diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 6fdae6a61b..5944d6daff 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -2427,305 +2427,306 @@ badresp:1,adberr:0,findfail:0,valfail:0] statement in the named.conf file:

-
options {
-  [ attach-cache cache_name ; ]
-  [ version version_string ; ]
-  [ hostname hostname_string ; ]
-  [ server-id server_id_string ; ]
-  [ directory path_name ; ]
-  [ dnstap { message_type ; ... } ; ]
-  [ dnstap-output ( file | unix ) path_name [ size size_spec ] [ versions ( number | unlimited ) ] ; ]
-  [ dnstap-identity ( string | hostname | none ) ; ]
-  [ dnstap-version ( string | none ) ; ]
-  [ fstrm-set-buffer-hint number ; ]
-  [ fstrm-set-flush-timeout number ; ]
-  [ fstrm-set-input-queue-size number ; ]
-  [ fstrm-set-output-notify-threshold number ; ]
-  [ fstrm-set-output-queue-model ( mpsc | spsc ) ; ]
-  [ fstrm-set-output-queue-size number ; ]
-  [ fstrm-set-reopen-interval number ; ]
-  [ geoip-directory path_name ; ]
-  [ key-directory path_name ; ]
-  [ managed-keys-directory path_name ; ]
-  [ named-xfer path_name ; ]
-  [ tkey-gssapi-keytab path_name ; ]
-  [ tkey-gssapi-credential principal ; ]
-  [ tkey-domain domain_name ; ]
-  [ tkey-dhkey key_name key_tag ; ]
-  [ cache-file path_name ; ]
-  [ dump-file path_name ; ]
-  [ bindkeys-file path_name ; ]
-  [ lock-file path_name ; ]
-  [ secroots-file path_name ; ]
-  [ session-keyfile path_name ; ]
-  [ session-keyname key_name ; ]
-  [ session-keyalg algorithm_id ; ]
-  [ memstatistics yes_or_no ; ]
-  [ memstatistics-file path_name ; ]
-  [ pid-file path_name ; ]
-  [ recursing-file path_name ; ]
-  [ statistics-file path_name ; ]
-  [ zone-statistics ( full | terse | none ) ; ]
-  [ auth-nxdomain yes_or_no ; ]
-  [ nxdomain-redirect string ; ]
-  [ deallocate-on-exit yes_or_no ; ]
-  [ dialup dialup_option ; ]
-  [ fake-iquery yes_or_no ; ]
-  [ fetch-glue yes_or_no ; ]
-  [ flush-zones-on-shutdown yes_or_no ; ]
-  [ has-old-clients yes_or_no ; ]
-  [ host-statistics yes_or_no ; ]
-  [ host-statistics-max number ; ]
-  [ minimal-any yes_or_no ; ]
-  [ minimal-responses ( yes_or_no | no-auth | no-auth-recursive ) ; ]
-  [ multiple-cnames yes_or_no ; ]
-  [ notify ( yes_or_no | explicit | master-only ) ; ]
-  [ recursion yes_or_no ; ]
-  [ send-cookie yes_or_no ; ]
-  [ require-server-cookie yes_or_no ; ]
-  [ cookie-algorithm algorithm_id ; ]
-  [ cookie-secret secret_string ; ]
-  [ nocookie-udp-size number ; ]
-  [ request-nsid yes_or_no ; ]
-  [ rfc2308-type1 yes_or_no ; ]
-  [ use-id-pool yes_or_no ; ]
-  [ maintain-ixfr-base yes_or_no ; ]
-  [ ixfr-from-differences ( yes_or_no | master | slave ) ; ]
-  [ auto-dnssec ( allow | maintain | off ) ; ]
-  [ dnssec-enable yes_or_no ; ]
-  [ dnssec-validation ( yes_or_no | auto ) ; ]
-  [ dnssec-lookaside ( auto | no | domain trust-anchor domain ) ; ]
-  [ dnssec-must-be-secure domain yes_or_no ; ]
-  [ dnssec-accept-expired yes_or_no ; ]
-  [ forward ( only | first ) ; ]
-  [ forwarders {
-      ( ip_addr [ port ip_port ] [ dscp ip_dscp ] ; )
-        ...
-    } ; ]
-  [ dual-stack-servers [ port ip_port ] [ dscp ip_dscp ] {
-      ( ( domain_name | ip_addr ) [ port ip_port ] [ dscp ip_dscp ] ; )
-        ...
-    } ; ]
-  [ check-names ( master | slave | response )
-                ( warn | fail | ignore ) ; ]
-  [ check-dup-records ( warn | fail | ignore ) ; ]
-  [ check-mx ( warn | fail | ignore ) ; ]
-  [ check-wildcard yes_or_no ; ]
-  [ check-integrity yes_or_no ; ]
-  [ check-mx-cname ( warn | fail | ignore ) ; ]
-  [ check-srv-cname ( warn | fail | ignore ) ; ]
-  [ check-sibling yes_or_no ; ]
-  [ check-spf ( warn | ignore ) ; ]
-  [ allow-new-zones yes_or_no ; ]
-  [ allow-notify { address_match_list } ; ]
-  [ allow-query { address_match_list } ; ]
-  [ allow-query-on { address_match_list } ; ]
-  [ allow-query-cache { address_match_list } ; ]
-  [ allow-query-cache-on { address_match_list } ; ]
-  [ allow-transfer { address_match_list } ; ]
-  [ allow-recursion { address_match_list } ; ]
-  [ allow-recursion-on { address_match_list } ; ]
-  [ allow-update { address_match_list } ]
-  [ allow-update-forwarding { address_match_list } ; ]
-  [ automatic-interface-scan yes_or_no ; ]
-  [ geoip-use-ecs yes_or_no ; ]
-  [ update-check-ksk yes_or_no ; ]
-  [ dnssec-update-mode ( maintain | no-resign ) ; ]
-  [ dnssec-dnskey-kskonly yes_or_no ; ]
-  [ dnssec-loadkeys-interval number ; ]
-  [ dnssec-secure-to-insecure yes_or_no ; ]
-  [ try-tcp-refresh yes_or_no ; ]
-  [ allow-v6-synthesis { address_match_list } ; ]
-  [ blackhole { address_match_list } ; ]
-  [ keep-response-order { address_match_list } ; ]
-  [ no-case-compress { address_match_list } ; ]
-  [ message-compression yes_or_no ; ]
-  [ use-v4-udp-ports { port_list } ; ]
-  [ avoid-v4-udp-ports { port_list } ; ]
-  [ use-v6-udp-ports { port_list } ; ]
-  [ avoid-v6-udp-ports { port_list } ; ]
-  [ listen-on [ port ip_port ] [ dscp ip_dscp ] { address_match_list } ; ]
-  [ listen-on-v6 [ port ip_port ] [ dscp ip_dscp ] { address_match_list } ; ]
-  [ query-source ( [ address ] ( ip4_addr | * ) )
-      [ port ( ip_port | * ) ] [ dscp ip_dscp ] ] ;
-  [ query-source-v6 ( [ address ] ( ip6_addr | * ) )
-      [ port ( ip_port | * ) ] [ dscp ip_dscp ] ] ;
-  [ use-queryport-pool yes_or_no ; ]
-  [ queryport-pool-ports number ; ]
-  [ queryport-pool-updateinterval number ; ]
-  [ max-records number ; ]
-  [ max-transfer-time-in number ; ]
-  [ max-transfer-time-out number ; ]
-  [ max-transfer-idle-in number ; ]
-  [ max-transfer-idle-out number ; ]
-  [ reserved-sockets number ; ]
-  [ recursive-clients number ; ]
-  [ tcp-clients number ; ]
-  [ clients-per-query number ; ]
-  [ max-clients-per-query number ; ]
-  [ fetches-per-server number [ ( drop | fail ) ] ; ]
-  [ fetches-per-zone number [ ( drop | fail ) ] ; ]
-  [ fetch-quota-params number fixedpoint fixedpoint fixedpoint ; ]
-  [ notify-rate number ; ]
-  [ startup-notify-rate number ; ]
-  [ serial-query-rate number ; ]
-  [ serial-queries number ; ]
-  [ tcp-listen-queue number ; ]
-  [ tcp-initial-timeout number; ]
-  [ tcp-idle-timeout number; ]
-  [ tcp-keepalive-timeout number; ]
-  [ tcp-advertised-timeout number; ]
-  [ transfer-format ( one-answer | many-answers ) ; ]
-  [ transfer-message-size  number ; ]
-  [ transfers-in  number ; ]
-  [ transfers-out number ; ]
-  [ transfers-per-ns number ; ]
-  [ transfer-source ( ip4_addr | * )
-      [ port ip_port ] [ dscp ip_dscp ] ; ]
-  [ transfer-source-v6 ( ip6_addr | * )
-      [ port ip_port ] [ dscp ip_dscp ] ; ]
-  [ alt-transfer-source ( ip4_addr | * )
-      [ port ip_port ] [ dscp ip_dscp ] ; ]
-  [ alt-transfer-source-v6 ( ip6_addr | * )
-      [ port ip_port ] [ dscp ip_dscp ] ; ]
-  [ use-alt-transfer-source yes_or_no ; ]
-  [ notify-delay seconds ; ]
-  [ notify-source ( ip4_addr | * )
-      [ port ip_port ] [ dscp ip_dscp ] ; ]
-  [ notify-source-v6 ( ip6_addr | * )
-      [ port ip_port ] [ dscp ip_dscp ] ; ]
-  [ notify-to-soa yes_or_no ; ]
-  [ also-notify [ port ip_port] [ dscp ip_dscp] {
-      ( masters | ip_addr [ port ip_port ] ) [ key key_name ] ;
-        ...
-    } ; ]
-  [ max-ixfr-log-size number ; ]
-  [ max-journal-size size_spec ; ]
-  [ coresize size_spec ; ]
-  [ datasize size_spec ; ]
-  [ files size_spec ; ]
-  [ stacksize size_spec ; ]
-  [ cleaning-interval number ; ]
-  [ heartbeat-interval number ; ]
-  [ interface-interval number ; ]
-  [ statistics-interval number ; ]
-  [ topology { address_match_list } ; ]
-  [ sortlist { address_match_list } ; ]
-  [ rrset-order { order_spec ; ... } ; ]
-  [ lame-ttl number ; ]
-  [ max-ncache-ttl number ; ]
-  [ max-cache-ttl number ; ]
-  [ max-zone-ttl ( unlimited | number ) ; ]
-  [ serial-update-method ( increment | unixtime | date ) ; ]
-  [ servfail-ttl number ; ]
-  [ sig-validity-interval number [number] ; ]
-  [ sig-signing-nodes number ; ]
-  [ sig-signing-signatures number ; ]
-  [ sig-signing-type number ; ]
-  [ min-roots number ; ]
-  [ use-ixfr yes_or_no ; ]
-  [ provide-ixfr yes_or_no ; ]
-  [ request-ixfr yes_or_no ; ]
-  [ request-expire yes_or_no ; ]
-  [ treat-cr-as-space yes_or_no ; ]
-  [ min-refresh-time number ; ]
-  [ max-refresh-time number ; ]
-  [ min-retry-time number ; ]
-  [ max-retry-time number ; ]
-  [ nta-lifetime duration ; ]
-  [ nta-recheck duration ; ]
-  [ port ip_port ; ]
-  [ dscp ip_dscp ; ]
-  [ additional-from-auth yes_or_no ; ]
-  [ additional-from-cache yes_or_no ; ]
-  [ random-device path_name ; ]
-  [ max-cache-size size_or_percent ; ]
-  [ match-mapped-addresses yes_or_no ; ]
-  [ filter-aaaa-on-v4 ( yes_or_no | break-dnssec ) ; ]
-  [ filter-aaaa-on-v6 ( yes_or_no | break-dnssec ) ; ]
-  [ filter-aaaa { address_match_list } ; ]
-  [ dns64 ipv6-prefix {
-      [ clients { address_match_list } ; ]
-      [ mapped { address_match_list } ; ]
-      [ exclude { address_match_list } ; ]
-      [ suffix ip6-address ; ]
-      [ recursive-only yes_or_no ; ]
-      [ break-dnssec yes_or_no ; ]
-    } ; ]
-  [ dns64-server name ]
-  [ dns64-contact name ]
-  [ preferred-glue ( A | AAAA | none ); ]
-  [ edns-udp-size number ; ]
-  [ max-udp-size number ; ]
-  [ response-padding { address_match_list } block-size number ; ]
-  [ max-rsa-exponent-size number ; ]
-  [ root-delegation-only [ exclude { namelist } ] ; ]
-  [ querylog yes_or_no ; ]
-  [ disable-algorithms domain { algorithm ; ... } ; ]
-  [ disable-ds-digests domain { digest_type ; ... } ; ]
-  [ acache-enable yes_or_no ; ]
-  [ acache-cleaning-interval number ; ]
-  [ max-acache-size size_spec ; ]
-  [ max-recursion-depth number ; ]
-  [ max-recursion-queries number ; ]
-  [ masterfile-format ( text | raw | map ) ; ]
-  [ masterfile-style ( relative | full ) ; ]
-  [ empty-server name ; ]
-  [ empty-contact name ; ]
-  [ empty-zones-enable yes_or_no ; ]
-  [ disable-empty-zone zone_name ; ]
-  [ zero-no-soa-ttl yes_or_no ; ]
-  [ zero-no-soa-ttl-cache yes_or_no ; ]
-  [ resolver-query-timeout number ; ]
-  [ deny-answer-addresses { address_match_list }
-      [ except-from { namelist } ] ; ]
-  [ deny-answer-aliases { namelist }
-      [ except-from { namelist } ] ; ]
-  [ prefetch number [ number ] ; ]
-  [ rate-limit {
-      [ responses-per-second number ; ]
-      [ referrals-per-second number ; ]
-      [ nodata-per-second number ; ]
-      [ nxdomains-per-second number ; ]
-      [ errors-per-second number ; ]
-      [ all-per-second number ; ]
-      [ window number ; ]
-      [ log-only yes_or_no ; ]
-      [ qps-scale number ; ]
-      [ ipv4-prefix-length number ; ]
-      [ ipv6-prefix-length number ; ]
-      [ slip number ; ]
-      [ exempt-clients { address_match_list } ; ]
-      [ max-table-size number ; ]
-      [ min-table-size number ; ]
-    } ; ]
-  [ response-policy {
-        zone zone_name
-      [ policy ( given | disabled | passthru | drop |
-                 tcp-only | nxdomain | nodata | cname domain ) ]
-      [ recursive-only yes_or_no ]
-      [ log yes_or_no ]
-      [ max-policy-ttl number ] ;
-         ...
-    } [ recursive-only yes_or_no ]
-      [ max-policy-ttl number ]
-      [ break-dnssec yes_or_no ]
-      [ min-ns-dots number ]
-      [ nsip-wait-recurse yes_or_no ]
-      [ qname-wait-recurse yes_or_no ] ; ]
-  [ catalog-zones {
-        zone quoted_string
-          [ default-masters [ port ip_port ] [ dscp ip_dscp ] {
-              ( masters_list | ip_addr [port ip_port] [ key key_name] ) ;
-                ...
-            } ]
-          [ zone-directory path_name ]
-          [ in-memory yes_or_no ]
-          [ min-update-interval interval ] ;
-        ...
-    } ; ]
-  [ v6-bias number ; ]
-} ; ]
+
options {
+    [ attach-cache cache_name; ]
+    [ version version_string; ]
+    [ hostname hostname_string; ]
+    [ server-id server_id_string; ]
+    [ directory path_name; ]
+    [ dnstap { message_type; ... }; ]
+    [ dnstap-output ( file | unix ) path_name; ]
+    [ dnstap-identity ( string | hostname | none ); ]
+    [ dnstap-version ( string | none ); ]
+    [ fstrm-set-buffer-hint number ; ]
+    [ fstrm-set-flush-timeout number ; ]
+    [ fstrm-set-input-queue-size number ; ]
+    [ fstrm-set-output-notify-threshold number ; ]
+    [ fstrm-set-output-queue-model ( mpsc |
+                        spsc ) ; ]
+    [ fstrm-set-output-queue-size number ; ]
+    [ fstrm-set-reopen-interval number ; ]
+    [ geoip-directory path_name; ]
+    [ key-directory path_name; ]
+    [ managed-keys-directory path_name; ]
+    [ named-xfer path_name; ]
+    [ tkey-gssapi-keytab path_name; ]
+    [ tkey-gssapi-credential principal; ]
+    [ tkey-domain domainname; ]
+    [ tkey-dhkey key_name key_tag; ]
+    [ cache-file path_name; ]
+    [ dump-file path_name; ]
+    [ bindkeys-file path_name; ]
+    [ lock-file path_name; ]
+    [ secroots-file path_name; ]
+    [ session-keyfile path_name; ]
+    [ session-keyname key_name; ]
+    [ session-keyalg algorithm_id; ]
+    [ memstatistics yes_or_no; ]
+    [ memstatistics-file path_name; ]
+    [ pid-file path_name; ]
+    [ recursing-file path_name; ]
+    [ statistics-file path_name; ]
+    [ zone-statistics full | terse | none; ]
+    [ auth-nxdomain yes_or_no; ]
+    [ nxdomain-redirect string; ]
+    [ deallocate-on-exit yes_or_no; ]
+    [ dialup dialup_option; ]
+    [ fake-iquery yes_or_no; ]
+    [ fetch-glue yes_or_no; ]
+    [ flush-zones-on-shutdown yes_or_no; ]
+    [ has-old-clients yes_or_no; ]
+    [ host-statistics yes_or_no; ]
+    [ host-statistics-max number; ]
+    [ minimal-any yes_or_no; ]
+    [ minimal-responses (yes_or_no | no-auth | no-auth-recursive); ]
+    [ multiple-cnames yes_or_no; ]
+    [ notify yes_or_no | explicit | master-only; ]
+    [ recursion yes_or_no; ]
+    [ send-cookie yes_or_no; ]
+    [ require-server-cookie yes_or_no; ]
+    [ cookie-algorithm algorithm_id; ]
+    [ cookie-secret secret_string; ]
+    [ nocookie-udp-size number ; ]
+    [ request-nsid yes_or_no; ]
+    [ rfc2308-type1 yes_or_no; ]
+    [ use-id-pool yes_or_no; ]
+    [ maintain-ixfr-base yes_or_no; ]
+    [ ixfr-from-differences (yes_or_no | master | slave); ]
+    [ auto-dnssec allow|maintain|off; ]
+    [ dnssec-enable yes_or_no; ]
+    [ dnssec-validation (yes_or_no | auto); ]
+    [ dnssec-lookaside ( auto |
+                        no |
+                        domain trust-anchor domain ); ]
+    [ dnssec-must-be-secure domain yes_or_no; ]
+    [ dnssec-accept-expired yes_or_no; ]
+    [ forward ( only | first ); ]
+    [ forwarders { [ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
+    [ dual-stack-servers [port ip_port] [dscp ip_dscp] {
+        ( domain_name [port ip_port] [dscp ip_dscp] |
+          ip_addr [port ip_port] [dscp ip_dscp]) ;
+        ... }; ]
+    [ check-names ( master | slave | response )
+        ( warn | fail | ignore ); ]
+    [ check-dup-records ( warn | fail | ignore ); ]
+    [ check-mx ( warn | fail | ignore ); ]
+    [ check-wildcard yes_or_no; ]
+    [ check-integrity yes_or_no; ]
+    [ check-mx-cname ( warn | fail | ignore ); ]
+    [ check-srv-cname ( warn | fail | ignore ); ]
+    [ check-sibling yes_or_no; ]
+    [ check-spf ( warn | ignore ); ]
+    [ allow-new-zones { yes_or_no }; ]
+    [ allow-notify { address_match_list }; ]
+    [ allow-query { address_match_list }; ]
+    [ allow-query-on { address_match_list }; ]
+    [ allow-query-cache { address_match_list }; ]
+    [ allow-query-cache-on { address_match_list }; ]
+    [ allow-transfer { address_match_list }; ]
+    [ allow-recursion { address_match_list }; ]
+    [ allow-recursion-on { address_match_list }; ]
+    [ allow-update { address_match_list }; ]
+    [ allow-update-forwarding { address_match_list }; ]
+    [ automatic-interface-scan { yes_or_no }; ]
+    [ geoip-use-ecs yes_or_no;]
+    [ update-check-ksk yes_or_no; ]
+    [ dnssec-update-mode ( maintain | no-resign ); ]
+    [ dnssec-dnskey-kskonly yes_or_no; ]
+    [ dnssec-loadkeys-interval number; ]
+    [ dnssec-secure-to-insecure yes_or_no ;]
+    [ try-tcp-refresh yes_or_no; ]
+    [ allow-v6-synthesis { address_match_list }; ]
+    [ blackhole { address_match_list }; ]
+    [ keep-response-order { address_match_list }; ]
+    [ no-case-compress { address_match_list }; ]
+    [ message-compression yes_or_no ; ]
+    [ use-v4-udp-ports { port_list }; ]
+    [ avoid-v4-udp-ports { port_list }; ]
+    [ use-v6-udp-ports { port_list }; ]
+    [ avoid-v6-udp-ports { port_list }; ]
+    [ listen-on [ port ip_port ] [dscp ip_dscp] { address_match_list }; ]
+    [ listen-on-v6 [ port ip_port] [dscp ip_dscp]
+{ address_match_list }; ]
+    [ query-source ( ( ip4_addr | * )
+        [ port ( ip_port | * ) ]
+        [ dscp ip_dscp] |
+        [ address ( ip4_addr | * ) ]
+        [ port ( ip_port | * ) ] )
+        [ dscp ip_dscp] ; ]
+    [ query-source-v6 ( ( ip6_addr | * )
+        [ port ( ip_port | * ) ]
+        [ dscp ip_dscp] |
+        [ address ( ip6_addr | * ) ]
+        [ port ( ip_port | * ) ] )
+        [ dscp ip_dscp] ; ]
+    [ use-queryport-pool yes_or_no; ]
+    [ queryport-pool-ports number; ]
+    [ queryport-pool-updateinterval number; ]
+    [ max-transfer-time-in number; ]
+    [ max-transfer-time-out number; ]
+    [ max-transfer-idle-in number; ]
+    [ max-transfer-idle-out number; ]
+    [ reserved-sockets number; ]
+    [ recursive-clients number; ]
+    [ tcp-clients number; ]
+    [ clients-per-query number ; ]
+    [ max-clients-per-query number ; ]
+    [ fetches-per-server number [(drop | fail)]; ]
+    [ fetch-quota-params number fixedpoint fixedpoint fixedpoint ; ]
+    [ fetches-per-zone number [(drop | fail)]; ]
+    [ notify-rate number; ]
+    [ startup-notify-rate number; ]
+    [ serial-query-rate number; ]
+    [ serial-queries number; ]
+    [ tcp-listen-queue number; ]
+    [ transfer-format ( one-answer | many-answers ); ]
+    [ transfer-message-size  number; ]
+    [ transfers-in  number; ]
+    [ transfers-out number; ]
+    [ transfers-per-ns number; ]
+    [ transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
+    [ transfer-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
+    [ alt-transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
+    [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
+    [ use-alt-transfer-source yes_or_no; ]
+    [ notify-delay seconds ; ]
+    [ notify-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
+    [ notify-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
+    [ notify-to-soa yes_or_no ; ]
+    [ also-notify [port ip_port] [dscp ip_dscp] { ( masters | ip_addr
+                    [port ip_port] ) [key keyname] ; ... }; ]
+    [ max-ixfr-log-size number; ]
+    [ max-journal-size size_spec; ]
+    [ coresize size_spec ; ]
+    [ datasize size_spec ; ]
+    [ files size_spec ; ]
+    [ stacksize size_spec ; ]
+    [ cleaning-interval number; ]
+    [ heartbeat-interval number; ]
+    [ interface-interval number; ]
+    [ statistics-interval number; ]
+    [ topology { address_match_list }];
+    [ sortlist { address_match_list }];
+    [ rrset-order { order_spec ; [ order_spec ; ... ] ] };
+    [ lame-ttl number; ]
+    [ max-ncache-ttl number; ]
+    [ max-cache-ttl number; ]
+    [ max-zone-ttl ( unlimited | number ; ]
+    [ serial-update-method increment|unixtime|date; ]
+    [ servfail-ttl number; ]
+    [ sig-validity-interval number [number] ; ]
+    [ sig-signing-nodes number ; ]
+    [ sig-signing-signatures number ; ]
+    [ sig-signing-type number ; ]
+    [ min-roots number; ]
+    [ use-ixfr yes_or_no ; ]
+    [ provide-ixfr yes_or_no; ]
+    [ request-ixfr yes_or_no; ]
+    [ request-expire yes_or_no; ]
+    [ treat-cr-as-space yes_or_no ; ]
+    [ min-refresh-time number ; ]
+    [ max-refresh-time number ; ]
+    [ min-retry-time number ; ]
+    [ max-retry-time number ; ]
+    [ nta-lifetime duration ; ]
+    [ nta-recheck duration ; ]
+    [ port ip_port; ]
+    [ dscp ip_dscp] ;
+    [ additional-from-auth yes_or_no ; ]
+    [ additional-from-cache yes_or_no ; ]
+    [ random-device path_name ; ]
+    [ max-cache-size size_or_percent ; ]
+    [ match-mapped-addresses yes_or_no; ]
+    [ filter-aaaa-on-v4 ( yes_or_no | break-dnssec ); ]
+    [ filter-aaaa-on-v6 ( yes_or_no | break-dnssec ); ]
+    [ filter-aaaa { address_match_list }; ]
+    [ dns64 ipv6-prefix {
+        [ clients { address_match_list }; ]
+        [ mapped { address_match_list }; ]
+        [ exclude { address_match_list }; ]
+        [ suffix IPv6-address; ]
+        [ recursive-only yes_or_no; ]
+        [ break-dnssec yes_or_no; ]
+    }; ];
+    [ dns64-server name ]
+    [ dns64-contact name ]
+    [ preferred-glue ( A | AAAA | NONE ); ]
+    [ edns-udp-size number; ]
+    [ max-udp-size number; ]
+    [ max-rsa-exponent-size number; ]
+    [ root-delegation-only [ exclude { namelist } ] ; ]
+    [ querylog yes_or_no ; ]
+    [ disable-algorithms domain { algorithm;
+                                [ algorithm; ] }; ]
+    [ disable-ds-digests domain { digest_type;
+                                [ digest_type; ] }; ]
+    [ acache-enable yes_or_no ; ]
+    [ acache-cleaning-interval number; ]
+    [ max-acache-size size_spec ; ]
+    [ max-recursion-depth number ; ]
+    [ max-recursion-queries number ; ]
+    [ masterfile-format
+            (text|raw|map) ; ]
+    [ masterfile-style
+            (relative|full) ; ]
+    [ empty-server name ; ]
+    [ empty-contact name ; ]
+    [ empty-zones-enable yes_or_no ; ]
+    [ disable-empty-zone zone_name ; ]
+    [ zero-no-soa-ttl yes_or_no ; ]
+    [ zero-no-soa-ttl-cache yes_or_no ; ]
+    [ resolver-query-timeout number ; ]
+    [ deny-answer-addresses { address_match_list } [ except-from { namelist } ];]
+    [ deny-answer-aliases { namelist } [ except-from { namelist } ];]
+    [ prefetch number [number] ; ]
+
+    [ rate-limit {
+        [ responses-per-second number ; ]
+        [ referrals-per-second number ; ]
+        [ nodata-per-second number ; ]
+        [ nxdomains-per-second number ; ]
+        [ errors-per-second number ; ]
+        [ all-per-second number ; ]
+        [ window number ; ]
+        [ log-only yes_or_no ; ]
+        [ qps-scale number ; ]
+        [ ipv4-prefix-length number ; ]
+        [ ipv6-prefix-length number ; ]
+        [ slip number ; ]
+        [ exempt-clients  { address_match_list } ; ]
+        [ max-table-size number ; ]
+        [ min-table-size number ; ]
+    } ; ]
+    [ response-policy {
+        zone zone_name
+        [ policy (given | disabled | passthru | drop |
+                  tcp-only | nxdomain | nodata | cname domain) ]
+        [ recursive-only yes_or_no ]
+        [ log yes_or_no ]
+        [ max-policy-ttl number ]
+        [ min-update-interval number ]
+        ; [...]
+    } [ recursive-only yes_or_no ]
+      [ max-policy-ttl number ]
+      [ min-update-interval number ]
+      [ break-dnssec yes_or_no ]
+      [ min-ns-dots number ]
+      [ nsip-wait-recurse yes_or_no ]
+      [ qname-wait-recurse yes_or_no ]
+      [ automatic-interface-scan yes_or_no ]
+    ; ]
+    [ catalog-zones {
+        zone quoted_string
+            [ default-masters
+                [port ip_port]
+                [dscp ip_dscp]
+                { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] }]
+          [in-memory yes_or_no]
+          [min-update-interval interval]
+        ; [...] };
+    ; ]
+    [v6-bias number ; ]
+};
 
@@ -8192,6 +8193,15 @@ example.com CNAME rpz-tcp-only. turn off rewrite logging for a particular response policy zone. By default, all rewrites are logged.

+ +

+ Updates to RPZ zones are processed asynchronously; if there
+ is more than one update pending they are bundled together.
+ If an update to a RPZ zone (for example, via IXFR) happens less
+ than min-update-interval seconds after the most
+ recent update, then the changes will not be carried out until this
+ interval has elapsed. The default is 5 seconds.
+

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index be410fe5f8..139a77b15c 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -278,6 +278,19 @@
  • + The Response Policy Zone (RPZ) implementation has been + substantially refactored: updates to the RPZ summary + database are no longer directly performed by the zone + database but by a separate function that is called when + a policy zone is updated. This improves both performance + and reliability when policy zones receive frequent updates. + Summary database updates can be rate-limited by using the + min-update-interval option in a + response-policy statement. [RT #43449] +

    +
  • +
  • +

    dnstap now stores both the local and remote addresses for all messages, instead of only the remote address. The default output format for dnstap-read has
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index aa00a1aa63..ee80220de8 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -241,6 +241,19 @@

    • + The Response Policy Zone (RPZ) implementation has been + substantially refactored: updates to the RPZ summary + database are no longer directly performed by the zone + database but by a separate function that is called when + a policy zone is updated. This improves both performance + and reliability when policy zones receive frequent updates. + Summary database updates can be rate-limited by using the + min-update-interval option in a + response-policy statement. [RT #43449] +

      +
    • +
    • +

      dnstap now stores both the local and remote addresses for all messages, instead of only the remote address. The default output format for dnstap-read has
diff --git a/doc/misc/options b/doc/misc/options
index c697de264f..68dd47ba0f 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -303,7 +303,7 @@ options { ; response-policy { zone [ log ] [ max-policy-ttl ] [ min-update-interval ] [ - policy ( cname | disabled | drop | given | no-op | nodata | + policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ]; ... } [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [
@@ -613,7 +613,7 @@ view [ ] { response-policy { zone [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | - nxdomain | passthru | tcp-only | ) ] [ + nxdomain | passthru | tcp-only ) ] [ recursive-only ]; ... } [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [