upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-23 07:07:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

prep 9.15.0

Browse source
This commit is contained in:
Tinderbox User 2019-05-10 04:32:56 +00:00
parent 07218e08ce
commit 25e416fb67
73 changed files with 726 additions and 1897 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
CHANGES
View file

@ -1,3 +1,5 @@
--- 9.15.0 released ---
5233. [bug] Negative trust anchors did not work with "forward only;"
to validating resolvers. [GL #997]

8
PLATFORMS
View file

@ -88,3 +88,11 @@ Debian armhf documentation):
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
NetBSD 6 i386
The i386 build of NetBSD requires the libatomic library, available from
the gcc5-libs package. Because this library is in a non-standard path, its
location must be specified in the configure command line:
LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure

4
README
View file

@ -103,9 +103,7 @@ format-patch.
BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.14 and earlier releases. New features include:
* TBD
of changes from BIND 9.14 and earlier releases.
Building BIND

5
README.md
View file

@ -120,10 +120,7 @@ including your patch as an attachment, preferably generated by
### <a name="features"/> BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.14 and earlier releases. New features
include:
* TBD
number of changes from BIND 9.14 and earlier releases.
### <a name="build"/> Building BIND

5
bin/dig/dig.1
View file

@ -450,6 +450,11 @@ clears the EDNS options to be sent\&.
Send an EDNS Expire option\&.
.RE
.PP
\fB+[no]expandaaaa\fR
.RS 4
When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
.RE
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.

7
bin/dig/dig.html
View file

@ -598,6 +598,13 @@
Send an EDNS Expire option.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
<dd>
<p>
When printing AAAA record print all zero nibbles rather
than the default RFC 5952 preferred presentation format.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd>
<p>

10
bin/dnssec/dnssec-dsfromkey.8
View file

@ -10,12 +10,12 @@
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Date: 2019-05-08
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -83,13 +83,13 @@ file, as generated by
\-1
.RS 4
An abbreviation for
\fB\-a SHA1\fR
\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR
\fB\-a SHA\-256\fR\&.
.RE
.PP
\-a \fIalgorithm\fR
@ -98,7 +98,7 @@ Specify a digest algorithm to use when converting DNSKEY records to DS records\&
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-A

8
bin/dnssec/dnssec-dsfromkey.html
View file

@ -135,13 +135,15 @@
<dt><span class="term">-1</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA1</code>
An abbreviation for <code class="option">-a SHA-1</code>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-256</code>
An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
@ -157,6 +159,8 @@
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>

83
bin/dnssec/dnssec-keygen.8
View file

@ -39,7 +39,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
@ -58,6 +58,13 @@ may be preferable to direct use of
\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
@ -83,29 +90,15 @@ to generate TSIG keys\&.
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
\fB\-f KSK\fR) default to 2048 bits\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata\&. By default,
Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
\fBdnssec\-keygen\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
@ -150,11 +143,6 @@ Prints a short summary of the options and arguments to
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k
.RS 4
Deprecated in favor of \-T KEY\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
@ -164,9 +152,17 @@ none
is the same as leaving it unset\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
Sets the protocol value for the generated key, for use with
\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-q
@ -193,27 +189,25 @@ Specifies the strength value of the key\&. The strength is a number between 0 an
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
Specifying any TSIG algorithm (HMAC\-* or DH) with
\fB\-a\fR
forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key\&.
Indicates the use of the key, for use with
\fB\-T KEY\fR\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
@ -314,23 +308,24 @@ contains the private key\&.
.PP
The
\&.key
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
file contains a DNSKEY or KEY record\&. When a zone is being signed by
\fBnamed\fR
or
\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
\&.key
file can be inserted into a zone file manually or with a
\fB$INCLUDE\fR
statement\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.PP
Both
\&.key
and
\&.private
files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
To generate an ECDSAP256SHA256 key for the domain
\fBexample\&.com\fR, the following command would be issued:
To generate an ECDSAP256SHA256 zone\-signing key for the zone
\fBexample\&.com\fR, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR
\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
.PP
The command would print a string of the form:
.PP
@ -342,6 +337,10 @@ creates the files
Kexample\&.com\&.+013+26160\&.key
and
Kexample\&.com\&.+013+26160\&.private\&.
.PP
To generate a matching key\-signing key, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),

139
bin/dnssec/dnssec-keygen.html
View file

@ -33,11 +33,10 @@
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@ -52,6 +51,7 @@
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@ -62,7 +62,6 @@
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-z</code>]
{name}
</p></div>
</div>
@ -95,6 +94,16 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
@ -130,11 +139,9 @@
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
between 1024 and 4096 bits. Diffie Hellman keys must be between
128 and 4096 bits. Elliptic curve algorithms don't need this
parameter.
</p>
<p>
If the key size is not specified, some algorithms have
@ -144,36 +151,15 @@
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
Compatibility mode: generates an old-style key, without any
timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored with
the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include this
data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
@ -234,12 +220,6 @@
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Deprecated in favor of -T KEY.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
@ -253,13 +233,24 @@
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
Sets the protocol value for the generated key, for use
with <code class="option">-T KEY</code>. The protocol is a number between 0
and 255. The default is 3 (DNSSEC). Other possible values for
this argument are listed in RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-q</span></dt>
@ -306,26 +297,15 @@
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
<p>
Specifying any TSIG algorithm (HMAC-* or DH) with
<code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
Indicates the use of the key, for use with <code class="option">-T
KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the ability
to encrypt data.
</p>
</dd>
<dt><span class="term">-V</span></dt>
@ -334,6 +314,12 @@
Prints version information.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
</dl></div>
</div>
@ -476,10 +462,12 @@
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
When a zone is being signed by <span class="command"><strong>named</strong></span>
or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
records are included automatically. In other cases,
the <code class="filename">.key</code> file can be inserted into a zone file
manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
@ -487,22 +475,17 @@
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric cryptography algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
To generate an ECDSAP256SHA256 key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
To generate an ECDSAP256SHA256 zone-signing key for the zone
<strong class="userinput"><code>example.com</code></strong>, issue the command:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
</p>
<p>
The command would print a string of the form:
@ -515,6 +498,12 @@
and
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
<p>
To generate a matching key-signing key, issue the command:
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
</p>
</div>
<div class="refsection">

9
bin/python/dnssec-checkds.8
View file

@ -46,6 +46,15 @@ dnssec-checkds \- DNSSEC delegation consistency checking tool
verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS or DLV records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
If a

16
bin/python/dnssec-checkds.html
View file

@ -55,8 +55,22 @@
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS or DLV records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>

36
bin/python/dnssec-keymgr.8
View file

@ -49,7 +49,7 @@ and
\fBdnssec\-settime\fR\&.
.PP
DNSSEC policy can be read from a configuration file (default
/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a default policy used for all zones\&.
/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a "default" policy used for all zones\&.
.PP
When
\fBdnssec\-keymgr\fR
@ -181,7 +181,8 @@ would be used for zones that had unusually high security needs\&.
.sp -1
.IP \(bu 2.3
.\}
Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
\fIAlgorithm policies:\fR
(\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using
\fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&.
.RE
@ -194,59 +195,60 @@ Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&
.sp -1
.IP \(bu 2.3
.\}
Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
\fIZone policies:\fR
(\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a
\fBpolicy\fR
option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&.
option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&. If a zone does not have its own policy then the "default" policy applies\&.
.RE
.PP
Options that can be specified in policies:
.PP
\fBalgorithm\fR
\fBalgorithm\fR \fIname\fR;
.RS 4
The key algorithm\&. If no policy is defined, the default is RSASHA256\&.
.RE
.PP
\fBcoverage\fR
\fBcoverage\fR \fIduration\fR;
.RS 4
The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&.
.RE
.PP
\fBdirectory\fR
\fBdirectory\fR \fIpath\fR;
.RS 4
Specifies the directory in which keys should be stored\&.
.RE
.PP
\fBkey\-size\fR
\fBkey\-size\fR \fIkeytype\fR \fIsize\fR;
.RS 4
Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
Specifies the number of bits to use in creating keys\&. The keytype is either "zsk" or "ksk"\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
.RE
.PP
\fBkeyttl\fR
\fBkeyttl\fR \fIduration\fR;
.RS 4
The key TTL\&. If no policy is defined, the default is one hour\&.
.RE
.PP
\fBpost\-publish\fR
\fBpost\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long after inactivation a key should be deleted from the zone\&. Note: If
\fBroll\-period\fR
is not set, this value is ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
\fBpre\-publish\fR
\fBpre\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long before activation a key should be published\&. Note: If
\fBroll\-period\fR
is not set, this value is ignored\&. Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
\fBroll\-period\fR
\fBroll\-period\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How frequently keys should be rolled over\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not roll over by default\&.
How frequently keys should be rolled over\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSKs\&. KSKs do not roll over by default\&.
.RE
.PP
\fBstandby\fR
\fBstandby\fR \fIkeytype\fR \fInumber\fR;
.RS 4
Not yet implemented\&.
.RE

62
bin/python/dnssec-keymgr.html
View file

@ -57,11 +57,12 @@
</p>
<p>
DNSSEC policy can be read from a configuration file (default
<code class="filename">/etc/dnssec-policy.conf</code>), from which the key
parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
<code class="filename">/etc/dnssec-policy.conf</code>), from which the
key parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
per-zone basis, or to set a default policy used for all zones.
per-zone basis, or to set a "<code class="literal">default</code>" policy
used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
@ -210,7 +211,7 @@
</li>
<li class="listitem">
<p>
Algorithm policies:
<span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
@ -220,11 +221,13 @@
</li>
<li class="listitem">
<p>
Zone policies:
<span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
If a zone does not have its own policy then the
"<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
@ -232,81 +235,90 @@
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
<em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>coverage</strong></span>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
This can be represented as a number of seconds, or as a duration
using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>directory</strong></span>
<em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the directory in which keys should be stored.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 2048 bits for RSA keys.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key TTL. If no policy is defined, the default is one hour.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long after inactivation a key should be deleted from the zone.
Note: If <code class="option">roll-period</code> is not set, this value is
ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
duration. A default value for this option can be set in algorithm
ignored. The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Not yet implemented.

9
bin/rndc/rndc.8
View file

@ -702,14 +702,7 @@ in each view\&. The list both statically configured keys and dynamic TKEY\-negot
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
.RS 4
Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. (Note that
\fBdnssec\-enable\fR
must also be
\fByes\fR
(the default value) for signatures to be returned along with validated data\&. If validation is enabled while
\fBdnssec\-enable\fR
is set to
\fBno\fR, the server will validate internally, but will not supply clients with the necessary records to allow validity to be confirmed\&.)
Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&.
.RE
.PP
\fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR

7
bin/rndc/rndc.html
View file

@ -914,13 +914,6 @@
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
(Note that <span class="command"><strong>dnssec-enable</strong></span> must also be
<strong class="userinput"><code>yes</code></strong> (the default value) for signatures
to be returned along with validated data. If validation is
enabled while <span class="command"><strong>dnssec-enable</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, the server will validate internally,
but will not supply clients with the necessary records to allow
validity to be confirmed.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

4
doc/arm/Bv9ARM.ch01.html
View file

@ -75,7 +75,7 @@
<acronym class="acronym">BIND</acronym> version 9 software package for
system administrators.
</p>
<p>This version of the manual corresponds to BIND version 9.13.</p>
<p>This version of the manual corresponds to BIND version 9.15.</p>
</div>
<div class="section">
@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch02.html
View file

@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch03.html
View file

@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

20
doc/arm/Bv9ARM.ch04.html
View file

@ -1024,12 +1024,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_config"></a>Configuring Servers for DNSSEC</h3></div></div></div>
<p>
To enable <span class="command"><strong>named</strong></span> to respond appropriately
to DNS requests from DNSSEC-aware clients,
<span class="command"><strong>dnssec-enable</strong></span> must be set to
<strong class="userinput"><code>yes</code></strong>. This is the default setting.
</p>
<p>
To enable <span class="command"><strong>named</strong></span> to validate answers
received from other servers, the
@ -1060,17 +1054,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
built with <span class="command"><strong>configure --disable-auto-validation</strong></span>,
in which case the default is <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
If <span class="command"><strong>dnssec-enable</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, then the default for
<span class="command"><strong>dnssec-validation</strong></span> is also changed to
<strong class="userinput"><code>no</code></strong>. If
<span class="command"><strong>dnssec-validation</strong></span> is set to
<strong class="userinput"><code>yes</code></strong>, the server will
perform DNSSEC validation internally, but will not return
signatures when queried - but it will not be turned on
automatically.
</p>
<p>
<span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
@ -1159,7 +1142,6 @@ trusted-keys {
options {
...
dnssec-enable yes;
dnssec-validation yes;
};
</pre>
@ -2863,6 +2845,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

161
doc/arm/Bv9ARM.ch05.html
View file

@ -3409,6 +3409,12 @@ options {
by the <span class="command"><strong>disable-algorithms</strong></span> will be treated
as insecure.
</p>
<p>
Configured trust anchors in <span class="command"><strong>trusted-keys</strong></span>
or <span class="command"><strong>managed-keys</strong></span> that match a disabled
algorithm will be ignored and treated as if they were not
configured at all.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
<dd>
@ -4115,30 +4121,55 @@ options {
<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
<dd>
<p>
If set to <strong class="userinput"><code>yes</code></strong>, then when generating
responses the server will only add records to the authority
and additional data sections when they are required (e.g.
delegations, negative responses). This may improve the
performance of the server.
This option controls the addition of records to the
authority and additional sections of responses. Such
records may be included in responses to be helpful
to clients; for example, NS or MX records may
have associated address records included in the additional
section, obviating the need for a separate address lookup.
However, adding these records to responses is not mandatory
and requires additional database lookups, causing extra
latency when marshalling responses.
<span class="command"><strong>minimal-responses</strong></span> takes one of
four values:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<strong class="userinput"><code>no</code></strong>: the server will be
as complete as possible when generating responses.
</li>
<li class="listitem">
<strong class="userinput"><code>yes</code></strong>: the server will only add
records to the authority and additional sections when
such records are required by the DNS protocol (for
example, when returning delegations or negative
responses). This provides the best server performance
but may result in more client queries.
</li>
<li class="listitem">
<strong class="userinput"><code>no-auth</code></strong>: the server
will omit records from the authority section except
when they are required, but it may still add records
to the additional section.
</li>
<li class="listitem">
<strong class="userinput"><code>no-auth-recursive</code></strong>: the same
as <strong class="userinput"><code>no-auth</code></strong> when recursion is
requested in the query (RD=1), or the same as
<strong class="userinput"><code>no</code></strong> if recursion is not
requested.
</li>
</ul></div>
<p>
<strong class="userinput"><code>no-auth</code></strong> and
<strong class="userinput"><code>no-auth-recursive</code></strong> are useful when
answering stub clients, which usually ignore the
authority section. <strong class="userinput"><code>no-auth-recursive</code></strong>
is meant for use in mixed-mode servers that handle both
authoritative and recursive queries.
</p>
<p>
When set to <strong class="userinput"><code>no-auth</code></strong>, the
server will omit records from the authority section
unless they are required, but it may still add
records to the additional section. When set to
<strong class="userinput"><code>no-auth-recursive</code></strong>, this
is only done if the query is recursive. When the
query is not recursive, the effect is same as if
<strong class="userinput"><code>no</code></strong> was specified. These
settings are useful when answering stub clients,
which usually ignore the authority section.
<strong class="userinput"><code>no-auth-recursive</code></strong> is
designed for mixed-mode servers which handle
both authoritative and recursive queries.
</p>
<p>
The default is
<strong class="userinput"><code>no-auth-recursive</code></strong>.
The default is <strong class="userinput"><code>no-auth-recursive</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>glue-cache</strong></span></span></dt>
@ -4601,12 +4632,7 @@ options {
<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt>
<dd>
<p>
This indicates whether DNSSEC-related resource
records are to be returned by <span class="command"><strong>named</strong></span>.
If set to <strong class="userinput"><code>no</code></strong>,
<span class="command"><strong>named</strong></span> will not return DNSSEC-related
resource records unless specifically queried for.
The default is <strong class="userinput"><code>yes</code></strong>.
This option is obsolete and has no effect.
</p>
</dd>
<dt>
@ -4614,10 +4640,8 @@ options {
</dt>
<dd>
<p>
This enables DNSSEC validation in <span class="command"><strong>named</strong></span>.
Note that <span class="command"><strong>dnssec-enable</strong></span> also needs to
be set to <strong class="userinput"><code>yes</code></strong> for signatures to be
returned to the client along with validated answers.
This option enables DNSSEC validation in
<span class="command"><strong>named</strong></span>.
</p>
<p>
If set to <strong class="userinput"><code>auto</code></strong>,
@ -4641,13 +4665,6 @@ options {
BIND is built with
<span class="command"><strong>configure --disable-auto-validation</strong></span>,
in which case the default is <strong class="userinput"><code>yes</code></strong>.
If <span class="command"><strong>dnssec-enable</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, then the default for
<span class="command"><strong>dnssec-validation</strong></span> is also
<strong class="userinput"><code>no</code></strong>. Validation can still be turned on
if desired - this results in a server that performs DNSSEC
validation but does not return signatures when queried -
but it will not be turned on automatically.
</p>
<p>
The default root trust anchor is stored in the file
@ -5192,15 +5209,21 @@ options {
When set in the <span class="command"><strong>zone</strong></span> statement for
a master zone, specifies which hosts are allowed to
submit Dynamic DNS updates to that zone. The default
is to deny updates from all hosts. This can only
be set at the <span class="command"><strong>zone</strong></span> level, not in
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
is to deny updates from all hosts.
</p>
<p>
Note that allowing updates based on the
requestor's IP address is insecure; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
</p>
<p>
In general this option should only be set at the
<span class="command"><strong>zone</strong></span> level. While a default
value can be set at the <span class="command"><strong>options</strong></span> or
<span class="command"><strong>view</strong></span> level and inherited by zones,
this could lead to some zones unintentionally allowing
updates.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
<dd>
@ -5210,9 +5233,7 @@ options {
submit Dynamic DNS updates and have them be forwarded
to the master. The default is
<strong class="userinput"><code>{ none; }</code></strong>, which means that no
update forwarding will be performed. This can only be
set at the <span class="command"><strong>zone</strong></span> level, not in
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
update forwarding will be performed.
</p>
<p>
To enable update forwarding, specify
@ -5230,6 +5251,14 @@ options {
on insecure IP-address-based access control; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for more details.
</p>
<p>
In general this option should only be set at the
<span class="command"><strong>zone</strong></span> level. While a default
value can be set at the <span class="command"><strong>options</strong></span> or
<span class="command"><strong>view</strong></span> level and inherited by zones,
this can lead to some zones unintentionally forwarding
updates.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
<dd>
@ -6281,7 +6310,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
interfaces <span class="command"><strong>named</strong></span> listens on plus
<span class="command"><strong>tcp-clients</strong></span>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
@ -7797,7 +7827,7 @@ deny-answer-aliases { "example.net"; };
The empty set of resource records is specified by
CNAME whose target is the wildcard top-level
domain (*.).
It rewrites the response to NODATA or ANCOUNT=1.
It rewrites the response to NODATA or ANCOUNT=0.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>Local Data</strong></span></span></dt>
@ -8045,6 +8075,14 @@ example.com CNAME rpz-tcp-only.
zone. By default, all rewrites are logged.
</p>
<p>
The <span class="command"><strong>add-soa</strong></span> option controls whether the RPZ's
SOA record is added to the additional section for traceback
of changes from this zone or not. This can be set at the
individual policy zone level or at the response-policy level.
The default is <code class="literal">yes</code>.
</p>
<p>
Updates to RPZ zones are processed asynchronously; if there
is more than one update pending they are bundled together.
@ -11219,6 +11257,20 @@ view external {
</td>
</tr>
<tr>
<td>
<p>
AMTRELAY
</p>
</td>
<td>
<p>
Automatic Multicast Tunneling Relay
discovery record.
Work in progress draft-ietf-mboned-driad-amt-discovery.
</p>
</td>
</tr>
<tr>
<td>
<p>
APL
@ -12175,6 +12227,19 @@ view external {
</p>
</td>
</tr>
<tr>
<td>
<p>
ZONEMD
</p>
</td>
<td>
<p>
Zone Message Digest.
Work in progress draft-wessels-dns-zone-digest.
</p>
</td>
</tr>
</tbody>
</table>
</div>
@ -14804,6 +14869,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch06.html
View file

@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch07.html
View file

@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

639
doc/arm/Bv9ARM.ch08.html
View file

@ -36,7 +36,7 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -55,16 +55,16 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.6</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.13 is an unstable development release of BIND.
BIND 9.15 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
leading up to the stable BIND 9.14 release, this document will be
leading up to the stable BIND 9.16 release, this document will be
updated with additional features added and bugs fixed.
</p>
</div>
@ -73,23 +73,21 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
<p>
Prior to BIND 9.13, new feature development releases were tagged
Until BIND 9.12, new feature development releases were tagged
as "alpha" and "beta", leading up to the first stable release
for a given development branch, which always ended in ".0".
</p>
<p>
Now, however, BIND has adopted the "odd-unstable/even-stable"
More recently, BIND adopted the "odd-unstable/even-stable"
release numbering convention. There will be no "alpha" or "beta"
releases in the 9.13 branch, only increasing version numbers.
So, for example, what would previously have been called 9.13.0a1,
9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
9.13.1, 9.13.2, etc.
releases in the 9.15 branch, only increasing version numbers.
So, for example, what would previously have been called 9.15.0a1,
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
9.15.1, 9.15.2, etc.
</p>
<p>
The first stable release from this development branch will be
renamed as 9.14.0. Thereafter, maintenance releases will continue
on the 9.14 branch, while unstable feature development proceeds in
9.15.
renamed as 9.16.0. Thereafter, maintenance releases will continue
on the 9.16 branch, while unstable feature development proceeds in
9.17.
</p>
</div>
@ -97,34 +95,26 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
<p>
BIND 9.13 has undergone substantial code refactoring and cleanup,
and some very old code has been removed that was needed to support
legacy platforms which are no longer supported by their vendors
and for which ISC is no longer able to perform quality assurance
testing. Specifically, workarounds for old versions of UnixWare,
BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
On UNIX-like systems, BIND now requires support for POSIX.1c
To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
IPv6 (RFC 3542), and standard atomic operations provided by the
C compiler.
</p>
<p>
More information can be found in the <code class="filename">PLATFORM.md</code>
file that is included in the source distribution of BIND 9. If your
platform compiler and system libraries provide the above features,
BIND 9 should compile and run. If that isn't the case, the BIND
development team will generally accept patches that add support
for systems that are still supported by their respective vendors.
</p>
<p>
As of BIND 9.13, the BIND development team has also made cryptography
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The
OpenSSL cryptography library must be available for the target
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
</p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
file that is included in the source distribution of BIND 9. If your
compiler and system libraries provide the above features, BIND 9
should compile and run. If that isn't the case, the BIND
development team will generally accept patches that add support
for systems that are still supported by their respective vendors.
</p>
</div>
<div class="section">
@ -145,47 +135,17 @@
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
There was a long-existing flaw in the documentation for
<span class="command"><strong>ms-self</strong></span>, <span class="command"><strong>krb5-self</strong></span>,
<span class="command"><strong>ms-subdomain</strong></span>, and <span class="command"><strong>krb5-subdomain</strong></span>
rules in <span class="command"><strong>update-policy</strong></span> statements. Though
the policies worked as intended, operators who configured their
servers according to the misleading documentation may have
thought zone updates were more restricted than they were;
users of these rule types are advised to review the documentation
and correct their configurations if necessary. New rule types
matching the previously documented behavior will be introduced
in a future maintenance release. [GL !708]
</p>
</li>
<li class="listitem">
<p>
When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could crash during recursive processing
of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</p>
</li>
<li class="listitem">
<p>
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
@ -194,333 +154,26 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Task manager and socket code have been substantially modified.
The manager uses per-cpu queues for tasks and network stack runs
multiple event loops in CPU-affinitive threads. This greatly
improves performance on large systems, especially when using
multi-queue NICs.
</p>
</li>
<li class="listitem">
<p>
A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
enables <span class="command"><strong>named</strong></span> to serve a transferred copy
of a zone's contents without acting as an authority for the
zone. A zone must be fully validated against an active trust
anchor before it can be used as a mirror zone. DNS responses
from mirror zones do not set the AA bit ("authoritative answer"),
but do set the AD bit ("authenticated data"). This feature is
meant to facilitate deployment of a local copy of the root zone,
as described in RFC 7706. [GL #33]
</p>
</li>
<li class="listitem">
<p>
A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
extension of query processing functionality through the use of
external libraries. The new <code class="filename">filter-aaaa.so</code>
plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
was formerly implemented as a native part of BIND.
</p>
<p>
The plugin API is a work in progress and is likely to evolve
as further plugins are implemented. [GL #15]
</p>
</li>
<li class="listitem">
<p>
BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
library to add IDNA2008 support. Previously, BIND supported
IDNA2003 using the (now obsolete and unsupported)
<span class="command"><strong>idnkit-1</strong></span> library.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<span class="command"><strong>root-key-sentinel no;</strong></span> to
<code class="filename">named.conf</code>. [GL #37]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
<span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
signatures covering DNSKEY RRsets. [GL #145]
</p>
</li>
<li class="listitem">
<p>
Support for QNAME minimization was added and enabled by default
in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
to normal resolution if the remote server returns something
unexpected during the query minimization process. This default
setting might change to <span class="command"><strong>strict</strong></span> in the future.
</p>
</li>
<li class="listitem">
<p>
When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
library to set process privileges. The adds a new compile-time
dependency, which can be met on most Linux platforms by installing the
<span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
package. BIND can also be built without capability support by using
<span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
loss of security.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>validate-except</strong></span> option specifies a list of
domains beneath which DNSSEC validation should not be performed,
regardless of whether a trust anchor has been configured above
them. [GL #237]
</p>
</li>
<li class="listitem">
<p>
Two new update policy rule types have been added
<span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</p>
</li>
<li class="listitem">
<p>
The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
</p>
</li>
<li class="listitem">
<p>
Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
<span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
administrator to override the minimum TTL in the received DNS records
(positive caching) and for storing the information about non-existent
records (negative caching). The configured minimum TTL for both
configuration options cannot exceed 90 seconds.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc status</strong></span> output now includes a
<span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
configuration is being reloaded.
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li>
</ul></div>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Workarounds for servers that misbehave when queried with EDNS
have been removed, because these broken servers and the
workarounds for their noncompliance cause unnecessary delays,
increase code complexity, and prevent deployment of new DNS
features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
for further details.
The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
<p>
In particular, resolution will no longer fall back to
plain DNS when there was no response from an authoritative
server. This will cause some domains to become non-resolvable
without manual intervention. In these cases, resolution can
be restored by adding <span class="command"><strong>server</strong></span> clauses for the
offending servers, specifying <span class="command"><strong>edns no</strong></span> or
<span class="command"><strong>send-cookie no</strong></span>, depending on the specific
noncompliance.
</p>
<p>
To determine which <span class="command"><strong>server</strong></span> clause to use, run
the following commands to send queries to the authoritative
servers for the broken domain:
</p>
<div class="literallayout"><p><br>
  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec<br>
  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie<br>
  dig soa &lt;zone&gt; @&lt;server&gt; +noedns<br>
</p></div>
<p>
If the first command fails but the second succeeds, the
server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
If the first two fail but the third succeeds, then the server
needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
</p>
<p>
Please contact the administrators of noncompliant domains
and encourage them to upgrade their broken DNS servers. [GL #150]
</p>
</li>
<li class="listitem">
<p>
Previously, it was possible to build BIND without thread support
for old architectures and systems without threads support.
BIND now requires threading support (either POSIX or Windows) from
the operating system, and it cannot be built without threads.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>filter-aaaa</strong></span>,
<span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
<span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
from <span class="command"><strong>named</strong></span>, and can no longer be
configured using native <code class="filename">named.conf</code> syntax.
However, loading the new <code class="filename">filter-aaaa.so</code>
plugin and setting its parameters provides identical
functionality.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
option for view selection. In its existing form, the authoritative
ECS feature was not fully RFC-compliant, and could not realistically
have been deployed in production for an authoritative server; its
only practical use was for testing and experimentation. In the
interest of code simplification, this feature has now been removed.
</p>
<p>
The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
and logged when received by <span class="command"><strong>named</strong></span>, but
it is no longer used for ACL processing. The
<span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
a warning will be logged if it is used in
<code class="filename">named.conf</code>.
<span class="command"><strong>ecs</strong></span> tags in an ACL definition are
also obsolete, and will cause the configuration to fail to
load if they are used. [GL #32]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
to generate these keys. [RT #46404]
</p>
</li>
<li class="listitem">
<p>
Support for OpenSSL 0.9.x has been removed. OpenSSL version
1.0.0 or greater, or LibreSSL is now required.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
which formerly turned on system-call filtering on Linux, has
been removed. [GL #93]
</p>
</li>
<li class="listitem">
<p>
IPv4 addresses in forms other than dotted-quad are no longer
accepted in master files. [GL #13] [GL #56]
</p>
</li>
<li class="listitem">
<p>
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
</p>
</li>
<li class="listitem">
<p>
The "rbtdb64" database implementation (a parallel
implementation of "rbt") has been removed. [GL #217]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
random device has been removed from the
<span class="command"><strong>ddns-confgen</strong></span>,
<span class="command"><strong>rndc-confgen</strong></span>,
<span class="command"><strong>nsupdate</strong></span>,
<span class="command"><strong>dnssec-confgen</strong></span>, and
<span class="command"><strong>dnssec-signzone</strong></span> commands.
</p>
<p>
The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
command.
</p>
</li>
<li class="listitem">
<p>
Support for ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND as the algorithm has been superseded by
GOST R 34.11-2012 in RFC6986 and it must not be used in new
deployments. BIND will neither create new DNSSEC keys,
signatures and digest, nor it will validate them.
</p>
</li>
<li class="listitem">
<p>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
add 'answer-cookie no;' to named.conf. [GL #173]
</p>
<p>
<span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
with other servers that do not yet support DNS COOKIE. A mismatch
between servers on the same address is not expected to cause
operational problems, but the option to disable COOKIE responses so
that all servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security mechanism,
and should not be disabled unless absolutely necessary.
</p>
<p>
Remove support for silently ignoring 'no-change' deltas from
BIND 8 when processing an IXFR stream. 'no-change' deltas
will now trigger a fallback to AXFR as the recovery mechanism.
</p>
<p>
BIND 9 will no longer build on platforms that doesn't have
proper IPv6 support. BIND 9 now also requires non-broken
POSIX-compatible pthread support. Such platforms are
usually long after their end-of-life date and they are
neither developed nor supported by their respective vendors.
</p>
<p>
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
removed from BIND as the DSA key length is limited to 1024
bits and this is not considered secure enough.
</p>
<p>
Support for RSAMD5 algorithm has been removed freom BIND as the usage
of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and
the security of MD5 algorithm has been compromised and the its usage
is considered harmful.
</p>
</li>
<li class="listitem">
<p>
The incomplete support for internationalization message catalogs has
been removed from BIND. Since the internationalization was never
completed, and no localized message catalogs were ever made available
for the portions of BIND in which they could have been used, this
change will have no effect except to simplify the source code. BIND's
log messages and other output were already only available in English.
</p>
</li>
</ul></div>
</li></ul></div>
</div>
<div class="section">
@ -529,132 +182,31 @@
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
BIND will now always use the best CSPRNG (cryptographically-secure
pseudo-random number generator) available on the platform where
it is compiled. It will use <span class="command"><strong>arc4random()</strong></span>
family of functions on BSD operating systems,
<span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
<span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
cryptography provider library (OpenSSL or PKCS#11) as the last
resort. [GL #221]
When <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> were both configured for the
same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
validation using the IANA root key. (The default can be changed
back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
validation only when keys are explicitly configured in
<code class="filename">named.conf</code>, by building BIND with
<span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
</p>
</li>
<li class="listitem">
<p>
BIND can no longer be built without DNSSEC support. A cryptography
provider (i.e., OpenSSL or a hardware service module with
PKCS#11 support) must be available. [GL #244]
</p>
</li>
<li class="listitem">
<p>
Zone types <span class="command"><strong>primary</strong></span> and
<span class="command"><strong>secondary</strong></span> are now available as synonyms for
<span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
respectively, in <code class="filename">named.conf</code>.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
[RT #43670]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +nssearch</strong></span> will now list name servers
that have timed out, in addition to those that respond. [GL #64]
</p>
</li>
<li class="listitem">
<p>
Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
supported by default; previously the limit was 32. [GL #123]
</p>
</li>
<li class="listitem">
<p>
Several configuration options for time periods can now use
TTL value suffixes (for example, <code class="literal">2h</code> or
<code class="literal">1d</code>) in addition to an integer number of
seconds. These include
<span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
<span class="command"><strong>interface-interval</strong></span>,
<span class="command"><strong>max-cache-ttl</strong></span>,
<span class="command"><strong>max-ncache-ttl</strong></span>,
<span class="command"><strong>max-policy-ttl</strong></span>, and
<span class="command"><strong>min-update-interval</strong></span>.
[GL #203]
</p>
</li>
<li class="listitem">
<p>
NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
option) now has its own <span class="command"><strong>nsid</strong></span> category,
instead of using the <span class="command"><strong>resolver</strong></span> category.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
option. [GL #105]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>allow-recursion-on</strong></span> and
<span class="command"><strong>allow-query-cache-on</strong></span> each now default to
the other if only one of them is set, in order to be consistent
with the way <span class="command"><strong>allow-recursion</strong></span> and
<span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
</p>
</li>
<li class="listitem">
<p>
When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
when the standard output is not a TTY (i.e., when the output
is not being read by a human). When running from a shell
script, the command line options <span class="command"><strong>+idnin</strong></span> and
<span class="command"><strong>+idnout</strong></span> may be used to enable IDN
processing of input and output domain names, respectively.
When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
<span class="command"><strong>+noidnout</strong></span> options may be used to disable
IDN processing of input and output domain names.
</p>
</li>
<li class="listitem">
<p>
The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
exceed seven days. Previously, larger values than this were silently
lowered; now, they trigger a configuration error.
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>dig -r</strong></span> command line option
disables reading of the file <code class="filename">$HOME/.digrc</code>.
</p>
</li>
<li class="listitem">
<p>
Zone signing and key maintenance events are now logged to the
<span class="command"><strong>dnssec</strong></span> category rather than
<span class="command"><strong>zone</strong></span>.
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
<code class="filename">dsset</code> files generated by
<span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
<code class="filename">keyset</code> files, the CDS records added to
a zone by <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
parameters in key files, and the checks performed by
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
</ul></div>
@ -663,59 +215,16 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Running <span class="command"><strong>rndc reconfig</strong></span> could cause
<span class="command"><strong>inline-signing</strong></span> zones to stop signing.
[GL #439]
</p>
</li>
<li class="listitem">
<p>
Reloading all zones caused zone maintenance to stop for
<span class="command"><strong>inline-signing</strong></span> zones. [GL #435]
</p>
</li>
<li class="listitem">
<p>
Signatures loaded from the journal for the signed version
of an <span class="command"><strong>inline-signing</strong></span> zone were not scheduled
for refresh. [GL #482]
</p>
</li>
<li class="listitem">
<p>
A referral response with a non-empty ANSWER section was
incorrectly treated as an error; this caused certain domains
to be non-resolvable. [GL #390]
</p>
</li>
<li class="listitem">
<p>
When a negative trust anchor was added to multiple views
using <span class="command"><strong>rndc nta</strong></span>, the text returned via
<span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
inadvertently treated as configuration errors when used at the
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
This has now been corrected.
[GL #913]
</p>
</li>
<li class="listitem">
<p>
The view name is now included in the output of
<span class="command"><strong>rndc nta -dump</strong></span>, for consistency with
other options. [GL !816]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now rejects excessively large
incremental (IXFR) zone transfers in order to prevent
possible corruption of journal files which could cause
<span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
</p>
</li>
</ul></div>
</li></ul></div>
</div>
<div class="section">
@ -746,12 +255,12 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
BIND 9.13 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.14, which will be a
BIND 9.15 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.16, which will be a
stable branch.
</p>
<p>
The end of life date for BIND 9.14 has not yet been determined.
The end of life date for BIND 9.16 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
@ -790,6 +299,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch09.html
View file

@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch10.html
View file

@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch11.html
View file

@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/Bv9ARM.ch12.html
View file

@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

6
doc/arm/Bv9ARM.html
View file

@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.13.6</p></div>
<div><p class="releaseinfo">BIND Version 9.15.0</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
@ -242,7 +242,7 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -440,6 +440,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

BIN
doc/arm/Bv9ARM.pdf
View file

Binary file not shown.

2
doc/arm/man.arpaname.html
View file

@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.ddns-confgen.html
View file

@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.delv.html
View file

@ -625,6 +625,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

9
doc/arm/man.dig.html
View file

@ -616,6 +616,13 @@
Send an EDNS Expire option.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
<dd>
<p>
When printing AAAA record print all zero nibbles rather
than the default RFC 5952 preferred presentation format.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd>
<p>
@ -1151,6 +1158,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-cds.html
View file

@ -376,6 +376,6 @@ nsupdate -l
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

18
doc/arm/man.dnssec-checkds.html
View file

@ -73,8 +73,22 @@
<div class="refsection">
<a name="id-1.13.7.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS or DLV records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
@ -150,6 +164,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-coverage.html
View file

@ -270,6 +270,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

10
doc/arm/man.dnssec-dsfromkey.html
View file

@ -153,13 +153,15 @@
<dt><span class="term">-1</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA1</code>
An abbreviation for <code class="option">-a SHA-1</code>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-256</code>
An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
@ -175,6 +177,8 @@
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>
@ -352,6 +356,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-importkey.html
View file

@ -250,6 +250,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-keyfromlabel.html
View file

@ -498,6 +498,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

141
doc/arm/man.dnssec-keygen.html
View file

@ -51,11 +51,10 @@
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@ -70,6 +69,7 @@
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@ -80,7 +80,6 @@
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-z</code>]
{name}
</p></div>
</div>
@ -113,6 +112,16 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
@ -148,11 +157,9 @@
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
between 1024 and 4096 bits. Diffie Hellman keys must be between
128 and 4096 bits. Elliptic curve algorithms don't need this
parameter.
</p>
<p>
If the key size is not specified, some algorithms have
@ -162,36 +169,15 @@
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
Compatibility mode: generates an old-style key, without any
timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored with
the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include this
data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
@ -252,12 +238,6 @@
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Deprecated in favor of -T KEY.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
@ -271,13 +251,24 @@
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
Sets the protocol value for the generated key, for use
with <code class="option">-T KEY</code>. The protocol is a number between 0
and 255. The default is 3 (DNSSEC). Other possible values for
this argument are listed in RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-q</span></dt>
@ -324,26 +315,15 @@
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
<p>
Specifying any TSIG algorithm (HMAC-* or DH) with
<code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
Indicates the use of the key, for use with <code class="option">-T
KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the ability
to encrypt data.
</p>
</dd>
<dt><span class="term">-V</span></dt>
@ -352,6 +332,12 @@
Prints version information.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
</dl></div>
</div>
@ -494,10 +480,12 @@
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
When a zone is being signed by <span class="command"><strong>named</strong></span>
or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
records are included automatically. In other cases,
the <code class="filename">.key</code> file can be inserted into a zone file
manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
@ -505,22 +493,17 @@
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric cryptography algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsection">
<a name="id-1.13.12.11"></a><h2>EXAMPLE</h2>
<p>
To generate an ECDSAP256SHA256 key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
To generate an ECDSAP256SHA256 zone-signing key for the zone
<strong class="userinput"><code>example.com</code></strong>, issue the command:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
</p>
<p>
The command would print a string of the form:
@ -533,6 +516,12 @@
and
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
<p>
To generate a matching key-signing key, issue the command:
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
</p>
</div>
<div class="refsection">
@ -568,6 +557,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

64
doc/arm/man.dnssec-keymgr.html
View file

@ -75,11 +75,12 @@
</p>
<p>
DNSSEC policy can be read from a configuration file (default
<code class="filename">/etc/dnssec-policy.conf</code>), from which the key
parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
<code class="filename">/etc/dnssec-policy.conf</code>), from which the
key parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
per-zone basis, or to set a default policy used for all zones.
per-zone basis, or to set a "<code class="literal">default</code>" policy
used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
@ -228,7 +229,7 @@
</li>
<li class="listitem">
<p>
Algorithm policies:
<span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
@ -238,11 +239,13 @@
</li>
<li class="listitem">
<p>
Zone policies:
<span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
If a zone does not have its own policy then the
"<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
@ -250,81 +253,90 @@
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
<em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>coverage</strong></span>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
This can be represented as a number of seconds, or as a duration
using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>directory</strong></span>
<em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the directory in which keys should be stored.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 2048 bits for RSA keys.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key TTL. If no policy is defined, the default is one hour.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long after inactivation a key should be deleted from the zone.
Note: If <code class="option">roll-period</code> is not set, this value is
ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
duration. A default value for this option can be set in algorithm
ignored. The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Not yet implemented.
@ -393,6 +405,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-revoke.html
View file

@ -171,6 +171,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-settime.html
View file

@ -349,6 +349,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-signzone.html
View file

@ -701,6 +701,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnssec-verify.html
View file

@ -202,6 +202,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.dnstap-read.html
View file

@ -143,6 +143,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.filter-aaaa.html
View file

@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.host.html
View file

@ -366,6 +366,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.mdig.html
View file

@ -604,6 +604,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-checkconf.html
View file

@ -208,6 +208,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-checkzone.html
View file

@ -463,6 +463,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-journalprint.html
View file

@ -117,6 +117,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-nzd2nzf.html
View file

@ -119,6 +119,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named-rrchecker.html
View file

@ -121,6 +121,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named.conf.html
View file

@ -1073,6 +1073,6 @@ zone
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.named.html
View file

@ -492,6 +492,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nsec3hash.html
View file

@ -155,6 +155,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nslookup.html
View file

@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.nsupdate.html
View file

@ -818,6 +818,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-destroy.html
View file

@ -162,6 +162,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-keygen.html
View file

@ -200,6 +200,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-list.html
View file

@ -158,6 +158,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.pkcs11-tokens.html
View file

@ -123,6 +123,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc-confgen.html
View file

@ -260,6 +260,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

2
doc/arm/man.rndc.conf.html
View file

@ -268,6 +268,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

9
doc/arm/man.rndc.html
View file

@ -930,13 +930,6 @@
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
(Note that <span class="command"><strong>dnssec-enable</strong></span> must also be
<strong class="userinput"><code>yes</code></strong> (the default value) for signatures
to be returned along with validated data. If validation is
enabled while <span class="command"><strong>dnssec-enable</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, the server will validate internally,
but will not supply clients with the necessary records to allow
validity to be confirmed.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
@ -1024,6 +1017,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>

635
doc/arm/notes.html
View file

@ -15,16 +15,16 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.13.6</h2></div></div></div>
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.13 is an unstable development release of BIND.
BIND 9.15 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
leading up to the stable BIND 9.14 release, this document will be
leading up to the stable BIND 9.16 release, this document will be
updated with additional features added and bugs fixed.
</p>
</div>
@ -33,23 +33,21 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
<p>
Prior to BIND 9.13, new feature development releases were tagged
Until BIND 9.12, new feature development releases were tagged
as "alpha" and "beta", leading up to the first stable release
for a given development branch, which always ended in ".0".
</p>
<p>
Now, however, BIND has adopted the "odd-unstable/even-stable"
More recently, BIND adopted the "odd-unstable/even-stable"
release numbering convention. There will be no "alpha" or "beta"
releases in the 9.13 branch, only increasing version numbers.
So, for example, what would previously have been called 9.13.0a1,
9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
9.13.1, 9.13.2, etc.
releases in the 9.15 branch, only increasing version numbers.
So, for example, what would previously have been called 9.15.0a1,
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
9.15.1, 9.15.2, etc.
</p>
<p>
The first stable release from this development branch will be
renamed as 9.14.0. Thereafter, maintenance releases will continue
on the 9.14 branch, while unstable feature development proceeds in
9.15.
renamed as 9.16.0. Thereafter, maintenance releases will continue
on the 9.16 branch, while unstable feature development proceeds in
9.17.
</p>
</div>
@ -57,34 +55,26 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
<p>
BIND 9.13 has undergone substantial code refactoring and cleanup,
and some very old code has been removed that was needed to support
legacy platforms which are no longer supported by their vendors
and for which ISC is no longer able to perform quality assurance
testing. Specifically, workarounds for old versions of UnixWare,
BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
On UNIX-like systems, BIND now requires support for POSIX.1c
To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
IPv6 (RFC 3542), and standard atomic operations provided by the
C compiler.
</p>
<p>
More information can be found in the <code class="filename">PLATFORM.md</code>
file that is included in the source distribution of BIND 9. If your
platform compiler and system libraries provide the above features,
BIND 9 should compile and run. If that isn't the case, the BIND
development team will generally accept patches that add support
for systems that are still supported by their respective vendors.
</p>
<p>
As of BIND 9.13, the BIND development team has also made cryptography
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The
OpenSSL cryptography library must be available for the target
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
</p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
file that is included in the source distribution of BIND 9. If your
compiler and system libraries provide the above features, BIND 9
should compile and run. If that isn't the case, the BIND
development team will generally accept patches that add support
for systems that are still supported by their respective vendors.
</p>
</div>
<div class="section">
@ -105,47 +95,17 @@
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
There was a long-existing flaw in the documentation for
<span class="command"><strong>ms-self</strong></span>, <span class="command"><strong>krb5-self</strong></span>,
<span class="command"><strong>ms-subdomain</strong></span>, and <span class="command"><strong>krb5-subdomain</strong></span>
rules in <span class="command"><strong>update-policy</strong></span> statements. Though
the policies worked as intended, operators who configured their
servers according to the misleading documentation may have
thought zone updates were more restricted than they were;
users of these rule types are advised to review the documentation
and correct their configurations if necessary. New rule types
matching the previously documented behavior will be introduced
in a future maintenance release. [GL !708]
</p>
</li>
<li class="listitem">
<p>
When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could crash during recursive processing
of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</p>
</li>
<li class="listitem">
<p>
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
@ -154,333 +114,26 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Task manager and socket code have been substantially modified.
The manager uses per-cpu queues for tasks and network stack runs
multiple event loops in CPU-affinitive threads. This greatly
improves performance on large systems, especially when using
multi-queue NICs.
</p>
</li>
<li class="listitem">
<p>
A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
enables <span class="command"><strong>named</strong></span> to serve a transferred copy
of a zone's contents without acting as an authority for the
zone. A zone must be fully validated against an active trust
anchor before it can be used as a mirror zone. DNS responses
from mirror zones do not set the AA bit ("authoritative answer"),
but do set the AD bit ("authenticated data"). This feature is
meant to facilitate deployment of a local copy of the root zone,
as described in RFC 7706. [GL #33]
</p>
</li>
<li class="listitem">
<p>
A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
extension of query processing functionality through the use of
external libraries. The new <code class="filename">filter-aaaa.so</code>
plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
was formerly implemented as a native part of BIND.
</p>
<p>
The plugin API is a work in progress and is likely to evolve
as further plugins are implemented. [GL #15]
</p>
</li>
<li class="listitem">
<p>
BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
library to add IDNA2008 support. Previously, BIND supported
IDNA2003 using the (now obsolete and unsupported)
<span class="command"><strong>idnkit-1</strong></span> library.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<span class="command"><strong>root-key-sentinel no;</strong></span> to
<code class="filename">named.conf</code>. [GL #37]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
<span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
signatures covering DNSKEY RRsets. [GL #145]
</p>
</li>
<li class="listitem">
<p>
Support for QNAME minimization was added and enabled by default
in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
to normal resolution if the remote server returns something
unexpected during the query minimization process. This default
setting might change to <span class="command"><strong>strict</strong></span> in the future.
</p>
</li>
<li class="listitem">
<p>
When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
library to set process privileges. The adds a new compile-time
dependency, which can be met on most Linux platforms by installing the
<span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
package. BIND can also be built without capability support by using
<span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
loss of security.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>validate-except</strong></span> option specifies a list of
domains beneath which DNSSEC validation should not be performed,
regardless of whether a trust anchor has been configured above
them. [GL #237]
</p>
</li>
<li class="listitem">
<p>
Two new update policy rule types have been added
<span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</p>
</li>
<li class="listitem">
<p>
The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
</p>
</li>
<li class="listitem">
<p>
Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
<span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
administrator to override the minimum TTL in the received DNS records
(positive caching) and for storing the information about non-existent
records (negative caching). The configured minimum TTL for both
configuration options cannot exceed 90 seconds.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc status</strong></span> output now includes a
<span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
configuration is being reloaded.
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li>
</ul></div>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Workarounds for servers that misbehave when queried with EDNS
have been removed, because these broken servers and the
workarounds for their noncompliance cause unnecessary delays,
increase code complexity, and prevent deployment of new DNS
features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
for further details.
The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
<p>
In particular, resolution will no longer fall back to
plain DNS when there was no response from an authoritative
server. This will cause some domains to become non-resolvable
without manual intervention. In these cases, resolution can
be restored by adding <span class="command"><strong>server</strong></span> clauses for the
offending servers, specifying <span class="command"><strong>edns no</strong></span> or
<span class="command"><strong>send-cookie no</strong></span>, depending on the specific
noncompliance.
</p>
<p>
To determine which <span class="command"><strong>server</strong></span> clause to use, run
the following commands to send queries to the authoritative
servers for the broken domain:
</p>
<div class="literallayout"><p><br>
  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec<br>
  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie<br>
  dig soa &lt;zone&gt; @&lt;server&gt; +noedns<br>
</p></div>
<p>
If the first command fails but the second succeeds, the
server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
If the first two fail but the third succeeds, then the server
needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
</p>
<p>
Please contact the administrators of noncompliant domains
and encourage them to upgrade their broken DNS servers. [GL #150]
</p>
</li>
<li class="listitem">
<p>
Previously, it was possible to build BIND without thread support
for old architectures and systems without threads support.
BIND now requires threading support (either POSIX or Windows) from
the operating system, and it cannot be built without threads.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>filter-aaaa</strong></span>,
<span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
<span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
from <span class="command"><strong>named</strong></span>, and can no longer be
configured using native <code class="filename">named.conf</code> syntax.
However, loading the new <code class="filename">filter-aaaa.so</code>
plugin and setting its parameters provides identical
functionality.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
option for view selection. In its existing form, the authoritative
ECS feature was not fully RFC-compliant, and could not realistically
have been deployed in production for an authoritative server; its
only practical use was for testing and experimentation. In the
interest of code simplification, this feature has now been removed.
</p>
<p>
The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
and logged when received by <span class="command"><strong>named</strong></span>, but
it is no longer used for ACL processing. The
<span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
a warning will be logged if it is used in
<code class="filename">named.conf</code>.
<span class="command"><strong>ecs</strong></span> tags in an ACL definition are
also obsolete, and will cause the configuration to fail to
load if they are used. [GL #32]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
to generate these keys. [RT #46404]
</p>
</li>
<li class="listitem">
<p>
Support for OpenSSL 0.9.x has been removed. OpenSSL version
1.0.0 or greater, or LibreSSL is now required.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
which formerly turned on system-call filtering on Linux, has
been removed. [GL #93]
</p>
</li>
<li class="listitem">
<p>
IPv4 addresses in forms other than dotted-quad are no longer
accepted in master files. [GL #13] [GL #56]
</p>
</li>
<li class="listitem">
<p>
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
</p>
</li>
<li class="listitem">
<p>
The "rbtdb64" database implementation (a parallel
implementation of "rbt") has been removed. [GL #217]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
random device has been removed from the
<span class="command"><strong>ddns-confgen</strong></span>,
<span class="command"><strong>rndc-confgen</strong></span>,
<span class="command"><strong>nsupdate</strong></span>,
<span class="command"><strong>dnssec-confgen</strong></span>, and
<span class="command"><strong>dnssec-signzone</strong></span> commands.
</p>
<p>
The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
command.
</p>
</li>
<li class="listitem">
<p>
Support for ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND as the algorithm has been superseded by
GOST R 34.11-2012 in RFC6986 and it must not be used in new
deployments. BIND will neither create new DNSSEC keys,
signatures and digest, nor it will validate them.
</p>
</li>
<li class="listitem">
<p>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
add 'answer-cookie no;' to named.conf. [GL #173]
</p>
<p>
<span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
with other servers that do not yet support DNS COOKIE. A mismatch
between servers on the same address is not expected to cause
operational problems, but the option to disable COOKIE responses so
that all servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security mechanism,
and should not be disabled unless absolutely necessary.
</p>
<p>
Remove support for silently ignoring 'no-change' deltas from
BIND 8 when processing an IXFR stream. 'no-change' deltas
will now trigger a fallback to AXFR as the recovery mechanism.
</p>
<p>
BIND 9 will no longer build on platforms that doesn't have
proper IPv6 support. BIND 9 now also requires non-broken
POSIX-compatible pthread support. Such platforms are
usually long after their end-of-life date and they are
neither developed nor supported by their respective vendors.
</p>
<p>
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
removed from BIND as the DSA key length is limited to 1024
bits and this is not considered secure enough.
</p>
<p>
Support for RSAMD5 algorithm has been removed freom BIND as the usage
of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and
the security of MD5 algorithm has been compromised and the its usage
is considered harmful.
</p>
</li>
<li class="listitem">
<p>
The incomplete support for internationalization message catalogs has
been removed from BIND. Since the internationalization was never
completed, and no localized message catalogs were ever made available
for the portions of BIND in which they could have been used, this
change will have no effect except to simplify the source code. BIND's
log messages and other output were already only available in English.
</p>
</li>
</ul></div>
</li></ul></div>
</div>
<div class="section">
@ -489,132 +142,31 @@
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
BIND will now always use the best CSPRNG (cryptographically-secure
pseudo-random number generator) available on the platform where
it is compiled. It will use <span class="command"><strong>arc4random()</strong></span>
family of functions on BSD operating systems,
<span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
<span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
cryptography provider library (OpenSSL or PKCS#11) as the last
resort. [GL #221]
When <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> were both configured for the
same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
validation using the IANA root key. (The default can be changed
back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
validation only when keys are explicitly configured in
<code class="filename">named.conf</code>, by building BIND with
<span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
</p>
</li>
<li class="listitem">
<p>
BIND can no longer be built without DNSSEC support. A cryptography
provider (i.e., OpenSSL or a hardware service module with
PKCS#11 support) must be available. [GL #244]
</p>
</li>
<li class="listitem">
<p>
Zone types <span class="command"><strong>primary</strong></span> and
<span class="command"><strong>secondary</strong></span> are now available as synonyms for
<span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
respectively, in <code class="filename">named.conf</code>.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
[RT #43670]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +nssearch</strong></span> will now list name servers
that have timed out, in addition to those that respond. [GL #64]
</p>
</li>
<li class="listitem">
<p>
Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
supported by default; previously the limit was 32. [GL #123]
</p>
</li>
<li class="listitem">
<p>
Several configuration options for time periods can now use
TTL value suffixes (for example, <code class="literal">2h</code> or
<code class="literal">1d</code>) in addition to an integer number of
seconds. These include
<span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
<span class="command"><strong>interface-interval</strong></span>,
<span class="command"><strong>max-cache-ttl</strong></span>,
<span class="command"><strong>max-ncache-ttl</strong></span>,
<span class="command"><strong>max-policy-ttl</strong></span>, and
<span class="command"><strong>min-update-interval</strong></span>.
[GL #203]
</p>
</li>
<li class="listitem">
<p>
NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
option) now has its own <span class="command"><strong>nsid</strong></span> category,
instead of using the <span class="command"><strong>resolver</strong></span> category.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
option. [GL #105]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>allow-recursion-on</strong></span> and
<span class="command"><strong>allow-query-cache-on</strong></span> each now default to
the other if only one of them is set, in order to be consistent
with the way <span class="command"><strong>allow-recursion</strong></span> and
<span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
</p>
</li>
<li class="listitem">
<p>
When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
when the standard output is not a TTY (i.e., when the output
is not being read by a human). When running from a shell
script, the command line options <span class="command"><strong>+idnin</strong></span> and
<span class="command"><strong>+idnout</strong></span> may be used to enable IDN
processing of input and output domain names, respectively.
When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
<span class="command"><strong>+noidnout</strong></span> options may be used to disable
IDN processing of input and output domain names.
</p>
</li>
<li class="listitem">
<p>
The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
exceed seven days. Previously, larger values than this were silently
lowered; now, they trigger a configuration error.
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>dig -r</strong></span> command line option
disables reading of the file <code class="filename">$HOME/.digrc</code>.
</p>
</li>
<li class="listitem">
<p>
Zone signing and key maintenance events are now logged to the
<span class="command"><strong>dnssec</strong></span> category rather than
<span class="command"><strong>zone</strong></span>.
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
<code class="filename">dsset</code> files generated by
<span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
<code class="filename">keyset</code> files, the CDS records added to
a zone by <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
parameters in key files, and the checks performed by
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
</ul></div>
@ -623,59 +175,16 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Running <span class="command"><strong>rndc reconfig</strong></span> could cause
<span class="command"><strong>inline-signing</strong></span> zones to stop signing.
[GL #439]
</p>
</li>
<li class="listitem">
<p>
Reloading all zones caused zone maintenance to stop for
<span class="command"><strong>inline-signing</strong></span> zones. [GL #435]
</p>
</li>
<li class="listitem">
<p>
Signatures loaded from the journal for the signed version
of an <span class="command"><strong>inline-signing</strong></span> zone were not scheduled
for refresh. [GL #482]
</p>
</li>
<li class="listitem">
<p>
A referral response with a non-empty ANSWER section was
incorrectly treated as an error; this caused certain domains
to be non-resolvable. [GL #390]
</p>
</li>
<li class="listitem">
<p>
When a negative trust anchor was added to multiple views
using <span class="command"><strong>rndc nta</strong></span>, the text returned via
<span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
inadvertently treated as configuration errors when used at the
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
This has now been corrected.
[GL #913]
</p>
</li>
<li class="listitem">
<p>
The view name is now included in the output of
<span class="command"><strong>rndc nta -dump</strong></span>, for consistency with
other options. [GL !816]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now rejects excessively large
incremental (IXFR) zone transfers in order to prevent
possible corruption of journal files which could cause
<span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
</p>
</li>
</ul></div>
</li></ul></div>
</div>
<div class="section">
@ -706,12 +215,12 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
BIND 9.13 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.14, which will be a
BIND 9.15 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.16, which will be a
stable branch.
</p>
<p>
The end of life date for BIND 9.14 has not yet been determined.
The end of life date for BIND 9.16 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See

BIN
doc/arm/notes.pdf
View file

Binary file not shown.

405
doc/arm/notes.txt
View file

@ -1,54 +1,45 @@
Release Notes for BIND Version 9.13.6
Release Notes for BIND Version 9.15.0
Introduction
BIND 9.13 is an unstable development release of BIND. This document
BIND 9.15 is an unstable development release of BIND. This document
summarizes new features and functional changes that have been introduced
on this branch. With each development release leading up to the stable
BIND 9.14 release, this document will be updated with additional features
BIND 9.16 release, this document will be updated with additional features
added and bugs fixed.
Note on Version Numbering
Prior to BIND 9.13, new feature development releases were tagged as
"alpha" and "beta", leading up to the first stable release for a given
development branch, which always ended in ".0".
Now, however, BIND has adopted the "odd-unstable/even-stable" release
numbering convention. There will be no "alpha" or "beta" releases in the
9.13 branch, only increasing version numbers. So, for example, what would
previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will
instead be called 9.13.0, 9.13.1, 9.13.2, etc.
Until BIND 9.12, new feature development releases were tagged as "alpha"
and "beta", leading up to the first stable release for a given development
branch, which always ended in ".0". More recently, BIND adopted the
"odd-unstable/even-stable" release numbering convention. There will be no
"alpha" or "beta" releases in the 9.15 branch, only increasing version
numbers. So, for example, what would previously have been called 9.15.0a1,
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, 9.15.1,
9.15.2, etc.
The first stable release from this development branch will be renamed as
9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch,
while unstable feature development proceeds in 9.15.
9.16.0. Thereafter, maintenance releases will continue on the 9.16 branch,
while unstable feature development proceeds in 9.17.
Supported Platforms
BIND 9.13 has undergone substantial code refactoring and cleanup, and some
very old code has been removed that was needed to support legacy platforms
which are no longer supported by their vendors and for which ISC is no
longer able to perform quality assurance testing. Specifically,
workarounds for old versions of UnixWare, BSD/OS, AIX, Tru64, SunOS,
TruCluster and IRIX have been removed. On UNIX-like systems, BIND now
requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the
Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations
provided by the C compiler.
To build on UNIX-like systems, BIND requires support for POSIX.1c threads
(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and
standard atomic operations provided by the C compiler.
More information can be found in the PLATFORM.md file that is included in
the source distribution of BIND 9. If your platform compiler and system
libraries provide the above features, BIND 9 should compile and run. If
that isn't the case, the BIND development team will generally accept
patches that add support for systems that are still supported by their
respective vendors.
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still
required for general cryptography operations such as hashing and random
number generation.
As of BIND 9.13, the BIND development team has also made cryptography
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL
cryptography library must be available for the target platform. A PKCS#11
provider can be used instead for Public Key cryptography (i.e., DNSSEC
signing and validation), but OpenSSL is still required for general
cryptography operations such as hashing and random number generation.
More information can be found in the PLATFORMS.md file that is included in
the source distribution of BIND 9. If your compiler and system libraries
provide the above features, BIND 9 should compile and run. If that isn't
the case, the BIND development team will generally accept patches that add
support for systems that are still supported by their respective vendors.
Download
@ -59,328 +50,50 @@ operating systems.
Security Fixes
* There was a long-existing flaw in the documentation for ms-self,
krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
statements. Though the policies worked as intended, operators who
configured their servers according to the misleading documentation may
have thought zone updates were more restricted than they were; users
of these rule types are advised to review the documentation and
correct their configurations if necessary. New rule types matching the
previously documented behavior will be introduced in a future
maintenance release. [GL !708]
* In certain configurations, named could crash with an assertion failure
if nxdomain-redirect was in use and a redirected query resulted in an
NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
#880]
* When recursion is enabled but the allow-recursion and
allow-query-cache ACLs are not specified, they should be limited to
local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries. This flaw is disclosed in
CVE-2018-5738. [GL #309]
* named could crash during recursive processing of DNAME records when
deny-answer-aliases was in use. This flaw is disclosed in
CVE-2018-5740. [GL #387]
* Code change #4964, intended to prevent double signatures when deleting
an inactive zone DNSKEY in some situations, introduced a new problem
during zone processing in which some delegation glue RRsets are
incorrectly identified as needing RRSIGs, which are then created for
them using the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3
chain, but incompletely -- this can result in a broken chain,
affecting validation of proof of nonexistence for records in the zone.
[GL #771]
* The TCP client quota set using the tcp-clients option could be
exceeded in some cases. This could lead to exhaustion of file
descriptors. (CVE-2018-5743) [GL #615]
New Features
* Task manager and socket code have been substantially modified. The
manager uses per-cpu queues for tasks and network stack runs multiple
event loops in CPU-affinitive threads. This greatly improves
performance on large systems, especially when using multi-queue NICs.
* A new secondary zone option, mirror, enables named to serve a
transferred copy of a zone's contents without acting as an authority
for the zone. A zone must be fully validated against an active trust
anchor before it can be used as a mirror zone. DNS responses from
mirror zones do not set the AA bit ("authoritative answer"), but do
set the AD bit ("authenticated data"). This feature is meant to
facilitate deployment of a local copy of the root zone, as described
in RFC 7706. [GL #33]
* A new plugin mechanism has been added to allow extension of query
processing functionality through the use of external libraries. The
new filter-aaaa.so plugin replaces the filter-aaaa feature that was
formerly implemented as a native part of BIND.
The plugin API is a work in progress and is likely to evolve as
further plugins are implemented. [GL #15]
* BIND now can be compiled against the libidn2 library to add IDNA2008
support. Previously, BIND supported IDNA2003 using the (now obsolete
and unsupported) idnkit-1 library.
* named now supports the "root key sentinel" mechanism. This enables
validating resolvers to indicate which trust anchors are configured
for the root, so that information about root key rollover status can
be gathered. To disable this feature, add root-key-sentinel no; to
named.conf. [GL #37]
* The dnskey-sig-validity option allows the sig-validity-interval to be
overriden for signatures covering DNSKEY RRsets. [GL #145]
* Support for QNAME minimization was added and enabled by default in
relaxed mode, in which BIND will fall back to normal resolution if the
remote server returns something unexpected during the query
minimization process. This default setting might change to strict in
the future.
* When built on Linux, BIND now requires the libcap library to set
process privileges. The adds a new compile-time dependency, which can
be met on most Linux platforms by installing the libcap-dev or
libcap-devel package. BIND can also be built without capability
support by using configure --disable-linux-caps, at the cost of some
loss of security.
* The validate-except option specifies a list of domains beneath which
DNSSEC validation should not be performed, regardless of whether a
trust anchor has been configured above them. [GL #237]
* Two new update policy rule types have been added krb5-selfsub and
ms-selfsub which allow machines with Kerberos principals to update the
name space at or below the machine names identified in the respective
principals.
* The new configure option --enable-fips-mode can be used to make BIND
enable and enforce FIPS mode in the OpenSSL library. When compiled
with such option the BIND will refuse to run if FIPS mode can't be
enabled, thus this option must be only enabled for the systems where
FIPS mode is available.
* Two new configuration options min-cache-ttl and min-ncache-ttl has
been added to allow the BIND 9 administrator to override the minimum
TTL in the received DNS records (positive caching) and for storing the
information about non-existent records (negative caching). The
configured minimum TTL for both configuration options cannot exceed 90
seconds.
* rndc status output now includes a reconfig/reload in progress status
line if named configuration is being reloaded.
* The new add-soa option specifies whether or not the response-policy
zone's SOA record should be included in the additional section of RPZ
responses. [GL #865]
Removed Features
* Workarounds for servers that misbehave when queried with EDNS have
been removed, because these broken servers and the workarounds for
their noncompliance cause unnecessary delays, increase code
complexity, and prevent deployment of new DNS features. See https://
dnsflagday.net for further details.
In particular, resolution will no longer fall back to plain DNS when
there was no response from an authoritative server. This will cause
some domains to become non-resolvable without manual intervention. In
these cases, resolution can be restored by adding server clauses for
the offending servers, specifying edns no or send-cookie no, depending
on the specific noncompliance.
To determine which server clause to use, run the following commands to
send queries to the authoritative servers for the broken domain:
dig soa <zone> @<server> +dnssec
dig soa <zone> @<server> +dnssec +nocookie
dig soa <zone> @<server> +noedns
If the first command fails but the second succeeds, the server most
likely needs send-cookie no. If the first two fail but the third
succeeds, then the server needs EDNS to be fully disabled with edns no
.
Please contact the administrators of noncompliant domains and
encourage them to upgrade their broken DNS servers. [GL #150]
* Previously, it was possible to build BIND without thread support for
old architectures and systems without threads support. BIND now
requires threading support (either POSIX or Windows) from the
operating system, and it cannot be built without threads.
* The filter-aaaa, filter-aaaa-on-v4, and filter-aaaa-on-v6 options have
been removed from named, and can no longer be configured using native
named.conf syntax. However, loading the new filter-aaaa.so plugin and
setting its parameters provides identical functionality.
* named can no longer use the EDNS CLIENT-SUBNET option for view
selection. In its existing form, the authoritative ECS feature was not
fully RFC-compliant, and could not realistically have been deployed in
production for an authoritative server; its only practical use was for
testing and experimentation. In the interest of code simplification,
this feature has now been removed.
The ECS option is still supported in dig and mdig via the +subnet
argument, and can be parsed and logged when received by named, but it
is no longer used for ACL processing. The geoip-use-ecs option is now
obsolete; a warning will be logged if it is used in named.conf. ecs
tags in an ACL definition are also obsolete, and will cause the
configuration to fail to load if they are used. [GL #32]
* dnssec-keygen can no longer generate HMAC keys for TSIG
authentication. Use tsig-keygen to generate these keys. [RT #46404]
* Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
greater, or LibreSSL is now required.
* The configure --enable-seccomp option, which formerly turned on
system-call filtering on Linux, has been removed. [GL #93]
* IPv4 addresses in forms other than dotted-quad are no longer accepted
in master files. [GL #13] [GL #56]
* IDNA2003 support via (bundled) idnkit-1.0 has been removed.
* The "rbtdb64" database implementation (a parallel implementation of
"rbt") has been removed. [GL #217]
* The -r randomdev option to explicitly select random device has been
removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
and dnssec-signzone commands.
The -p option to use pseudo-random data has been removed from the
dnssec-signzone command.
* Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed from
BIND as the algorithm has been superseded by GOST R 34.11-2012 in
RFC6986 and it must not be used in new deployments. BIND will neither
create new DNSSEC keys, signatures and digest, nor it will validate
them.
* Add the ability to not return a DNS COOKIE option when one is present
in the request. To prevent a cookie being returned add 'answer-cookie
no;' to named.conf. [GL #173]
answer-cookie is only intended as a temporary measure, for use when
named shares an IP address with other servers that do not yet support
DNS COOKIE. A mismatch between servers on the same address is not
expected to cause operational problems, but the option to disable
COOKIE responses so that all servers have the same behavior is
provided out of an abundance of caution. DNS COOKIE is an important
security mechanism, and should not be disabled unless absolutely
necessary.
Remove support for silently ignoring 'no-change' deltas from BIND 8
when processing an IXFR stream. 'no-change' deltas will now trigger a
fallback to AXFR as the recovery mechanism.
BIND 9 will no longer build on platforms that doesn't have proper IPv6
support. BIND 9 now also requires non-broken POSIX-compatible pthread
support. Such platforms are usually long after their end-of-life date
and they are neither developed nor supported by their respective
vendors.
Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from
BIND as the DSA key length is limited to 1024 bits and this is not
considered secure enough.
Support for RSAMD5 algorithm has been removed freom BIND as the usage
of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and
the security of MD5 algorithm has been compromised and the its usage
is considered harmful.
* The incomplete support for internationalization message catalogs has
been removed from BIND. Since the internationalization was never
completed, and no localized message catalogs were ever made available
for the portions of BIND in which they could have been used, this
change will have no effect except to simplify the source code. BIND's
log messages and other output were already only available in English.
* The dnssec-enable option has been deprecated and no longer has any
effect. DNSSEC responses are always enabled if signatures and other
DNSSEC data are present. [GL #866]
Feature Changes
* BIND will now always use the best CSPRNG (cryptographically-secure
pseudo-random number generator) available on the platform where it is
compiled. It will use arc4random() family of functions on BSD
operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
Windows, and the selected cryptography provider library (OpenSSL or
PKCS#11) as the last resort. [GL #221]
* When trusted-keys and managed-keys were both configured for the same
name, or when trusted-keys was used to configure a trust anchor for
the root zone and dnssec-validation was set to the default value of
auto, automatic RFC 5011 key rollovers would be disabled. This
combination of settings was never intended to work, but there was no
check for it in the parser. This has been corrected, and it is now a
fatal configuration error. [GL #868]
* The default setting for dnssec-validation is now auto, which activates
DNSSEC validation using the IANA root key. (The default can be changed
back to yes, which activates DNSSEC validation only when keys are
explicitly configured in named.conf, by building BIND with configure
--disable-auto-validation.) [GL #30]
* BIND can no longer be built without DNSSEC support. A cryptography
provider (i.e., OpenSSL or a hardware service module with PKCS#11
support) must be available. [GL #244]
* Zone types primary and secondary are now available as synonyms for
master and slave, respectively, in named.conf.
* named will now log a warning if the old root DNSSEC key is explicitly
configured and has not been updated. [RT #43670]
* dig +nssearch will now list name servers that have timed out, in
addition to those that respond. [GL #64]
* Up to 64 response-policy zones are now supported by default;
previously the limit was 32. [GL #123]
* Several configuration options for time periods can now use TTL value
suffixes (for example, 2h or 1d) in addition to an integer number of
seconds. These include fstrm-set-reopen-interval, interface-interval,
max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
. [GL #203]
* NSID logging (enabled by the request-nsid option) now has its own nsid
category, instead of using the resolver category.
* The rndc nta command could not differentiate between views of the same
name but different class; this has been corrected with the addition of
a -class option. [GL #105]
* allow-recursion-on and allow-query-cache-on each now default to the
other if only one of them is set, in order to be consistent with the
way allow-recursion and allow-query-cache work. [GL #319]
* When compiled with IDN support, the dig and nslookup commands now
disable IDN processing when the standard output is not a TTY (i.e.,
when the output is not being read by a human). When running from a
shell script, the command line options +idnin and +idnout may be used
to enable IDN processing of input and output domain names,
respectively. When running on a TTY, the +noidnin and +noidnout
options may be used to disable IDN processing of input and output
domain names.
* The configuration option max-ncache-ttl cannot exceed seven days.
Previously, larger values than this were silently lowered; now, they
trigger a configuration error.
* The new dig -r command line option disables reading of the file $HOME
/.digrc.
* Zone signing and key maintenance events are now logged to the dnssec
category rather than zone.
* DS and CDS records are now generated with SHA-256 digests only,
instead of both SHA-1 and SHA-256. This affects the default output of
dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS
records added to a zone by dnssec-signzone based on keyset files, the
CDS records added to a zone by named and dnssec-signzone based on
"sync" timing parameters in key files, and the checks performed by
dnssec-checkds.
Bug Fixes
* Running rndc reconfig could cause inline-signing zones to stop
signing. [GL #439]
* Reloading all zones caused zone maintenance to stop for inline-signing
zones. [GL #435]
* Signatures loaded from the journal for the signed version of an
inline-signing zone were not scheduled for refresh. [GL #482]
* A referral response with a non-empty ANSWER section was incorrectly
treated as an error; this caused certain domains to be non-resolvable.
[GL #390]
* When a negative trust anchor was added to multiple views using rndc
nta, the text returned via rndc was incorrectly truncated after the
first line, making it appear that only one NTA had been added. This
has been fixed. [GL #105]
* The view name is now included in the output of rndc nta -dump, for
consistency with other options. [GL !816]
* named now rejects excessively large incremental (IXFR) zone transfers
in order to prevent possible corruption of journal files which could
cause named to abort when loading zones. [GL #339]
* The allow-update and allow-update-forwarding options were
inadvertently treated as configuration errors when used at the options
or view level. This has now been corrected. [GL #913]
License
@ -399,10 +112,10 @@ www.isc.org/mission/contact/.
End of Life
BIND 9.13 is an unstable development branch. When its development is
complete, it will be renamed to BIND 9.14, which will be a stable branch.
BIND 9.15 is an unstable development branch. When its development is
complete, it will be renamed to BIND 9.16, which will be a stable branch.
The end of life date for BIND 9.14 has not yet been determined. For those
The end of life date for BIND 9.16 has not yet been determined. For those
needing long term support, the current Extended Support Version (ESV) is
BIND 9.11, which will be supported until at least December 2021. See
https://www.isc.org/downloads/software-support-policy/ for details of

10
doc/misc/options
View file

@ -138,7 +138,7 @@ options {
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>;
dnssec-enable <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
<string> | auto | no ); // may occur multiple times
@ -186,7 +186,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none );
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
@ -207,7 +207,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
@ -512,7 +512,7 @@ view <string> [ <class> ] {
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>;
dnssec-enable <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
<string> | auto | no ); // may occur multiple times
@ -553,7 +553,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> <string>
<integer> <integer> <integer>

2
lib/ns/api
View file

@ -6,7 +6,7 @@
# 9.9-sub: 130-139, 150-159, 200-209
# 9.10: 140-149, 190-199
# 9.10-sub: 180-189
# 9.11: 160-169
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699

2
version
View file

@ -6,6 +6,6 @@ DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
PATCHVER=0
RELEASETYPE=-dev
RELEASETYPE=
RELEASEVER=
EXTENSIONS=