If a filename (the last argument) is not provided for named-checkzone or
named-compilezone, or if it is a single dash "-" character,
zone data will be read from stdin.
Example of invocation:
cat /etc/zone_name.db | named-compilezone -f text -F raw \
-o zone_name.raw zone_name
Previously, the dns_name API used isc_thread_key API for TLS, which is
fairly complicated and requires initialization of memory contexts, etc.
This part of code was refactored to use a ISC_THREAD_LOCAL pointer which
greatly simplifies the whole code related to storing TLS variables.
The three functions has been modeled after the arc4random family of
functions, and they will always return random bytes.
The isc_random family of functions internally use these CSPRNG (if available):
1. getrandom() libc call (might be available on Linux and Solaris)
2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
4. crypto library function:
4a. RAND_bytes in case OpenSSL
4b. pkcs_C_GenerateRandom() in case PKCS#11 library
3746. [func] New "max-zone-ttl" option enforces maximum
TTLs for zones. If loading a zone containing a
higher TTL, the load fails. DDNS updates with
higher TTLs are accepted but the TTL is truncated.
(Note: Currently supported for master zones only;
inline-signing slaves will be added.) [RT #38405]
include the serial number of the zone from which
they were generated, if different (as in the case
of inline-signing zones). This is to be used in
inline-signing zones, to track changes between the
unsigned and signed versions of the zone, which may
have different serial numbers.
(Note: raw zonefiles generated by this version of
BIND are no longer compatble with prior versions.
To generate a backward-compatible raw zonefile
using dnssec-signzone or named-compilezone, specify
output format "raw=0" instead of simply "raw".)
[RT #26587]
to DNSSEC but are sematically equal according to plain
DNS. Apply plain DNS comparisons rather than DNSSEC
comparisons when processing UPDATE requests.
dnssec-signzone now removes such semantically duplicate
records prior to signing the RRset.
named-checkzone -r {ignore|warn|fail} (default warn)
named-compilezone -r {ignore|warn|fail} (default warn)
named.conf: check-dup-records {ignore|warn|fail};
* new libisc log module file
* isc_dir_chroot() now also changes the working
directory to "/".
* additional INSISTs
* additional logging when files can't be removed.
