diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index c308fb9133..b71619d41f 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -314,7 +314,7 @@

For more detailed information about the design of the DNS and the DNS protocol, please refer to the standards documents listed in - the section called “Request for Comments (RFCs)”. + the section called “Request for Comments (RFCs)”.

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 92a3e8ad91..d978d74b1b 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,39 +70,39 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
-
Prerequisites
-
Native PKCS#11
-
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Native PKCS#11
+
OpenSSL-based PKCS#11
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -248,7 +248,7 @@ The incremental zone transfer (IXFR) protocol is a way for slave servers to transfer only changed data, instead of having to transfer the entire zone. The IXFR protocol is specified in RFC - 1995. See Proposed Standards. + 1995. See Proposed Standards.

When acting as a master, BIND 9 @@ -1080,7 +1080,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1142,7 +1142,7 @@ options {
 
While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.

 

-Fully automatic zone signing

+Fully automatic zone signing
 
To enable automatic signing, add the 
   auto-dnssec option to the zone statement in 
   named.conf. 
@@ -1198,7 +1198,7 @@ options {
   configuration. If this has not been done, the configuration will
   fail.

 

-Private-type records

+Private-type records
 
The state of the signing process is signaled by
   private-type records (with a default type value of 65534). When
   signing is complete, these records will have a nonzero value for
@@ -1239,12 +1239,12 @@ options {
 

   

 

-DNSKEY rollovers

+DNSKEY rollovers
 
As with insecure-to-secure conversions, rolling DNSSEC
   keys can be done in two ways: using a dynamic DNS update, or the 
   auto-dnssec zone option.

 

-Dynamic DNS update method

+Dynamic DNS update method
 
 To perform key rollovers via dynamic update, you need to add
   the K* files for the new keys so that 
   named can find them. You can then add the new
@@ -1266,7 +1266,7 @@ options {
   named will clean out any signatures generated
   by the old key after the update completes.

 

-Automatic key rollovers

+Automatic key rollovers
 
When a new key reaches its activation date (as set by
   dnssec-keygen or dnssec-settime),
   if the auto-dnssec zone option is set to 
@@ -1281,27 +1281,27 @@ options {
   completes in 30 days, after which it will be safe to remove the
   old key from the DNSKEY RRset.

 

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE
 
Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.

 

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3
 
To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.

 

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC
 
To do this, use nsupdate to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.

 

-Converting from secure to insecure

+Converting from secure to insecure
 
To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1316,14 +1316,14 @@ options {
   allow instead (or it will re-sign).
   

 

-Periodic re-signing

+Periodic re-signing
 
In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.

 

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT
 

   named only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
@@ -1345,7 +1345,7 @@ options {
   configuration files.

 

 

-Validating Resolver

+Validating Resolver

 
To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     managed-keys statement. Information about
@@ -1356,7 +1356,7 @@ options {
 
 

 

-Authoritative Server

+Authoritative Server

 
To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
@@ -1452,7 +1452,7 @@ $ dnssec-signzone -S -K keys example.net<
   

 

 

-Prerequisites

+Prerequisites

 

       See the documentation provided by your HSM vendor for
       information about installing, initializing, testing and
@@ -1461,7 +1461,7 @@ $ dnssec-signzone -S -K keys example.net<
 
 

 

-Native PKCS#11

+Native PKCS#11

 

       Native PKCS#11 mode will only work with an HSM capable of carrying
       out every cryptographic operation BIND 9 may
@@ -1495,7 +1495,7 @@ $ ./configure --enable-native-pkcs11 \
 
 

 

-OpenSSL-based PKCS#11

+OpenSSL-based PKCS#11

 

       OpenSSL-based PKCS#11 mode uses a modified version of the
       OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1553,7 +1553,7 @@ $ ./configure --enable-native-pkcs11 \
     

 

 

-Patching OpenSSL

+Patching OpenSSL

 
 $ wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
   

@@ -1586,7 +1586,7 @@ $ patch -p1 -d openssl-0.9.8y \
 
 

 

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

 

         The AEP Keyper is a highly secure key storage device,
         but does not provide hardware cryptographic acceleration. It
@@ -1628,7 +1628,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
 
 

 

-Building OpenSSL for the SCA 6000 on Solaris

+Building OpenSSL for the SCA 6000 on Solaris

 

         The SCA-6000 PKCS#11 provider is installed as a system
         library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1657,7 +1657,7 @@ $ ./Configure solaris64-x86_64-cc \
 
 

 

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

 

         SoftHSM is a software library provided by the OpenDNSSEC
         project (http://www.opendnssec.org) which provides a PKCS#11
@@ -1730,7 +1730,7 @@ $ ./Configure linux-x86_64 -pthread \
     

 

 

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

 

         To link with the PKCS#11 provider, threads must be
         enabled in the BIND 9 build.
@@ -1750,7 +1750,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
 
 

 

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

 

         To link with the PKCS#11 provider, threads must be
         enabled in the BIND 9 build.
@@ -1772,7 +1772,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
 
 

 

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM

 
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1793,7 +1793,7 @@ $ ./configure --enable-threads \
 
 

 

-PKCS#11 Tools

+PKCS#11 Tools

 

       BIND 9 includes a minimal set of tools to operate the
       HSM, including 
@@ -1816,7 +1816,7 @@ $ ./configure --enable-threads \
 
 

 

-Using the HSM

+Using the HSM

 

       For OpenSSL-based PKCS#11, we must first set up the runtime
       environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1937,7 +1937,7 @@ example.net.signed
 
 

 

-Specifying the engine on the command line

+Specifying the engine on the command line

 

       When using OpenSSL-based PKCS#11, the "engine" to be used by
       OpenSSL can be specified in named and all of
@@ -1969,7 +1969,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

 

       If you want named to dynamically re-sign zones
       using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2056,7 +2056,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Configuring DLZ

+Configuring DLZ

 

       A DLZ database is configured with a dlz
       statement in named.conf:
@@ -2105,7 +2105,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Sample DLZ Driver

+Sample DLZ Driver

 

       For guidance in implementation of DLZ modules, the directory
       contrib/dlz/example contains a basic
@@ -2189,7 +2189,7 @@ $ dnssec-signzone -E '' -S example.net
 

         For an overview of the format and structure of IPv6 addresses,
-        see the section called “IPv6 addresses (AAAA)”.
+        see the section called “IPv6 addresses (AAAA)”.
       

 

 

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index e436155a21..bb712e818c 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -23,7 +23,7 @@
 
 
 
-
+
 
 
 

@@ -131,7 +131,7 @@
 
 Chapter 7. BIND 9 Security Considerations 
 Home
- Appendix A. Appendices
+ Appendix A. Release Notes
 
 
 

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index be1a28d71f..4cdb0687de 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -18,17 +18,17 @@
 
 
 
-Appendix A. Appendices
+Appendix A. Release Notes
 
 
 
 
-
+
 
 
 

 
-
+
@@ -41,11 +41,11 @@
 

 

-Appendix A. Appendices

+Appendix A. Release Notes

 
Table of Contents

 

-
Release Notes for BIND Version 9.11.0pre-alpha

+
Release Notes for BIND Version 9.11.0pre-alpha

 

 
Introduction

 
Download

@@ -56,31 +56,11 @@
 
End of Life

 
Thank You

 

-
Acknowledgments

-
A Brief History of the DNS and BIND

-
General DNS Reference Information

-
IPv6 addresses (AAAA)

-
Bibliography (and Suggested Reading)

-

-
Request for Comments (RFCs)

-
Internet Drafts

-
Other Documents About BIND

-

-
BIND 9 DNS Library Support

-

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

-

 

 

 

-Release Notes for BIND Version 9.11.0pre-alpha

+Release Notes for BIND Version 9.11.0pre-alpha

 

 Introduction

@@ -462,1020 +442,6 @@
     

 

-

-

-Acknowledgments

-

-

-A Brief History of the DNS and BIND
-

-

-            Although the "official" beginning of the Domain Name
-            System occurred in 1984 with the publication of RFC 920, the
-            core of the new system was described in 1983 in RFCs 882 and
-            883. From 1984 to 1987, the ARPAnet (the precursor to today's
-            Internet) became a testbed of experimentation for developing the
-            new naming/addressing scheme in a rapidly expanding,
-            operational network environment.  New RFCs were written and
-            published in 1987 that modified the original documents to
-            incorporate improvements based on the working model. RFC 1034,
-            "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-            Names-Implementation and Specification" were published and
-            became the standards upon which all DNS implementations are
-            built.
-          

-

-            The first working domain name server, called "Jeeves", was
-            written in 1983-84 by Paul Mockapetris for operation on DEC
-            Tops-20
-            machines located at the University of Southern California's
-            Information
-            Sciences Institute (USC-ISI) and SRI International's Network
-            Information
-            Center (SRI-NIC). A DNS server for
-            Unix machines, the Berkeley Internet
-            Name Domain (BIND) package, was
-            written soon after by a group of
-            graduate students at the University of California at Berkeley
-            under
-            a grant from the US Defense Advanced Research Projects
-            Administration
-            (DARPA).
-          

-

-            Versions of BIND through
-            4.8.3 were maintained by the Computer
-            Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-            Painter, David Riggle and Songnian Zhou made up the initial BIND
-            project team. After that, additional work on the software package
-            was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
-            Corporation
-            employee on loan to the CSRG, worked on BIND for 2 years, from 1985
-            to 1987. Many other people also contributed to BIND development
-            during that time: Doug Kingston, Craig Partridge, Smoot
-            Carl-Mitchell,
-            Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently
-            handled by Mike Karels and Øivind Kure.
-          

-

-            BIND versions 4.9 and 4.9.1 were
-            released by Digital Equipment
-            Corporation (now Compaq Computer Corporation). Paul Vixie, then
-            a DEC employee, became BIND's
-            primary caretaker. He was assisted
-            by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
-            Beecher, Andrew
-            Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-            Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-            Wolfhugel, and others.
-          

-

-            In 1994, BIND version 4.9.2 was sponsored by
-            Vixie Enterprises. Paul
-            Vixie became BIND's principal
-            architect/programmer.
-          

-

-            BIND versions from 4.9.3 onward
-            have been developed and maintained
-            by the Internet Systems Consortium and its predecessor,
-            the Internet Software Consortium,  with support being provided
-            by ISC's sponsors.
-          

-

-            As co-architects/programmers, Bob Halley and
-            Paul Vixie released the first production-ready version of
-            BIND version 8 in May 1997.
-          

-

-            BIND version 9 was released in September 2000 and is a
-            major rewrite of nearly all aspects of the underlying
-            BIND architecture.
-          

-

-            BIND versions 4 and 8 are officially deprecated.
-            No additional development is done
-            on BIND version 4 or BIND version 8.
-          

-

-            BIND development work is made
-            possible today by the sponsorship
-            of several corporations, and by the tireless work efforts of
-            numerous individuals.
-          

-

-

-

-

-General DNS Reference Information

-

-

-IPv6 addresses (AAAA)

-

-            IPv6 addresses are 128-bit identifiers for interfaces and
-            sets of interfaces which were introduced in the DNS to facilitate
-            scalable Internet routing. There are three types of addresses: Unicast,
-            an identifier for a single interface;
-            Anycast,
-            an identifier for a set of interfaces; and Multicast,
-            an identifier for a set of interfaces. Here we describe the global
-            Unicast address scheme. For more information, see RFC 3587,
-            "Global Unicast Address Format."
-          

-

-            IPv6 unicast addresses consist of a
-            global routing prefix, a
-            subnet identifier, and an
-            interface identifier.
-          

-

-            The global routing prefix is provided by the
-            upstream provider or ISP, and (roughly) corresponds to the
-            IPv4 network section
-            of the address range.
-
-            The subnet identifier is for local subnetting, much the
-            same as subnetting an
-            IPv4 /16 network into /24 subnets.
-
-            The interface identifier is the address of an individual
-            interface on a given network; in IPv6, addresses belong to
-            interfaces rather than to machines.
-          

-

-            The subnetting capability of IPv6 is much more flexible than
-            that of IPv4: subnetting can be carried out on bit boundaries,
-            in much the same way as Classless InterDomain Routing
-            (CIDR), and the DNS PTR representation ("nibble" format)
-            makes setting up reverse zones easier.
-          

-

-            The Interface Identifier must be unique on the local link,
-            and is usually generated automatically by the IPv6
-            implementation, although it is usually possible to
-            override the default setting if necessary.  A typical IPv6
-            address might look like:
-            2001:db8:201:9:a00:20ff:fe81:2b32
-          

-

-            IPv6 address specifications often contain long strings
-            of zeros, so the architects have included a shorthand for
-            specifying
-            them. The double colon (`::') indicates the longest possible
-            string
-            of zeros that can fit, and can be used only once in an address.
-          

-

-

-

-

-Bibliography (and Suggested Reading)

-

-

-Request for Comments (RFCs)

-

-            Specification documents for the Internet protocol suite, including
-            the DNS, are published as part of
-            the Request for Comments (RFCs)
-            series of technical notes. The standards themselves are defined
-            by the Internet Engineering Task Force (IETF) and the Internet
-            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
-          

-

-            
-              ftp://www.isi.edu/in-notes/RFCxxxx.txt
-            
-          

-

-            (where xxxx is
-            the number of the RFC). RFCs are also available via the Web at:
-          

-

-            http://www.ietf.org/rfc/.
-          

-

-

-Bibliography

-

-
Standards

-

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

-

-

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

-

-

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
-                  Specification. November 1987. 

-

-

-

-

-Proposed Standards

-

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
-                  Specification. July 1997. 

-

-

-
[RFC2308] M. Andrews. Negative Caching of DNS
-                  Queries. March 1998. 

-

-

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

-

-

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

-

-

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

-

-

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

-

-

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

-

-

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

-

-

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

-

-

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

-

-

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

-

-

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
-                       Key Transaction Authentication for DNS
-                       (GSS-TSIG). October 2003. 

-

-

-

-

-DNS Security Proposed Standards

-

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

-

-

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

-

-

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

-

-

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

-

-

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
-                       Security Extensions. March 2005. 

-

-

-

-
Other Important RFCs About DNS
-                Implementation

-

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
-                  Deployed DNS Software. October 1993. 

-

-

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
-                  Errors and Suggested Fixes. October 1993. 

-

-

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

-

-

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
-                Queries for IPv6 Addresses. May 2005. 

-

-

-

-
Resource Record Types

-

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

-

-

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

-

-

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
-                  the Domain Name System. June 1997. 

-

-

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
-                  Domain
-                  Name System. January 1996. 

-

-

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
-                  Location of
-                  Services. October 1996. 

-

-

-
[RFC2163] A. Allocchio. Using the Internet DNS to
-                  Distribute MIXER
-                  Conformant Global Address Mapping. January 1998. 

-

-

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

-

-

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

-

-

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

-

-

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

-

-

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

-

-

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

-

-

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

-

-

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

-

-

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

-

-

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

-

-

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
-                  version 6. October 2003. 

-

-

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

-

-

-

-

-DNS and the Internet

-

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
-                  and Other Types. April 1989. 

-

-

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
-                  Support. October 1989. 

-

-

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

-

-

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

-

-

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

-

-

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

-

-

-

-

-DNS Operations

-

-
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

-

-

-
[RFC1537] P. Beertema. Common DNS Data File
-                  Configuration Errors. October 1993. 

-

-

-
[RFC1912] D. Barr. Common DNS Operational and
-                  Configuration Errors. February 1996. 

-

-

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

-

-

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
-                  Network Services. October 1997. 

-

-

-

-
Internationalized Domain Names

-

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
-                       and the Other Internet protocols. May 2000. 

-

-

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

-

-

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

-

-

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
-                       for Internationalized Domain Names in
-                       Applications (IDNA). March 2003. 

-

-

-

-
Other DNS-related RFCs

-

-
Note

-

-                  Note: the following list of RFCs, although
-                  DNS-related, are not
-                  concerned with implementing software.
-                

-

-

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
-                  Attributes. May 1993. 

-

-

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

-

-

-
[RFC1794] T. Brisco. DNS Support for Load
-                  Balancing. April 1995. 

-

-

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

-

-

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

-

-

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

-

-

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

-

-

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
-                       Shared Unicast Addresses. April 2002. 

-

-

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

-

-

-

-
Obsolete and Unimplemented Experimental RFC

-

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
-                  Location. November 1994. 

-

-

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

-

-

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
-                       and Renumbering. July 2000. 

-

-

-

-
Obsoleted DNS Security RFCs

-

-
Note

-

-                  Most of these have been consolidated into RFC4033,
-                  RFC4034 and RFC4035 which collectively describe DNSSECbis.
-                

-

-

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

-

-

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

-

-

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

-

-

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
-                       Signing Authority. November 2000. 

-

-

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

-

-

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

-

-

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

-

-

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

-

-

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

-

-

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
-                      (RR) Secure Entry Point (SEP) Flag. April 2004. 

-

-

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

-

-

-

-

-

-

-Internet Drafts

-

-            Internet Drafts (IDs) are rough-draft working documents of
-            the Internet Engineering Task Force. They are, in essence, RFCs
-            in the preliminary stages of development. Implementors are
-            cautioned not
-            to regard IDs as archival, and they should not be quoted or cited
-            in any formal documents unless accompanied by the disclaimer that
-            they are "works in progress." IDs have a lifespan of six months
-            after which they are deleted unless updated by their authors.
-          

-

-

-

-Other Documents About BIND
-

-

-

-

-Bibliography

-

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

-

-

-

-

-

-

-BIND 9 DNS Library Support

-
This version of BIND 9 "exports" its internal libraries so
-  that they can be used by third-party applications more easily (we
-  call them "export" libraries in this document). In addition to
-  all major DNS-related APIs BIND 9 is currently using, the export
-  libraries provide the following features:

-
    
-
  • The newly created "DNS client" module. This is a higher
-      level API that provides an interface to name resolution,
-      single DNS transaction with a particular server, and dynamic
-      update. Regarding name resolution, it supports advanced
-      features such as DNSSEC validation and caching. This module
-      supports both synchronous and asynchronous mode.
    • 
-
  • The new "IRS" (Information Retrieval System) library.
-      It provides an interface to parse the traditional resolv.conf
-      file and more advanced, DNS-specific configuration file for
-      the rest of this package (see the description for the
-      dns.conf file below).
    • 
-
  • As part of the IRS library, newly implemented standard
-      address-name mapping functions, getaddrinfo() and
-      getnameinfo(), are provided. They use the DNSSEC-aware
-      validating resolver backend, and could use other advanced
-      features of the BIND 9 libraries such as caching. The
-      getaddrinfo() function resolves both A and AAAA RRs
-      concurrently (when the address family is unspecified).
    • 
-
  • An experimental framework to support other event
-      libraries than BIND 9's internal event task system.
    • 
-

-

-

-Prerequisite

-
GNU make is required to build the export libraries (other
-  part of BIND 9 can still be built with other types of make). In
-  the reminder of this document, "make" means GNU make. Note that
-  in some platforms you may need to invoke a different command name
-  than "make" (e.g. "gmake") to indicate it's GNU make.

-

-

-

-Compilation

-
-$ ./configure --enable-exportlib [other flags]
-$ make
-

-

-  This will create (in addition to usual BIND 9 programs) and a
-  separate set of libraries under the lib/export directory. For
-  example, lib/export/dns/libdns.a is the archive file of the
-  export version of the BIND 9 DNS library. Sample application
-  programs using the libraries will also be built under the
-  lib/export/samples directory (see below).

-

-

-

-Installation

-
-$ cd lib/export
-$ make install
-

-

-  This will install library object files under the directory
-  specified by the --with-export-libdir configure option (default:
-  EPREFIX/lib/bind9), and header files under the directory
-  specified by the --with-export-includedir configure option
-  (default: PREFIX/include/bind9).
-  Root privilege is normally required.
-  "make install" at the top directory will do the
-  same.
-  

-

-  To see how to build your own
-  application after the installation, see
-  lib/export/samples/Makefile-postinstall.in.

-

-

-

-Known Defects/Restrictions

-
    
-
  • Currently, win32 is not supported for the export
-      library. (Normal BIND 9 application can be built as
-      before).
    • 
-
  • 
-
    The "fixed" RRset order is not (currently) supported in
-      the export library. If you want to use "fixed" RRset order
-      for, e.g. named while still building the
-      export library even without the fixed order support, build
-      them separately:
-      
    
-
    -$ ./configure --enable-fixed-rrset [other flags, but not --enable-exportlib]
-$ make
-$ ./configure --enable-exportlib [other flags, but not --enable-fixed-rrset]
-$ cd lib/export
-$ make
-
    
-
    
-    
    
-
    • 
-
  • The client module and the IRS library currently do not
-      support DNSSEC validation using DLV (the underlying modules
-      can handle it, but there is no tunable interface to enable
-      the feature).
    • 
-
  • RFC 5011 is not supported in the validating stub
-      resolver of the export library. In fact, it is not clear
-      whether it should: trust anchors would be a system-wide
-      configuration which would be managed by an administrator,
-      while the stub resolver will be used by ordinary applications
-      run by a normal user.
    • 
-
  • Not all common /etc/resolv.conf
-      options are supported
-      in the IRS library. The only available options in this
-      version are "debug" and "ndots".
    • 
-

-

-

-

-The dns.conf File

-
The IRS library supports an "advanced" configuration file
-  related to the DNS library for configuration parameters that
-  would be beyond the capability of the
-  resolv.conf file.
-  Specifically, it is intended to provide DNSSEC related
-  configuration parameters. By default the path to this
-  configuration file is /etc/dns.conf.
-  This module is very
-  experimental and the configuration syntax or library interfaces
-  may change in future versions. Currently, only the
-  trusted-keys
-  statement is supported, whose syntax is the same as the same name
-  of statement for named.conf. (See
-  the section called “trusted-keys Statement Grammar” for details.)

-

-

-

-Sample Applications

-
Some sample application programs using this API are
-  provided for reference. The following is a brief description of
-  these applications.
-  

-

-

-sample: a simple stub resolver utility

-

-  It sends a query of a given name (of a given optional RR type) to a
-  specified recursive server, and prints the result as a list of
-  RRs. It can also act as a validating stub resolver if a trust
-  anchor is given via a set of command line options.

-

-  Usage: sample [options] server_address hostname
-  

-

-  Options and Arguments:
-  

-

-

-  -t RRtype
-  

-

-        specify the RR type of the query.  The default is the A RR.
-  

-

-  [-a algorithm] [-e] -k keyname -K keystring
-  

-

-

-        specify a command-line DNS key to validate the answer.  For
-        example, to specify the following DNSKEY of example.com:
-

-


-                example.com. 3600 IN DNSKEY 257 3 5 xxx

-

-

-        specify the options as follows:
-

-
-
-          -e -k example.com -K "xxx"
-
-

-

-        -e means that this key is a zone's "key signing key" (as known
-        as "secure Entry point").
-        When -a is omitted rsasha1 will be used by default.
-  

-

-

-  -s domain:alt_server_address
-  

-

-         specify a separate recursive server address for the specific
-        "domain".  Example: -s example.com:2001:db8::1234
-  

-
server_address

-

-        an IP(v4/v6) address of the recursive server to which queries
-        are sent.
-  

-
hostname

-

-        the domain name for the query
-  

-

-

-

-

-sample-async: a simple stub resolver, working asynchronously

-

-  Similar to "sample", but accepts a list
-  of (query) domain names as a separate file and resolves the names
-  asynchronously.

-

-    Usage: sample-async [-s server_address] [-t RR_type] input_file

-

- Options and Arguments:
-  

-

-

-   -s server_address
-   

-

-   an IPv4 address of the recursive server to which queries are sent.
-  (IPv6 addresses are not supported in this implementation)
-  

-

-   -t RR_type
-  

-

-  specify the RR type of the queries. The default is the A
-  RR.
-  

-

-   input_file
-  

-

-   a list of domain names to be resolved. each line
-  consists of a single domain name. Example:
-  


-  www.example.com

-  mx.example.net

-  ns.xxx.example

-

-

-

-

-

-

-sample-request: a simple DNS transaction client

-

-  It sends a query to a specified server, and
-  prints the response with minimal processing. It doesn't act as a
-  "stub resolver": it stops the processing once it gets any
-  response from the server, whether it's a referral or an alias
-  (CNAME or DNAME) that would require further queries to get the
-  ultimate answer. In other words, this utility acts as a very
-  simplified dig.
-  

-

-  Usage: sample-request [-t RRtype] server_address hostname
-  

-

-    Options and Arguments:
-  

-

-

-   -t RRtype
-  

-

-  specify the RR type of
-  the queries. The default is the A RR.
-  

-

-  server_address
-  

-

-   an IP(v4/v6)
-  address of the recursive server to which the query is sent.
-  

-

-  hostname
-  

-

-  the domain name for the query
-  

-

-

-

-

-sample-gai: getaddrinfo() and getnameinfo() test code

-

-  This is a test program
-  to check getaddrinfo() and getnameinfo() behavior. It takes a
-  host name as an argument, calls getaddrinfo() with the given host
-  name, and calls getnameinfo() with the resulting IP addresses
-  returned by getaddrinfo(). If the dns.conf file exists and
-  defines a trust anchor, the underlying resolver will act as a
-  validating resolver, and getaddrinfo()/getnameinfo() will fail
-  with an EAI_INSECUREDATA error when DNSSEC validation fails.
-  

-

-  Usage: sample-gai hostname
-  

-

-

-

-sample-update: a simple dynamic update client program

-

-  It accepts a single update command as a
-  command-line argument, sends an update request message to the
-  authoritative server, and shows the response from the server. In
-  other words, this is a simplified nsupdate.
-  

-

-   Usage: sample-update [options] (add|delete) "update data"
-  

-

-  Options and Arguments:
-  

-

-

-  -a auth_server
-   

-

-        An IP address of the authoritative server that has authority
-        for the zone containing the update name.  This should normally
-        be the primary authoritative server that accepts dynamic
-        updates.  It can also be a secondary server that is configured
-        to forward update requests to the primary server.
-   

-

-  -k keyfile
-   

-

-        A TSIG key file to secure the update transaction.  The keyfile
-        format is the same as that for the nsupdate utility.
-   

-

-  -p prerequisite
-   

-

-        A prerequisite for the update (only one prerequisite can be
-        specified).  The prerequisite format is the same as that is
-        accepted by the nsupdate utility.
-   

-

-  -r recursive_server
-   

-

-        An IP address of a recursive server that this utility will
-        use.  A recursive server may be necessary to identify the
-        authoritative server address to which the update request is
-        sent.
-   

-

-  -z zonename
-   

-

-        The domain name of the zone that contains
-   

-

-  (add|delete)
-   

-

-        Specify the type of update operation.  Either "add" or "delete"
-        must be specified.
-   

-

-  "update data"
-   

-

-        Specify the data to be updated.  A typical example of the data
-        would look like "name TTL RRtype RDATA".
-  

-

-

-
Note
In practice, either -a or -r must be specified.  Others can
-   be optional; the underlying library routine tries to identify the
-   appropriate server and the zone name for the update.

-

-   Examples: assuming the primary authoritative server of the
-   dynamic.example.com zone has an IPv6 address 2001:db8::1234,
-   

-
-$ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"

-

-     adds an A RR for foo.dynamic.example.com using the given key.
-   

-
-$ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"

-

-     removes all A RRs for foo.dynamic.example.com using the given key.
-   

-
   
-$ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"

-

-     removes all RRs for foo.dynamic.example.com using the given key.
-   

-

-

-

-nsprobe: domain/name server checker in terms of RFC 4074

-

-  It checks a set
-  of domains to see the name servers of the domains behave
-  correctly in terms of RFC 4074. This is included in the set of
-  sample programs to show how the export library can be used in a
-  DNS-related application.
-  

-

- Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
-  

-

-   Options
-  

-

-

-  -d
-  

-

-        run in the "debug" mode.  with this option nsprobe will dump
-        every RRs it receives.
-  

-

-  -v
-  

-

-        increase verbosity of other normal log messages.  This can be
-        specified multiple times
-  

-

-  -c cache_address
-  

-

-        specify an IP address of a recursive (caching) name server.
-        nsprobe uses this server to get the NS RRset of each domain and
-        the A and/or AAAA RRsets for the name servers.  The default
-        value is 127.0.0.1.
-  

-

-  input_file
-  

-

-        a file name containing a list of domain (zone) names to be
-        probed.  when omitted the standard input will be used.  Each
-        line of the input file specifies a single domain name such as
-        "example.com".  In general this domain name must be the apex
-        name of some DNS zone (unlike normal "host names" such as
-        "www.example.com").  nsprobe first identifies the NS RRsets for
-        the given domain name, and sends A and AAAA queries to these
-        servers for some "widely used" names under the zone;
-        specifically, adding "www" and "ftp" to the zone name.
-  

-

-

-

-

-

-Library References

-
As of this writing, there is no formal "manual" of the
-  libraries, except this document, header files (some of them
-  provide pretty detailed explanations), and sample application
-  programs.

-

-

 

@@ -1490,7 +456,8 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 

-
+
Appendix A. Appendices
Appendix A. Release Notes

 

 
 Prev 
 
 
 
 
 
 
 

 Chapter 8. Troubleshooting 
 Home Manual pages Appendix B. A Brief History of the DNS and BIND
+
 

 

 

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index f05ea39ca4..44fc841565 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -18,118 +18,132 @@
 
 
 
-Manual pages
+Appendix B. A Brief History of the DNS and BIND
 
 
 
-
-
+
+
 
 
 

 
-
+
-
Manual pages
Appendix B. A Brief History of the DNS and BIND
+

 

 
 Prev 
   Next
+ Next
 
 

 

 

 

-

-

-

-Manual pages

-

-

+

+

+Appendix B. A Brief History of the DNS and BIND
+

 

 
Table of Contents

-

-

-dig — DNS lookup utility
-

-

-host — DNS lookup utility
-

-

-delv — DNS lookup and validation utility
-

-

-dnssec-checkds — A DNSSEC delegation consistency checking tool.
-

-

-dnssec-coverage — checks future DNSKEY coverage for a zone
-

-

-dnssec-dsfromkey — DNSSEC DS RR generation tool
-

-

-dnssec-importkey — Import DNSKEY records from external systems so they can be managed.
-

-

-dnssec-keyfromlabel — DNSSEC key generation tool
-

-

-dnssec-keygen — DNSSEC key generation tool
-

-

-dnssec-revoke — Set the REVOKED bit on a DNSSEC key
-

-

-dnssec-settime — Set the key timing metadata for a DNSSEC key
-

-

-dnssec-signzone — DNSSEC zone signing tool
-

-

-dnssec-verify — DNSSEC zone verification tool
-

-

-named-checkconf — named configuration file syntax checking tool
-

-

-named-checkzone — zone file validity checking or converting tool
-

-

-named — Internet domain name server
-

-

-named-journalprint — print zone journal in human-readable form
-

-

-named-rrchecker — A syntax checker for individual DNS resource records
-

-

-nsupdate — Dynamic DNS update utility
-

-

-rndc — name server control utility
-

-

-rndc.conf — rndc configuration file
-

-

-rndc-confgen — rndc key generation tool
-

-

-ddns-confgen — ddns key generation tool
-

-

-arpaname — translate IP addresses to the corresponding ARPA names
-

-

-genrandom — generate a file containing random data
-

-

-isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND
-

-

-nsec3hash — generate NSEC3 hash
-

-

+

+

+

+

+

+            Although the "official" beginning of the Domain Name
+            System occurred in 1984 with the publication of RFC 920, the
+            core of the new system was described in 1983 in RFCs 882 and
+            883. From 1984 to 1987, the ARPAnet (the precursor to today's
+            Internet) became a testbed of experimentation for developing the
+            new naming/addressing scheme in a rapidly expanding,
+            operational network environment.  New RFCs were written and
+            published in 1987 that modified the original documents to
+            incorporate improvements based on the working model. RFC 1034,
+            "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+            Names-Implementation and Specification" were published and
+            became the standards upon which all DNS implementations are
+            built.
+          

+

+            The first working domain name server, called "Jeeves", was
+            written in 1983-84 by Paul Mockapetris for operation on DEC
+            Tops-20
+            machines located at the University of Southern California's
+            Information
+            Sciences Institute (USC-ISI) and SRI International's Network
+            Information
+            Center (SRI-NIC). A DNS server for
+            Unix machines, the Berkeley Internet
+            Name Domain (BIND) package, was
+            written soon after by a group of
+            graduate students at the University of California at Berkeley
+            under
+            a grant from the US Defense Advanced Research Projects
+            Administration
+            (DARPA).
+          

+

+            Versions of BIND through
+            4.8.3 were maintained by the Computer
+            Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+            Painter, David Riggle and Songnian Zhou made up the initial BIND
+            project team. After that, additional work on the software package
+            was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
+            Corporation
+            employee on loan to the CSRG, worked on BIND for 2 years, from 1985
+            to 1987. Many other people also contributed to BIND development
+            during that time: Doug Kingston, Craig Partridge, Smoot
+            Carl-Mitchell,
+            Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently
+            handled by Mike Karels and Øivind Kure.
+          

+

+            BIND versions 4.9 and 4.9.1 were
+            released by Digital Equipment
+            Corporation (now Compaq Computer Corporation). Paul Vixie, then
+            a DEC employee, became BIND's
+            primary caretaker. He was assisted
+            by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
+            Beecher, Andrew
+            Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+            Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+            Wolfhugel, and others.
+          

+

+            In 1994, BIND version 4.9.2 was sponsored by
+            Vixie Enterprises. Paul
+            Vixie became BIND's principal
+            architect/programmer.
+          

+

+            BIND versions from 4.9.3 onward
+            have been developed and maintained
+            by the Internet Systems Consortium and its predecessor,
+            the Internet Software Consortium,  with support being provided
+            by ISC's sponsors.
+          

+

+            As co-architects/programmers, Bob Halley and
+            Paul Vixie released the first production-ready version of
+            BIND version 8 in May 1997.
+          

+

+            BIND version 9 was released in September 2000 and is a
+            major rewrite of nearly all aspects of the underlying
+            BIND architecture.
+          

+

+            BIND versions 4 and 8 are officially deprecated.
+            No additional development is done
+            on BIND version 4 or BIND version 8.
+          

+

+            BIND development work is made
+            possible today by the sponsorship
+            of several corporations, and by the tireless work efforts of
+            numerous individuals.
+          

 

 

 

@@ -139,13 +153,13 @@
 
 Prev 
  
- NextNext
 
 
 
-Appendix A. Appendices 
+Appendix A. Release Notes 
 Home
- dig
+ Appendix C. General DNS Reference Information
 
 
 

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index b8468663fb..c2bd8ba066 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -114,39 +114,39 @@
 
 
DNSSEC, Dynamic Zones, and Automatic Signing

 

-
Converting from insecure to secure

-
Dynamic DNS update method

-
Fully automatic zone signing

-
Private-type records

-
DNSKEY rollovers

-
Dynamic DNS update method

-
Automatic key rollovers

-
NSEC3PARAM rollovers via UPDATE

-
Converting from NSEC to NSEC3

-
Converting from NSEC3 to NSEC

-
Converting from secure to insecure

-
Periodic re-signing

-
NSEC3 and OPTOUT

+
Converting from insecure to secure

+
Dynamic DNS update method

+
Fully automatic zone signing

+
Private-type records

+
DNSKEY rollovers

+
Dynamic DNS update method

+
Automatic key rollovers

+
NSEC3PARAM rollovers via UPDATE

+
Converting from NSEC to NSEC3

+
Converting from NSEC3 to NSEC

+
Converting from secure to insecure

+
Periodic re-signing

+
NSEC3 and OPTOUT

 

 
Dynamic Trust Anchor Management

 

-
Validating Resolver

-
Authoritative Server

+
Validating Resolver

+
Authoritative Server

 

 
PKCS#11 (Cryptoki) support

 

-
Prerequisites

-
Native PKCS#11

-
OpenSSL-based PKCS#11

-
PKCS#11 Tools

-
Using the HSM

-
Specifying the engine on the command line

-
Running named with automatic zone re-signing

+
Prerequisites

+
Native PKCS#11

+
OpenSSL-based PKCS#11

+
PKCS#11 Tools

+
Using the HSM

+
Specifying the engine on the command line

+
Running named with automatic zone re-signing

 

 
DLZ (Dynamically Loadable Zones)

 

-
Configuring DLZ

-
Sample DLZ Driver

+
Configuring DLZ

+
Sample DLZ Driver

 

 
IPv6 Support in BIND 9

 

@@ -238,9 +238,9 @@
 
Incrementing and Changing the Serial Number

 
Where Can I Get Help?

 

-
A. Appendices

+
A. Release Notes

 

-
Release Notes for BIND Version 9.11.0pre-alpha

+
Release Notes for BIND Version 9.11.0pre-alpha

 

 
Introduction

 
Download

@@ -251,28 +251,33 @@
 
End of Life

 
Thank You

 

-
Acknowledgments

-
A Brief History of the DNS and BIND

-
General DNS Reference Information

-
IPv6 addresses (AAAA)

-
Bibliography (and Suggested Reading)

+

+
B. A Brief History of the DNS and BIND

+

+
C. General DNS Reference Information

 

-
Request for Comments (RFCs)

-
Internet Drafts

-
Other Documents About BIND

-

-
BIND 9 DNS Library Support

+
IPv6 addresses (AAAA)

+
Bibliography (and Suggested Reading)

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Request for Comments (RFCs)

+
Internet Drafts

+
Other Documents About BIND

 

 
-
I. Manual pages

+
D. BIND 9 DNS Library Support

+

+
BIND 9 DNS Library Support

+

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

+

+

+
I. Manual pages

 

 

 dig — DNS lookup utility
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 9e0a8dc7a5..14259e5671 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -21,7 +21,7 @@
 arpaname
 
 
-
+
 
 
 
@@ -50,20 +50,20 @@
 
arpaname  {ipaddress ...}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -74,7 +74,7 @@
 
 
 Prev 
-Up
+Up
  Next
 
 
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index fd48f497e6..7708ba157e 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -21,7 +21,7 @@
 ddns-confgen
 
 
-
+
 
 
 
@@ -51,7 +51,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name  |   -z zone ]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       tsig-keygen and ddns-confgen
       are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -159,7 +159,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -167,7 +167,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -178,7 +178,7 @@
 
 
 Prev 
-Up
+Up
  Next
 
 
diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index 4177808ef1..58f5d4957c 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -21,7 +21,7 @@
 delv
 
 
-
+
 
 
 
@@ -53,7 +53,7 @@
 
delv  [queryopt...] [query...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
delv
       (Domain Entity Lookup & Validation) is a tool for sending
       DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of delv looks like:
       

@@ -151,7 +151,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a anchor-file

 

@@ -285,7 +285,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
delv
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
@@ -471,12 +471,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/bind.keys

 
/etc/resolv.conf

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8),
       RFC4034,
@@ -493,7 +493,7 @@
 
 
 Prev 
-Up
+Up
  Next
 
 
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 37258daa8f..b15ddd6b75 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -21,8 +21,8 @@
 dig
 
 
-
-
+
+
 
 
 
@@ -31,7 +31,7 @@
 dig
 
 
-Prev 
+Prev 
 Manual pages
  Next
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -152,7 +152,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -260,7 +260,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -688,7 +688,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -734,7 +734,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -748,14 +748,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -763,7 +763,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

@@ -774,8 +774,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 
-
+Prev 
+
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 230944321d..4778c778a8 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -21,7 +21,7 @@
 dnssec-checkds
-
+
@@ -51,7 +51,7 @@
 
dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-f file

 

@@ -88,14 +88,14 @@
 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -106,7 +106,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index e805652e10..d7434373b6 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -21,7 +21,7 @@
 dnssec-coverage
-
+
@@ -50,7 +50,7 @@
 
dnssec-coverage  [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-K directory

 

@@ -192,7 +192,7 @@
 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -201,7 +201,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -212,7 +212,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 2a659b9b72..8f317dc641 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -21,7 +21,7 @@
 dnssec-dsfromkey
-
+
@@ -52,14 +52,14 @@
 
dnssec-dsfromkey  [-h] [-V]

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -144,7 +144,7 @@
 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -159,7 +159,7 @@
     

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
     

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -200,7 +200,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index 10980694b9..3c6b6b1115 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -21,7 +21,7 @@
 dnssec-importkey
-
+
@@ -51,7 +51,7 @@
 
dnssec-importkey  {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-importkey
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-f filename

 

@@ -114,7 +114,7 @@
 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
 

-
FILES

+
FILES

 

       A keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -170,7 +170,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index b3016b721f..b4d606d4fa 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -21,7 +21,7 @@
 dnssec-keyfromlabel
-
+
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -243,7 +243,7 @@
 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -354,7 +354,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -374,7 +374,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index f1ba991261..6b4bcf1d74 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -21,7 +21,7 @@
 dnssec-keygen
-
+
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -285,7 +285,7 @@
 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -359,7 +359,7 @@
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -405,7 +405,7 @@
     

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -426,7 +426,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -435,7 +435,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -446,7 +446,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 55d842c09d..fa1853d76d 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -21,7 +21,7 @@
 dnssec-revoke
-
+
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -109,14 +109,14 @@
 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -127,7 +127,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 6ae8587904..4a3b9bfd3b 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -21,7 +21,7 @@
 dnssec-settime
-
+
@@ -50,7 +50,7 @@
 
dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -131,7 +131,7 @@
 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
 

-
PRINTING OPTIONS

+
PRINTING OPTIONS

 

       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -236,7 +236,7 @@
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -244,7 +244,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -255,7 +255,7 @@
 
-
+
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index e9ef1cb75a..0ec695ee72 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -21,7 +21,7 @@
 dnssec-signzone
-
+
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -512,7 +512,7 @@
 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
 %
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033, RFC 4641.
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -560,7 +560,7 @@ db.example.com.signed
 
-
+
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index f8b60dd6cc..51452acbfc 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -21,7 +21,7 @@
 dnssec-verify
-
+
@@ -50,7 +50,7 @@
 
dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-c class

 

@@ -138,7 +138,7 @@
 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -146,7 +146,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -157,7 +157,7 @@
 
-
+
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 660f598487..815dbf1277 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -21,7 +21,7 @@
 genrandom
-
+
@@ -50,7 +50,7 @@
 
genrandom  [-n number] {size} {filename}

-
DESCRIPTION

+
DESCRIPTION

 

       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     

 

-
ARGUMENTS

+
ARGUMENTS

 

 
-n number

 

@@ -77,14 +77,14 @@
 

 

-
SEE ALSO

+
SEE ALSO

 

       rand(3),
       arc4random(3)
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -95,7 +95,7 @@
 
-
+
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 350d39b11a..4430fe5db0 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -21,7 +21,7 @@
 host
-
+
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
     

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -228,12 +228,12 @@
     

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

@@ -245,7 +245,7 @@
 

-
+
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index d75c77fd90..0ec4bec7f0 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -21,7 +21,7 @@
 isc-hmac-fixup
-
+
@@ -50,7 +50,7 @@
 
isc-hmac-fixup  {algorithm} {secret}

-
DESCRIPTION

+
DESCRIPTION

 

       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     

 

-
SECURITY CONSIDERATIONS

+
SECURITY CONSIDERATIONS

 

       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 2104.
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -105,7 +105,7 @@
 
-
+
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 07a61213bc..e503db0b75 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -21,7 +21,7 @@
 named-checkconf
-
+
@@ -50,7 +50,7 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -119,21 +119,21 @@
 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -144,7 +144,7 @@
 
-
+
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index c9f7ad82d5..b774271952 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -21,7 +21,7 @@
 named-checkzone
-
+
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -305,14 +305,14 @@
 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -320,7 +320,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -331,7 +331,7 @@
 
-
+
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index f497d60b36..72c2e7923a 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -21,7 +21,7 @@
 named-journalprint
-
+
@@ -50,7 +50,7 @@
 
named-journalprint  {journal}

-
DESCRIPTION

+
DESCRIPTION

 

       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -95,7 +95,7 @@
 
-
+
diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index c05b6c674d..f42d3ac359 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -21,7 +21,7 @@
 named-rrchecker
-
+
@@ -50,7 +50,7 @@
 
named-rrchecker  [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

-
DESCRIPTION

+
DESCRIPTION

 
named-rrchecker
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
@@ -78,7 +78,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 1034,
       RFC 1035,
@@ -92,7 +92,7 @@
 

-
+
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 99b7a100b3..e0b0ab108b 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -21,7 +21,7 @@
 named
-
+
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -288,7 +288,7 @@
 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -309,7 +309,7 @@
     

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -326,7 +326,7 @@
     

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -339,7 +339,7 @@
 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -352,7 +352,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -363,7 +363,7 @@
 
-
+
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 51dd739dc5..17a7206a4c 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -21,7 +21,7 @@
 nsec3hash
-
+
@@ -48,7 +48,7 @@
 
nsec3hash  {salt} {algorithm} {iterations} {domain}

-
DESCRIPTION

+
DESCRIPTION

 

       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     

 

-
ARGUMENTS

+
ARGUMENTS

 

 
salt

 

@@ -80,14 +80,14 @@
 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 5155.
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -98,7 +98,7 @@
 
-
+
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index d6f30c5a4d..cb466af8f9 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -21,7 +21,7 @@
 nsupdate
-
+
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -236,7 +236,7 @@
     

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -549,7 +549,7 @@
     

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -603,7 +603,7 @@
     

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -626,7 +626,7 @@
 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 2136,
       RFC 3007,
@@ -641,7 +641,7 @@
     

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
@@ -656,7 +656,7 @@
 

-
+
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index a7500a0820..0ff735b323 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -21,7 +21,7 @@
 rndc-confgen
-
+
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -180,7 +180,7 @@
 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -197,7 +197,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -205,7 +205,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -216,7 +216,7 @@
 
-
+
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 58236efd02..391e4106d1 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -21,7 +21,7 @@
 rndc.conf
-
+
@@ -50,7 +50,7 @@
 
rndc.conf 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
     

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -228,7 +228,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -239,7 +239,7 @@
 
-
+
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index db7d0d528d..3c9b1ebce1 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -21,7 +21,7 @@
 rndc
-
+
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -81,7 +81,7 @@
     

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
 

 

-
COMMANDS

+
COMMANDS

 

       A list of commands supported by rndc can
       be seen by running rndc without arguments.
@@ -620,7 +620,7 @@
 

-
LIMITATIONS

+
LIMITATIONS

 

       There is currently no way to provide the shared secret for a
       key_id without using the configuration file.
@@ -630,7 +630,7 @@
     

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -640,7 +640,7 @@
     

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -651,7 +651,7 @@
 
-
+
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 4753abc405..5b480846b2 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -19,30 +19,9 @@
 
-

-

-

-
 

-

-
Release Notes for BIND Version 9.11.0pre-alpha

-

-
Introduction

-
Download

-
Security Fixes

-
New Features

-
Feature Changes

-
Bug Fixes

-
End of Life

-
Thank You

-

-

-

-

-

- 

-

+

 

-Release Notes for BIND Version 9.11.0pre-alpha

+Release Notes for BIND Version 9.11.0pre-alpha

 

 

 Introduction

@@ -423,7 +402,5 @@
       http://www.isc.org/donate/.
     

 

-

-

-
+

 

 
-Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  
 

 

 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 

 
 Prev UpUp
  Next