From 164ade1482251e1da962b42e5bf0d3aa02a11e03 Mon Sep 17 00:00:00 2001 
From: Tinderbox User Date: Sun, 23 Apr 2017 01:10:00 +0000 Subject: [PATCH] regen v9_11 --- HISTORY | 525 ---------- OPTIONS | 25 - README | 443 --------- bin/named/named.conf.5 | 1337 +++++++++++++++---------- bin/named/named.conf.html | 1356 +++++++++++++++---------- bin/rndc/rndc.8 | 2 +- bin/rndc/rndc.html | 8 +- configure | 14 +- doc/arm/Bv9ARM.ch01.html | 2 +- doc/arm/Bv9ARM.ch02.html | 2 +- doc/arm/Bv9ARM.ch03.html | 2 +- doc/arm/Bv9ARM.ch04.html | 2 +- doc/arm/Bv9ARM.ch05.html | 2 +- doc/arm/Bv9ARM.ch06.html | 2 +- doc/arm/Bv9ARM.ch07.html | 2 +- doc/arm/Bv9ARM.ch08.html | 2 +- doc/arm/Bv9ARM.ch09.html | 219 +---- doc/arm/Bv9ARM.ch10.html | 2 +- doc/arm/Bv9ARM.ch11.html | 2 +- doc/arm/Bv9ARM.ch12.html | 2 +- doc/arm/Bv9ARM.ch13.html | 2 +- doc/arm/Bv9ARM.html | 8 +- doc/arm/man.arpaname.html | 2 +- doc/arm/man.ddns-confgen.html | 2 +- doc/arm/man.delv.html | 2 +- doc/arm/man.dig.html | 2 +- doc/arm/man.dnssec-checkds.html | 2 +- doc/arm/man.dnssec-coverage.html | 2 +- doc/arm/man.dnssec-dsfromkey.html | 2 +- doc/arm/man.dnssec-importkey.html | 2 +- doc/arm/man.dnssec-keyfromlabel.html | 2 +- doc/arm/man.dnssec-keygen.html | 2 +- doc/arm/man.dnssec-keymgr.html | 2 +- doc/arm/man.dnssec-revoke.html | 2 +- doc/arm/man.dnssec-settime.html | 2 +- doc/arm/man.dnssec-signzone.html | 2 +- doc/arm/man.dnssec-verify.html | 2 +- doc/arm/man.dnstap-read.html | 2 +- doc/arm/man.genrandom.html | 2 +- doc/arm/man.host.html | 2 +- doc/arm/man.isc-hmac-fixup.html | 2 +- doc/arm/man.lwresd.html | 2 +- doc/arm/man.mdig.html | 2 +- doc/arm/man.named-checkconf.html | 2 +- doc/arm/man.named-checkzone.html | 2 +- doc/arm/man.named-journalprint.html | 2 +- doc/arm/man.named-nzd2nzf.html | 2 +- doc/arm/man.named-rrchecker.html | 2 +- doc/arm/man.named.conf.html | 1358 +++++++++++++++----------- doc/arm/man.named.html | 2 +- doc/arm/man.nsec3hash.html | 2 +- doc/arm/man.nslookup.html | 2 +- doc/arm/man.nsupdate.html | 2 +- doc/arm/man.pkcs11-destroy.html | 2 +- 
doc/arm/man.pkcs11-keygen.html | 2 +- doc/arm/man.pkcs11-list.html | 2 +- doc/arm/man.pkcs11-tokens.html | 2 +- doc/arm/man.rndc-confgen.html | 2 +- doc/arm/man.rndc.conf.html | 2 +- doc/arm/man.rndc.html | 10 +- doc/arm/notes.html | 213 +--- 61 files changed, 2556 insertions(+), 3058 deletions(-) diff --git a/HISTORY b/HISTORY index 238e263415..e69de29bb2 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,525 +0,0 @@ -Functional enhancements from prior major releases of BIND 9 - -BIND 9.11 - -BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier -releases. New features include: - - * Added support for Catalog Zones, a new method for provisioning - servers: a list of zones to be served is stored in a DNS zone, along - with their configuration parameters. Changes to the catalog zone are - propagated to slaves via normal AXFR/IXFR, whereupon the zones that - are listed in it are automatically added, deleted or reconfigured. - * Added support for "dnstap", a fast and flexible method of capturing - and logging DNS traffic. - * Added support for "dyndb", a new API for loading zone data from an - external database, developed by Red Hat for the FreeIPA project. - * "fetchlimit" quotas are now compiled in by default. These are for the - use of recursive resolvers that are are under high query load for - domains whose authoritative servers are nonresponsive or are - experiencing a denial of service attack: - + "fetches-per-server" limits the number of simultaneous queries - that can be sent to any single authoritative server. The - configured value is a starting point; it is automatically adjusted - downward if the server is partially or completely non-responsive. - The algorithm used to adjust the quota can be configured via the - "fetch-quota-params" option. - + "fetches-per-zone" limits the number of simultaneous queries that - can be sent for names within a single domain. (Note: Unlike - "fetches-per-server", this value is not self-tuning.) - + New stats counters have been added to count queries spilled due to - these quotas. - * Added a new "dnssec-keymgr" key mainenance utility, which can generate - or update keys as needed to ensure that a zone's keys match a defined - DNSSEC policy. - * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" - and is no longer optional. 
EDNS COOKIE is a mechanism enabling clients - to detect off-path spoofed responses, and servers to detect - spoofed-source queries. Clients that identify themselves using COOKIE - options are not subject to response rate limiting (RRL) and can - receive larger UDP responses. - * SERVFAIL responses can now be cached for a limited time (defaulting to - 1 second, with an upper limit of 30). This can reduce the frequency of - retries when a query is persistently failing. - * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to - be skipped if a name server IP address isn't in the cache yet; the - address will be looked up and the rule will be applied on future - queries. - * Added a Python RNDC module. This allows multiple commands to sent over - a persistent RNDC channel, which saves time. - * The "controls" block in named.conf can now grant read-only "rndc" - access to specified clients or keys. Read-only clients could, for - example, check "rndc status" but could not reconfigure or shut down - the server. - * "rndc" commands can now return arbitrarily large amounts of text to - the caller. - * The zone serial number of a dynamically updatable zone can now be set - via "rndc signing -serial ". This allows inline-signing zones to be - set to a specific serial number. - * The new "rndc nta" command can be used to set a Negative Trust Anchor - (NTA), disabling DNSSEC validation for a specific domain; this can be - used when responses from a domain are known to be failing validation - due to administrative error rather than because of a spoofing attack. - Negative trust anchors are strictly temporary; by default they expire - after one hour, but can be configured to last up to one week. - * "rndc delzone" can now be used on zones that were not originally - created by "rndc addzone". - * "rndc modzone" reconfigures a single zone, without requiring the - entire server to be reconfigured. - * "rndc showzone" displays the current configuration of a zone. 
- * "rndc managed-keys" can be used to check the status of RFC 5001 - managed trust anchors, or to force trust anchors to be refreshed. - * "max-cache-size" can now be set to a percentage of available memory. - The default is 90%. - * Update forwarding performance has been improved by allowing a single - TCP connection to be shared by multiple updates. - * The EDNS Client Subnet (ECS) option is now supported for authoritative - servers; if a query contains an ECS option then ACLs containing - "geoip" or "ecs" elements can match against the the address encoded in - the option. This can be used to select a view for a query, so that - different answers can be provided depending on the client network. - * The EDNS EXPIRE option has been implemented on the client side, - allowing a slave server to set the expiration timer correctly when - transferring zone data from another slave server. - * The key generation and manipulation tools (dnssec-keygen, - dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take - "-Psync" and "-Dsync" options to set the publication and deletion - times of CDS and CDNSKEY parent-synchronization records. Both named - and dnssec-signzone can now publish and remove these records at the - scheduled times. - * A new "minimal-any" option reduces the size of UDP responses for query - type ANY by returning a single arbitrarily selected RRset instead of - all RRsets. - * A new "masterfile-style" zone option controls the formatting of text - zone files: When set to "full", a zone file is dumped in - single-line-per-record format. - * "serial-update-method" can now be set to "date". On update, the serial - number will be set to the current date in YYYYMMDDNN format. - * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. - * "named -L " causes named to send log messages to the specified file by - default instead of to the system log. 
- * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, - s for weeks, days, hours, minutes, and seconds. - * "dig +unknownformat" prints dig output in RFC 3597 "unknown record" - presentation format. - * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests. - * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on - requests. - * "mdig" is an alternate version of dig which sends multiple pipelined - TCP queries to a server. Instead of waiting for a response after - sending a query, it sends all queries immediately and displays - responses in the order received. - * "serial-query-rate" no longer controls NOTIFY messages. These are - separately controlled by "notify-rate" and "startup-notify-rate". - * "nsupdate" now performs "check-names" processing by default on records - to be added. This can be disabled with "check-names no". - * The statistics channel now supports DEFLATE compression, reducing the - size of the data sent over the network when querying statistics. - * New counters have been added to the statistics channel to track the - sizes of incoming queries and outgoing responses in histogram buckets, - as specified in RSSAC002. - * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been - added, allowing redirection to a specified DNS namespace instead of a - single redirect zone. - * When starting up, named now ensures that no other named process is - already running. - * Files created by named to store information, including "mkeys" and - "nzf" files, are now named after their corresponding views unless the - view name contains characters incompatible with use as a filename. Old - style filenames (based on the hash of the view name) will still work. - -BIND 9.10.0 - -BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier -releases. 
New features include: - - * DNS Response-rate limiting (DNS RRL), which blunts the impact of - reflection and amplification attacks, is always compiled in and no - longer requires a compile-time option to enable it. - * An experimental "Source Identity Token" (SIT) EDNS option is now - available. Similar to DNS Cookies as invented by Donald Eastlake 3rd, - these are designed to enable clients to detect off-path spoofed - responses, and to enable servers to detect spoofed-source queries. - Servers can be configured to send smaller responses to clients that - have not identified themselves using a SIT option, reducing the - effectiveness of amplification attacks. RRL processing has also been - updated; clients proven to be legitimate via SIT are not subject to - rate limiting. Use "configure --enable-sit" to enable this feature in - BIND. - * A new zone file format, "map", stores zone data in a format that can - be mapped directly into memory, allowing significantly faster zone - loading. - * "delv" (domain entity lookup and validation) is a new tool with - dig-like semantics for looking up DNS data and performing internal - DNSSEC validation. This allows easy validation in environments where - the resolver may not be trustworthy, and assists with troubleshooting - of DNSSEC problems. (NOTE: In previous development releases of BIND - 9.10, this utility was called "delve". The spelling has been changed - to avoid confusion with the "delve" utility included with the Xapian - search engine.) - * Improved EDNS(0) processing for better resolver performance and - reliability over slow or lossy connections. - * A new "configure --with-tuning=large" option tunes certain compiled-in - constants and default settings to values better suited to large - servers with abundant memory. This can improve performance on such - servers, but will consume more memory and may degrade performance on - smaller systems. - * Substantial improvement in response-policy zone (RPZ) performance. 
Up - to 32 response-policy zones can be configured with minimal performance - loss. - * To improve recursive resolver performance, cache records which are - still being requested by clients can now be automatically refreshed - from the authoritative server before they expire, reducing or - eliminating the time window in which no answer is available in the - cache. - * New "rpz-client-ip" triggers and drop policies allowing response - policies based on the IP address of the client. - * ACLs can now be specified based on geographic location using the - MaxMind GeoIP databases. Use "configure --with-geoip" to enable. - * Zone data can now be shared between views, allowing multiple views to - serve the same zones authoritatively without storing multiple copies - in memory. - * New XML schema (version 3) for the statistics channel includes many - new statistics and uses a flattened XML tree for faster parsing. The - older schema is now deprecated. - * A new stylesheet, based on the Google Charts API, displays XML - statistics in charts and graphs on javascript-enabled browsers. - * The statistics channel can now provide data in JSON format as well as - XML. - * New stats counters track TCP and UDP queries received per zone, and - EDNS options received in total. - * The internal and export versions of the BIND libraries (libisc, - libdns, etc) have been unified so that external library clients can - use the same libraries as BIND itself. - * A new compile-time option, "configure --enable-native-pkcs11", allows - BIND 9 cryptography functions to use the PKCS#11 API natively, so that - BIND can drive a cryptographic hardware service module (HSM) directly - instead of using a modified OpenSSL as an intermediary. (Note: This - feature requires an HSM to have a full implementation of the PKCS#11 - API; many current HSMs only have partial implementations. The new - "pkcs11-tokens" command can be used to check API completeness. 
Native - PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM - version 2 from the Open DNSSEC project.) - * The new "max-zone-ttl" option enforces maximum TTLs for zones. This - can simplify the process of rolling DNSSEC keys by guaranteeing that - cached signatures will have expired within the specified amount of - time. - * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying. - * "dig +expire" sends an EDNS EXPIRE option when querying. When this - option is sent with an SOA query to a server that supports it, it will - report the expiry time of a slave zone. - * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and - report if a lapse in signing coverage has been inadvertently - scheduled. - * Signing algorithm flexibility and other improvements for the "rndc" - control channel. - * "named-checkzone" and "named-compilezone" can now read journal files, - allowing them to process dynamic zones. - * Multiple DLZ databases can now be configured. Individual zones can be - configured to be served from a specific DLZ database. DLZ databases - now serve zones of type "master" and "redirect". - * "rndc zonestatus" reports information about a specified zone. - * "named" now listens on IPv6 as well as IPv4 interfaces by default. - * "named" now preserves the capitalization of names when responding to - queries: for instance, a query for "example.com" may be answered with - "example.COM" if the name was configured that way in the zone file. - Some clients have a bug causing them to depend on the older behavior, - in which the case of the answer always matched the case of the query, - rather than the case of the name configured in the DNS. Such clients - can now be specified in the new "no-case-compress" ACL; this will - restore the older behavior of "named" for those clients only. - * new "dnssec-importkey" command allows the use of offline DNSSEC keys - with automatic DNSKEY management. 
- * New "named-rrchecker" tool to verify the syntactic correctness of - individual resource records. - * When re-signing a zone, the new "dnssec-signzone -Q" option drops - signatures from keys that are still published but are no longer - active. - * "named-checkconf -px" will print the contents of configuration files - with the shared secrets obscured, making it easier to share - configuration (e.g. when submitting a bug report) without revealing - private information. - * "rndc scan" causes named to re-scan network interfaces for changes in - local addresses. - * On operating systems with support for routing sockets, network - interfaces are re-scanned automatically whenever they change. - * "tsig-keygen" is now available as an alternate command name to use for - "ddns-confgen". - -BIND 9.9.0 - -BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier -releases. New features include: - - * Inline signing, allowing automatic DNSSEC signing of master zones - without modification of the zonefile, or "bump in the wire" signing in - slaves. - * NXDOMAIN redirection. - * New 'rndc flushtree' command clears all data under a given name from - the DNS cache. - * New 'rndc sync' command dumps pending changes in a dynamic zone to - disk without a freeze/thaw cycle. - * New 'rndc signing' command displays or clears signing status records - in 'auto-dnssec' zones. - * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to - signing, eliminating the need to initially sign with NSEC. - * Startup time improvements on large authoritative servers. - * Slave zones are now saved in raw format by default. - * Several improvements to response policy zones (RPZ). - * Improved hardware scalability by using multiple threads to listen for - queries and using finer-grained client locking - * The 'also-notify' option now takes the same syntax as 'masters', so it - can used named masterlists and TSIG keys. 
- * 'dnssec-signzone -D' writes an output file containing only DNSSEC - data, which can be included by the primary zone file. - * 'dnssec-signzone -R' forces removal of signatures that are not expired - but were created by a key which no longer exists. - * 'dnssec-signzone -X' allows a separate expiration date to be specified - for DNSKEY signatures from other signatures. - * New '-L' option to dnssec-keygen, dnssec-settime, and - dnssec-keyfromlabel sets the default TTL for the key. - * dnssec-dsfromkey now supports reading from standard input, to make it - easier to convert DNSKEY to DS. - * RFC 1918 reverse zones have been added to the empty-zones table per - RFC 6303. - * Dynamic updates can now optionally set the zone's SOA serial number to - the current UNIX time. - * DLZ modules can now retrieve the source IP address of the querying - client. - * 'request-ixfr' option can now be set at the per-zone level. - * 'dig +rrcomments' turns on comments about DNSKEY records, indicating - their key ID, algorithm and function - * Simplified nsupdate syntax and added readline support - -BIND 9.8.0 - -BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier -releases. New features include: - - * Built-in trust anchor for the root zone, which can be switched on via - "dnssec-validation auto;" - * Support for DNS64. - * Support for response policy zones (RPZ). - * Support for writable DLZ zones. - * Improved ease of configuration of GSS/TSIG for interoperability with - Active Directory - * Support for GOST signing algorithm for DNSSEC. - * Removed RTT Banding from server selection algorithm. - * New "static-stub" zone type. - * Allow configuration of resolver timeouts via "resolver-query-timeout" - option. - * The DLZ "dlopen" driver is now built by default. - * Added a new include file with function typedefs for the DLZ "dlopen" - driver. - * Made "--with-gssapi" default. - * More verbose error reporting from DLZ LDAP. 
- -BIND 9.7.0 - -BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier -releases. Most are intended to simplify DNSSEC configuration. New features -include: - - * Fully automatic signing of zones by "named". - * Simplified configuration of DNSSEC Lookaside Validation (DLV). - * Simplified configuration of Dynamic DNS, using the "ddns-confgen" - command line tool or the "local" update-policy option. (As a side - effect, this also makes it easier to configure automatic zone - re-signing.) - * New named option "attach-cache" that allows multiple views to share a - single cache. - * DNS rebinding attack prevention. - * New default values for dnssec-keygen parameters. - * Support for RFC 5011 automated trust anchor maintenance - * Smart signing: simplified tools for zone signing and key maintenance. - * The "statistics-channels" option is now available on Windows. - * A new DNSSEC-aware libdns API for use by non-BIND9 applications - * On some platforms, named and other binaries can now print out a stack - backtrace on assertion failure, to aid in debugging. - * A "tools only" installation mode on Windows, which only installs dig, - host, nslookup and nsupdate. - * Improved PKCS#11 support, including Keyper support and explicit - OpenSSL engine selection. - -BIND 9.6.0 - - * Full NSEC3 support - * Automatic zone re-signing - * New update-policy methods tcp-self and 6to4-self - * The BIND 8 resolver library, libbind, has been removed from the BIND 9 - distribution and is now available as a separate download. - * Change the default pid file location from /var/run to /var/run/ - {named,lwresd} for improved chroot/setuid support. - -BIND 9.5.0 - - * GSS-TSIG support (RFC 3645). - * DHCID support. - * Experimental http server and statistics support for named via xml. - * More detailed statistics counters including those supported in BIND 8. - * Faster ACL processing. - * Use Doxygen to generate internal documentation. - * Efficient LRU cache-cleaning mechanism. 
- * NSID support. - -BIND 9.4.0 - - * Implemented "additional section caching (or acache)", an internal - cache framework for additional section content to improve response - performance. Several configuration options were provided to control - the behavior. - * New notify type 'master-only'. Enable notify for master zones only. - * Accept 'notify-source' style syntax for query-source. - * rndc now allows addresses to be set in the server clauses. - * New option "allow-query-cache". This lets "allow-query" be used to - specify the default zone access level rather than having to have every - zone override the global value. "allow-query-cache" can be set at both - the options and view levels. If "allow-query-cache" is not set then - "allow-recursion" is used if set, otherwise "allow-query" is used if - set unless "recursion no;" is set in which case "none;" is used, - otherwise the default (localhost; localnets;) is used. - * rndc: the source address can now be specified. - * ixfr-from-differences now takes master and slave in addition to yes - and no at the options and view levels. - * Allow the journal's name to be changed via named.conf. - * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the - specified zone. - * 'dig +trace' now randomly selects the next servers to try. Report if - there is a bad delegation. - * Improve check-names error messages. - * Make public the function to read a key file, dst_key_read_public(). - * dig now returns the byte count for axfr/ixfr. - * allow-update is now settable at the options / view level. - * named-checkconf now checks the logging configuration. - * host now can turn on memory debugging flags with '-m'. - * Don't send notify messages to self. - * Perform sanity checks on NS records which refer to 'in zone' names. - * New zone option "notify-delay". Specify a minimum delay between sets - of NOTIFY messages. - * Extend adjusting TTL warning messages. 
- * Named and named-checkzone can now both check for non-terminal wildcard - records. - * "rndc freeze/thaw" now freezes/thaws all zones. - * named-checkconf now check acls to verify that they only refer to - existing acls. - * The server syntax has been extended to support a range of servers. - * Report differences between hints and real NS rrset and associated - address records. - * Preserve the case of domain names in rdata during zone transfers. - * Restructured the data locking framework using architecture dependent - atomic operations (when available), improving response performance on - multi-processor machines significantly. x86, x86_64, alpha, powerpc, - and mips are currently supported. - * UNIX domain controls are now supported. - * Add support for additional zone file formats for improving loading - performance. The masterfile-format option in named.conf can be used to - specify a non-default format. A separate command named-compilezone was - provided to generate zone files in the new format. Additionally, the - -I and -O options for dnssec-signzone specify the input and output - formats. - * dnssec-signzone can now randomize signature end times (dnssec-signzone - -j jitter). - * Add support for CH A record. - * Add additional zone data constancy checks. named-checkzone has - extended checking of NS, MX and SRV record and the hosts they - reference. named has extended post zone load checks. New zone options: - check-mx and integrity-check. - * edns-udp-size can now be overridden on a per server basis. - * dig can now specify the EDNS version when making a query. - * Added framework for handling multiple EDNS versions. - * Additional memory debugging support to track size and mctx arguments. - * Detect duplicates of UDP queries we are recursing on and drop them. - New stats category "duplicates". - * "USE INTERNAL MALLOC" is now runtime selectable. - * The lame cache is now done on a basis as some servers only appear to - be lame for certain query types. 
- * Limit the number of recursive clients that can be waiting for a single - query () to resolve. New options clients-per-query and - max-clients-per-query. - * dig: report the number of extra bytes still left in the packet after - processing all the records. - * Support for IPSECKEY rdata type. - * Raise the UDP recieve buffer size to 32k if it is less than 32k. - * x86 and x86_64 now have seperate atomic locking implementations. - * named-checkconf now validates update-policy entries. - * Attempt to make the amount of work performed in a iteration self - tuning. The covers nodes clean from the cache per iteration, nodes - written to disk when rewriting a master file and nodes destroyed per - iteration when destroying a zone or a cache. - * ISC string copy API. - * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC - 1918 zones are not yet covered by this but are likely to be in a - future release. - * New options: empty-server, empty-contact, empty-zones-enable and - disable-empty-zone. - * dig now has a '-q queryname' and '+showsearch' options. - * host/nslookup now continue (default)/fail on SERVFAIL. - * dig now warns if 'RA' is not set in the answer when 'RD' was set in - the query. host/nslookup skip servers that fail to set 'RA' when 'RD' - is set unless a server is explicitly set. - * Integrate contibuted DLZ code into named. - * Integrate contibuted IDN code from JPNIC. - * libbind: corresponds to that from BIND 8.4.7. - -BIND 9.3.0 - - * DNSSEC is now DS based (RFC 3658). - * DNSSEC lookaside validation. - * check-names is now implemented. - * rrset-order is more complete. - * IPv4/IPv6 transition support, dual-stack-servers. - * IXFR deltas can now be generated when loading master files, - ixfr-from-differences. - * It is now possible to specify the size of a journal, max-journal-size. - * It is now possible to define a named set of master servers to be used - in masters clause, masters. 
- * The advertised EDNS UDP size can now be set, edns-udp-size. - * allow-v6-synthesis has been obsoleted. - * Zones containing MD and MF will now be rejected. - * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than - NOTIMPL. This will have impact on scripts that are looking for - NOTIMPL. - * libbind: corresponds to that from BIND 8.4.5. - -BIND 9.2.0 - - * The size of the cache can now be limited using the "max-cache-size" - option. - * The server can now automatically convert RFC1886-style recursive - lookup requests into RFC2874-style lookups, when enabled using the new - option "allow-v6-synthesis". This allows stub resolvers that support - AAAA records but not A6 record chains or binary labels to perform - lookups in domains that make use of these IPv6 DNS features. - * Performance has been improved. - * The man pages now use the more portable "man" macros rather than the - "mandoc" macros, and are installed by "make install". - * The named.conf parser has been completely rewritten. It now supports - "include" directives in more places such as inside "view" statements, - and it no longer has any reserved words. - * The "rndc status" command is now implemented. - * rndc can now be configured automatically. - * A BIND 8 compatible stub resolver library is now included in lib/bind. - * OpenSSL has been removed from the distribution. This means that to use - DNSSEC, OpenSSL must be installed and the --with-openssl option must - be supplied to configure. This does not apply to the use of TSIG, - which does not require OpenSSL. - * The source distribution now builds on Windows. See win32utils/ - readme1.txt and win32utils/win32-build.txt for details. - * This distribution also includes a new lightweight stub resolver - library and associated resolver daemon that fully support forward and - reverse lookups of both IPv4 and IPv6 addresses. 
This library is - considered experimental and is not a complete replacement for the BIND - 8 resolver library. Applications that use the BIND 8 res_* functions - to perform DNS lookups or dynamic updates still need to be linked - against the BIND 8 libraries. For DNS lookups, they can also use the - new "getrrsetbyname()" API. - * BIND 9.2 is capable of acting as an authoritative server for DNSSEC - secured zones. This functionality is believed to be stable and - complete except for lacking support for verifications involving - wildcard records in secure zones. - * When acting as a caching server, BIND 9.2 can be configured to perform - DNSSEC secure resolution on behalf of its clients. This part of the - DNSSEC implementation is still considered experimental. For detailed - information about the state of the DNSSEC implementation, see the file - doc/misc/dnssec. - diff --git a/OPTIONS b/OPTIONS index 0be74b7aac..e69de29bb2 100644 --- a/OPTIONS +++ b/OPTIONS 
@@ -1,25 +0,0 @@ -Setting the STD_CDEFINES environment variable before running configure can -be used to enable certain compile-time options that are not explicitly -defined in configure. - -Some of these settings are: - -Setting Description - Don't ovewrite memory when allocating or freeing --DISC_MEM_FILL=0 it; this improves performance but makes - debugging more difficult. - Don't track memory allocations by file and line --DISC_MEM_TRACKLINES=0 number; this improves performance but makes - debugging more difficult. --DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named --DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular - well-known ports: --DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone --DCHECK_LOCAL=0 Don't check out-of-zone addresses in - named-checkzone --DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run - rather than ${localstatedir}/run/{named,lwresd}/ - Enable DNSSEC signature chasing support in dig. --DDIG_SIGCHASE=1 (Note: This feature is deprecated. Use delv - instead.) - diff --git a/README b/README index 5e10af2729..e69de29bb2 100644 --- a/README +++ b/README 
@@ -1,443 +0,0 @@ -BIND 9 - -Contents - - 1. Introduction - 2. Reporting bugs and getting help - 3. Contributing to BIND - 4. BIND 9.11 features - 5. Building BIND - 6. Compile-time options - 7. Automated testing - 8. Documentation - 9. Change log -10. Acknowledgments - -Introduction - -BIND (Berkeley Internet Name Domain) is a complete, highly portable -implementation of the DNS (Domain Name System) protocol. - -The BIND name server, named, is able to serve as an authoritative name -server, recursive resolver, DNS forwarder, or all three simultaneously. It -implements views for split-horizon DNS, automatic DNSSEC zone signing and -key management, catalog zones to facilitate provisioning of zone data -throughout a name server constellation, response policy zones (RPZ) to -protect clients from malicious data, response rate limiting (RRL) and -recursive query limits to reduce distributed denial of service attacks, -and many other advanced DNS features. BIND also includes a suite of -administrative tools, including the dig and delv DNS lookup tools, -nsupdate for dynamic DNS zone updates, rndc for remote name server -administration, and more. - -BIND 9 is a complete re-write of the BIND architecture that was used in -versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501 -(c)(3) public benefit corporation dedicated to providing software and -services in support of the Internet infrastructure, developed BIND 9 and -is responsible for its ongoing maintenance and improvement. BIND is open -source software licenced under the terms of the Mozilla Public License, -version 2.0. - -For a summary of features introduced in past major releases of BIND, see -the file HISTORY. - -For a detailed list of changes made throughout the history of BIND 9, see -the file CHANGES. See below for details on the CHANGES file format. 
- -For up-to-date release notes and errata, see http://www.isc.org/software/ -bind9/releasenotes - -Reporting bugs and getting help - -Please report assertion failure errors and suspected security issues to -security-officer@isc.org. - -General bug reports can be sent to bind9-bugs@isc.org. - -Feature requests can be sent to bind-suggest@isc.org. - -Please note that, while ISC's ticketing system is not currently publicly -readable, this may change in the future. Please do not include information -in bug reports that you consider to be confidential. For example, when -sending the contents of your configuration file, it is advisable to -obscure key secrets; this can be done automatically by using -named-checkconf -px. - -Professional support and training for BIND are available from ISC at -https://www.isc.org/support. - -To join the BIND Users mailing list, or view the archives, visit https:// -lists.isc.org/mailman/listinfo/bind-users. - -If you're planning on making changes to the BIND 9 source code, you may -also want to join the BIND Workers mailing list, at https://lists.isc.org/ -mailman/listinfo/bind-workers. - -Contributing to BIND - -A public git repository for BIND is maintained at http://www.isc.org/git/, -and also on Github at https://github.com/isc-projects. - -Information for BIND contributors can be found in the following files: - -General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/ -style.md - BIND architecture and developer guide: doc/dev/dev.md - -Patches for BIND may be submitted either as Github pull requests or via -email. When submitting a patch via email, please prepend the subject -header with "[PATCH]" so it will be easier for us to find. If your patch -introduces a new feature in BIND, please submit it to bind-suggest@isc.org -; if it fixes a bug, please submit it to bind9-bugs@isc.org. - -BIND 9.11 features - -BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier -releases. 
New features include: - - * Added support for Catalog Zones, a new method for provisioning - servers: a list of zones to be served is stored in a DNS zone, along - with their configuration parameters. Changes to the catalog zone are - propagated to slaves via normal AXFR/IXFR, whereupon the zones that - are listed in it are automatically added, deleted or reconfigured. - * Added support for "dnstap", a fast and flexible method of capturing - and logging DNS traffic. - * Added support for "dyndb", a new API for loading zone data from an - external database, developed by Red Hat for the FreeIPA project. - * "fetchlimit" quotas are now compiled in by default. These are for the - use of recursive resolvers that are are under high query load for - domains whose authoritative servers are nonresponsive or are - experiencing a denial of service attack: - + fetches-per-server limits the number of simultaneous queries that - can be sent to any single authoritative server. The configured - value is a starting point; it is automatically adjusted downward - if the server is partially or completely non-responsive. The - algorithm used to adjust the quota can be configured via the - "fetch-quota-params" option. - + fetches-per-zone limits the number of simultaneous queries that - can be sent for names within a single domain. (Note: Unlike - fetches-per-server, this value is not self-tuning.) - + New stats counters have been added to count queries spilled due to - these quotas. - * Added a new dnssec-keymgr key mainenance utility, which can generate - or update keys as needed to ensure that a zone's keys match a defined - DNSSEC policy. - * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" - and is no longer optional. EDNS COOKIE is a mechanism enabling clients - to detect off-path spoofed responses, and servers to detect - spoofed-source queries. 
Clients that identify themselves using COOKIE - options are not subject to response rate limiting (RRL) and can - receive larger UDP responses. - * SERVFAIL responses can now be cached for a limited time (defaulting to - 1 second, with an upper limit of 30). This can reduce the frequency of - retries when a query is persistently failing. - * Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be - skipped if a name server IP address isn't in the cache yet; the - address will be looked up and the rule will be applied on future - queries. - * Added a Python RNDC module. This allows multiple commands to sent over - a persistent RNDC channel, which saves time. - * The controls block in named.conf can now grant read-only rndc access - to specified clients or keys. Read-only clients could, for example, - check rndc status but could not reconfigure or shut down the server. - * rndc commands can now return arbitrarily large amounts of text to the - caller. - * The zone serial number of a dynamically updatable zone can now be set - via rndc signing -serial . This allows - inline-signing zones to be set to a specific serial number. - * The new rndc nta command can be used to set a Negative Trust Anchor - (NTA), disabling DNSSEC validation for a specific domain; this can be - used when responses from a domain are known to be failing validation - due to administrative error rather than because of a spoofing attack. - Negative trust anchors are strictly temporary; by default they expire - after one hour, but can be configured to last up to one week. - * rndc delzone can now be used on zones that were not originally created - by "rndc addzone". - * rndc modzone reconfigures a single zone, without requiring the entire - server to be reconfigured. - * rndc showzone displays the current configuration of a zone. - * rndc managed-keys can be used to check the status of RFC 5001 managed - trust anchors, or to force trust anchors to be refreshed. 
- * max-cache-size can now be set to a percentage of available memory. The - default is 90%. - * Update forwarding performance has been improved by allowing a single - TCP connection to be shared by multiple updates. - * The EDNS Client Subnet (ECS) option is now supported for authoritative - servers; if a query contains an ECS option then ACLs containing geoip - or ecs elements can match against the the address encoded in the - option. This can be used to select a view for a query, so that - different answers can be provided depending on the client network. - * The EDNS EXPIRE option has been implemented on the client side, - allowing a slave server to set the expiration timer correctly when - transferring zone data from another slave server. - * The key generation and manipulation tools (dnssec-keygen, - dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take -Psync - and -Dsync options to set the publication and deletion times of CDS - and CDNSKEY parent-synchronization records. Both named and - dnssec-signzone can now publish and remove these records at the - scheduled times. - * A new minimal-any option reduces the size of UDP responses for query - type ANY by returning a single arbitrarily selected RRset instead of - all RRsets. - * A new masterfile-style zone option controls the formatting of text - zone files: When set to full, a zone file is dumped in - single-line-per-record format. - * serial-update-method can now be set to date. On update, the serial - number will be set to the current date in YYYYMMDDNN format. - * dnssec-signzone -N date sets the serial number to YYYYMMDDNN. - * named -L causes named to send log messages to the specified - file by default instead of to the system log. - * dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s - for weeks, days, hours, minutes, and seconds. - * dig +unknownformat prints dig output in RFC 3597 "unknown record" - presentation format. 
- * dig +ednsopt allows dig to set arbitrary EDNS options on requests. - * dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on - requests. - * mdig is an alternate version of dig which sends multiple pipelined TCP - queries to a server. Instead of waiting for a response after sending a - query, it sends all queries immediately and displays responses in the - order received. - * serial-query-rate no longer controls NOTIFY messages. These are - separately controlled by notify-rate and startup-notify-rate. - * nsupdate now performs check-names processing by default on records to - be added. This can be disabled with check-names no. - * The statistics channel now supports DEFLATE compression, reducing the - size of the data sent over the network when querying statistics. - * New counters have been added to the statistics channel to track the - sizes of incoming queries and outgoing responses in histogram buckets, - as specified in RSSAC002. - * A new NXDOMAIN redirect method (option nxdomain-redirect) has been - added, allowing redirection to a specified DNS namespace instead of a - single redirect zone. - * When starting up, named now ensures that no other named process is - already running. - * Files created by named to store information, including mkeys and nzf - files, are now named after their corresponding views unless the view - name contains characters incompatible with use as a filename. Old - style filenames (based on the hash of the view name) will still work. - -BIND 9.11.1 - -BIND 9.11.1 is a maintenance release, and addresses the security flaws -disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, -CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137 -and CVE-2017-3138. - -Building BIND - -BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX -support, and a 64-bit integer type. 
Successful builds have been observed -on many versions of Linux and UNIX, including RedHat, Fedora, Debian, -Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, -HP-UX, AIX, SCO OpenServer, and OpenWRT. - -BIND is also available for Windows XP, 2003, 2008, and higher. See -win32utils/readme1st.txt for details on building for Windows systems. - -To build on a UNIX or Linux system, use: - - $ ./configure - $ make - -(NOTE: Using multiple processors in make is not reliable and is not -advised.) - -If you're planning on making changes to the BIND 9 source, you should run -make depend. If you're using Emacs, you might find make tags helpful. - -Several environment variables that can be set before running configure -will affect compilation: - -Variable Description -CC The C compiler to use. configure tries to figure out the - right one for supported systems. - C compiler flags. Defaults to include -g and/or -O2 as -CFLAGS supported by the compiler. Please include '-g' if you need - to set CFLAGS. - System header file directories. Can be used to specify -STD_CINCLUDES where add-on thread or IPv6 support is, for example. - Defaults to empty string. - Any additional preprocessor symbols you want defined. -STD_CDEFINES Defaults to empty string. For a list of possible settings, - see the file OPTIONS. -LDFLAGS Linker flags. Defaults to empty string. -BUILD_CC Needed when cross-compiling: the native C compiler to use - when building for the target system. -BUILD_CFLAGS Optional, used for cross-compiling -BUILD_CPPFLAGS -BUILD_LDFLAGS -BUILD_LIBS - -Compile-time options - -To see a full list of configuration options, run configure --help. - -On most platforms, BIND 9 is built with multithreading support, allowing -it to take advantage of multiple CPUs. You can configure this by -specifying --enable-threads or --disable-threads on the configure command -line. 
The default is to enable threads, except on some older operating -systems on which threads are known to have had problems in the past. -(Note: Prior to BIND 9.10, the default was to disable threads on Linux -systems; this has now been reversed. On Linux systems, the threaded build -is known to change BIND's behavior with respect to file permissions; it -may be necessary to specify a user with the -u option when running named.) - -To build shared libraries, specify --with-libtool on the configure command -line. - -Certain compiled-in constants and default settings can be increased to -values better suited to large servers with abundant memory resources (e.g, -64-bit servers with 12G or more of memory) by specifying --with-tuning= -large on the configure command line. This can improve performance on big -servers, but will consume more memory and may degrade performance on -smaller systems. - -For the server to support DNSSEC, you need to build it with crypto -support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer -installed. If the OpenSSL library is installed in a nonstandard location, -specify the prefix using "--with-openssl=/prefix" on the configure command -line. To use a PKCS#11 hardware service module for cryptographic -operations, specify the path to the PKCS#11 provider library using -"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11". - -To support the HTTP statistics channel, the server must be linked with at -least one of the following: libxml2 http://xmlsoft.org or json-c https:// -github.com/json-c. If these are installed at a nonstandard location, -specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix. - -To support compression on the HTTP statistics channel, the server must be -linked against libzlib. If this is installed in a nonstandard location, -specify the prefix using --with-zlib=/prefix. 
- -To support storing configuration data for runtime-added zones in an LMDB -database, the server must be linked with liblmdb. If this is installed in -a nonstandard location, specify the prefix using "with-lmdb=/prefix". - -To support GeoIP location-based ACLs, the server must be linked with -libGeoIP. This is not turned on by default; BIND must be configured with -"--with-geoip". If the library is installed in a nonstandard location, use -specify the prefix using "--with-geoip=/prefix". - -For DNSTAP packet logging, you must have libfstrm https://github.com/ -farsightsec/fstrm and libprotobuf-c https://developers.google.com/ -protocol-buffers, and BIND must be configured with "--enable-dnstap". - -Python requires the 'argparse' and 'ply' modules to be available. -'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is -available from https://pypi.python.org/pypi/ply. - -On some platforms it is necessary to explicitly request large file support -to handle files bigger than 2GB. This can be done by using ---enable-largefile on the configure command line. - -Support for the "fixed" rrset-order option can be enabled or disabled by -specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure -command line. By default, fixed rrset-order is disabled to reduce memory -footprint. - -If your operating system has integrated support for IPv6, it will be used -automatically. If you have installed KAME IPv6 separately, use --with-kame -[=PATH] to specify its location. - -make install will install named and the various BIND 9 libraries. By -default, installation is into /usr/local, but this can be changed with the ---prefix option when running configure. - -You may specify the option --sysconfdir to set the directory where -configuration files like named.conf go by default, and --localstatedir to -set the default parent directory of run/named.pid. 
For backwards -compatibility with BIND 8, --sysconfdir defaults to /etc and ---localstatedir defaults to /var if no --prefix option is given. If there -is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir -defaults to $prefix/var. - -Automated testing - -A system test suite can be run with make test. The system tests require -you to configure a set of virtual IP addresses on your system (this allows -multiple servers to run locally and communicate with one another). These -IP addresses can be configured by by running the script bin/tests/system/ -ifconfig.sh up as root. - -Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, -and will be skipped if these are not available. Some tests require Python -and the 'dnspython' module and will be skipped if these are not available. -See bin/tests/system/README for further details. - -Unit tests are implemented using Automated Testing Framework (ATF). To run -them, use configure --with-atf, then run make test or make unit. - -Documentation - -The BIND 9 Administrator Reference Manual is included with the source -distribution, in DocBook XML, HTML and PDF format, in the doc/arm -directory. - -Some of the programs in the BIND 9 distribution have man pages in their -directories. In particular, the command line options of named are -documented in bin/named/named.8. - -Frequently (and not-so-frequently) asked questions and their answers can -be found in the ISC Knowledge Base at https://kb.isc.org. - -Additional information on various subjects can be found in other README -files throughout the source tree. - -Change log - -A detailed list of all changes that have been made throughout the -development BIND 9 is included in the file CHANGES, with the most recent -changes listed first. 
Change notes include tags indicating the category of -the change that was made; these categories are: - -Category Description -[func] New feature -[bug] General bug fix -[security] Fix for a significant security flaw -[experimental] Used for new features when the syntax or other aspects of - the design are still in flux and may change -[port] Portability enhancement -[maint] Updates to built-in data such as root server addresses and - keys -[tuning] Changes to built-in configuration defaults and constants to - improve performance -[performance] Other changes to improve server performance -[protocol] Updates to the DNS protocol such as new RR types -[test] Changes to the automatic tests, not affecting server - functionality -[cleanup] Minor corrections and refactoring -[doc] Documentation -[contrib] Changes to the contributed tools and libraries in the - 'contrib' subdirectory - Used in the master development branch to reserve change -[placeholder] numbers for use in other branches, e.g. when fixing a bug - that only exists in older releases - -In general, [func] and [experimental] tags will only appear in new-feature -releases (i.e., those with version numbers ending in zero). Some new -functionality may be backported to older releases on a case-by-case basis. -All other change types may be applied to all currently-supported releases. - -Acknowledgments - - * The original development of BIND 9 was underwritten by the following - organizations: - - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. - - * This product includes software developed by the OpenSSL Project for - use in the OpenSSL Toolkit. 
http://www.OpenSSL.org/ - * This product includes cryptographic software written by Eric Young - (eay@cryptsoft.com) - * This product includes software written by Tim Hudson - (tjh@cryptsoft.com) - diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 9f548cc63c..741d59340f 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -10,12 +10,12 @@ .\" Title: named.conf .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-01-08 +.\" Date: 2016-12-02 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "NAMED\&.CONF" "5" "2014\-01\-08" "ISC" "BIND9" +.TH "NAMED\&.CONF" "5" "2016\-12\-02" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
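Review bot: the README hunk above (@@ -1,443 +0,0 @@, index 5e10af2729..e69de29bb2, mode 100644 kept) leaves README in the tree as a zero-length file, since e69de29bb2 is git's empty-blob id. For a commit titled "regen" this looks like a generation step that produced no output rather than an intended removal. The deleted text is where users are told to send suspected security issues to security-officer@isc.org and to obscure key secrets with named-checkconf -px before attaching a configuration to a bug report. The OPTIONS hunk (@@ -1,25 +0,0 @@) drops its whole table of -D settings in the same way. Suggest making the regen job fail when a generated file comes out empty, and either restoring these files or deleting them outright if they are meant to go.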
@@ -62,87 +62,6 @@ acl \fIstring\fR { \fIaddress_match_element\fR; \&.\&.\&. }; .if n \{\ .RE .\} -.SH "KEY" -.sp -.if n \{\ -.RS 4 -.\} -.nf -key \fIdomain_name\fR { - algorithm \fIstring\fR; - secret \fIstring\fR; -}; -.fi -.if n \{\ -.RE -.\} -.SH "MASTERS" -.sp -.if n \{\ -.RS 4 -.\} -.nf -masters \fIstring\fR [ port \fIinteger\fR ] { - ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; \&.\&.\&. -}; -.fi -.if n \{\ -.RE -.\} -.SH "SERVER" -.sp -.if n \{\ -.RS 4 -.\} -.nf -server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { - bogus \fIboolean\fR; - edns \fIboolean\fR; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - tcp\-only \fIboolean\fR; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - keys \fIserver_key\fR; - transfers \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - support\-ixfr \fIboolean\fR; // obsolete -}; -.fi -.if n \{\ -.RE -.\} -.SH "TRUSTED-KEYS" -.sp -.if n \{\ -.RS 4 -.\} -.nf -trusted\-keys { - \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&. -}; -.fi -.if n \{\ -.RE -.\} -.SH "MANAGED-KEYS" -.sp -.if n \{\ -.RS 4 -.\} -.nf -managed\-keys { - \fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&. -}; -.fi -.if n \{\ -.RE -.\} .SH "CONTROLS" .sp .if n \{\ 
@@ -150,11 +69,55 @@ managed\-keys { .\} .nf controls { - inet ( \fIipv4_address\fR | \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ] - allow { \fIaddress_match_element\fR; \&.\&.\&. } - [ keys { \fIstring\fR; \&.\&.\&. } ]; - unix \fIunsupported\fR; // not implemented + inet ( \fIipv4_address\fR | \fIipv6_address\fR | + * ) [ port ( \fIinteger\fR | * ) ] allow + { \fIaddress_match_element\fR; \&.\&.\&. } [ + keys { \fIstring\fR; \&.\&.\&. } ] [ read\-only + \fIboolean\fR ]; + unix \fIquoted_string\fR perm \fIinteger\fR + owner \fIinteger\fR group \fIinteger\fR [ + keys { \fIstring\fR; \&.\&.\&. } ] [ read\-only + \fIboolean\fR ]; +}; +.fi +.if n \{\ +.RE +.\} +.SH "DLZ" +.sp +.if n \{\ +.RS 4 +.\} +.nf +dlz \fIstring\fR { + database \fIstring\fR; + search \fIboolean\fR; +}; +.fi +.if n \{\ +.RE +.\} +.SH "DYNDB" +.sp +.if n \{\ +.RS 4 +.\} +.nf +dyndb \fIstring\fR \fIquoted_string\fR { + \fIunspecified\-text\fR }; +.fi +.if n \{\ +.RE +.\} +.SH "KEY" +.sp +.if n \{\ +.RS 4 +.\} +.nf +key \fIstring\fR { + algorithm \fIstring\fR; + secret \fIstring\fR; }; .fi .if n \{\ @@ -167,17 +130,19 @@ controls { .\} .nf logging { - channel \fIstring\fR { - file \fIlog_file\fR; - syslog \fIoptional_facility\fR; - null; - stderr; - severity \fIlog_severity\fR; - print\-time \fIboolean\fR; - print\-severity \fIboolean\fR; - print\-category \fIboolean\fR; - }; category \fIstring\fR { \fIstring\fR; \&.\&.\&. }; + channel \fIstring\fR { + buffered \fIboolean\fR; + file \fIquoted_string\fR [ versions ( "unlimited" | \fIinteger\fR ) + ] [ size \fIsize\fR ]; + null; + print\-category \fIboolean\fR; + print\-severity \fIboolean\fR; + print\-time \fIboolean\fR; + severity \fIlog_severity\fR; + stderr; + syslog [ \fIsyslog_facility\fR ]; + }; }; .fi .if n \{\ 
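Review bot: the new unix clause in the CONTROLS hunk (@@ -150,11 +69,55 @@) replaces "unix unsupported; // not implemented" with "perm integer owner integer group integer" plus keys and read-only, but the synopsis gives no hint of what form perm takes or what read-only defaults to, and these are the settings that decide who can drive the server over the control channel. The fixed-width wrap inside the .nf block also splits clauses mid-bracket: "allow" is separated from its address list and "[ read-only" from "boolean ]". Suggest emitting one clause per line, as the removed text did, and pointing at the ARM section that defines perm, owner, group and read-only.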
@@ -190,19 +155,44 @@ logging { .\} .nf lwres { - listen\-on [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. - }; - view \fIstring\fR \fIoptional_class\fR; - search { \fIstring\fR; \&.\&.\&. }; - ndots \fIinteger\fR; - lwres\-tasks \fIinteger\fR; + listen\-on [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. }; lwres\-clients \fIinteger\fR; + lwres\-tasks \fIinteger\fR; + ndots \fIinteger\fR; + search { \fIstring\fR; \&.\&.\&. }; + view \fIstring\fR [ \fIclass\fR ]; }; .fi .if n \{\ .RE .\} +.SH "MANAGED-KEYS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR + \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; +.fi +.if n \{\ +.RE +.\} +.SH "MASTERS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +masters \fIstring\fR [ port \fIinteger\fR ] [ dscp + \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ + port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. }; +.fi +.if n \{\ +.RE +.\} .SH "OPTIONS" .sp .if n \{\ 
@@ -210,386 +200,704 @@ lwres { .\} .nf options { - avoid\-v4\-udp\-ports { \fIport\fR; \&.\&.\&. }; - avoid\-v6\-udp\-ports { \fIport\fR; \&.\&.\&. }; - blackhole { \fIaddress_match_element\fR; \&.\&.\&. }; - coresize \fIsize\fR; - datasize \fIsize\fR; - directory \fIquoted_string\fR; - dnstap { \fImessage_type\fR; \&.\&.\&. }; - dnstap\-output ( file | unix ) \fIpath_name\fR; - dnstap\-identity ( \fIstring\fR | hostname | none ); - dnstap\-version ( \fIstring\fR | none ); - dump\-file \fIquoted_string\fR; - files \fIsize\fR; - fstrm\-set\-buffer\-hint \fInumber\fR; - fstrm\-set\-flush\-timeout \fInumber\fR; - fstrm\-set\-input\-queue\-size \fInumber\fR; - fstrm\-set\-output\-notify\-threshold \fInumber\fR; - fstrm\-set\-output\-queue\-model ( \fImpsc\fR | \fIspsc\fR ) ; - fstrm\-set\-output\-queue\-size \fInumber\fR; - fstrm\-set\-reopen\-interval \fInumber\fR; - heartbeat\-interval \fIinteger\fR; - host\-statistics \fIboolean\fR; // not implemented - host\-statistics\-max \fInumber\fR; // not implemented - hostname ( \fIquoted_string\fR | none ); - interface\-interval \fIinteger\fR; - keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. }; - listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. }; - listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. 
}; - match\-mapped\-addresses \fIboolean\fR; - memstatistics\-file \fIquoted_string\fR; - pid\-file ( \fIquoted_string\fR | none ); - port \fIinteger\fR; - querylog \fIboolean\fR; - recursing\-file \fIquoted_string\fR; - reserved\-sockets \fIinteger\fR; - random\-device \fIquoted_string\fR; - recursive\-clients \fIinteger\fR; - serial\-query\-rate \fIinteger\fR; - server\-id ( \fIquoted_string\fR | hostname | none ); - stacksize \fIsize\fR; - statistics\-file \fIquoted_string\fR; - statistics\-interval \fIinteger\fR; // not yet implemented - tcp\-clients \fIinteger\fR; - tcp\-listen\-queue \fIinteger\fR; - tkey\-dhkey \fIquoted_string\fR \fIinteger\fR; - tkey\-gssapi\-credential \fIquoted_string\fR; - tkey\-gssapi\-keytab \fIquoted_string\fR; - tkey\-domain \fIquoted_string\fR; - transfer\-message\-size \fIinteger\fR; - transfers\-per\-ns \fIinteger\fR; - transfers\-in \fIinteger\fR; - transfers\-out \fIinteger\fR; - version ( \fIquoted_string\fR | none ); - allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - sortlist { \fIaddress_match_element\fR; \&.\&.\&. }; - topology { \fIaddress_match_element\fR; \&.\&.\&. }; // not implemented - auth\-nxdomain \fIboolean\fR; // default changed - minimal\-any \fIboolean\fR; - minimal\-responses ( \fIboolean\fR | no\-auth | no\-auth\-recursive ); - recursion \fIboolean\fR; - rrset\-order { - [ class \fIstring\fR ] [ type \fIstring\fR ] - [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. 
- }; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - rfc2308\-type1 \fIboolean\fR; // not yet implemented + acache\-cleaning\-interval \fIinteger\fR; + acache\-enable \fIboolean\fR; additional\-from\-auth \fIboolean\fR; additional\-from\-cache \fIboolean\fR; - query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - use\-queryport\-pool \fIboolean\fR; - queryport\-pool\-ports \fIinteger\fR; - queryport\-pool\-updateinterval \fIinteger\fR; - cleaning\-interval \fIinteger\fR; - resolver\-query\-timeout \fIinteger\fR; - min\-roots \fIinteger\fR; // not implemented - lame\-ttl \fIinteger\fR; - max\-ncache\-ttl \fIinteger\fR; - max\-cache\-ttl \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - max\-cache\-size \fIsize\fR; - max\-acache\-size \fIsize\fR; - clients\-per\-query \fInumber\fR; - max\-clients\-per\-query \fInumber\fR; - check\-names ( master | slave | response ) - ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; // test option - catalog\-zones { - zone \fIquoted_string\fR - [ default\-masters - [port \fIip_port\fR] - [dscp \fIip_dscp\fR] - { ( \fImasters_list\fR | \fIip_addr\fR [port \fIip_port\fR] [key \fIkey\fR] ) ; [\&.\&.\&.] }] - [in\-memory \fIyes_or_no\fR] - [min\-update\-interval \fIinterval\fR] - ; \&.\&.\&. }; - ; - suppress\-initial\-notify \fIboolean\fR; // not yet implemented - preferred\-glue \fIstring\fR; - dual\-stack\-servers [ port \fIinteger\fR ] { - ( \fIquoted_string\fR [port \fIinteger\fR] | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&. 
- }; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; - disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. }; - disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. }; - dnssec\-enable \fIboolean\fR; - dnssec\-validation \fIboolean\fR; - dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR ); - dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; - dnssec\-accept\-expired \fIboolean\fR; - dns64\-server \fIstring\fR; - dns64\-contact \fIstring\fR; - dns64 \fIprefix\fR { - clients { \fIacl\fR; }; - exclude { \fIacl\fR; }; - mapped { \fIacl\fR; }; - break\-dnssec \fIboolean\fR; - recursive\-only \fIboolean\fR; - suffix \fIipv6_address\fR; - }; - empty\-server \fIstring\fR; - empty\-contact \fIstring\fR; - empty\-zones\-enable \fIboolean\fR; - disable\-empty\-zone \fIstring\fR; - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIixfrdiff\fR; + allow\-new\-zones \fIboolean\fR; + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. 
}; - update\-check\-ksk \fIboolean\fR; - dnssec\-dnskey\-kskonly \fIboolean\fR; - masterfile\-format ( text | raw | map ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - notify\-to\-soa \fIboolean\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; \&.\&.\&. - [ key \fIkeyname\fR ] \&.\&.\&. }; - allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; - forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. }; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + attach\-cache \fIstring\fR; + auth\-nxdomain \fIboolean\fR; // default changed + auto\-dnssec ( allow | maintain | off ); + automatic\-interface\-scan \fIboolean\fR; + avoid\-v4\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + avoid\-v6\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + bindkeys\-file \fIquoted_string\fR; + blackhole { \fIaddress_match_element\fR; \&.\&.\&. }; + cache\-file \fIquoted_string\fR; + catalog\-zones { zone \fIquoted_string\fR [ default\-masters [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ + port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key + \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [ + in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. 
}; + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( master | slave | response + ) ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + cleaning\-interval \fIinteger\fR; + clients\-per\-query \fIinteger\fR; + cookie\-algorithm ( aes | sha1 | sha256 ); + cookie\-secret \fIstring\fR; + coresize ( default | unlimited | \fIsizeval\fR ); + datasize ( default | unlimited | \fIsizeval\fR ); + deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [ + except\-from { \fIquoted_string\fR; \&.\&.\&. } ]; + deny\-answer\-aliases { \fIquoted_string\fR; \&.\&.\&. } [ except\-from { + \fIquoted_string\fR; \&.\&.\&. } ]; + dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR ); + directory \fIquoted_string\fR; + disable\-algorithms \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-ds\-digests \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-empty\-zone \fIstring\fR; + dns64 \fInetprefix\fR { + break\-dnssec \fIboolean\fR; + clients { \fIaddress_match_element\fR; \&.\&.\&. }; + exclude { \fIaddress_match_element\fR; \&.\&.\&. }; + mapped { \fIaddress_match_element\fR; \&.\&.\&. 
}; + recursive\-only \fIboolean\fR; + suffix \fIipv6_address\fR; }; - max\-journal\-size \fIsize_no_default\fR; + dns64\-contact \fIstring\fR; + dns64\-server \fIstring\fR; + dnssec\-accept\-expired \fIboolean\fR; + dnssec\-dnskey\-kskonly \fIboolean\fR; + dnssec\-enable \fIboolean\fR; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-lookaside ( \fIstring\fR trust\-anchor + \fIstring\fR | auto | no ); + dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + dnssec\-validation ( yes | no | auto ); + dnstap { ( all | auth | client | forwarder | + resolver ) [ ( query | response ) ]; \&.\&.\&. }; + dnstap\-identity ( \fIquoted_string\fR | none | + hostname ); + dnstap\-output ( file | unix ) \fIquoted_string\fR; + dnstap\-version ( \fIquoted_string\fR | none ); + dscp \fIinteger\fR; + dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] ); \&.\&.\&. }; + dump\-file \fIquoted_string\fR; + edns\-udp\-size \fIinteger\fR; + empty\-contact \fIstring\fR; + empty\-server \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + fetch\-quota\-params \fIinteger\fR \fIfixedpoint\fR \fIfixedpoint\fR \fIfixedpoint\fR; + fetches\-per\-server \fIinteger\fR [ ( drop | fail ) ]; + fetches\-per\-zone \fIinteger\fR [ ( drop | fail ) ]; + files ( default | unlimited | \fIsizeval\fR ); + filter\-aaaa { \fIaddress_match_element\fR; \&.\&.\&. }; + filter\-aaaa\-on\-v4 ( break\-dnssec | \fIboolean\fR ); + filter\-aaaa\-on\-v6 ( break\-dnssec | \fIboolean\fR ); + flush\-zones\-on\-shutdown \fIboolean\fR; + forward ( first | only ); + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. 
}; + fstrm\-set\-buffer\-hint \fIinteger\fR; + fstrm\-set\-flush\-timeout \fIinteger\fR; + fstrm\-set\-input\-queue\-size \fIinteger\fR; + fstrm\-set\-output\-notify\-threshold \fIinteger\fR; + fstrm\-set\-output\-queue\-model ( mpsc | spsc ); + fstrm\-set\-output\-queue\-size \fIinteger\fR; + fstrm\-set\-reopen\-interval \fIinteger\fR; + geoip\-directory ( \fIquoted_string\fR | none ); + geoip\-use\-ecs ( \fIquoted_string\fR | none ); + heartbeat\-interval \fIinteger\fR; + hostname ( \fIquoted_string\fR | none ); + inline\-signing \fIboolean\fR; + interface\-interval \fIinteger\fR; + ixfr\-from\-differences ( master | slave | \fIboolean\fR ); + keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. }; + key\-directory \fIquoted_string\fR; + lame\-ttl \fIttlval\fR; + listen\-on [ port \fIinteger\fR ] [ dscp + \fIinteger\fR ] { + \fIaddress_match_element\fR; \&.\&.\&. }; + listen\-on\-v6 [ port \fIinteger\fR ] [ dscp + \fIinteger\fR ] { + \fIaddress_match_element\fR; \&.\&.\&. }; + lock\-file ( \fIquoted_string\fR | none ); + managed\-keys\-directory \fIquoted_string\fR; + masterfile\-format ( map | raw | text ); + masterfile\-style ( full | relative ); + match\-mapped\-addresses \fIboolean\fR; + max\-acache\-size ( unlimited | \fIsizeval\fR ); + max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR ); + max\-cache\-ttl \fIinteger\fR; + max\-clients\-per\-query \fIinteger\fR; + max\-journal\-size ( unlimited | \fIsizeval\fR ); + max\-ncache\-ttl \fIinteger\fR; max\-records \fIinteger\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; + max\-recursion\-depth \fIinteger\fR; + max\-recursion\-queries \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; + max\-rsa\-exponent\-size \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; + 
max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-udp\-size \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); + memstatistics \fIboolean\fR; + memstatistics\-file \fIquoted_string\fR; + message\-compression \fIboolean\fR; min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; + minimal\-any \fIboolean\fR; + minimal\-responses ( no\-auth | no\-auth\-recursive | \fIboolean\fR ); multi\-master \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - sig\-re\-signing\-interval \fIinteger\fR; + no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. }; + nocookie\-udp\-size \fIinteger\fR; + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-rate \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + nta\-lifetime \fIttlval\fR; + nta\-recheck \fIttlval\fR; + nxdomain\-redirect \fIstring\fR; + pid\-file ( \fIquoted_string\fR | none ); + port \fIinteger\fR; + preferred\-glue \fIstring\fR; + prefetch \fIinteger\fR [ \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + querylog \fIboolean\fR; + random\-device \fIquoted_string\fR; + rate\-limit { + all\-per\-second \fIinteger\fR; + errors\-per\-second \fIinteger\fR; + exempt\-clients { \fIaddress_match_element\fR; \&.\&.\&. 
}; + ipv4\-prefix\-length \fIinteger\fR; + ipv6\-prefix\-length \fIinteger\fR; + log\-only \fIboolean\fR; + max\-table\-size \fIinteger\fR; + min\-table\-size \fIinteger\fR; + nodata\-per\-second \fIinteger\fR; + nxdomains\-per\-second \fIinteger\fR; + qps\-scale \fIinteger\fR; + referrals\-per\-second \fIinteger\fR; + responses\-per\-second \fIinteger\fR; + slip \fIinteger\fR; + window \fIinteger\fR; + }; + recursing\-file \fIquoted_string\fR; + recursion \fIboolean\fR; + recursive\-clients \fIinteger\fR; + request\-expire \fIboolean\fR; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + require\-server\-cookie \fIboolean\fR; + reserved\-sockets \fIinteger\fR; + resolver\-query\-timeout \fIinteger\fR; + response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [ + max\-policy\-ttl \fIinteger\fR ] [ policy ( cname | disabled | drop | + given | no\-op | nodata | nxdomain | passthru | tcp\-only + \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ]; \&.\&.\&. } [ + break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIinteger\fR ] [ + min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [ + qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ]; + root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; + rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name + \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. 
}; + secroots\-file \fIquoted_string\fR; + send\-cookie \fIboolean\fR; + serial\-query\-rate \fIinteger\fR; + serial\-update\-method ( date | increment | unixtime ); + server\-id ( \fIquoted_string\fR | none | hostname ); + servfail\-ttl \fIttlval\fR; + session\-keyalg \fIstring\fR; + session\-keyfile ( \fIquoted_string\fR | none ); + session\-keyname \fIstring\fR; sig\-signing\-nodes \fIinteger\fR; sig\-signing\-signatures \fIinteger\fR; sig\-signing\-type \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; - key\-directory \fIquoted_string\fR; - managed\-keys\-directory \fIquoted_string\fR; - auto\-dnssec \fBallow\fR|\fBmaintain\fR|\fBoff\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + sortlist { \fIaddress_match_element\fR; \&.\&.\&. 
}; + stacksize ( default | unlimited | \fIsizeval\fR ); + startup\-notify\-rate \fIinteger\fR; + statistics\-file \fIquoted_string\fR; + tcp\-clients \fIinteger\fR; + tcp\-listen\-queue \fIinteger\fR; + tkey\-dhkey \fIquoted_string\fR \fIinteger\fR; + tkey\-domain \fIquoted_string\fR; + tkey\-gssapi\-credential \fIquoted_string\fR; + tkey\-gssapi\-keytab \fIquoted_string\fR; + transfer\-format ( many\-answers | one\-answer ); + transfer\-message\-size \fIinteger\fR; + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + transfers\-in \fIinteger\fR; + transfers\-out \fIinteger\fR; + transfers\-per\-ns \fIinteger\fR; + trust\-anchor\-telemetry \fIboolean\fR; // experimental try\-tcp\-refresh \fIboolean\fR; + update\-check\-ksk \fIboolean\fR; + use\-alt\-transfer\-source \fIboolean\fR; + use\-v4\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + use\-v6\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + v6\-bias \fIinteger\fR; + version ( \fIquoted_string\fR | none ); zero\-no\-soa\-ttl \fIboolean\fR; zero\-no\-soa\-ttl\-cache \fIboolean\fR; - dnssec\-secure\-to\-insecure \fIboolean\fR; - automatic\-interface\-scan \fIboolean\fR; - cookie\-algorithm ( \fIaes\fR | \fIsha1\fR | \fIsha256\fR ); - cookie\-secret \fIstring\fR; - require\-server\-cookie \fIboolean\fR; - send\-cookie \fIboolean\fR; - nocookie\-udp\-size \fIinteger\fR; - deny\-answer\-addresses { - \fIaddress_match_list\fR - } [ except\-from { \fInamelist\fR } ]; - deny\-answer\-aliases { - \fInamelist\fR - } [ except\-from { \fInamelist\fR } ]; - nsec3\-test\-zone \fIboolean\fR; // testing only - allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. 
}; // obsolete - deallocate\-on\-exit \fIboolean\fR; // obsolete - fake\-iquery \fIboolean\fR; // obsolete - fetch\-glue \fIboolean\fR; // obsolete - has\-old\-clients \fIboolean\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete - multiple\-cnames \fIboolean\fR; // obsolete - named\-xfer \fIquoted_string\fR; // obsolete - serial\-queries \fIinteger\fR; // obsolete - treat\-cr\-as\-space \fIboolean\fR; // obsolete - use\-id\-pool \fIboolean\fR; // obsolete - use\-ixfr \fIboolean\fR; // obsolete + zone\-statistics ( full | terse | none | \fIboolean\fR ); }; .fi .if n \{\ .RE .\} +.SH "SERVER" +.sp +.if n \{\ +.RS 4 +.\} +.nf +server \fInetprefix\fR { + bogus \fIboolean\fR; + edns \fIboolean\fR; + edns\-udp\-size \fIinteger\fR; + edns\-version \fIinteger\fR; + keys \fIserver_key\fR; + max\-udp\-size \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + request\-expire \fIboolean\fR; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + send\-cookie \fIboolean\fR; + tcp\-only \fIboolean\fR; + transfer\-format ( many\-answers | one\-answer ); + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + transfers \fIinteger\fR; +}; +.fi +.if n \{\ +.RE +.\} +.SH 
"STATISTICS-CHANNELS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +statistics\-channels { + inet ( \fIipv4_address\fR | \fIipv6_address\fR | + * ) [ port ( \fIinteger\fR | * ) ] [ + allow { \fIaddress_match_element\fR; \&.\&.\&. + } ]; +}; +.fi +.if n \{\ +.RE +.\} +.SH "TRUSTED-KEYS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR + \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; +.fi +.if n \{\ +.RE +.\} .SH "VIEW" .sp .if n \{\ .RS 4 .\} .nf -view \fIstring\fR \fIoptional_class\fR { - match\-clients { \fIaddress_match_element\fR; \&.\&.\&. }; - match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. }; - match\-recursive\-only \fIboolean\fR; +view \fIstring\fR [ \fIclass\fR ] { + acache\-cleaning\-interval \fIinteger\fR; + acache\-enable \fIboolean\fR; + additional\-from\-auth \fIboolean\fR; + additional\-from\-cache \fIboolean\fR; + allow\-new\-zones \fIboolean\fR; + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. 
}; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + attach\-cache \fIstring\fR; + auth\-nxdomain \fIboolean\fR; // default changed + auto\-dnssec ( allow | maintain | off ); + cache\-file \fIquoted_string\fR; + catalog\-zones { zone \fIquoted_string\fR [ default\-masters [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ + port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key + \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [ + in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. }; + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( master | slave | response + ) ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + cleaning\-interval \fIinteger\fR; + clients\-per\-query \fIinteger\fR; + deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [ + except\-from { \fIquoted_string\fR; \&.\&.\&. } ]; + deny\-answer\-aliases { \fIquoted_string\fR; \&.\&.\&. } [ except\-from { + \fIquoted_string\fR; \&.\&.\&. } ]; + dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR ); + disable\-algorithms \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-ds\-digests \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-empty\-zone \fIstring\fR; + dlz \fIstring\fR { + database \fIstring\fR; + search \fIboolean\fR; + }; + dns64 \fInetprefix\fR { + break\-dnssec \fIboolean\fR; + clients { \fIaddress_match_element\fR; \&.\&.\&. }; + exclude { \fIaddress_match_element\fR; \&.\&.\&. }; + mapped { \fIaddress_match_element\fR; \&.\&.\&. 
}; + recursive\-only \fIboolean\fR; + suffix \fIipv6_address\fR; + }; + dns64\-contact \fIstring\fR; + dns64\-server \fIstring\fR; + dnssec\-accept\-expired \fIboolean\fR; + dnssec\-dnskey\-kskonly \fIboolean\fR; + dnssec\-enable \fIboolean\fR; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-lookaside ( \fIstring\fR trust\-anchor + \fIstring\fR | auto | no ); + dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + dnssec\-validation ( yes | no | auto ); + dnstap { ( all | auth | client | forwarder | + resolver ) [ ( query | response ) ]; \&.\&.\&. }; + dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] ); \&.\&.\&. }; + dyndb \fIstring\fR \fIquoted_string\fR { + \fIunspecified\-text\fR }; + edns\-udp\-size \fIinteger\fR; + empty\-contact \fIstring\fR; + empty\-server \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + fetch\-quota\-params \fIinteger\fR \fIfixedpoint\fR \fIfixedpoint\fR \fIfixedpoint\fR; + fetches\-per\-server \fIinteger\fR [ ( drop | fail ) ]; + fetches\-per\-zone \fIinteger\fR [ ( drop | fail ) ]; + filter\-aaaa { \fIaddress_match_element\fR; \&.\&.\&. }; + filter\-aaaa\-on\-v4 ( break\-dnssec | \fIboolean\fR ); + filter\-aaaa\-on\-v6 ( break\-dnssec | \fIboolean\fR ); + forward ( first | only ); + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. }; + inline\-signing \fIboolean\fR; + ixfr\-from\-differences ( master | slave | \fIboolean\fR ); key \fIstring\fR { algorithm \fIstring\fR; secret \fIstring\fR; }; - zone \fIstring\fR \fIoptional_class\fR { - \&.\&.\&. 
- }; - server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { - \&.\&.\&. - }; - trusted\-keys { - \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; - [\&.\&.\&.] - }; - managed\-keys { - \fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; - [\&.\&.\&.] - }; - allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - sortlist { \fIaddress_match_element\fR; \&.\&.\&. }; - topology { \fIaddress_match_element\fR; \&.\&.\&. }; // not implemented - auth\-nxdomain \fIboolean\fR; // default changed - minimal\-any \fIboolean\fR; - minimal\-responses \fIboolean\fR; - recursion \fIboolean\fR; - rrset\-order { - [ class \fIstring\fR ] [ type \fIstring\fR ] - [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. - }; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - rfc2308\-type1 \fIboolean\fR; // not yet implemented - additional\-from\-auth \fIboolean\fR; - additional\-from\-cache \fIboolean\fR; - query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - use\-queryport\-pool \fIboolean\fR; - queryport\-pool\-ports \fIinteger\fR; - queryport\-pool\-updateinterval \fIinteger\fR; - cleaning\-interval \fIinteger\fR; - resolver\-query\-timeout \fIinteger\fR; - min\-roots \fIinteger\fR; // not implemented - lame\-ttl \fIinteger\fR; - max\-ncache\-ttl \fIinteger\fR; + key\-directory \fIquoted_string\fR; + lame\-ttl \fIttlval\fR; + managed\-keys { \fIstring\fR \fIstring\fR + \fIinteger\fR \fIinteger\fR \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. }; + masterfile\-format ( map | raw | text ); + masterfile\-style ( full | relative ); + match\-clients { \fIaddress_match_element\fR; \&.\&.\&. 
}; + match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. }; + match\-recursive\-only \fIboolean\fR; + max\-acache\-size ( unlimited | \fIsizeval\fR ); + max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR ); max\-cache\-ttl \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - max\-cache\-size \fIsize\fR; - max\-acache\-size \fIsize\fR; - clients\-per\-query \fInumber\fR; - max\-clients\-per\-query \fInumber\fR; - check\-names ( master | slave | response ) - ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; // test option - suppress\-initial\-notify \fIboolean\fR; // not yet implemented - preferred\-glue \fIstring\fR; - dual\-stack\-servers [ port \fIinteger\fR ] { - ( \fIquoted_string\fR [port \fIinteger\fR] | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&. - }; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; - disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. }; - disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. 
}; - dnssec\-enable \fIboolean\fR; - dnssec\-validation \fIboolean\fR; - dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR ); - dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; - dnssec\-accept\-expired \fIboolean\fR; - dns64\-server \fIstring\fR; - dns64\-contact \fIstring\fR; - dns64 \fIprefix\fR { - clients { \fIacl\fR; }; - exclude { \fIacl\fR; }; - mapped { \fIacl\fR; }; - break\-dnssec \fIboolean\fR; - recursive\-only \fIboolean\fR; - suffix \fIipv6_address\fR; - }; - empty\-server \fIstring\fR; - empty\-contact \fIstring\fR; - empty\-zones\-enable \fIboolean\fR; - disable\-empty\-zone \fIstring\fR; - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIixfrdiff\fR; - allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; - update\-check\-ksk \fIboolean\fR; - dnssec\-dnskey\-kskonly \fIboolean\fR; - masterfile\-format ( text | raw | map ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - notify\-to\-soa \fIboolean\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; \&.\&.\&. - [ key \fIkeyname\fR ] \&.\&.\&. }; - allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; - forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. 
- }; - max\-journal\-size \fIsize_no_default\fR; + max\-clients\-per\-query \fIinteger\fR; + max\-journal\-size ( unlimited | \fIsizeval\fR ); + max\-ncache\-ttl \fIinteger\fR; max\-records \fIinteger\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; + max\-recursion\-depth \fIinteger\fR; + max\-recursion\-queries \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; + max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-udp\-size \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); + message\-compression \fIboolean\fR; min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; + minimal\-any \fIboolean\fR; + minimal\-responses ( no\-auth | no\-auth\-recursive | \fIboolean\fR ); multi\-master \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; + no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. 
}; + nocookie\-udp\-size \fIinteger\fR; + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + nta\-lifetime \fIttlval\fR; + nta\-recheck \fIttlval\fR; + nxdomain\-redirect \fIstring\fR; + preferred\-glue \fIstring\fR; + prefetch \fIinteger\fR [ \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + rate\-limit { + all\-per\-second \fIinteger\fR; + errors\-per\-second \fIinteger\fR; + exempt\-clients { \fIaddress_match_element\fR; \&.\&.\&. 
}; + ipv4\-prefix\-length \fIinteger\fR; + ipv6\-prefix\-length \fIinteger\fR; + log\-only \fIboolean\fR; + max\-table\-size \fIinteger\fR; + min\-table\-size \fIinteger\fR; + nodata\-per\-second \fIinteger\fR; + nxdomains\-per\-second \fIinteger\fR; + qps\-scale \fIinteger\fR; + referrals\-per\-second \fIinteger\fR; + responses\-per\-second \fIinteger\fR; + slip \fIinteger\fR; + window \fIinteger\fR; + }; + recursion \fIboolean\fR; + request\-expire \fIboolean\fR; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + require\-server\-cookie \fIboolean\fR; + resolver\-query\-timeout \fIinteger\fR; + response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [ + max\-policy\-ttl \fIinteger\fR ] [ policy ( cname | disabled | drop | + given | no\-op | nodata | nxdomain | passthru | tcp\-only + \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ]; \&.\&.\&. } [ + break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIinteger\fR ] [ + min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [ + qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ]; + root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; + rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name + \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. 
}; + send\-cookie \fIboolean\fR; + serial\-update\-method ( date | increment | unixtime ); + server \fInetprefix\fR { + bogus \fIboolean\fR; + edns \fIboolean\fR; + edns\-udp\-size \fIinteger\fR; + edns\-version \fIinteger\fR; + keys \fIserver_key\fR; + max\-udp\-size \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * + ) ] [ dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR + | * ) ] [ dscp \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port + ( \fIinteger\fR | * ) ] ) | ( [ [ address ] ( + \fIipv4_address\fR | * ) ] port ( \fIinteger\fR | * ) ) ) [ + dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ + port ( \fIinteger\fR | * ) ] ) | ( [ [ address ] ( + \fIipv6_address\fR | * ) ] port ( \fIinteger\fR | * ) ) ) [ + dscp \fIinteger\fR ]; + request\-expire \fIboolean\fR; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + send\-cookie \fIboolean\fR; + tcp\-only \fIboolean\fR; + transfer\-format ( many\-answers | one\-answer ); + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + transfers \fIinteger\fR; + }; + servfail\-ttl \fIttlval\fR; + sig\-signing\-nodes \fIinteger\fR; + sig\-signing\-signatures \fIinteger\fR; + sig\-signing\-type \fIinteger\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + sortlist { \fIaddress_match_element\fR; \&.\&.\&. 
}; + transfer\-format ( many\-answers | one\-answer ); + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + trust\-anchor\-telemetry \fIboolean\fR; // experimental + trusted\-keys { \fIstring\fR \fIinteger\fR + \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; + \&.\&.\&. }; try\-tcp\-refresh \fIboolean\fR; - key\-directory \fIquoted_string\fR; + update\-check\-ksk \fIboolean\fR; + use\-alt\-transfer\-source \fIboolean\fR; + v6\-bias \fIinteger\fR; zero\-no\-soa\-ttl \fIboolean\fR; zero\-no\-soa\-ttl\-cache \fIboolean\fR; - dnssec\-secure\-to\-insecure \fIboolean\fR; - require\-server\-cookie \fIboolean\fR; - send\-cookie \fIboolean\fR; - nocookie\-udp\-size \fIinteger\fR; - allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. }; // obsolete - fetch\-glue \fIboolean\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete + zone \fIstring\fR [ \fIclass\fR ] { + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( + \fImasters\fR | \fIipv4_address\fR [ port \fIinteger\fR ] | + \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; + \&.\&.\&. 
}; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + auto\-dnssec ( allow | maintain | off ); + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + database \fIstring\fR; + delegation\-only \fIboolean\fR; + dialup ( notify | notify\-passive | passive | refresh | + \fIboolean\fR ); + dlz \fIstring\fR; + dnssec\-dnskey\-kskonly \fIboolean\fR; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + file \fIquoted_string\fR; + forward ( first | only ); + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( + \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ + dscp \fIinteger\fR ]; \&.\&.\&. }; + in\-view \fIstring\fR; + inline\-signing \fIboolean\fR; + ixfr\-from\-differences \fIboolean\fR; + journal \fIquoted_string\fR; + key\-directory \fIquoted_string\fR; + masterfile\-format ( map | raw | text ); + masterfile\-style ( full | relative ); + masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR + | \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ + port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. 
}; + max\-ixfr\-log\-size ( default | unlimited | + max\-journal\-size ( unlimited | \fIsizeval\fR ); + max\-records \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; + max\-transfer\-idle\-in \fIinteger\fR; + max\-transfer\-idle\-out \fIinteger\fR; + max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); + min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; + multi\-master \fIboolean\fR; + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * + ) ] [ dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR + | * ) ] [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + pubkey \fIinteger\fR + \fIinteger\fR + \fIinteger\fR + request\-expire \fIboolean\fR; + request\-ixfr \fIboolean\fR; + serial\-update\-method ( date | increment | unixtime ); + server\-addresses { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ + port \fIinteger\fR ]; \&.\&.\&. }; + server\-names { \fIquoted_string\fR; \&.\&.\&. 
}; + sig\-signing\-nodes \fIinteger\fR; + sig\-signing\-signatures \fIinteger\fR; + sig\-signing\-type \fIinteger\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + try\-tcp\-refresh \fIboolean\fR; + type ( delegation\-only | forward | hint | master | redirect + | slave | static\-stub | stub ); + update\-check\-ksk \fIboolean\fR; + update\-policy ( local | { ( deny | grant ) \fIstring\fR ( + 6to4\-self | external | krb5\-self | krb5\-subdomain | + ms\-self | ms\-subdomain | name | self | selfsub | + selfwild | subdomain | tcp\-self | wildcard | zonesub ) + [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. }; + use\-alt\-transfer\-source \fIboolean\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zone\-statistics ( full | terse | none | \fIboolean\fR ); + }; + zone\-statistics ( full | terse | none | \fIboolean\fR ); }; .fi .if n \{\ 
@@ -601,87 +909,98 @@ view \fIstring\fR \fIoptional_class\fR { .RS 4 .\} .nf -zone \fIstring\fR \fIoptional_class\fR { - type ( master | slave | stub | hint | redirect | - forward | delegation\-only ); - file \fIquoted_string\fR; - masters [ port \fIinteger\fR ] { - ( \fImasters\fR | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. - }; - database \fIstring\fR; - delegation\-only \fIboolean\fR; - check\-names ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIboolean\fR; - journal \fIquoted_string\fR; - zero\-no\-soa\-ttl \fIboolean\fR; - dnssec\-secure\-to\-insecure \fIboolean\fR; +zone \fIstring\fR [ \fIclass\fR ] { + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; - update\-policy \fIlocal\fR | \fI { - ( grant | deny ) \fR\fI\fIstring\fR\fR\fI - ( name | subdomain | wildcard | self | selfsub | selfwild | - krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain | - tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI - \fR\fI\fIrrtypelist\fR\fR\fI; - \fR\fI[\&.\&.\&.]\fR\fI - }\fR; - update\-check\-ksk \fIboolean\fR; + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. 
}; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + auto\-dnssec ( allow | maintain | off ); + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + database \fIstring\fR; + delegation\-only \fIboolean\fR; + dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR ); + dlz \fIstring\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; - masterfile\-format ( text | raw | map ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - notify\-to\-soa \fIboolean\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; \&.\&.\&. - [ key \fIkeyname\fR ] \&.\&.\&. }; - allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + file \fIquoted_string\fR; forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. - }; - max\-journal\-size \fIsize_no_default\fR; + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. 
}; + in\-view \fIstring\fR; + inline\-signing \fIboolean\fR; + ixfr\-from\-differences \fIboolean\fR; + journal \fIquoted_string\fR; + key\-directory \fIquoted_string\fR; + masterfile\-format ( map | raw | text ); + masterfile\-style ( full | relative ); + masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. }; + max\-journal\-size ( unlimited | \fIsizeval\fR ); max\-records \fIinteger\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; + max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; multi\-master \fIboolean\fR; + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + pubkey \fIinteger\fR \fIinteger\fR + request\-expire \fIboolean\fR; request\-ixfr \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - 
zone\-statistics \fIboolean\fR; + serial\-update\-method ( date | increment | unixtime ); + server\-addresses { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port + \fIinteger\fR ]; \&.\&.\&. }; + server\-names { \fIquoted_string\fR; \&.\&.\&. }; + sig\-signing\-nodes \fIinteger\fR; + sig\-signing\-signatures \fIinteger\fR; + sig\-signing\-type \fIinteger\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; try\-tcp\-refresh \fIboolean\fR; - key\-directory \fIquoted_string\fR; - nsec3\-test\-zone \fIboolean\fR; // testing only - ixfr\-base \fIquoted_string\fR; // obsolete - ixfr\-tmp\-file \fIquoted_string\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete - pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete + type ( delegation\-only | forward | hint | master | redirect | slave + | static\-stub | stub ); + update\-check\-ksk \fIboolean\fR; + update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self | + external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain + | name | self | selfsub | selfwild | subdomain | tcp\-self | + wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. }; + use\-alt\-transfer\-source \fIboolean\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zone\-statistics ( full | terse | none | \fIboolean\fR ); }; .fi .if n \{\ @@ -692,9 +1011,11 @@ zone \fIstring\fR \fIoptional_class\fR { /etc/named\&.conf .SH "SEE ALSO" .PP +\fBddns-confgen\fR(8), \fBnamed\fR(8), \fBnamed-checkconf\fR(8), \fBrndc\fR(8), +\fBrndc-confgen\fR(8), BIND 9 Administrator Reference Manual\&. .SH "AUTHOR" .PP diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index 054d5d0c97..b5c241454a 100644 --- a/bin/named/named.conf.html 
+++ b/bin/named/named.conf.html @@ -62,15 +62,52 @@


acl string { address_match_element; ... };
-

-

KEY

+

CONTROLS


-key domain_name {
+controls {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] allow
+     { address_match_element; ... } [
+     keys { string; ... } 
] [ read-only
+     boolean 
];
+ unix quoted_string perm integer
+     owner integer group integer [
+     keys { string; ... } 
] [ read-only
+     boolean 
];
+};
+

+
+ +
+

DLZ

+ +


+dlz string {
+ database string;
+ search boolean;
+};
+

+
+ +
+

DYNDB

+ +


+dyndb string quoted_string {
+    unspecified-text };
+

+
+ +
+

KEY

+ +


+key string {
algorithm string;
secret string;
};
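Review bot: In the added `controls` block, the `unix quoted_string perm integer owner integer group integer [ keys { string; ... } ] [ read-only boolean ];` form is presented as ordinary grammar, whereas the CONTROLS synopsis removed further down in this same diff read `unix unsupported; // not implemented`. If the regenerated text is taken from the parser grammar rather than from what named actually honours, an operator could read the page as saying that a permission-restricted UNIX-socket control channel is available; please confirm the status and carry the marker over if it still applies. Two smaller points in the same hunk: changing `key domain_name` to `key string` drops the hint that the key name is a domain name, and `dyndb string quoted_string { unspecified-text };` uses a placeholder that the synopsis never defines.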
@@ -78,642 +115,872 @@ key

-

MASTERS

- -


-masters string [ port integer ] {
- ( masters | ipv4_address [port integer] |
- ipv6_address [port integer] ) [ key string ]; ...
-};
-

-
- -
-

SERVER

- -


-server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- bogus boolean;
- edns boolean;
- edns-udp-size integer;
- max-udp-size integer;
- tcp-only boolean;
- provide-ixfr boolean;
- request-ixfr boolean;
- keys server_key;
- transfers integer;
- transfer-format ( many-answers | one-answer );
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- support-ixfr boolean; // obsolete
-};
-

-
- -
-

TRUSTED-KEYS

- -


-trusted-keys {
- domain_name flags protocol algorithm key; ...
-};
-

-
- -
-

MANAGED-KEYS

- -


-managed-keys {
- domain_name initial-key flags protocol algorithm key; ...
-};
-

-
- -
-

CONTROLS

- -


-controls {
- inet ( ipv4_address | ipv6_address | * )
- [ port ( integer | * ) ]
- allow { address_match_element; ... }
- [ keys { string; ... } ];
- unix unsupported; // not implemented
-};
-

-
- -
-

LOGGING

+

LOGGING


logging {
- channel string {
- file log_file;
- syslog optional_facility;
- null;
- stderr;
- severity log_severity;
- print-time boolean;
- print-severity boolean;
- print-category boolean;
- };
category string { string; ... };
+ channel string {
+ buffered boolean;
+ file quoted_string [ versions ( "unlimited" | integer )
+     
] [ size size ];
+ null;
+ print-category boolean;
+ print-severity boolean;
+ print-time boolean;
+ severity log_severity;
+ stderr;
+ syslog [ syslog_facility ];
+ };
};

-

LWRES

+

LWRES


lwres {
- listen-on [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
- view string optional_class;
- search { string; ... };
- ndots integer;
- lwres-tasks integer;
+ listen-on [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
lwres-clients integer;
+ lwres-tasks integer;
+ ndots integer;
+ search { string; ... };
+ view string [ class ];
};

+
+

MANAGED-KEYS

+ +


+managed-keys { string string integer
+    integer integer quoted_string; ... };
+

+
+ +
+

MASTERS

+ +


+masters string [ port integer ] [ dscp
+    integer 
] { ( masters | ipv4_address [
+    port integer 
] | ipv6_address [ port
+    integer 
] ) [ key string ]; ... };
+

+
+

OPTIONS


options {
- avoid-v4-udp-ports { port; ... };
- avoid-v6-udp-ports { port; ... };
- blackhole { address_match_element; ... };
- coresize size;
- datasize size;
- directory quoted_string;
- dnstap { message_type; ... };
- dnstap-output ( file | unix ) path_name;
- dnstap-identity ( string | hostname | none );
- dnstap-version ( string | none );
- dump-file quoted_string;
- files size;
- fstrm-set-buffer-hint number;
- fstrm-set-flush-timeout number;
- fstrm-set-input-queue-size number;
- fstrm-set-output-notify-threshold number;
- fstrm-set-output-queue-model ( mpsc | spsc ) ;
- fstrm-set-output-queue-size number;
- fstrm-set-reopen-interval number;
- heartbeat-interval integer;
- host-statistics boolean; // not implemented
- host-statistics-max number; // not implemented
- hostname ( quoted_string | none );
- interface-interval integer;
- keep-response-order { address_match_element; ... };
- listen-on [ port integer ] { address_match_element; ... };
- listen-on-v6 [ port integer ] { address_match_element; ... };
- match-mapped-addresses boolean;
- memstatistics-file quoted_string;
- pid-file ( quoted_string | none );
- port integer;
- querylog boolean;
- recursing-file quoted_string;
- reserved-sockets integer;
- random-device quoted_string;
- recursive-clients integer;
- serial-query-rate integer;
- server-id ( quoted_string | hostname | none );
- stacksize size;
- statistics-file quoted_string;
- statistics-interval integer; // not yet implemented
- tcp-clients integer;
- tcp-listen-queue integer;
- tkey-dhkey quoted_string integer;
- tkey-gssapi-credential quoted_string;
- tkey-gssapi-keytab quoted_string;
- tkey-domain quoted_string;
- transfer-message-size integer;
- transfers-per-ns integer;
- transfers-in integer;
- transfers-out integer;
- version ( quoted_string | none );
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-any boolean;
- minimal-responses ( boolean | no-auth | no-auth-recursive );
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
+ acache-cleaning-interval integer;
+ acache-enable boolean;
additional-from-auth boolean;
additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
- max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- catalog-zones {
-     zone quoted_string
- [ default-masters
- [port ip_port]
- [dscp ip_dscp]
- { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] }
]
-     [in-memory yes_or_no]
-     [min-update-interval interval]
-     ; ... };
- ;
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { acl; };
- exclude { acl; };
- mapped { acl; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
allow-query-cache { address_match_element; ... };
allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ automatic-interface-scan boolean;
+ avoid-v4-udp-ports { portrange; ... };
+ avoid-v6-udp-ports { portrange; ... };
+ bindkeys-file quoted_string;
+ blackhole { address_match_element; ... };
+ cache-file quoted_string;
+ catalog-zones { zone quoted_string [ default-masters [ port
+     integer 
] [ dscp integer ] { ( masters | ipv4_address [
+     port integer 
] | ipv6_address [ port integer ] ) [ key
+     string 
]; ... } 
] [ zone-directory quoted_string ] [
+     in-memory boolean 
] [ min-update-interval integer ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-secret string;
+ coresize ( default | unlimited | sizeval );
+ datasize ( default | unlimited | sizeval );
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ directory quoted_string;
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
};
-
- max-journal-size size_no_default;
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+     resolver ) [ ( query | response ) ]; ... };
+ dnstap-identity ( quoted_string | none |
+     hostname );
+ dnstap-output ( file | unix ) quoted_string;
+ dnstap-version ( quoted_string | none );
+ dscp integer;
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ dump-file quoted_string;
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ files ( default | unlimited | sizeval );
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ flush-zones-on-shutdown boolean;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ fstrm-set-buffer-hint integer;
+ fstrm-set-flush-timeout integer;
+ fstrm-set-input-queue-size integer;
+ fstrm-set-output-notify-threshold integer;
+ fstrm-set-output-queue-model ( mpsc | spsc );
+ fstrm-set-output-queue-size integer;
+ fstrm-set-reopen-interval integer;
+ geoip-directory ( quoted_string | none );
+ geoip-use-ecs ( quoted_string | none );
+ heartbeat-interval integer;
+ hostname ( quoted_string | none );
+ inline-signing boolean;
+ interface-interval integer;
+ ixfr-from-differences ( master | slave | boolean );
+ keep-response-order { address_match_element; ... };
+ key-directory quoted_string;
+ lame-ttl ttlval;
+ listen-on [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ listen-on-v6 [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ lock-file ( quoted_string | none );
+ managed-keys-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-mapped-addresses boolean;
+ max-acache-size ( unlimited | sizeval );
+ max-cache-size ( default | unlimited | sizeval | percentage );
+ max-cache-ttl integer;
+ max-clients-per-query integer;
+ max-journal-size ( unlimited | sizeval );
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-rsa-exponent-size integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
+ memstatistics boolean;
+ memstatistics-file quoted_string;
+ message-compression boolean;
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-any boolean;
+ minimal-responses ( no-auth | no-auth-recursive | boolean );
multi-master boolean;
-
- sig-validity-interval integer;
- sig-re-signing-interval integer;
+ no-case-compress { address_match_element; ... };
+ nocookie-udp-size integer;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-rate integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ nta-lifetime ttlval;
+ nta-recheck ttlval;
+ nxdomain-redirect string;
+ pid-file ( quoted_string | none );
+ port integer;
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ querylog boolean;
+ random-device quoted_string;
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursing-file quoted_string;
+ recursion boolean;
+ recursive-clients integer;
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ require-server-cookie boolean;
+ reserved-sockets integer;
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ log boolean ] [
+     max-policy-ttl integer 
] [ policy ( cname | disabled | drop |
+     given | no-op | nodata | nxdomain | passthru | tcp-only
+     quoted_string ) 
] [ recursive-only boolean ]; ... } [
+     break-dnssec boolean 
] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ nsip-wait-recurse boolean ] [
+     qname-wait-recurse boolean 
] [ recursive-only boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ secroots-file quoted_string;
+ send-cookie boolean;
+ serial-query-rate integer;
+ serial-update-method ( date | increment | unixtime );
+ server-id ( quoted_string | none | hostname );
+ servfail-ttl ttlval;
+ session-keyalg string;
+ session-keyfile ( quoted_string | none );
+ session-keyname string;
sig-signing-nodes integer;
sig-signing-signatures integer;
sig-signing-type integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
- key-directory quoted_string;
- managed-keys-directory quoted_string;
- auto-dnssec allow|maintain|off;
+ sig-validity-interval integer [ integer ];
+ sortlist { address_match_element; ... };
+ stacksize ( default | unlimited | sizeval );
+ startup-notify-rate integer;
+ statistics-file quoted_string;
+ tcp-clients integer;
+ tcp-listen-queue integer;
+ tkey-dhkey quoted_string integer;
+ tkey-domain quoted_string;
+ tkey-gssapi-credential quoted_string;
+ tkey-gssapi-keytab quoted_string;
+ transfer-format ( many-answers | one-answer );
+ transfer-message-size integer;
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers-in integer;
+ transfers-out integer;
+ transfers-per-ns integer;
+ trust-anchor-telemetry boolean; // experimental
try-tcp-refresh boolean;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
+ use-v4-udp-ports { portrange; ... };
+ use-v6-udp-ports { portrange; ... };
+ v6-bias integer;
+ version ( quoted_string | none );
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
- automatic-interface-scan boolean;
-
- cookie-algorithm ( aes | sha1 | sha256 );
- cookie-secret string;
- require-server-cookie boolean;
- send-cookie boolean;
- nocookie-udp-size integer;
-
- deny-answer-addresses {
- address_match_list
- } [ except-from { namelist } ];
- deny-answer-aliases {
- namelist
- } [ except-from { namelist } ];
-
- nsec3-test-zone boolean;  // testing only
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- deallocate-on-exit boolean; // obsolete
- fake-iquery boolean; // obsolete
- fetch-glue boolean; // obsolete
- has-old-clients boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- multiple-cnames boolean; // obsolete
- named-xfer quoted_string; // obsolete
- serial-queries integer; // obsolete
- treat-cr-as-space boolean; // obsolete
- use-id-pool boolean; // obsolete
- use-ixfr boolean; // obsolete
+ zone-statistics ( full | terse | none | boolean );
};

-

VIEW

+

SERVER


-view string optional_class {
- match-clients { address_match_element; ... };
- match-destinations { address_match_element; ... };
- match-recursive-only boolean;
-
+server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ edns-version integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ send-cookie boolean;
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers integer;
+};
+

+
+ +
+

STATISTICS-CHANNELS

+ +


+statistics-channels {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] [
+     allow { address_match_element; ...
+     } 
];
+};
+

+
+ +
+

TRUSTED-KEYS

+ +


+trusted-keys { string integer integer
+    integer quoted_string; ... };
+

+
+ +
+

VIEW

+ +


+view string [ class ] {
+ acache-cleaning-interval integer;
+ acache-enable boolean;
+ additional-from-auth boolean;
+ additional-from-cache boolean;
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-cache { address_match_element; ... };
+ allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ cache-file quoted_string;
+ catalog-zones { zone quoted_string [ default-masters [ port
+     integer 
] [ dscp integer ] { ( masters | ipv4_address [
+     port integer 
] | ipv6_address [ port integer ] ) [ key
+     string 
]; ... } 
] [ zone-directory quoted_string ] [
+     in-memory boolean 
] [ min-update-interval integer ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dlz string {
+ database string;
+ search boolean;
+ };
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
+ };
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+     resolver ) [ ( query | response ) ]; ... };
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ dyndb string quoted_string {
+     unspecified-text };
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ inline-signing boolean;
+ ixfr-from-differences ( master | slave | boolean );
key string {
algorithm string;
secret string;
};
-
- zone string optional_class {
- ...
- };
-
- server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- ...
- };
-
- trusted-keys {
- string integer integer integer quoted_string;
- [...]
- };
-
- managed-keys {
- domain_name initial-key flags protocol algorithm key;
- [...]
- };
-
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-any boolean;
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
- additional-from-auth boolean;
- additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
+ key-directory quoted_string;
+ lame-ttl ttlval;
+ managed-keys { string string
+     integer integer integer
+     quoted_string; ... };
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-clients { address_match_element; ... };
+ match-destinations { address_match_element; ... };
+ match-recursive-only boolean;
+ max-acache-size ( unlimited | sizeval );
+ max-cache-size ( default | unlimited | sizeval | percentage );
max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { acl; };
- exclude { acl; };
- mapped { acl; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
- allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
- allow-query-cache { address_match_element; ... };
- allow-query-cache-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
- allow-update { address_match_element; ... };
- allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
- max-journal-size size_no_default;
+ max-clients-per-query integer;
+ max-journal-size ( unlimited | sizeval );
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
+ message-compression boolean;
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-any boolean;
+ minimal-responses ( no-auth | no-auth-recursive | boolean );
multi-master boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ no-case-compress { address_match_element; ... };
+ nocookie-udp-size integer;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ nta-lifetime ttlval;
+ nta-recheck ttlval;
+ nxdomain-redirect string;
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursion boolean;
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ require-server-cookie boolean;
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ log boolean ] [
+     max-policy-ttl integer 
] [ policy ( cname | disabled | drop |
+     given | no-op | nodata | nxdomain | passthru | tcp-only
+     quoted_string ) 
] [ recursive-only boolean ]; ... } [
+     break-dnssec boolean 
] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ nsip-wait-recurse boolean ] [
+     qname-wait-recurse boolean 
] [ recursive-only boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ send-cookie boolean;
+ serial-update-method ( date | increment | unixtime );
+ server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ edns-version integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port
+     ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv4_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [
+     port ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv6_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ send-cookie boolean;
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ transfers integer;
+ };
+ servfail-ttl ttlval;
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ sortlist { address_match_element; ... };
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ trust-anchor-telemetry boolean; // experimental
+ trusted-keys { string integer
+     integer integer quoted_string;
+     ... };
try-tcp-refresh boolean;
- key-directory quoted_string;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
+ v6-bias integer;
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
-
- require-server-cookie boolean;
- send-cookie boolean;
- nocookie-udp-size integer;
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- fetch-glue boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
+ zone string [ class ] {
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { (
+     masters | ipv4_address [ port integer ] |
+     ipv6_address [ port integer ] ) [ key string ];
+     ... };
+ alt-transfer-source ( ipv4_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh |
+     boolean );
+ dlz string;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { (
+     ipv4_address | ipv6_address ) [ port integer ] [
+     dscp integer 
]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port integer ] [ dscp integer ] { ( masters
+     | ipv4_address [ port integer ] | ipv6_address [
+     port integer 
] ) [ key string ]; ... };
+ max-ixfr-log-size ( default | unlimited |
+ max-journal-size ( unlimited | sizeval );
+ max-records integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-transfer-idle-in integer;
+ max-transfer-idle-out integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
+ min-refresh-time integer;
+ min-retry-time integer;
+ multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer
+     integer
+     integer
+ request-expire boolean;
+ request-ixfr boolean;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [
+     port integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ try-tcp-refresh boolean;
+ type ( delegation-only | forward | hint | master | redirect
+     | slave | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string (
+     6to4-self | external | krb5-self | krb5-subdomain |
+     ms-self | ms-subdomain | name | self | selfsub |
+     selfwild | subdomain | tcp-self | wildcard | zonesub )
+     [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
+ };
+ zone-statistics ( full | terse | none | boolean );
};

-

ZONE

+

ZONE


-zone string optional_class {
- type ( master | slave | stub | hint | redirect |
- forward | delegation-only );
- file quoted_string;
-
- masters [ port integer ] {
- ( masters |
- ipv4_address [port integer] |
- ipv6_address [ port integer ] ) [ key string ]; ...
- };
-
- database string;
- delegation-only boolean;
- check-names ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- dialup dialuptype;
- ixfr-from-differences boolean;
- journal quoted_string;
- zero-no-soa-ttl boolean;
- dnssec-secure-to-insecure boolean;
-
+zone string [ class ] {
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
allow-query-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-policy local |  {
- ( grant | deny ) string
- ( name | subdomain | wildcard | self | selfsub | selfwild |
-   krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-   tcp-self | zonesub | 6to4-self ) string
- rrtypelist;
- [...]
- }
;
- update-check-ksk boolean;
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ dlz string;
dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
- max-journal-size size_no_default;
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ max-journal-size ( unlimited | sizeval );
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
+ min-retry-time integer;
multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer integer
+ request-expire boolean;
request-ixfr boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [ port
+     integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
try-tcp-refresh boolean;
- key-directory quoted_string;
-
- nsec3-test-zone boolean;  // testing only
-
- ixfr-base quoted_string; // obsolete
- ixfr-tmp-file quoted_string; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- pubkey integer integer integer quoted_string; // obsolete
+ type ( delegation-only | forward | hint | master | redirect | slave
+     | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string ( 6to4-self |
+     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
+     | name | self | selfsub | selfwild | subdomain | tcp-self |
+     wildcard | zonesub ) [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
};

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

+ ddns-confgen(8) + , + named(8) , @@ -722,6 +989,9 @@ zone rndc(8) , + + rndc-confgen(8) + , BIND 9 Administrator Reference Manual.
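Review bot: Several entries in the regenerated `zone` grammar are cut off, so the synopsis no longer shows complete syntax. In the `zone` block nested inside `view`, `max-ixfr-log-size ( default | unlimited |` never closes its value list and has no terminating `;`. `pubkey` now appears with three integers in the nested block and two in the top-level `zone` block, in both cases without the `quoted_string;` that the removed line had (`pubkey integer integer integer quoted_string; // obsolete`). Both `update-policy` entries end in `[ string rrtypelist; ... };` with the `[` and the outer `(` left open. The `// obsolete` markers that the removed text carried on `max-ixfr-log-size` and `pubkey` are gone as well, so readers can no longer tell these options are deprecated. The subject says this is a regen, so the fix belongs in the generator or its input followed by another regen, not in a hand edit to this file.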

diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index 6ac7f103a0..0973ffef5a 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -214,7 +214,7 @@ causes the output file to be rolled automatically, similar to log files; the mos is specified, then the number of backup log files is limited to that number\&. .RE .PP -\fBdumpdb \fR\fB[\-all|\-cache|\-zone|\-adb|\-bad|\-fail]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR +\fBdumpdb \fR\fB[\-all|\-cache|\-zones|\-adb|\-bad|\-fail]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR .RS 4 Dump the server\*(Aqs caches (default) and/or zones to the dump file for the specified views\&. If no view is specified, all views are dumped\&. (See the \fBdump\-file\fR diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 63e02d326a..31e1e47475 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -274,14 +274,12 @@ number of backup log files is limited to that number.

-
dumpdb [-all|-cache|-zone|-adb|-bad|-fail] [view ...]
+
dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]

Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. + the dump file for the specified views. If no view + is specified, all views are dumped. (See the dump-file option in the BIND 9 Administrator Reference Manual.)
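Review bot: The `dumpdb` synopsis changes `-zone` to `-zones` in both rndc.8 and rndc.html, which is a user-visible correction to a command option, yet the commit message says only "regen v9_11" and gives no pointer to the source change it was generated from. Please reference that change in the message, and confirm that the option `rndc` actually accepts is `-zones`, so the two generated pages and the program agree. The surrounding description ("Dump the server's caches (default) and/or zones") is consistent with the new spelling.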

diff --git a/configure b/configure index 3dac59d422..399e309641 100755 --- a/configure +++ b/configure @@ -956,7 +956,6 @@ infodir docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -1112,7 +1111,6 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1365,15 +1363,6 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1511,7 +1500,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1664,7 +1653,6 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] 
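Review bot: Removing `runstatedir` from configure drops a user-facing option, not just generated noise. The hunks delete the default (`runstatedir='${localstatedir}/run'`), the whole `-runstatedir | --runstatedir` case in option parsing, the variable from the trailing-slash check loop, and the `--runstatedir=DIR` line in the help text. Build or packaging scripts that pass `--runstatedir=...` will therefore no longer have it recognised. This looks like a side effect of regenerating with a different autoconf than the one used for the previous commit. Either regenerate with the same tool version so the option is kept, or state in the commit message that the option is intentionally gone.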
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index a89edbe5be..f2d390a012 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -602,6 +602,6 @@
-

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 9611c234e6..6c0dee4721 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -151,6 +151,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 2b5f8edef3..022fbff1d1 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -759,6 +759,6 @@ controls { -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 0be6c0b095..7cf86e8ad3 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2870,6 +2870,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index ccba8299f3..1aa1591262 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -142,6 +142,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 61c8ca74a1..6e44ef5985 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14509,6 +14509,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 05e6886c96..8336d08ebc 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -399,6 +399,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index ab83db0838..8d7264ef88 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -136,6 +136,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index de0cdd005b..6bec6b5989 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -36,7 +36,7 @@

-Release Notes for BIND Version 9.11.1

+Release Notes for BIND Version 9.11.2b1

@@ -141,209 +139,34 @@

Security Fixes

-
    -
  • -

    - rndc "" could trigger an assertion failure - in named. This flaw is disclosed in - (CVE-2017-3138). [RT #44924] -

    -
  • -
  • -

    - Some chaining (i.e., type CNAME or DNAME) responses to upstream - queries could trigger assertion failures. This flaw is disclosed - in CVE-2017-3137. [RT #44734] -

    -
  • -
  • -

    - dns64 with break-dnssec yes; - can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136. [RT #44653] -

    -
  • -
  • -

    - If a server is configured with a response policy zone (RPZ) - that rewrites an answer with local data, and is also configured - for DNS64 address mapping, a NULL pointer can be read - triggering a server crash. This flaw is disclosed in - CVE-2017-3135. [RT #44434] -

    -
  • -
  • -

    - A coding error in the nxdomain-redirect - feature could lead to an assertion failure if the redirection - namespace was served from a local authoritative data source - such as a local zone or a DLZ instead of via recursive - lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837] -

    -
  • -
  • -

    - named could mishandle authority sections - with missing RRSIGs, triggering an assertion failure. This - flaw is disclosed in CVE-2016-9444. [RT #43632] -

    -
  • -
  • -

    - named mishandled some responses where - covering RRSIG records were returned without the requested - data, resulting in an assertion failure. This flaw is - disclosed in CVE-2016-9147. [RT #43548] -

    -
  • -
  • -

    - named incorrectly tried to cache TKEY - records which could trigger an assertion failure when there was - a class mismatch. This flaw is disclosed in CVE-2016-9131. - [RT #43522] -

    -
  • -
  • -

    - It was possible to trigger assertions when processing - responses containing answers of type DNAME. This flaw is - disclosed in CVE-2016-8864. [RT #43465] -

    -
  • -
  • -

    - Added the ability to specify the maximum number of records - permitted in a zone (max-records #;). - This provides a mechanism to block overly large zone - transfers, which is a potential risk with slave zones from - other parties, as described in CVE-2016-6170. - [RT #42143] -

    -
  • -
-
- -
-

-Feature Changes

-
    -
  • -

    - dnstap now stores both the local and remote - addresses for all messages, instead of only the remote address. - The default output format for dnstap-read has - been updated to include these addresses, with the initiating - address first and the responding address second, separated by - "-%gt;" or "%lt;-" to indicate in which direction the message - was sent. [RT #43595] -

    -
  • -
  • -

    - Expanded and improved the YAML output from - dnstap-read -y: it now includes packet - size and a detailed breakdown of message contents. - [RT #43622] [RT #43642] -

    -
  • -
  • -

    - If an ACL is specified with an address prefix in which the - prefix length is longer than the address portion (for example, - 192.0.2.1/8), named will now log a warning. - In future releases this will be a fatal configuration error. - [RT #43367] -

    -
  • -
-
- -
-

-Bug Fixes

-
    -
  • -

    - A synthesized CNAME record appearing in a response before the - associated DNAME could be cached, when it should not have been. - This was a regression introduced while addressing CVE-2016-8864. - [RT #44318] -

    -
  • -
  • -

    - named could deadlock if multiple changes - to NSEC/NSEC3 parameters for the same zone were being processed - at the same time. [RT #42770] -

    -
  • -
  • -

    - named could trigger an assertion when - sending NOTIFY messages. [RT #44019] -

    -
  • -
  • -

    - Referencing a nonexistent zone in a response-policy - statement could cause an assertion failure during configuration. - [RT #43787] -

    -
  • -
  • -

    - rndc addzone could cause a crash - when attempting to add a zone with a type other than - master or slave. - Such zones are now rejected. [RT #43665] -

    -
  • -
  • -

    - named could hang when encountering log - file names with large apparent gaps in version number (for - example, when files exist called "logfile.0", "logfile.1", - and "logfile.1482954169"). This is now handled correctly. - [RT #38688] -

    -
  • -
  • -

    - If a zone was updated while named was - processing a query for nonexistent data, it could return - out-of-sync NSEC3 records causing potential DNSSEC validation - failure. [RT #43247] -

    -
  • -
-
- -
-

-Maintenance

  • - The built-in root hints have been updated to include an - IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET. + None.

-Miscellaneous Notes

+Feature Changes

  • - Authoritative server support for the EDNS Client Subnet option - (ECS), introduced in BIND 9.11.0, was based on an early version - of the specification, and is now known to have incompatibilities - with other ECS implementations. It is also inefficient, requiring - a separate view for each answer, and is unable to correct for - overlapping subnets in the configuration. It is intended for - testing purposes but is not recommended for for production use. - This was not made sufficiently clear in the documentation at - the time of release. + Threads in named are now set to human-readable + names to assist debugging on operating systems that support that. + Threads will have names such as "isc-timer", "isc-sockmgr", + "isc-worker0001", and so on. This will affect the reporting of + subsidiary thread names in ps and + top, but not the main thread. [RT #43234] +

    +
+
+ +
+

+Bug Fixes

+
  • +

    + None.
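Review bot: The removed Miscellaneous Notes paragraph on authoritative EDNS Client Subnet support ("intended for testing purposes but is not recommended for for production use") is a standing operational caveat rather than a 9.11.1-specific change, and none of the added lines replace it. If ECS behaviour is unchanged in 9.11.2b1, keep that warning in the notes source this file is regenerated from, or move it into the ECS section of the ARM, and fix the doubled "for" while there. The removed Security Fixes entries raise a similar point: with the section ahead of Feature Changes now reading "None.", a pointer to the 9.11.1 notes would keep the CVE-2016-9131, CVE-2016-8864 and CVE-2016-6170 entries and their RT numbers reachable for operators checking patch status.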

@@ -388,6 +211,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 90d5f7e238..22188c22ed 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -148,6 +148,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index a4d0e69241..e496050f6f 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -914,6 +914,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 425d0b0571..1d78ce33a5 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -575,6 +575,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index 0ce586cce3..47cc23685e 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -213,6 +213,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index ff68eff225..51d04d500b 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.11.1

+

BIND Version 9.11.2b1


@@ -241,7 +241,7 @@
A. Release Notes
-
Release Notes for BIND Version 9.11.1
+
Release Notes for BIND Version 9.11.2b1
Introduction
Download
@@ -250,8 +250,6 @@
Security Fixes
Feature Changes
Bug Fixes
-
Maintenance
-
Miscellaneous Notes
End of Life
Thank You
@@ -445,6 +443,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 0cc617ce2d..5b99bb808e 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -91,6 +91,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 5b2f7faa9b..f713473f0c 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -236,6 +236,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index c302c162a1..a02e0a33b8 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 4a358b1e62..87f8aa7f59 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1084,6 +1084,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 3e15b0d6f6..53d2d861c7 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -151,6 +151,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 8e4f5f7196..d5e26feef6 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 30301eae1e..ab910e75ab 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -289,6 +289,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 52d0f34090..ba057b8b86 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 83fd27aaff..6291d365f8 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -492,6 +492,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 11315b09bb..7fb8b6e6d9 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -579,6 +579,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index bc4700712a..c9f358dca5 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -397,6 +397,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 70b6e8a47c..22a3f3a9d1 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 31ffa6dae7..20d8636966 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -347,6 +347,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index e38e188764..27ae8b4b75 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -708,6 +708,6 @@ db.example.com.signed -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 2880f61d8d..cdae013cf2 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 43779bb4ae..c054cdf29c 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -134,6 +134,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 9a9c2ce702..07e566abb3 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -127,6 +127,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 7bd6c0898f..cf11fd1aa3 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -364,6 +364,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 5e8a2eea93..6c6070ba85 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -126,6 +126,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index b7f3a68a03..731036c200 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -327,6 +327,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 85a020ae24..b6dbeb8892 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -607,6 +607,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 01e3d573ca..31d2cab68b 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -192,6 +192,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2428751d70..f7240f18cc 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 79070bdf1e..63802bc912 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index a932cb62ff..be722a7391 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 94db774855..db0ce7e778 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 0a035a36b3..e7d9b70538 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -80,15 +80,52 @@


acl string { address_match_element; ... };
-

-

KEY

+

CONTROLS


-key domain_name {
+controls {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] allow
+     { address_match_element; ... } [
+     keys { string; ... } 
] [ read-only
+     boolean 
];
+ unix quoted_string perm integer
+     owner integer group integer [
+     keys { string; ... } 
] [ read-only
+     boolean 
];
+};
+

+
+ +
+

DLZ

+ +


+dlz string {
+ database string;
+ search boolean;
+};
+

+
+ +
+

DYNDB

+ +


+dyndb string quoted_string {
+    unspecified-text };
+

+
+ +
+

KEY

+ +


+key string {
algorithm string;
secret string;
};
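Review bot: In the added CONTROLS grammar, keys { string; ... } and read-only boolean are shown as optional on both the inet and unix lines, but the synopsis gives no hint of what applies when they are omitted. Since this block determines who may send control commands to named, state the defaults in the accompanying text or in a trailing comment. Two smaller points in the same hunk: dyndb string quoted_string { unspecified-text }; documents no parameters at all, and key string { says less than the key domain_name { it replaces, so a short comment on each would help readers.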
@@ -96,642 +133,872 @@ key

-

MASTERS

- -


-masters string [ port integer ] {
- ( masters | ipv4_address [port integer] |
- ipv6_address [port integer] ) [ key string ]; ...
-};
-

-
- -
-

SERVER

- -


-server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- bogus boolean;
- edns boolean;
- edns-udp-size integer;
- max-udp-size integer;
- tcp-only boolean;
- provide-ixfr boolean;
- request-ixfr boolean;
- keys server_key;
- transfers integer;
- transfer-format ( many-answers | one-answer );
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- support-ixfr boolean; // obsolete
-};
-

-
- -
-

TRUSTED-KEYS

- -


-trusted-keys {
- domain_name flags protocol algorithm key; ...
-};
-

-
- -
-

MANAGED-KEYS

- -


-managed-keys {
- domain_name initial-key flags protocol algorithm key; ...
-};
-

-
- -
-

CONTROLS

- -


-controls {
- inet ( ipv4_address | ipv6_address | * )
- [ port ( integer | * ) ]
- allow { address_match_element; ... }
- [ keys { string; ... } ];
- unix unsupported; // not implemented
-};
-

-
- -
-

LOGGING

+

LOGGING


logging {
- channel string {
- file log_file;
- syslog optional_facility;
- null;
- stderr;
- severity log_severity;
- print-time boolean;
- print-severity boolean;
- print-category boolean;
- };
category string { string; ... };
+ channel string {
+ buffered boolean;
+ file quoted_string [ versions ( "unlimited" | integer )
+     
] [ size size ];
+ null;
+ print-category boolean;
+ print-severity boolean;
+ print-time boolean;
+ severity log_severity;
+ stderr;
+ syslog [ syslog_facility ];
+ };
};

-

LWRES

+

LWRES


lwres {
- listen-on [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
- view string optional_class;
- search { string; ... };
- ndots integer;
- lwres-tasks integer;
+ listen-on [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
lwres-clients integer;
+ lwres-tasks integer;
+ ndots integer;
+ search { string; ... };
+ view string [ class ];
};

+
+

MANAGED-KEYS

+ +


+managed-keys { string string integer
+    integer integer quoted_string; ... };
+

+
+ +
+

MASTERS

+ +


+masters string [ port integer ] [ dscp
+    integer 
] { ( masters | ipv4_address [
+    port integer 
] | ipv6_address [ port
+    integer 
] ) [ key string ]; ... };
+

+
+

OPTIONS


options {
- avoid-v4-udp-ports { port; ... };
- avoid-v6-udp-ports { port; ... };
- blackhole { address_match_element; ... };
- coresize size;
- datasize size;
- directory quoted_string;
- dnstap { message_type; ... };
- dnstap-output ( file | unix ) path_name;
- dnstap-identity ( string | hostname | none );
- dnstap-version ( string | none );
- dump-file quoted_string;
- files size;
- fstrm-set-buffer-hint number;
- fstrm-set-flush-timeout number;
- fstrm-set-input-queue-size number;
- fstrm-set-output-notify-threshold number;
- fstrm-set-output-queue-model ( mpsc | spsc ) ;
- fstrm-set-output-queue-size number;
- fstrm-set-reopen-interval number;
- heartbeat-interval integer;
- host-statistics boolean; // not implemented
- host-statistics-max number; // not implemented
- hostname ( quoted_string | none );
- interface-interval integer;
- keep-response-order { address_match_element; ... };
- listen-on [ port integer ] { address_match_element; ... };
- listen-on-v6 [ port integer ] { address_match_element; ... };
- match-mapped-addresses boolean;
- memstatistics-file quoted_string;
- pid-file ( quoted_string | none );
- port integer;
- querylog boolean;
- recursing-file quoted_string;
- reserved-sockets integer;
- random-device quoted_string;
- recursive-clients integer;
- serial-query-rate integer;
- server-id ( quoted_string | hostname | none );
- stacksize size;
- statistics-file quoted_string;
- statistics-interval integer; // not yet implemented
- tcp-clients integer;
- tcp-listen-queue integer;
- tkey-dhkey quoted_string integer;
- tkey-gssapi-credential quoted_string;
- tkey-gssapi-keytab quoted_string;
- tkey-domain quoted_string;
- transfer-message-size integer;
- transfers-per-ns integer;
- transfers-in integer;
- transfers-out integer;
- version ( quoted_string | none );
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-any boolean;
- minimal-responses ( boolean | no-auth | no-auth-recursive );
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
+ acache-cleaning-interval integer;
+ acache-enable boolean;
additional-from-auth boolean;
additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
- max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- catalog-zones {
-     zone quoted_string
- [ default-masters
- [port ip_port]
- [dscp ip_dscp]
- { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] }
]
-     [in-memory yes_or_no]
-     [min-update-interval interval]
-     ; ... };
- ;
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { acl; };
- exclude { acl; };
- mapped { acl; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
allow-query-cache { address_match_element; ... };
allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ automatic-interface-scan boolean;
+ avoid-v4-udp-ports { portrange; ... };
+ avoid-v6-udp-ports { portrange; ... };
+ bindkeys-file quoted_string;
+ blackhole { address_match_element; ... };
+ cache-file quoted_string;
+ catalog-zones { zone quoted_string [ default-masters [ port
+     integer 
] [ dscp integer ] { ( masters | ipv4_address [
+     port integer 
] | ipv6_address [ port integer ] ) [ key
+     string 
]; ... } 
] [ zone-directory quoted_string ] [
+     in-memory boolean 
] [ min-update-interval integer ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-secret string;
+ coresize ( default | unlimited | sizeval );
+ datasize ( default | unlimited | sizeval );
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ directory quoted_string;
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
};
-
- max-journal-size size_no_default;
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+     resolver ) [ ( query | response ) ]; ... };
+ dnstap-identity ( quoted_string | none |
+     hostname );
+ dnstap-output ( file | unix ) quoted_string;
+ dnstap-version ( quoted_string | none );
+ dscp integer;
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ dump-file quoted_string;
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ files ( default | unlimited | sizeval );
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ flush-zones-on-shutdown boolean;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ fstrm-set-buffer-hint integer;
+ fstrm-set-flush-timeout integer;
+ fstrm-set-input-queue-size integer;
+ fstrm-set-output-notify-threshold integer;
+ fstrm-set-output-queue-model ( mpsc | spsc );
+ fstrm-set-output-queue-size integer;
+ fstrm-set-reopen-interval integer;
+ geoip-directory ( quoted_string | none );
+ geoip-use-ecs ( quoted_string | none );
+ heartbeat-interval integer;
+ hostname ( quoted_string | none );
+ inline-signing boolean;
+ interface-interval integer;
+ ixfr-from-differences ( master | slave | boolean );
+ keep-response-order { address_match_element; ... };
+ key-directory quoted_string;
+ lame-ttl ttlval;
+ listen-on [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ listen-on-v6 [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ lock-file ( quoted_string | none );
+ managed-keys-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-mapped-addresses boolean;
+ max-acache-size ( unlimited | sizeval );
+ max-cache-size ( default | unlimited | sizeval | percentage );
+ max-cache-ttl integer;
+ max-clients-per-query integer;
+ max-journal-size ( unlimited | sizeval );
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-rsa-exponent-size integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
+ memstatistics boolean;
+ memstatistics-file quoted_string;
+ message-compression boolean;
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-any boolean;
+ minimal-responses ( no-auth | no-auth-recursive | boolean );
multi-master boolean;
-
- sig-validity-interval integer;
- sig-re-signing-interval integer;
+ no-case-compress { address_match_element; ... };
+ nocookie-udp-size integer;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-rate integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ nta-lifetime ttlval;
+ nta-recheck ttlval;
+ nxdomain-redirect string;
+ pid-file ( quoted_string | none );
+ port integer;
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ querylog boolean;
+ random-device quoted_string;
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursing-file quoted_string;
+ recursion boolean;
+ recursive-clients integer;
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ require-server-cookie boolean;
+ reserved-sockets integer;
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ log boolean ] [
+     max-policy-ttl integer 
] [ policy ( cname | disabled | drop |
+     given | no-op | nodata | nxdomain | passthru | tcp-only
+     quoted_string ) 
] [ recursive-only boolean ]; ... } [
+     break-dnssec boolean 
] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ nsip-wait-recurse boolean ] [
+     qname-wait-recurse boolean 
] [ recursive-only boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ secroots-file quoted_string;
+ send-cookie boolean;
+ serial-query-rate integer;
+ serial-update-method ( date | increment | unixtime );
+ server-id ( quoted_string | none | hostname );
+ servfail-ttl ttlval;
+ session-keyalg string;
+ session-keyfile ( quoted_string | none );
+ session-keyname string;
sig-signing-nodes integer;
sig-signing-signatures integer;
sig-signing-type integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
- key-directory quoted_string;
- managed-keys-directory quoted_string;
- auto-dnssec allow|maintain|off;
+ sig-validity-interval integer [ integer ];
+ sortlist { address_match_element; ... };
+ stacksize ( default | unlimited | sizeval );
+ startup-notify-rate integer;
+ statistics-file quoted_string;
+ tcp-clients integer;
+ tcp-listen-queue integer;
+ tkey-dhkey quoted_string integer;
+ tkey-domain quoted_string;
+ tkey-gssapi-credential quoted_string;
+ tkey-gssapi-keytab quoted_string;
+ transfer-format ( many-answers | one-answer );
+ transfer-message-size integer;
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers-in integer;
+ transfers-out integer;
+ transfers-per-ns integer;
+ trust-anchor-telemetry boolean; // experimental
try-tcp-refresh boolean;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
+ use-v4-udp-ports { portrange; ... };
+ use-v6-udp-ports { portrange; ... };
+ v6-bias integer;
+ version ( quoted_string | none );
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
- automatic-interface-scan boolean;
-
- cookie-algorithm ( aes | sha1 | sha256 );
- cookie-secret string;
- require-server-cookie boolean;
- send-cookie boolean;
- nocookie-udp-size integer;
-
- deny-answer-addresses {
- address_match_list
- } [ except-from { namelist } ];
- deny-answer-aliases {
- namelist
- } [ except-from { namelist } ];
-
- nsec3-test-zone boolean;  // testing only
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- deallocate-on-exit boolean; // obsolete
- fake-iquery boolean; // obsolete
- fetch-glue boolean; // obsolete
- has-old-clients boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- multiple-cnames boolean; // obsolete
- named-xfer quoted_string; // obsolete
- serial-queries integer; // obsolete
- treat-cr-as-space boolean; // obsolete
- use-id-pool boolean; // obsolete
- use-ixfr boolean; // obsolete
+ zone-statistics ( full | terse | none | boolean );
};

-

VIEW

+

SERVER


-view string optional_class {
- match-clients { address_match_element; ... };
- match-destinations { address_match_element; ... };
- match-recursive-only boolean;
-
+server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ edns-version integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ send-cookie boolean;
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers integer;
+};
+

+
+ +
+

STATISTICS-CHANNELS

+ +


+statistics-channels {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] [
+     allow { address_match_element; ...
+     } 
];
+};
+

+
+ +
+

TRUSTED-KEYS

+ +


+trusted-keys { string integer integer
+    integer quoted_string; ... };
+

+
+ +
+

VIEW

+ +


+view string [ class ] {
+ acache-cleaning-interval integer;
+ acache-enable boolean;
+ additional-from-auth boolean;
+ additional-from-cache boolean;
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-cache { address_match_element; ... };
+ allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ cache-file quoted_string;
+ catalog-zones { zone quoted_string [ default-masters [ port
+     integer 
] [ dscp integer ] { ( masters | ipv4_address [
+     port integer 
] | ipv6_address [ port integer ] ) [ key
+     string 
]; ... } 
] [ zone-directory quoted_string ] [
+     in-memory boolean 
] [ min-update-interval integer ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dlz string {
+ database string;
+ search boolean;
+ };
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
+ };
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+     resolver ) [ ( query | response ) ]; ... };
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ dyndb string quoted_string {
+     unspecified-text };
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ inline-signing boolean;
+ ixfr-from-differences ( master | slave | boolean );
key string {
algorithm string;
secret string;
};
-
- zone string optional_class {
- ...
- };
-
- server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- ...
- };
-
- trusted-keys {
- string integer integer integer quoted_string;
- [...]
- };
-
- managed-keys {
- domain_name initial-key flags protocol algorithm key;
- [...]
- };
-
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-any boolean;
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
- additional-from-auth boolean;
- additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
+ key-directory quoted_string;
+ lame-ttl ttlval;
+ managed-keys { string string
+     integer integer integer
+     quoted_string; ... };
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-clients { address_match_element; ... };
+ match-destinations { address_match_element; ... };
+ match-recursive-only boolean;
+ max-acache-size ( unlimited | sizeval );
+ max-cache-size ( default | unlimited | sizeval | percentage );
max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { acl; };
- exclude { acl; };
- mapped { acl; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
- allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
- allow-query-cache { address_match_element; ... };
- allow-query-cache-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
- allow-update { address_match_element; ... };
- allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
- max-journal-size size_no_default;
+ max-clients-per-query integer;
+ max-journal-size ( unlimited | sizeval );
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
+ message-compression boolean;
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-any boolean;
+ minimal-responses ( no-auth | no-auth-recursive | boolean );
multi-master boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ no-case-compress { address_match_element; ... };
+ nocookie-udp-size integer;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ nta-lifetime ttlval;
+ nta-recheck ttlval;
+ nxdomain-redirect string;
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursion boolean;
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ require-server-cookie boolean;
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ log boolean ] [
+     max-policy-ttl integer 
] [ policy ( cname | disabled | drop |
+     given | no-op | nodata | nxdomain | passthru | tcp-only
+     quoted_string ) 
] [ recursive-only boolean ]; ... } [
+     break-dnssec boolean 
] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ nsip-wait-recurse boolean ] [
+     qname-wait-recurse boolean 
] [ recursive-only boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ send-cookie boolean;
+ serial-update-method ( date | increment | unixtime );
+ server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ edns-version integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port
+     ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv4_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [
+     port ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv6_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ request-expire boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ send-cookie boolean;
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ transfers integer;
+ };
+ servfail-ttl ttlval;
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ sortlist { address_match_element; ... };
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ trust-anchor-telemetry boolean; // experimental
+ trusted-keys { string integer
+     integer integer quoted_string;
+     ... };
try-tcp-refresh boolean;
- key-directory quoted_string;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
+ v6-bias integer;
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
-
- require-server-cookie boolean;
- send-cookie boolean;
- nocookie-udp-size integer;
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- fetch-glue boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
+ zone string [ class ] {
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { (
+     masters | ipv4_address [ port integer ] |
+     ipv6_address [ port integer ] ) [ key string ];
+     ... };
+ alt-transfer-source ( ipv4_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh |
+     boolean );
+ dlz string;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { (
+     ipv4_address | ipv6_address ) [ port integer ] [
+     dscp integer 
]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port integer ] [ dscp integer ] { ( masters
+     | ipv4_address [ port integer ] | ipv6_address [
+     port integer 
] ) [ key string ]; ... };
+ max-ixfr-log-size ( default | unlimited |
+ max-journal-size ( unlimited | sizeval );
+ max-records integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-transfer-idle-in integer;
+ max-transfer-idle-out integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
+ min-refresh-time integer;
+ min-retry-time integer;
+ multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer
+     integer
+     integer
+ request-expire boolean;
+ request-ixfr boolean;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [
+     port integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ try-tcp-refresh boolean;
+ type ( delegation-only | forward | hint | master | redirect
+     | slave | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string (
+     6to4-self | external | krb5-self | krb5-subdomain |
+     ms-self | ms-subdomain | name | self | selfsub |
+     selfwild | subdomain | tcp-self | wildcard | zonesub )
+     [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
+ };
+ zone-statistics ( full | terse | none | boolean );
};

-

ZONE

+

ZONE


-zone string optional_class {
- type ( master | slave | stub | hint | redirect |
- forward | delegation-only );
- file quoted_string;
-
- masters [ port integer ] {
- ( masters |
- ipv4_address [port integer] |
- ipv6_address [ port integer ] ) [ key string ]; ...
- };
-
- database string;
- delegation-only boolean;
- check-names ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- dialup dialuptype;
- ixfr-from-differences boolean;
- journal quoted_string;
- zero-no-soa-ttl boolean;
- dnssec-secure-to-insecure boolean;
-
+zone string [ class ] {
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
allow-query-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-policy local |  {
- ( grant | deny ) string
- ( name | subdomain | wildcard | self | selfsub | selfwild |
-   krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-   tcp-self | zonesub | 6to4-self ) string
- rrtypelist;
- [...]
- }
;
- update-check-ksk boolean;
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ dlz string;
dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
- max-journal-size size_no_default;
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ max-journal-size ( unlimited | sizeval );
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
+ min-retry-time integer;
multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer integer
+ request-expire boolean;
request-ixfr boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [ port
+     integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
try-tcp-refresh boolean;
- key-directory quoted_string;
-
- nsec3-test-zone boolean;  // testing only
-
- ixfr-base quoted_string; // obsolete
- ixfr-tmp-file quoted_string; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- pubkey integer integer integer quoted_string; // obsolete
+ type ( delegation-only | forward | hint | master | redirect | slave
+     | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string ( 6to4-self |
+     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
+     | name | self | selfsub | selfwild | subdomain | tcp-self |
+     wildcard | zonesub ) [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
};

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

+ ddns-confgen(8) + , + named(8) , @@ -740,6 +1007,9 @@ zone rndc(8) , + + rndc-confgen(8) + , BIND 9 Administrator Reference Manual.
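Review bot: In the regenerated VIEW and ZONE grammar earlier in this file's diff, several added statements stop mid-line as rendered here. `+ max-ixfr-log-size ( default | unlimited |` has no closing parenthesis or `;`. `+ pubkey integer integer` has lost the `integer quoted_string;` tail that the removed line carried. Both `update-policy` entries end in `[ string rrtypelist; ... };`, with the `[` and the outer `(` never closed. The removed `max-ixfr-log-size size; // obsolete` and `pubkey integer integer integer quoted_string; // obsolete` lines were complete, so it is worth checking whether the generator mishandles options flagged obsolete. Either emit the full statement with its `// obsolete` marker or leave obsolete options out of the generated grammar, then regenerate before the pages are committed.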

@@ -764,6 +1034,6 @@ zone
-

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 3721708972..641224270b 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -488,6 +488,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 47f552a301..f40a784ec6 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -131,6 +131,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 8dfbbce224..2e97e31007 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -419,6 +419,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 9f7e66db0b..c6b8342d7a 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -810,6 +810,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 098e63d5fe..25d7d8c96f 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index d5f1f4d9ab..bbba5f0112 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -199,6 +199,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index d5301e7fa6..69b194f2c5 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index fe45a2a899..a35641d8a7 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -119,6 +119,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 304edbaec4..fa934a97af 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -277,6 +277,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 48b8bf3553..afcc0ba99d 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 5ca6e2a9e4..fc9d49952e 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -292,14 +292,12 @@ number of backup log files is limited to that number.

-
dumpdb [-all|-cache|-zone|-adb|-bad|-fail] [view ...]
+
dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]

Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. + the dump file for the specified views. If no view + is specified, all views are dumped. (See the dump-file option in the BIND 9 Administrator Reference Manual.)
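Review bot: The `dumpdb` synopsis changes the flag from `-zone` to `-zones`, which is a user-visible correction rather than a reflow, while the description paragraph under it is only re-wrapped and still never names the flags. Confirm that `-zones` is the spelling rndc actually accepts and that the source this page is generated from carries the same change, so a later regen does not revert it.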

@@ -891,6 +889,6 @@ -

BIND 9.11.1

+

BIND 9.11.2b1

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index b4c8ae3f5d..7231984eb3 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.11.1

+Release Notes for BIND Version 9.11.2b1

@@ -102,209 +102,34 @@

Security Fixes

-
    -
  • -

    - rndc "" could trigger an assertion failure - in named. This flaw is disclosed in - (CVE-2017-3138). [RT #44924] -

    -
  • -
  • -

    - Some chaining (i.e., type CNAME or DNAME) responses to upstream - queries could trigger assertion failures. This flaw is disclosed - in CVE-2017-3137. [RT #44734] -

    -
  • -
  • -

    - dns64 with break-dnssec yes; - can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136. [RT #44653] -

    -
  • -
  • -

    - If a server is configured with a response policy zone (RPZ) - that rewrites an answer with local data, and is also configured - for DNS64 address mapping, a NULL pointer can be read - triggering a server crash. This flaw is disclosed in - CVE-2017-3135. [RT #44434] -

    -
  • -
  • -

    - A coding error in the nxdomain-redirect - feature could lead to an assertion failure if the redirection - namespace was served from a local authoritative data source - such as a local zone or a DLZ instead of via recursive - lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837] -

    -
  • -
  • -

    - named could mishandle authority sections - with missing RRSIGs, triggering an assertion failure. This - flaw is disclosed in CVE-2016-9444. [RT #43632] -

    -
  • -
  • -

    - named mishandled some responses where - covering RRSIG records were returned without the requested - data, resulting in an assertion failure. This flaw is - disclosed in CVE-2016-9147. [RT #43548] -

    -
  • -
  • -

    - named incorrectly tried to cache TKEY - records which could trigger an assertion failure when there was - a class mismatch. This flaw is disclosed in CVE-2016-9131. - [RT #43522] -

    -
  • -
  • -

    - It was possible to trigger assertions when processing - responses containing answers of type DNAME. This flaw is - disclosed in CVE-2016-8864. [RT #43465] -

    -
  • -
  • -

    - Added the ability to specify the maximum number of records - permitted in a zone (max-records #;). - This provides a mechanism to block overly large zone - transfers, which is a potential risk with slave zones from - other parties, as described in CVE-2016-6170. - [RT #42143] -

    -
  • -
-
- -
-

-Feature Changes

-
    -
  • -

    - dnstap now stores both the local and remote - addresses for all messages, instead of only the remote address. - The default output format for dnstap-read has - been updated to include these addresses, with the initiating - address first and the responding address second, separated by - "-%gt;" or "%lt;-" to indicate in which direction the message - was sent. [RT #43595] -

    -
  • -
  • -

    - Expanded and improved the YAML output from - dnstap-read -y: it now includes packet - size and a detailed breakdown of message contents. - [RT #43622] [RT #43642] -

    -
  • -
  • -

    - If an ACL is specified with an address prefix in which the - prefix length is longer than the address portion (for example, - 192.0.2.1/8), named will now log a warning. - In future releases this will be a fatal configuration error. - [RT #43367] -

    -
  • -
-
- -
-

-Bug Fixes

-
    -
  • -

    - A synthesized CNAME record appearing in a response before the - associated DNAME could be cached, when it should not have been. - This was a regression introduced while addressing CVE-2016-8864. - [RT #44318] -

    -
  • -
  • -

    - named could deadlock if multiple changes - to NSEC/NSEC3 parameters for the same zone were being processed - at the same time. [RT #42770] -

    -
  • -
  • -

    - named could trigger an assertion when - sending NOTIFY messages. [RT #44019] -

    -
  • -
  • -

    - Referencing a nonexistent zone in a response-policy - statement could cause an assertion failure during configuration. - [RT #43787] -

    -
  • -
  • -

    - rndc addzone could cause a crash - when attempting to add a zone with a type other than - master or slave. - Such zones are now rejected. [RT #43665] -

    -
  • -
  • -

    - named could hang when encountering log - file names with large apparent gaps in version number (for - example, when files exist called "logfile.0", "logfile.1", - and "logfile.1482954169"). This is now handled correctly. - [RT #38688] -

    -
  • -
  • -

    - If a zone was updated while named was - processing a query for nonexistent data, it could return - out-of-sync NSEC3 records causing potential DNSSEC validation - failure. [RT #43247] -

    -
  • -
-
- -
-

-Maintenance

  • - The built-in root hints have been updated to include an - IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET. + None.

-Miscellaneous Notes

+Feature Changes

  • - Authoritative server support for the EDNS Client Subnet option - (ECS), introduced in BIND 9.11.0, was based on an early version - of the specification, and is now known to have incompatibilities - with other ECS implementations. It is also inefficient, requiring - a separate view for each answer, and is unable to correct for - overlapping subnets in the configuration. It is intended for - testing purposes but is not recommended for for production use. - This was not made sufficiently clear in the documentation at - the time of release. + Threads in named are now set to human-readable + names to assist debugging on operating systems that support that. + Threads will have names such as "isc-timer", "isc-sockmgr", + "isc-worker0001", and so on. This will affect the reporting of + subsidiary thread names in ps and + top, but not the main thread. [RT #43234] +

    +
+
+ +
+

+Bug Fixes

+
  • +

    + None.