
  • - Some answer formatting options didn't work correctly with - dig +short. [RT #39291] -

  • -
  • - A bug in the RPZ implementation could cause some policy - zones that did not specifically require recursion to be - treated as if they did; consequently, setting - qname-wait-recurse no; was - sometimes ineffective. This has been corrected. - In most configurations, behavioral changes due to this - fix will not be noticeable. [RT #39229] -

  • -
  • - A bug in RPZ could cause the server to crash if policy - zones were updated (e.g. via rndc reload - or an incoming zone transfer) while RPZ processing was still - ongoing for an active query. [RT #39415] -

  • -
-
-
-

-End of Life

-

- The end of life for BIND 9.11 is yet to be determined but - will not be before BIND 9.13.0 has been released for 6 months. - https://www.isc.org/downloads/software-support-policy/ -

-
-
-

-Thank You

-

- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -

-
-
+<xi:include></xi:include>
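Review bot: the only addition in this 550-line hunk is a bare `<xi:include></xi:include>` with no `href` visible, placed into rendered HTML (Bv9ARM.ch09.html). XInclude is a source-side mechanism that the stylesheet run is supposed to expand, so as committed the Release Notes appendix renders as an empty element and the Security Fixes text for CVE-2015-1349, CVE-2014-8500 and CVE-2014-8680 no longer appears in the built manual. Either regenerate this file with XInclude processing enabled so the notes content is present, or keep the include out of the generated HTML. While the removed text is being relocated, the typos it carried ("serviers", "the the", "will dumped in") are worth fixing in whatever source now supplies it.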
@@ -89,7 +89,7 @@

-Prerequisite

+Prerequisite

GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@

-Compilation

+Compilation
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -113,7 +113,7 @@ $ make
 
 

-Installation

+Installation
 $ cd lib/export
 $ make install
@@ -135,7 +135,7 @@ $ make install
 
 

-Known Defects/Restrictions

+Known Defects/Restrictions
  • Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $ make

-The dns.conf File

+The dns.conf File

The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $ make

-Sample Applications

+Sample Applications

Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $ make

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $ make

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $ make

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $ make

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

It accepts a single update command as a command-line argument, sends an update request message to the @@ -458,7 +458,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

It checks a set of domains to see the name servers of the domains behave @@ -515,7 +515,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-Library References

+Library References

As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index e0d3747305..66e573decc 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -239,19 +239,6 @@

Where Can I Get Help?
A. Release Notes
-
-
Release Notes for BIND Version 9.11.0pre-alpha
-
-
Introduction
-
Download
-
Security Fixes
-
New Features
-
Feature Changes
-
Bug Fixes
-
End of Life
-
Thank You
-
-
B. A Brief History of the DNS and BIND
C. General DNS Reference Information
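Review bot: this TOC hunk keeps the `A. Release Notes` entry but deletes every child under it (Introduction through Thank You), so in the rendered Bv9ARM.html Appendix A is now a heading with nothing beneath it. That matches the include in Bv9ARM.ch09.html not being expanded at build time; if the release notes are meant to stay in the manual, regenerate the TOC after the include resolves instead of committing it in this stripped state.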
@@ -268,13 +255,13 @@
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
I. Manual pages
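Review bot: every removed/added pair in this hunk (Prerequisite, Compilation, Installation, Known Defects/Restrictions, The dns.conf File, Sample Applications, Library References) has identical link text, so the change is in the href targets, i.e. the generated section anchors shifted when the release-notes content before them was removed. Anchors that renumber on each structural edit break external deep links and bookmarks into the published ARM; if these sections are linked from outside, give them explicit stable ids in the source so the generated HTML anchors stop moving.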
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 26dcf0468e..c943ce7833 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium
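Review bot: each -/+ pair in this hunk (DESCRIPTION, SEE ALSO, AUTHOR) is textually identical, so the diff is anchor-attribute churn rather than a content change, and the same pattern repeats in every man.*.html hunk that follows. Renumbered generated ids across a dozen files bury the actual change (the release-notes include) and make review harder; consider committing the regenerated man pages separately, or stating in the commit message that the ids were renumbered by the toolchain and carry no content change.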

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 347bf14229..9ab806031c 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -51,7 +51,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

-

DESCRIPTION

+

DESCRIPTION

tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -159,7 +159,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -167,7 +167,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 69a0a2ecc1..7904fba3f7 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -53,7 +53,7 @@

delv [queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of delv looks like:

@@ -151,7 +151,7 @@

-

OPTIONS

+

OPTIONS

-a anchor-file
@@ -285,7 +285,7 @@
-

QUERY OPTIONS

+

QUERY OPTIONS

delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -471,12 +471,12 @@

-

FILES

+

FILES

/etc/bind.keys

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 32ee51c6e2..2a53c1cd39 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -152,7 +152,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -280,7 +280,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -713,7 +713,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -759,7 +759,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -773,14 +773,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -788,7 +788,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 0c85eb3b5c..26a97a45ef 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

DESCRIPTION

+

DESCRIPTION

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -88,14 +88,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 0394de291d..9209bcf3c1 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

-

DESCRIPTION

+

DESCRIPTION

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@

-

OPTIONS

+

OPTIONS

-K directory

@@ -192,7 +192,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-checkds(8), dnssec-dsfromkey(8), @@ -201,7 +201,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index c32d1622d0..d2dcf8974e 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@

dnssec-dsfromkey [-h] [-V]

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -144,7 +144,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -159,7 +159,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -173,13 +173,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -189,7 +189,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 44f10c83e2..c5db0db577 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -51,7 +51,7 @@

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

-

DESCRIPTION

+

DESCRIPTION

dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-f filename
@@ -114,7 +114,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@

-

FILES

+

FILES

A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -151,7 +151,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 88d62f6f04..035b012f31 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -243,7 +243,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index a2e6b6b13d..ce8566fd3c 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -287,7 +287,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -361,7 +361,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -407,7 +407,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -428,7 +428,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -437,7 +437,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 2fe840339f..691fe69d00 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -109,14 +109,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index de63e52b2d..288ffa210e 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -76,7 +76,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -133,7 +133,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -212,7 +212,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -238,7 +238,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -246,7 +246,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 08f40034c3..6eeff08ecc 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -512,7 +512,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -542,14 +542,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 8b7204b093..e7a47406d4 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-c class

@@ -138,7 +138,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -146,7 +146,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index cb2b05e2ea..7c181e1a92 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@

genrandom [-n number] {size} (unknown)

-

DESCRIPTION

+

DESCRIPTION

genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@

-

ARGUMENTS

+

ARGUMENTS

-n number

@@ -77,14 +77,14 @@

-

SEE ALSO

+

SEE ALSO

rand(3), arc4random(3)

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 570e78cd3c..da156b3879 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -214,7 +214,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -228,12 +228,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 65ad060213..dc030345fc 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@

isc-hmac-fixup {algorithm} {secret}

-

DESCRIPTION

+

DESCRIPTION

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@

-

SECURITY CONSIDERATIONS

+

SECURITY CONSIDERATIONS

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 2104.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index f836fdff75..4a3734b22a 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@

named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-p] [-x] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -119,21 +119,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 5393040dc7..fa1c94cde8 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} (unknown)

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -305,14 +305,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -320,7 +320,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 09cf771bab..10903fcf32 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@

named-journalprint {journal}

-

DESCRIPTION

+

DESCRIPTION

named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), @@ -84,7 +84,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 5c6ac02c6e..760c826981 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -50,7 +50,7 @@

named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

-

DESCRIPTION

+

DESCRIPTION

named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 743953b2c4..bab011f76b 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -299,7 +299,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -320,7 +320,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -337,7 +337,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -350,7 +350,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -363,7 +363,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 4eeb879548..07b68a7bbf 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@

nsec3hash {salt} {algorithm} {iterations} {domain}

-

DESCRIPTION

+

DESCRIPTION

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@

-

ARGUMENTS

+

ARGUMENTS

salt

@@ -80,14 +80,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 5155.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index fe194fee69..488f9ae423 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [-L level] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -108,7 +108,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -242,7 +242,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -555,7 +555,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -609,7 +609,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -632,7 +632,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -647,7 +647,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 2492532d60..ab181e740b 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -180,7 +180,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -197,7 +197,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -205,7 +205,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 8cf0427826..d532ebf20e 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -220,7 +220,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -228,7 +228,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index d178ea1fa0..718f6a3ee6 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-r] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -158,7 +158,7 @@

-

COMMANDS

+

COMMANDS

A list of commands supported by rndc can be seen by running rndc without arguments. @@ -740,7 +740,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -750,7 +750,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -760,7 +760,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 234daebe04..c2670d314e 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -19,532 +19,5 @@ -
-

-Release Notes for BIND Version 9.11.0pre-alpha

-
-

-Introduction

-

- This document summarizes changes since the last production release - of BIND on the corresponding major release branch. -

-
-
-

-Download

-

- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -

-
-
-

-Security Fixes

-
    -
  • -

    - On servers configured to perform DNSSEC validation using - managed trust anchors (i.e., keys configured explicitly - via managed-keys, or implicitly - via dnssec-validation auto; or - dnssec-lookaside auto;), revoking - a trust anchor and sending a new untrusted replacement - could cause named to crash with an - assertion failure. This could occur in the event of a - botched key rollover, or potentially as a result of a - deliberate attack if the attacker was in position to - monitor the victim's DNS traffic. -

    -

    - This flaw was discovered by Jan-Piet Mens, and is - disclosed in CVE-2015-1349. [RT #38344] -

    -
  • -
  • -

    - A flaw in delegation handling could be exploited to put - named into an infinite loop, in which - each lookup of a name server triggered additional lookups - of more name servers. This has been addressed by placing - limits on the number of levels of recursion - named will allow (default 7), and - on the number of queries that it will send before - terminating a recursive query (default 50). -

    -

    - The recursion depth limit is configured via the - max-recursion-depth option, and the query limit - via the max-recursion-queries option. -

    -

    - The flaw was discovered by Florian Maury of ANSSI, and is - disclosed in CVE-2014-8500. [RT #37580] -

    -
  • -
  • -

    - Two separate problems were identified in BIND's GeoIP code that - could lead to an assertion failure. One was triggered by use of - both IPv4 and IPv6 address families, the other by referencing - a GeoIP database in named.conf which was - not installed. Both are covered by CVE-2014-8680. [RT #37672] - [RT #37679] -

    -

    - A less serious security flaw was also found in GeoIP: changes - to the geoip-directory option in - named.conf were ignored when running - rndc reconfig. In theory, this could allow - named to allow access to unintended clients. -

    -
  • -
-
-
-

-New Features

-
    -
  • - The serial number of a dynamically updatable zone can - now be set using - rndc signing -serial number zonename. - This is particularly useful with inline-signing - zones that have been reset. Setting the serial number to a value - larger than that on the slaves will trigger an AXFR-style - transfer. -

  • -
  • - When answering recursive queries, SERVFAIL responses can now be - cached by the server for a limited time; subsequent queries for - the same query name and type will return another SERVFAIL until - the cache times out. This reduces the frequency of retries - when a query is persistently failing, which can be a burden - on recursive serviers. The SERVFAIL cache timeout is controlled - by servfail-ttl, which defaults to 10 seconds - and has an upper limit of 30. -

  • -
  • - The new rndc nta command can now be used to - set a "negative trust anchor" (NTA), disabling DNSSEC validation for - a specific domain; this can be used when responses from a domain - are known to be failing validation due to administrative error - rather than because of a spoofing attack. NTAs are strictly - temporary; by default they expire after one hour, but can be - configured to last up to one week. The default NTA lifetime - can be changed by setting the nta-lifetime in - named.conf. When added, NTAs are stored in a - file (viewname.nta) - in order to persist across restarts of the named server. -

  • -
  • - The EDNS Client Subnet (ECS) option is now supported for - authoritative servers; if a query contains an ECS option then - ACLs containing geoip or ecs - elements can match against the the address encoded in the option. - This can be used to select a view for a query, so that different - answers can be provided depending on the client network. -

  • -
  • - The EDNS EXPIRE option has been implemented on the client - side, allowing a slave server to set the expiration timer - correctly when transferring zone data from another slave - server. -

  • -
  • - A new masterfile-style zone option controls - the formatting of text zone files: When set to - full, the zone file will dumped in - single-line-per-record format. -

  • -
  • - dig +ednsopt can now be used to set - arbitrary EDNS options in DNS requests. -

  • -
  • - dig +ednsflags can now be used to set - yet-to-be-defined EDNS flags in DNS requests. -

  • -
  • - dig +[no]ednsnegotiation can now be used enable / - disable EDNS version negotiation. -

  • -
  • - dig +header-only can now be used to send - queries without a question section. -

  • -
  • - dig +ttlunits causes dig - to print TTL values with time-unit suffixes: w, d, h, m, s for - weeks, days, hours, minutes, and seconds. -

  • -
  • - dig +zflag can be used to set the last - unassigned DNS header flag bit. This bit in normally zero. -

  • -
  • - dig +dscp=value - can now be used to set the DSCP code point in outgoing query - packets. -

  • -
  • - serial-update-method can now be set to - date. On update, the serial number will - be set to the current date in YYYYMMDDNN format. -

  • -
  • - dnssec-signzone -N date also sets the serial - number to YYYYMMDDNN. -

  • -
  • - named -L filename - causes named to send log messages to the specified file by - default instead of to the system log. -

  • -
  • - The rate limiter configured by the - serial-query-rate option no longer covers - NOTIFY messages; those are now separately controlled by - notify-rate and - startup-notify-rate (the latter of which - controls the rate of NOTIFY messages sent when the server - is first started up or reconfigured). -

  • -
  • - The default number of tasks and client objects available - for serving lightweight resolver queries have been increased, - and are now configurable via the new lwres-tasks - and lwres-clients options in - named.conf. [RT #35857] -

  • -
  • - Log output to files can now be buffered by specifying - buffered yes; when creating a channel. -

  • -
  • - delv +tcp will exclusively use TCP when - sending queries. -

  • -
  • - named will now check to see whether - other name server processes are running before starting up. - This is implemented in two ways: 1) by refusing to start - if the configured network interfaces all return "address - in use", and 2) by attempting to acquire a lock on a file - specified by the lock-file option or - the -X command line option. The - default lock file is - /var/run/named/named.lock. - Specifying none will disable the lock - file check. -

  • -
  • - rndc delzone can now be applied to zones - which were configured in named.conf; - it is no longer restricted to zones which were added by - rndc addzone. (Note, however, that - this does not edit named.conf; the zone - must be removed from the configuration or it will return - when named is restarted or reloaded.) -

  • -
  • - rndc modzone can be used to reconfigure - a zone, using similar syntax to rndc addzone. -

  • -
  • - rndc showzone displays the current - configuration for a specified zone. -

  • -
  • -

    - Added server-side support for pipelined TCP queries. Clients - may continue sending queries via TCP while previous queries are - processed in parallel. Responses are sent when they are - ready, not necessarily in the order in which the queries were - received. -

    -

    - To revert to the former behavior for a particular - client address or range of addresses, specify the address prefix - in the "keep-response-order" option. To revert to the former - behavior for all clients, use "keep-response-order { any; };". -

    -
  • -
  • - The new mdig command is a version of - dig that sends multiple pipelined - queries and then waits for responses, instead of sending one - query and waiting the response before sending the next. [RT #38261] -

  • -
  • - To enable better monitoring and troubleshooting of RFC 5011 - trust anchor management, the new rndc managed-keys - can be used to check status of trust anchors or to force keys - to be refreshed. Also, the managed-keys data file now has - easier-to-read comments. [RT #38458] -

  • -
  • - An --enable-querytrace configure switch is - now available to enable very verbose query tracelogging. This - option can only be set at compile time. This option has a - negative performance impact and should be used only for - debugging. [RT #37520] -

  • -
  • - A new tcp-only option can be specified - in server statements to force - named to connect to the specified - server via TCP. [RT #37800] -

  • -
  • - The nxdomain-redirect option specifies - a DNS namespace to use for NXDOMAIN redirection. When a - recursive lookup returns NXDOMAIN, a second lookup is - initiated with the specified name appended to the query - name. This allows NXDOMAIN redirection data to be supplied - by multiple zones configured on the server or by recursive - queries to other servers. (The older method, using - a single type redirect zone, has - better average performance but is less flexible.) [RT #37989] -

  • -
-
-
-

-Feature Changes

-
    -
  • - ACLs containing geoip asnum elements were - not correctly matched unless the full organization name was - specified in the ACL (as in - geoip asnum "AS1234 Example, Inc.";). - They can now match against the AS number alone (as in - geoip asnum "AS1234";). -

  • -
  • - When using native PKCS#11 cryptography (i.e., - configure --enable-native-pkcs11) HSM PINs - of up to 256 characters can now be used. -

  • -
  • - NXDOMAIN responses to queries of type DS are now cached separately - from those for other types. This helps when using "grafted" zones - of type forward, for which the parent zone does not contain a - delegation, such as local top-level domains. Previously a query - of type DS for such a zone could cause the zone apex to be cached - as NXDOMAIN, blocking all subsequent queries. (Note: This - change is only helpful when DNSSEC validation is not enabled. - "Grafted" zones without a delegation in the parent are not a - recommended configuration.) -

  • -
  • - Update forwarding performance has been improved by allowing - a single TCP connection to be shared between multiple updates. -

  • -
  • - By default, nsupdate will now check - the correctness of hostnames when adding records of type - A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be - disabled with check-names no. -

  • -
  • - Added support for OPENPGPKEY type. -

  • -
  • - The names of the files used to store managed keys and added - zones for each view are no longer based on the SHA256 hash - of the view name, except when this is necessary because the - view name contains characters that would be incompatible with use - as a file name. For views whose names do not contain forward - slashes ('/'), backslashes ('\'), or capital letters - which - could potentially cause namespace collision problems on - case-insensitive filesystems - files will now be named - after the view (for example, internal.mkeys - or external.nzf). However, to ensure - consistent behavior when upgrading, if a file using the old - name format is found to exist, it will continue to be used. -

  • -
  • - "rndc" can now return text output of arbitrary size to - the caller. (Prior to this, certain commands such as - "rndc tsig-list" and "rndc zonestatus" could return - truncated output.) -

  • -
  • - Errors reported when running rndc addzone - (e.g., when a zone file cannot be loaded) have been clarified - to make it easier to diagnose problems. -

  • -
  • - When encountering an authoritative name server whose name is - an alias pointing to another name, the resolver treats - this as an error and skips to the next server. Previously - this happened silently; now the error will be logged to - the newly-created "cname" log category. -

  • -
  • - If named is not configured to validate the answer then - allow fallback to plain DNS on timeout even when we know - the server supports EDNS. This will allow the server to - potentially resolve signed queries when TCP is being - blocked. -

  • -
  • - Large inline-signing changes should be less disruptive. - Signature generation is now done incrementally; the number - of signatures to be generated in each quantum is controlled - by "sig-signing-signatures number;". - [RT #37927] -

  • -
  • - When retrying a query via TCP due to the first answer being - truncated, dig will now correctly send - the SIT (server identity token) value returned by the server - in the prior response. [RT #39047] -

  • -
  • - A alternative NXDOMAIN redirect method (nxdomain-redirect) - which allows the redirect information to be looked up from - a namespace on the Internet rather than requiring a zone - to be configured on the server is now available. -

  • -
  • - Retrieving the local port range from net.ipv4.ip_local_port_range - on Linux is now supported. -

  • -
-
-
-

-Bug Fixes

-
    -
  • - dig, host and - nslookup aborted when encountering - a name which, after appending search list elements, - exceeded 255 bytes. Such names are now skipped, but - processing of other names will continue. [RT #36892] -

  • -
  • - The error message generated when - named-checkzone or - named-checkconf -z encounters a - $TTL directive without a value has - been clarified. [RT #37138] -

  • -
  • - Semicolon characters (;) included in TXT records were - incorrectly escaped with a backslash when the record was - displayed as text. This is actually only necessary when there - are no quotation marks. [RT #37159] -

  • -
  • - When files opened for writing by named, - such as zone journal files, were referenced more than once - in named.conf, it could lead to file - corruption as multiple threads wrote to the same file. This - is now detected when loading named.conf - and reported as an error. [RT #37172] -

  • -
  • - When checking for updates to trust anchors listed in - managed-keys, named - now revalidates keys based on the current set of - active trust anchors, without relying on any cached - record of previous validation. [RT #37506] -

  • -
  • - Large-system tuning - (configure --with-tuning=large) caused - problems on some platforms by setting a socket receive - buffer size that was too large. This is now detected and - corrected at run time. [RT #37187] -

  • -
  • - When NXDOMAIN redirection is in use, queries for a name - that is present in the redirection zone but a type that - is not present will now return NOERROR instead of NXDOMAIN. -

  • -
  • - Due to an inadvertent removal of code in the previous - release, when named encountered an - authoritative name server which dropped all EDNS queries, - it did not always try plain DNS. This has been corrected. - [RT #37965] -

  • -
  • - A regression caused nsupdate to use the default recursive servers - rather than the SOA MNAME server when sending the UPDATE. -

  • -
  • - Adjusted max-recursion-queries to accommodate the smaller - initial packet sizes used in BIND 9.10 and higher when - contacting authoritative servers for the first time. -

  • -
  • - Built-in "empty" zones did not correctly inherit the - "allow-transfer" ACL from the options or view. [RT #38310] -

  • -
  • - Two leaks were fixed that could cause named - processes to grow to very large sizes. [RT #38454] -

  • -
  • - Fixed some bugs in RFC 5011 trust anchor management, - including a memory leak and a possible loss of state - information. [RT #38458] -

  • -
  • - Asynchronous zone loads were not handled correctly when the - zone load was already in progress; this could trigger a crash - in zt.c. [RT #37573] -

  • -
  • - A race during shutdown or reconfiguration could - cause an assertion failure in mem.c. [RT #38979] -

  • -
  • - Some answer formatting options didn't work correctly with - dig +short. [RT #39291] -

  • -
  • - A bug in the RPZ implementation could cause some policy - zones that did not specifically require recursion to be - treated as if they did; consequently, setting - qname-wait-recurse no; was - sometimes ineffective. This has been corrected. - In most configurations, behavioral changes due to this - fix will not be noticeable. [RT #39229] -

  • -
  • - A bug in RPZ could cause the server to crash if policy - zones were updated (e.g. via rndc reload - or an incoming zone transfer) while RPZ processing was still - ongoing for an active query. [RT #39415] -

  • -
-
-
-

-End of Life

-

- The end of life for BIND 9.11 is yet to be determined but - will not be before BIND 9.13.0 has been released for 6 months. - https://www.isc.org/downloads/software-support-policy/ -

-
-
-

-Thank You

-

- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -

-
-
+
<xi:include></xi:include>
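Review bot: this hunk deletes the entire rendered release-notes body (Introduction through Thank You, 532 lines down to 5 per the hunk header) and leaves notes.html with only a bare `<xi:include></xi:include>` element. An XInclude element is a source-level construct; if the HTML build does not resolve it when producing the published page, readers will get an empty release-notes page, and the security-fix entries that were rendered here (CVE-2015-1349, CVE-2014-8500 and CVE-2014-8680, with their RT references and the max-recursion-depth / max-recursion-queries mitigation notes) disappear from the public documentation. Please confirm that the build step processes XIncludes into the generated HTML, or regenerate notes.html from the resolved source before merging.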