Add documentation for mirror zones

Update the ARM and various option lists with information about the
"mirror" option for slave zones.

bin/named/named.conf.docbook

@@ -861,6 +861,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 		max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
 		min-refresh-time <replaceable>integer</replaceable>;
 		min-retry-time <replaceable>integer</replaceable>;
+		mirror <replaceable>boolean</replaceable>;
 		multi-master <replaceable>boolean</replaceable>;
 		notify ( explicit | master-only | <replaceable>boolean</replaceable> );
 		notify-delay <replaceable>integer</replaceable>;
@@ -966,6 +967,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
 	min-refresh-time <replaceable>integer</replaceable>;
 	min-retry-time <replaceable>integer</replaceable>;
+	mirror <replaceable>boolean</replaceable>;
 	multi-master <replaceable>boolean</replaceable>;
 	notify ( explicit | master-only | <replaceable>boolean</replaceable> );
 	notify-delay <replaceable>integer</replaceable>;

doc/arm/Bv9ARM-book.xml

@@ -12455,6 +12455,46 @@ example.com. NS ns2.example.net.
 		</listitem>
 	      </varlistentry>
 
+	      <varlistentry>
+		<term><command>mirror</command></term>
+		<listitem>
+		  <para>
+		    If set to <userinput>yes</userinput>, causes the
+		    zone to become a mirror zone.  A mirror zone is a
+		    <userinput>slave</userinput> zone whose every
+		    version is subject to DNSSEC validation before being
+		    used.  In order for zone validation to succeed, its
+		    KSK must be configured as a trust anchor.  Answers
+		    coming from a mirror zone look almost exactly like
+		    answers from a regular <userinput>slave</userinput>
+		    zone, with the notable exception of the AA bit not
+		    being set.  The default is <userinput>no</userinput>.
+		    This option is meant to be used for deploying an RFC
+		    7706-style local copy of the root zone, e.g. using a
+		    configuration like this:
+		  </para>
+<programlisting>zone "." {
+	type slave;
+	mirror yes;
+	file "root.mirror";
+	masters {
+		192.228.79.201;       # b.root-servers.net
+		192.33.4.12;          # c.root-servers.net
+		192.5.5.241;          # f.root-servers.net
+		192.112.36.4;         # g.root-servers.net
+		193.0.14.129;         # k.root-servers.net
+		192.0.47.132;         # xfr.cjr.dns.icann.org
+		192.0.32.132;         # xfr.lax.dns.icann.org
+		2001:500:84::b;       # b.root-servers.net
+		2001:500:2f::f;       # f.root-servers.net
+		2001:7fd::1;          # k.root-servers.net
+		2620:0:2830:202::132; # xfr.cjr.dns.icann.org
+		2620:0:2d0:202::132;  # xfr.lax.dns.icann.org
+	};
+};</programlisting>
+		</listitem>
+	      </varlistentry>
+
 	      <varlistentry>
 		<term><command>multi-master</command></term>
 		<listitem>

doc/arm/options.grammar.xml

@@ -181,6 +181,7 @@
 	<command>min-retry-time</command> <replaceable>integer</replaceable>;
 	<command>minimal-any</command> <replaceable>boolean</replaceable>;
 	<command>minimal-responses</command> ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
+	<command>mirror</command> <replaceable>boolean</replaceable>;
 	<command>multi-master</command> <replaceable>boolean</replaceable>;
 	<command>new-zones-directory</command> <replaceable>quoted_string</replaceable>;
 	<command>no-case-compress</command> { <replaceable>address_match_element</replaceable>; ... };

doc/arm/slave.zoneopt.xml

@@ -50,6 +50,7 @@
 	<command>max-transfer-time-out</command> <replaceable>integer</replaceable>;
 	<command>min-refresh-time</command> <replaceable>integer</replaceable>;
 	<command>min-retry-time</command> <replaceable>integer</replaceable>;
+	<command>mirror</command> <replaceable>boolean</replaceable>;
 	<command>multi-master</command> <replaceable>boolean</replaceable>;
 	<command>notify</command> ( explicit | master-only | <replaceable>boolean</replaceable> );
 	<command>notify-delay</command> <replaceable>integer</replaceable>;

doc/misc/options

@@ -784,6 +784,7 @@ view <string> [ <class> ] {
                 max-zone-ttl ( unlimited | <ttlval> );
                 min-refresh-time <integer>;
                 min-retry-time <integer>;
+                mirror <boolean>;
                 multi-master <boolean>;
                 notify ( explicit | master-only | <boolean> );
                 notify-delay <integer>;
@@ -890,6 +891,7 @@ zone <string> [ <class> ] {
         max-zone-ttl ( unlimited | <ttlval> );
         min-refresh-time <integer>;
         min-retry-time <integer>;
+        mirror <boolean>;
         multi-master <boolean>;
         notify ( explicit | master-only | <boolean> );
         notify-delay <integer>;

doc/misc/slave.zoneopt

@@ -37,6 +37,7 @@ zone <string> [ <class> ] {
 	max-transfer-time-out <integer>;
 	min-refresh-time <integer>;
 	min-retry-time <integer>;
+	mirror <boolean>;
 	multi-master <boolean>;
 	notify ( explicit | master-only | <boolean> );
 	notify-delay <integer>;