Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1096,7 +1096,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1132,7 +1132,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1188,7 +1188,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1229,12 +1229,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1256,7 +1256,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1271,27 +1271,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1306,14 +1306,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1335,7 +1335,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1346,7 +1346,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1420,7 +1420,7 @@ $ dnssec-signzone -S -K keys example.net<
Debian Linux, Solaris x86 and Windows Server 2003.
See the HSM vendor documentation for information about
installing, initializing, testing and troubleshooting the
HSM.
@@ -1497,7 +1497,7 @@ $ patch -p1 -d openssl-0.9.8s \
when we configure BIND 9.
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
can carry out cryptographic operations, but it is probably
@@ -1529,7 +1529,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS #11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
times faster than any CPU, so the flavor shall be
@@ -1551,7 +1551,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
interface to a virtual HSM, implemented in the form of encrypted
@@ -1611,12 +1611,12 @@ $ ./Configure linux-x86_64 -pthread \
When building BIND 9, the location of the custom-built
OpenSSL library must be specified via configure.
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
The PKCS #11 library for the AEP Keyper is currently
@@ -1632,7 +1632,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
@@ -1650,7 +1650,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1667,7 +1667,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
pkcs11-keygen to generate a new key pair
@@ -1685,7 +1685,7 @@ $ ./configure --enable-threads \
First, we must set up the runtime environment so the
OpenSSL and PKCS #11 libraries can be loaded:
@@ -1773,7 +1773,7 @@ example.net.signed
The OpenSSL engine can be specified in
named and all of the BIND
dnssec-* tools by using the "-E
@@ -1794,7 +1794,7 @@ $ dnssec-signzone -E '' -S example.net
If you want
named to dynamically re-sign zones using HSM
keys, and/or to to sign new records inserted via nsupdate, then
@@ -1868,7 +1868,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -1917,7 +1917,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 25ec7aa46c..884bf44313 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -78,28 +78,28 @@
- server Statement Definition and
Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and
+
- statistics-channels Statement Definition and
Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition
+
- trusted-keys Statement Definition
and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition
and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone
Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
yes_or_no | break-dnssec ); ]
[ filter-aaaa-on-v6 ( yes_or_no | break-dnssec ); ]
[ filter-aaaa { address_match_list }; ]
- [ dns64 IPv6-prefix {
+ [ dns64 ipv6-prefix {
[ clients { address_match_list }; ]
[ mapped { address_match_list }; ]
[ exclude { address_match_list }; ]
@@ -2410,14 +2410,16 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ deny-answer-aliases { namelist } [ except-from { namelist } ];]
[ rate-limit {
[ responses-per-second number ; ]
- [ errors-per-second number ; ]
+ [ referrals-per-second number ; ]
+ [ nodata-per-second number ; ]
[ nxdomains-per-second number ; ]
+ [ errors-per-second number ; ]
[ all-per-second number ; ]
[ window number ; ]
[ log-only yes_or_no ; ]
[ qps-scale number ; ]
- [ IPv4-prefix-length number ; ]
- [ IPv6-prefix-length number ; ]
+ [ ipv4-prefix-length number ; ]
+ [ ipv6-prefix-length number ; ]
[ slip number ; ]
[ exempt-clients { address_match_list } ; ]
[ max-table-size number ; ]
@@ -3934,7 +3936,7 @@ options {
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3978,7 +3980,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -4195,7 +4197,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4656,7 +4658,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports, avoid-v4-udp-ports, @@ -4698,7 +4700,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4858,7 +4860,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
@@ -5798,7 +5800,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5921,7 +5923,7 @@ deny-answer-aliases { "example.net"; };
BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -6211,58 +6213,89 @@ ns.domain.com.rpz-nsdname CNAME .
- Excessive essentially identical UDP responses - can be discarded by configuring a + Excessive almost identical UDP responses + can be controlled by configuring a rate-limit clause in an - options statement. - This mechanism keeps BIND 9 from being used - in amplifying reflection denial of service attacks - as well as partially protecting BIND 9 itself from - some denial of service attacks. - Very short truncated responses can be sent to provide - rate-limited responses to legitimate - clients within a range of attacked and forged IP addresses, - Legitimate clients react to truncated response by retrying - with TCP. + options or view statement. + This mechanism keeps authoritative BIND 9 from being used + in amplifying reflection denial of service (DoS) attacks. + Short truncated (TC=1) responses can be sent to provide + rate-limited responses to legitimate clients within + a range of forged, attacked IP addresses. + Legitimate clients react to dropped or truncated response + by retrying with UDP or with TCP respectively.
- Rate limiting works by setting - responses-per-second - to a number of repetitions per second for responses for a given name - and record type to a DNS client. + This mechanism is intended for authoritative DNS servers. + It can be used on recursive servers but can slow + applications such as SMTP servers (mail receivers) and + HTTP clients (web browsers) that repeatedly request the + same domains. + When possible, closing "open" recursive servers is better.
- Responses-per-second is a limit on - identical responses instead of a limit on all responses or - even all responses to a single client. - 10 identical responses per second is a generous limit except perhaps - when many clients are using a single IP address via network - address translation (NAT). - The default limit of zero specifies an unbounded limit to turn off - rate-limiting in a view or to only rate-limit NXDOMAIN or other - errors. + Response rate limiting uses a "credit" or "token bucket" scheme. + Each combination of identical response and client + has a conceptual account that earns a specified number + of credits every second. + A prospective response debits its account by one. + Responses are dropped or truncated + while the account is negative. + Responses are tracked within a rolling window of time + which defaults to 15 seconds, but can be configured with + the window option to any value from + 1 to 3600 seconds (1 hour). + The account cannot become more positive than + the per-second limit + or more negative than window + times the per-second limit. + When the specified number of credits for a class of + responses is set to 0, those responses are not rate limited.
- The notion of "identical responses" - and "single DNS client" cannot be simplistic. - All responses to a CIDR block with prefix - length specified with IPv4-prefix-length - (default 24) or IPv6-prefix-length - (default 56) are assumed to come from a single DNS client. - Requests for a name that result in DNS NXDOMAIN - errors are considered identical. + The notions of "identical response" and "DNS client" + for rate limiting are not simplistic. + All responses to an address block are counted as if to a + single client. + The prefix lengths of addresses blocks are + specified with ipv4-prefix-length (default 24) + and ipv6-prefix-length (default 56). +
++ All non-empty responses for a valid domain name (qname) + and record type (qtype) are identical and have a limit specified + with responses-per-second + (default 0 or no limit). + All empty (NODATA) responses for a valid domain, + regardless of query type, are identical. + Responses in the NODATA class are limited by + nodata-per-second + (default responses-per-second). + Requests for any and all undefined subdomains of a given + valid domain result in NXDOMAIN errors, and are identical + regardless of query type. + They are limited by nxdomain-per-second + (default responses-per-second). This controls some attacks using random names, but - accommodates servers that expect many legitimate NXDOMAIN responses - such as anti-spam blacklists. - By default the limit on NXDOMAIN errors is the same as the - responses-per-second value, - but it can be set separately with - nxdomains-per-second. - All requests for all names or types that result in DNS errors - such as SERVFAIL and FORMERR (but not NXDOMAIN) are considered - identical. + can be relaxed or turned off (set to 0) + on servers that expect many legitimate + NXDOMAIN responses, such as from anti-spam blacklists. + Referrals or delegations to the server of a given + domain are identical and are limited by + referrals-per-second + (default responses-per-second). +
++ Responses generated from local wildcards are counted and limited + as if they were for the parent domain name. + This controls flooding using random.wild.example.com. +
++ All requests that result in DNS errors other + than NXDOMAIN, such as SERVFAIL and FORMERR, are identical + regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the @@ -6270,31 +6303,6 @@ ns.domain.com.rpz-nsdname CNAME . but it can be set separately with errors-per-second.
-- Rate limiting uses a "credit" or "token bucket" scheme. - Each identical response has a conceptual account - that is given responses-per-second, - errors-per-second, and - nxdomains-per-second credits every second. - A DNS request triggering some desired response debits - the account by one. - Responses are not sent while the account is negative. - The account cannot become more positive than - the per-second limit - or more negative than window - times the per-second limit. - A DNS client that sends requests that are not - answered can be penalized for up to window - seconds (default 15). -
-- Responses generated from local wildcards are counted and limited - as if they were for the parent domain name. - This prevents flooding by requesting random.wild.example.com. - For similar reasons, NXDOMAIN responses are counted and rate - limited by the valid domain name nearest to the - query name with an SOA record. -
Many attacks using DNS involve UDP requests with forged source addresses. @@ -6304,14 +6312,15 @@ ns.domain.com.rpz-nsdname CNAME . There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. Setting slip to 2 (its default) causes every - other UDP request to be answered with a small response - claiming that the response would have been truncated. - The small size and relative infrequency of the response make - it unattractive for abuse. - Slip must be between 0 and 10. - A value of 0 does not "slip" - or sends no rate limiting truncated responses. - Some error responses includinge REFUSED and SERVFAIL + other UDP request to be answered with a small truncated (TC=1) + response. + The small size and reduced frequency, and so lack of + amplification, of "slipped" responses make them unattractive + for reflection DoS attacks. + slip must be between 0 and 10. + A value of 0 does not "slip"; + no truncated responses are sent due to rate limiting. + Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate.
@@ -6339,8 +6348,8 @@ ns.domain.com.rpz-nsdname CNAME . rate-limit statements in view statements instead of the global option statement. - A rate-limit statement in a view replaces - instead of being merged with a rate-limit + A rate-limit statement in a view replaces, + rather than supplementing, a rate-limit statement among the main options. DNS clients within a view can be exempted from rate limits with the exempt-clients clause. @@ -6617,7 +6626,7 @@ ns.domain.com.rpz-nsdname CNAME .The statistics-channels statement @@ -6716,7 +6725,7 @@ ns.domain.com.rpz-nsdname CNAME .
The trusted-keys statement defines @@ -6756,7 +6765,7 @@ ns.domain.com.rpz-nsdname CNAME .
managed-keys {nameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] @@ -6894,7 +6903,7 @@ ns.domain.com.rpz-nsdname CNAME .The view statement is a powerful feature @@ -7209,10 +7218,10 @@ zone
zone_name[
@@ -7517,7 +7526,7 @@ zone zone_name[The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), @@ -7539,7 +7548,7 @@ zonezone_name[
- allow-notify
@@ -8450,7 +8459,7 @@ example.com. NS ns2.example.net.
@@ -8463,7 +8472,7 @@ example.com. NS ns2.example.net.A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -9200,7 +9209,7 @@ example.com. NS ns2.example.net.
RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -9403,7 +9412,7 @@ example.com. NS ns2.example.net.
As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -9659,7 +9668,7 @@ example.com. NS ns2.example.net.
Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -9720,7 +9729,7 @@ example.com. NS ns2.example.net.
The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -9735,7 +9744,7 @@ example.com. NS ns2.example.net.
When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -9746,7 +9755,7 @@ example.com. NS ns2.example.net.
Syntax: $ORIGIN
domain-name@@ -9775,7 +9784,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename@@ -9811,7 +9820,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl@@ -9830,7 +9839,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range@@ -10272,7 +10281,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -10868,7 +10877,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11022,7 +11031,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11405,7 +11414,7 @@ HOST-127.EXAMPLE. MX 0 . Socket I/O statistics counters are defined per socket types, which are @@ -11560,7 +11569,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index bcda2ae468..f6e3992f04 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,10 +46,10 @@
Table of Contents
@@ -114,7 +114,7 @@ zone "example.com" {On UNIX servers, it is possible to run BIND @@ -140,7 +140,7 @@ zone "example.com" {
In order for a chroot environment to @@ -168,7 +168,7 @@ zone "example.com" {
Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index ccd064856a..561f7c018a 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@
The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 0fcf4e6db7..9eaa364f72 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,31 +45,31 @@
Table of Contents
@@ -278,42 +278,42 @@Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-@@ -322,19 +322,19 @@[RFC3645] Generic Security Service Algorithm for Secret +
[RFC3645] Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-@@ -342,146 +342,146 @@[RFC4035] Protocol Modifications for the DNS +
[RFC4035] Protocol Modifications for the DNS Security Extensions. March 2005.
Other Important RFCs About DNS Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely +
[RFC1535] A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.
-[RFC1536] Common DNS Implementation +
[RFC1536] Common DNS Implementation Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS +
[RFC4074] Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using +
[RFC2168] Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the +
[RFC1876] A Means for Expressing Location Information in the Domain Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the +
[RFC2052] A DNS RR for Specifying the Location of Services.. October 1996.
-[RFC2163] Using the Internet DNS to +
[RFC2163] Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names +
[RFC1101] DNS Encoding of Network Names and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and +
[RFC1123] Requirements for Internet Hosts - Application and Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide.. November 1987.
-[RFC1912] Common DNS Operational and +
[RFC1912] Common DNS Operational and Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names, +
[RFC2825] A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.
-@@ -497,47 +497,47 @@[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
-[RFC1464] Using the Domain Name System To Store Arbitrary String +
[RFC1464] Using the Domain Name System To Store Arbitrary String Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via +
[RFC3258] Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
@@ -551,39 +551,39 @@Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical +
[RFC1712] DNS Encoding of Geographical Location. November 1994.
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC) +
[RFC3008] Domain Name System Security (DNSSEC) Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record +
[RFC3757] Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.
-@@ -604,14 +604,14 @@[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
-@@ -648,7 +648,7 @@DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -657,7 +657,7 @@
$./configure --enable-exportlib$[other flags]make@@ -672,7 +672,7 @@ $make$cd lib/export$make install@@ -694,7 +694,7 @@ $make install
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -734,7 +734,7 @@ $
makeThe IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -752,14 +752,14 @@ $
makeSome sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -823,7 +823,7 @@ $
makeSimilar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -864,7 +864,7 @@ $
makeIt sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -905,7 +905,7 @@ $
makeThis is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -922,7 +922,7 @@ $
makeIt accepts a single update command as a command-line argument, sends an update request message to the @@ -1017,7 +1017,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmIt checks a set of domains to see the name servers of the domains behave @@ -1074,7 +1074,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmAs of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index b8ad7e7883..093601786e 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -113,38 +113,38 @@
DNSSEC, Dynamic Zones, and Automatic Signing -
- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Converting from insecure to secure
+- Dynamic DNS update method
+- Fully automatic zone signing
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
+- Periodic re-signing
+- NSEC3 and OPTOUT
Dynamic Trust Anchor Management PKCS #11 (Cryptoki) support -
- Prerequisites
-- Building BIND 9 with PKCS#11
-- PKCS #11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Building BIND 9 with PKCS#11
+- PKCS #11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones) IPv6 Support in BIND 9 - @@ -192,28 +192,28 @@
- server Statement Definition and Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and +
- statistics-channels Statement Definition and Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition +
- trusted-keys Statement Definition and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File +Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics @@ -222,41 +222,41 @@7. BIND 9 Security Considerations 8. Troubleshooting A. Appendices I. Manual pages diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index f3ec59d012..10d2f05b40 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@
arpaname{ipaddress...}-diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index fc02913899..86f92b229e 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen[-a] [algorithm-h] [-k] [keyname-r] [ -srandomfilename| -zzone] [-q] [name]-diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 99c663a0df..ab4fb8204e 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@DESCRIPTION
+DESCRIPTION
ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -77,7 +77,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@
-OPTIONS
+OPTIONS
The
-boption sets the source IP address of the query toaddress. This must be a valid @@ -256,7 +256,7 @@-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -607,7 +607,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -653,7 +653,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -667,14 +667,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -682,7 +682,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index e3f0c035da..c66829044a 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -51,14 +51,14 @@
dnssec-dsfromkey{-s} [-1] [-2] [-a] [alg-K] [directory-l] [domain-s] [-c] [class-T] [TTL-f] [file-A] [-v] {dnsname}level-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -164,13 +164,13 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 1983cf1650..76b7669e94 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -180,7 +180,7 @@
dnssec-keyfromlabel{-llabel} [-3] [-a] [algorithm-A] [date/offset-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-I] [date/offset-k] [-K] [directory-L] [ttl-n] [nametype-P] [date/offset-p] [protocol-R] [date/offset-t] [type-v] [level-y] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -63,7 +63,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -239,7 +239,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -278,7 +278,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index ec6bcc31b6..2c60c870e5 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -286,7 +286,7 @@
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-3] [-A] [date/offset-C] [-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-g] [generator-h] [-I] [date/offset-i] [interval-K] [directory-L] [ttl-k] [-P] [date/offset-p] [protocol-q] [-R] [date/offset-r] [randomdev-S] [key-s] [strength-t] [type-v] [level-z] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -345,7 +345,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -412,7 +412,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 306ab391d6..aa5e1eaafc 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -421,7 +421,7 @@
dnssec-revoke[-hr] [-v] [level-K] [directory-E] [engine-f] [-R] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index ed1bbc698a..e4dcb0b441 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime[-f] [-K] [directory-L] [ttl-P] [date/offset-A] [date/offset-R] [date/offset-I] [date/offset-D] [date/offset-h] [-v] [level-E] {keyfile}engine-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P,-A, @@ -76,7 +76,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -197,7 +197,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -223,7 +223,7 @@
-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index d7f3d38a6e..95f63ec4b3 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -231,7 +231,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-D] [-E] [engine-e] [end-time-f] [output-file-g] [-h] [-K] [directory-k] [key-L] [serial-l] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-P] [-p] [-R] [-r] [randomdev-S] [-s] [start-time-T] [ttl-t] [-u] [-v] [level-X] [extended end-time-x] [-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index b79609d695..07bc23b2b5 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -496,14 +496,14 @@ db.example.com.signed %
dnssec-verify[-c] [class-E] [engine-I] [input-format-o] [origin-v] [level-x] [-z] {zonefile}-diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 396e38f939..930423b619 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@
genrandom[-n] {numbersize} {filename}-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 8755efc33d..f6ef14005c 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 89b8f550ee..6683bbef79 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@
isc-hmac-fixup{algorithm} {secret}-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
-diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 7c87592afb..047c5f4762 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-p] [-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 30e376ea98..8ab3299b9c 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-J] [filename-i] [mode-k] [mode-m] [mode-n] [mode-L] [serial-r] [mode-s] [style-t] [directory-w] [directory-D] [-W] {mode-o} {zonename} {filename}filename-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 1f458eb2ae..21b0ffe67f 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint{journal}-diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 1fa9ca018b..6caa0b3ea9 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named[-4] [-6] [-c] [config-file-d] [debug-level-E] [engine-name-f] [-g] [-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-U] [#listeners-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -277,7 +277,7 @@
-diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index c5bd48d0df..62dccd4a6c 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -294,7 +294,7 @@
nsec3hash{salt} {algorithm} {iterations} {domain}-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 72366cafa4..e27422c4fc 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
nsupdate[-d] [-D] [[-g] | [-o] | [-l] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [-T] [-P] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -226,7 +226,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index eecea16b5e..b1baa345cb 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@
rndc-confgen[-a] [-A] [algorithm-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 8985293a52..169fa91596 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 63f3cf414c..972586ce28 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -220,7 +220,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-V] [-y] {command}key_id-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@
-OPTIONS
+OPTIONS
- -b
source-address@@ -153,7 +153,7 @@
-diff --git a/doc/misc/options b/doc/misc/options index 668ec88cd3..de8b033137 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -206,17 +206,18 @@ options { queryport-pool-updateintervalLIMITATIONS
+LIMITATIONS
rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -167,7 +167,7 @@
; // obsolete random-device ; rate-limit { - IPv4-prefix-length ; - IPv6-prefix-length ; all-per-second ; errors-per-second ; exempt-clients { ; ... }; + ipv4-prefix-length ; + ipv6-prefix-length ; log-only ; max-table-size ; min-table-size ; + nodata-per-second ; nxdomains-per-second ; qps-scale ; - responses-per-second ; + referrals-per-second ; responses-per-second ; slip ; window ; @@ -450,17 +451,18 @@ view { queryport-pool-ports ; // obsolete queryport-pool-updateinterval ; // obsolete rate-limit { - IPv4-prefix-length ; - IPv6-prefix-length ; all-per-second ; errors-per-second ; exempt-clients { ; ... }; + ipv4-prefix-length ; + ipv6-prefix-length ; log-only ; max-table-size ; min-table-size ; + nodata-per-second ; nxdomains-per-second ; qps-scale ; - responses-per-second ; + referrals-per-second ; responses-per-second ; slip ; window ;