diff --git a/FAQ b/FAQ index ed6ec56b8f..29475d47a1 100644 --- a/FAQ +++ b/FAQ @@ -92,7 +92,7 @@ Q: I'm trying to use TSIG to authenticate dynamic updates or zone rejecting the TSIG. Why? A: This may be a clock skew problem. Check that the the clocks on the - client and server are properly synchronised (e.g., using ntp). + client and server are properly synchronized (e.g., using ntp). Q: I see a log message like the following. Why? diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index e4ad387818..e4d7fe35d1 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -207,7 +207,7 @@ Enable memory usage debugging\&. .PP \-p \fIport\fR .RS 4 -Send the query to a non\-standard port on the server, instead of the defaut port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&. +Send the query to a non\-standard port on the server, instead of the default port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&. .RE .PP \-q \fIname\fR diff --git a/bin/dig/dig.html b/bin/dig/dig.html index bebdd6753e..d3a422b794 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -191,7 +191,7 @@
-p port

Send the query to a non-standard port on the server, - instead of the defaut port 53. This option would be used + instead of the default port 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number.

diff --git a/bin/dnssec/dnssec-importkey.8 b/bin/dnssec/dnssec-importkey.8 index 3940077200..042d474816 100644 --- a/bin/dnssec/dnssec-importkey.8 +++ b/bin/dnssec/dnssec-importkey.8 @@ -44,7 +44,7 @@ .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" -dnssec-importkey \- Import DNSKEY records from external systems so they can be managed\&. +dnssec-importkey \- import DNSKEY records from external systems so they can be managed .SH "SYNOPSIS" .HP \w'\fBdnssec\-importkey\fR\ 'u \fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR} diff --git a/bin/dnssec/dnssec-importkey.html b/bin/dnssec/dnssec-importkey.html index 6f1d657ffc..219b13aa6d 100644 --- a/bin/dnssec/dnssec-importkey.html +++ b/bin/dnssec/dnssec-importkey.html @@ -24,7 +24,7 @@

Name

-

dnssec-importkey — Import DNSKEY records from external systems so they can be managed.

+

dnssec-importkey — import DNSKEY records from external systems so they can be managed

Synopsis

diff --git a/bin/dnssec/dnssec-revoke.8 b/bin/dnssec/dnssec-revoke.8 index a8b4b09dae..284c71072d 100644 --- a/bin/dnssec/dnssec-revoke.8 +++ b/bin/dnssec/dnssec-revoke.8 @@ -44,7 +44,7 @@ .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" -dnssec-revoke \- Set the REVOKED bit on a DNSSEC key +dnssec-revoke \- set the REVOKED bit on a DNSSEC key .SH "SYNOPSIS" .HP \w'\fBdnssec\-revoke\fR\ 'u \fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile} diff --git a/bin/dnssec/dnssec-revoke.html b/bin/dnssec/dnssec-revoke.html index b2fa32d9c2..02d65f295a 100644 --- a/bin/dnssec/dnssec-revoke.html +++ b/bin/dnssec/dnssec-revoke.html @@ -23,7 +23,7 @@

Name

-

dnssec-revoke — Set the REVOKED bit on a DNSSEC key

+

dnssec-revoke — set the REVOKED bit on a DNSSEC key

Synopsis

diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8 index 599eca4776..0409b958ac 100644 --- a/bin/dnssec/dnssec-settime.8 +++ b/bin/dnssec/dnssec-settime.8 @@ -44,7 +44,7 @@ .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" -dnssec-settime \- Set the key timing metadata for a DNSSEC key +dnssec-settime \- set the key timing metadata for a DNSSEC key .SH "SYNOPSIS" .HP \w'\fBdnssec\-settime\fR\ 'u \fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile} diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html index 509cf1190c..f0d4933138 100644 --- a/bin/dnssec/dnssec-settime.html +++ b/bin/dnssec/dnssec-settime.html @@ -23,7 +23,7 @@

Name

-

dnssec-settime — Set the key timing metadata for a DNSSEC key

+

dnssec-settime — set the key timing metadata for a DNSSEC key

Synopsis

diff --git a/bin/python/dnssec-checkds.8 b/bin/python/dnssec-checkds.8 index 4706dc6ed5..540c03d545 100644 --- a/bin/python/dnssec-checkds.8 +++ b/bin/python/dnssec-checkds.8 @@ -44,7 +44,7 @@ .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" -dnssec-checkds \- A DNSSEC delegation consistency checking tool\&. +dnssec-checkds \- DNSSEC delegation consistency checking tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-checkds\fR\ 'u \fBdnssec\-checkds\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone} diff --git a/bin/python/dnssec-checkds.html b/bin/python/dnssec-checkds.html index f7f49de367..df2fa892cb 100644 --- a/bin/python/dnssec-checkds.html +++ b/bin/python/dnssec-checkds.html @@ -23,7 +23,7 @@

Name

-

dnssec-checkds — A DNSSEC delegation consistency checking tool.

+

dnssec-checkds — DNSSEC delegation consistency checking tool

Synopsis

diff --git a/bin/tools/named-rrchecker.1 b/bin/tools/named-rrchecker.1 index 6bb7121ed8..d021a916d1 100644 --- a/bin/tools/named-rrchecker.1 +++ b/bin/tools/named-rrchecker.1 @@ -44,7 +44,7 @@ .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" -named-rrchecker \- A syntax checker for individual DNS resource records +named-rrchecker \- syntax checker for individual DNS resource records .SH "SYNOPSIS" .HP \w'\fBnamed\-rrchecker\fR\ 'u \fBnamed\-rrchecker\fR [\fB\-h\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-u\fR] [\fB\-C\fR] [\fB\-T\fR] [\fB\-P\fR] diff --git a/bin/tools/named-rrchecker.html b/bin/tools/named-rrchecker.html index d828cea572..a577689ac0 100644 --- a/bin/tools/named-rrchecker.html +++ b/bin/tools/named-rrchecker.html @@ -24,7 +24,7 @@

Name

-

named-rrchecker — A syntax checker for individual DNS resource records

+

named-rrchecker — syntax checker for individual DNS resource records

Synopsis

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index f437f657d3..633ed672ba 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -134,12 +134,14 @@

Note

+

As a slave zone can also be a master to other slaves, named, by default, sends NOTIFY messages for every zone it loads. Specifying notify master-only; will cause named to only send NOTIFY for master zones that it loads. -

+

+

@@ -1064,9 +1066,11 @@ options {

Note

+

None of the keys listed in this example are valid. In particular, the root key is not valid. -

+

+

When DNSSEC validation is enabled and properly configured, the resolver will reject any answers from signed, secure zones @@ -1614,12 +1618,14 @@ $ /opt/pkcs11/usr/bin/softhsm-util --init-token

Note

+

The latest OpenSSL versions as of this writing (January 2015) are 0.9.8zc, 1.0.0o, and 1.0.1j. ISC will provide updated patches as new versions of OpenSSL are released. The version number in the following examples is expected to change. -

+

+

Before building BIND 9 with PKCS#11 support, it will be necessary to build OpenSSL with the patch in place, and configure @@ -1642,10 +1648,12 @@ $ patch -p1 -d openssl-0.9.8zc \

Note

- Note that the patch file may not be compatible with the +

+ The patch file may not be compatible with the "patch" utility on all operating systems. You may need to install GNU patch. -

+

+

When building OpenSSL, place it in a non-standard location so that it does not interfere with OpenSSL libraries diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index fadf671186..21b6a3652d 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -475,7 +475,7 @@ followed by '%' to represent percents.

- The behaviour is exactly the same as + The behavior is exactly the same as size_spec, but size_or_percent allows also to specify a positive integer value followed by @@ -3876,7 +3876,6 @@ options { queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. - See also fetch-glue above.

request-nsid

@@ -5242,13 +5241,15 @@ avoid-v6-udp-ports {};

Note

+

If you do not wish the alternate transfer source to be used, you should set use-alt-transfer-source appropriately and you should not depend upon getting an answer back to the first refresh query. -

+

+
alt-transfer-source-v6

@@ -6334,7 +6335,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. Queries to - look up top level comains such as "com" and "net" + look up top level domains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 75.

@@ -6613,11 +6614,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

Note

+

The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built-in empty zones. This will enable them to return referrals to deeper in the tree. -

+

+
empty-server

@@ -7055,7 +7058,7 @@ deny-answer-aliases { "example.net"; };

A special form of local data is a CNAME whose target is a wildcard such as *.example.com. - It is used as if were an ordinary CNAME after the astrisk (*) + It is used as if were an ordinary CNAME after the asterisk (*) has been replaced with the query name. The purpose for this special form is query logging in the walled garden's authority DNS server. @@ -9198,7 +9201,7 @@ example.com. NS ns2.example.net. unsigned zone is transferred in or loaded from disk and a signed version of the zone is served, with possibly, a different serial number. This - behaviour is disabled by default. + behavior is disabled by default.

multi-master

@@ -9413,7 +9416,7 @@ example.com. NS ns2.example.net. The name field is subject to DNS wildcard expansion, and this rule matches when the name being updated - name is a valid expansion of the wildcard. + is a valid expansion of the wildcard.

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 54d56fcb92..9ac05c223f 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -312,10 +312,12 @@ allow-query { !{ !10/8; any; }; key example; };

Note

- Note that if the named daemon is running as an +

+ If the named daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded. -

+

+
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 805853d581..8fd7128638 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -88,7 +88,7 @@ records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #4098] + in CVE-2015-8000. [RT #40987]

  • An incorrect boundary check in the OPENPGPKEY rdatatype @@ -504,6 +504,9 @@

    Feature Changes

      +
    • + Updated the complied in addresses for H.ROOT-SERVERS.NET. +

    • ACLs containing geoip asnum elements were not correctly matched unless the full organization name was diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 29529edee8..86cc87436f 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -432,9 +432,13 @@ $ make

    -

    Note

    In practice, either -a or -r must be specified. Others can - be optional; the underlying library routine tries to identify the - appropriate server and the zone name for the update.
    +

    Note

    +

    + In practice, either -a or -r must be specified. Others can + be optional; the underlying library routine tries to identify the + appropriate server and the zone name for the update. +

    +
  • Examples: assuming the primary authoritative server of the dynamic.example.com zone has an IPv6 address 2001:db8::1234, diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index 0382467824..08894680a0 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -57,7 +57,7 @@ delv — DNS lookup and validation utility

    -dnssec-checkds — A DNSSEC delegation consistency checking tool. +dnssec-checkds — DNSSEC delegation consistency checking tool
    dnssec-coverage — checks future DNSKEY coverage for a zone @@ -66,7 +66,7 @@ dnssec-dsfromkey — DNSSEC DS RR generation tool
    -dnssec-importkey — Import DNSKEY records from external systems so they can be managed. +dnssec-importkey — import DNSKEY records from external systems so they can be managed
    dnssec-keyfromlabel — DNSSEC key generation tool @@ -75,10 +75,10 @@ dnssec-keygen — DNSSEC key generation tool
    -dnssec-revoke — Set the REVOKED bit on a DNSSEC key +dnssec-revoke — set the REVOKED bit on a DNSSEC key
    -dnssec-settime — Set the key timing metadata for a DNSSEC key +dnssec-settime — set the key timing metadata for a DNSSEC key
    dnssec-signzone — DNSSEC zone signing tool @@ -105,7 +105,7 @@ named-journalprint — print zone journal in human-readable form
    -named-rrchecker — A syntax checker for individual DNS resource records +named-rrchecker — syntax checker for individual DNS resource records
    nsupdate — Dynamic DNS update utility diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 268b8bea09..708572be9e 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -292,7 +292,7 @@ delv — DNS lookup and validation utility
    -dnssec-checkds — A DNSSEC delegation consistency checking tool. +dnssec-checkds — DNSSEC delegation consistency checking tool
    dnssec-coverage — checks future DNSKEY coverage for a zone @@ -301,7 +301,7 @@ dnssec-dsfromkey — DNSSEC DS RR generation tool
    -dnssec-importkey — Import DNSKEY records from external systems so they can be managed. +dnssec-importkey — import DNSKEY records from external systems so they can be managed
    dnssec-keyfromlabel — DNSSEC key generation tool @@ -310,10 +310,10 @@ dnssec-keygen — DNSSEC key generation tool
    -dnssec-revoke — Set the REVOKED bit on a DNSSEC key +dnssec-revoke — set the REVOKED bit on a DNSSEC key
    -dnssec-settime — Set the key timing metadata for a DNSSEC key +dnssec-settime — set the key timing metadata for a DNSSEC key
    dnssec-signzone — DNSSEC zone signing tool @@ -340,7 +340,7 @@ named-journalprint — print zone journal in human-readable form
    -named-rrchecker — A syntax checker for individual DNS resource records +named-rrchecker — syntax checker for individual DNS resource records
    nsupdate — Dynamic DNS update utility diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index f303ed742e..6137348ce6 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -209,7 +209,7 @@
    -p port

    Send the query to a non-standard port on the server, - instead of the defaut port 53. This option would be used + instead of the default port 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number.

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 35b0d0ddda..8dd13053bf 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -42,7 +42,7 @@

    Name

    -

    dnssec-checkds — A DNSSEC delegation consistency checking tool.

    +

    dnssec-checkds — DNSSEC delegation consistency checking tool

    Synopsis

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 478ca15b37..5feae314d8 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -42,7 +42,7 @@

    Name

    -

    dnssec-importkey — Import DNSKEY records from external systems so they can be managed.

    +

    dnssec-importkey — import DNSKEY records from external systems so they can be managed

    Synopsis

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index bca580301b..b07c1c94fb 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -42,7 +42,7 @@

    Name

    -

    dnssec-revoke — Set the REVOKED bit on a DNSSEC key

    +

    dnssec-revoke — set the REVOKED bit on a DNSSEC key

    Synopsis

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 9946cd0887..2a847b8d6d 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -42,7 +42,7 @@

    Name

    -

    dnssec-settime — Set the key timing metadata for a DNSSEC key

    +

    dnssec-settime — set the key timing metadata for a DNSSEC key

    Synopsis

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index df84bb20cd..662c575cce 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -42,7 +42,7 @@

    Name

    -

    named-rrchecker — A syntax checker for individual DNS resource records

    +

    named-rrchecker — syntax checker for individual DNS resource records

    Synopsis

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 8f6157ed49..ad26702a32 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -49,7 +49,7 @@ records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #4098] + in CVE-2015-8000. [RT #40987]

  • An incorrect boundary check in the OPENPGPKEY rdatatype @@ -465,6 +465,9 @@

    Feature Changes

      +
    • + Updated the complied in addresses for H.ROOT-SERVERS.NET. +

    • ACLs containing geoip asnum elements were not correctly matched unless the full organization name was
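Review bot: The FAQ hunk (@@ -92,7 +92,7 @@) leaves a doubled word in the unchanged line directly above the edit: "Check that the the clocks on the". Since this hunk already rewrites the next line of the same sentence for spelling, remove the duplicate "the" here too.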
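Review bot: In the bin/dnssec/dnssec-settime.8 hunk, the SYNOPSIS context line lists [-D sync date/offset] twice in a row and has no plain [-D date/offset] entry, while the dnssec-importkey.8 synopsis in this same patch lists both -D and -D sync. That looks like a copy error in the synopsis; if so, change the first of the two to plain -D while the NAME line is being touched.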
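Review bot: The doc/arm/Bv9ARM.ch06.html hunk at @@ -3876,7 +3876,6 @@ deletes the sentence "See also fetch-glue above.", which is a content change rather than a spelling fix, so it should be called out in the commit message or split into its own change. The context line above it also reads "as an effect the server's internal operation", which is missing "of" and could be fixed in the same hunk.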
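Review bot: The doc/arm/Bv9ARM.ch06.html hunk at @@ -7055,7 +7058,7 @@ corrects "astrisk" but leaves the same line grammatically broken: "It is used as if were an ordinary CNAME" is missing "it". Suggest "It is used as if it were an ordinary CNAME after the asterisk (*) has been replaced with the query name."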
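Review bot: The CVE-2015-8000 hunks in doc/arm/Bv9ARM.ch09.html (@@ -88,7 +88,7 @@) and doc/arm/notes.html (@@ -49,7 +49,7 @@) change the ticket reference from [RT #4098] to [RT #40987], which is a factual correction, not a spelling one. Please confirm the new number against the tracker and mention it in the commit message, since readers use it to trace the security fix. The context line above still reads "to be be accepted" with a doubled "be", which can be fixed in the same hunk.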
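Review bot: The added Feature Changes entry in doc/arm/Bv9ARM.ch09.html (@@ -504,6 +504,9 @@) and doc/arm/notes.html (@@ -465,6 +465,9 @@) introduces a new typo: "Updated the complied in addresses for H.ROOT-SERVERS.NET." should read "compiled-in addresses". This is also a new release note rather than a spelling fix, so it belongs in the commit message or in a separate change.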