diff --git a/CHANGES b/CHANGES index 1c76d006df..b3f5d4ad8a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.15.2 released --- + 5263. [cleanup] Use atomics and isc_refcount_t wherever possible. [GL #1038] diff --git a/README b/README index ea7b28cc1e..15f3c62b8c 100644 --- a/README +++ b/README @@ -139,7 +139,7 @@ make depend. If you're using Emacs, you might find make tags helpful. Several environment variables that can be set before running configure will affect compilation: -Variable Description + Variable Description CC The C compiler to use. configure tries to figure out the right one for supported systems. C compiler flags. Defaults to include -g and/or -O2 as @@ -291,7 +291,7 @@ development BIND 9 is included in the file CHANGES, with the most recent changes listed first. Change notes include tags indicating the category of the change that was made; these categories are: -Category Description + Category Description [func] New feature [bug] General bug fix [security] Fix for a significant security flaw 
@@ -342,21 +342,23 @@ Acknowledgments * The original development of BIND 9 was underwritten by the following organizations: - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. + Sun Microsystems, Inc. + Hewlett Packard + Compaq Computer Corporation + IBM + Process Software Corporation + Silicon Graphics, Inc. + Network Associates, Inc. + U.S. Defense Information Systems Agency + USENIX Association + Stichting NLnet - NLnet Foundation + Nominum, Inc. * This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. http://www.OpenSSL.org/ + * This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) + * This product includes software written by Tim Hudson (tjh@cryptsoft.com) diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index dc9e2d5b1e..32209be0fe 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -86,6 +86,11 @@ Check "core" configuration only\&. This suppresses the loading of plugin modules statements to be ignored\&. .RE .PP +\-i +.RS 4 +Ignore warnings on deprecated options\&. +.RE +.PP \-p .RS 4 Print out the diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index a87b2977f8..56eea3b6a3 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -96,6 +96,12 @@ plugin statements to be ignored.

+
-i
+
+

+ Ignore warnings on deprecated options. +

+
-p

diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 7758ae9d3e..0450efac89 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -92,8 +92,7 @@ to generate TSIG keys\&.
 .RS 4
 Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
 .sp
-If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
-\fB\-f KSK\fR) default to 2048 bits\&.
+If the key size is not specified, some algorithms have pre\-defined defaults\&. For instance, RSA keys have a default size of 2048 bits\&.
 .RE
 .PP
 \-C
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index b23904790a..bff3cf8149 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -145,10 +145,8 @@

If the key size is not specified, some algorithms have - pre-defined defaults. For example, RSA keys for use as - DNSSEC zone signing keys have a default size of 1024 bits; - RSA keys for use as key signing keys (KSKs, generated with - -f KSK) default to 2048 bits. + pre-defined defaults. For instance, RSA keys have a default + size of 2048 bits.

-C
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 7b93ad4771..3d8965df1c 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -10,12 +10,12 @@ .\" Title: named.conf .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2019-05-10 +.\" Date: 2019-06-28 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9" +.TH "NAMED\&.CONF" "5" "2019\-06\-28" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -163,15 +163,16 @@ logging { .\} .SH "MANAGED-KEYS" .PP -See DNSSEC\-KEYS\&. +Deprecated \- see DNSSEC\-KEYS\&. .sp .if n \{\ .RS 4 .\} .nf -managed\-keys { \fIstring\fR ( static\-key | - initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR - \fIquoted_string\fR; \&.\&.\&. }; +managed\-keys { \fIstring\fR ( static\-key + | initial\-key ) \fIinteger\fR + \fIinteger\fR \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. }; deprecated .fi .if n \{\ .RE @@ -241,7 +242,6 @@ options { check\-spf ( warn | ignore ); check\-srv\-cname ( fail | warn | ignore ); check\-wildcard \fIboolean\fR; - cleaning\-interval \fIinteger\fR; clients\-per\-query \fIinteger\fR; cookie\-algorithm ( aes | sha1 | sha256 ); cookie\-secret \fIstring\fR; @@ -274,8 +274,9 @@ options { dnssec\-accept\-expired \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-loadkeys\-interval \fIinteger\fR; - dnssec\-lookaside ( \fIstring\fR trust\-anchor - \fIstring\fR | auto | no ); + dnssec\-lookaside ( \fIstring\fR + trust\-anchor \fIstring\fR | + auto | no ); deprecated dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); 
@@ -576,7 +577,7 @@ Deprecated \- see DNSSEC\-KEYS\&. .nf trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR - \fIquoted_string\fR; \&.\&.\&. };, deprecated + \fIquoted_string\fR; \&.\&.\&. }; deprecated .fi .if n \{\ .RE @@ -626,7 +627,6 @@ view \fIstring\fR [ \fIclass\fR ] { check\-spf ( warn | ignore ); check\-srv\-cname ( fail | warn | ignore ); check\-wildcard \fIboolean\fR; - cleaning\-interval \fIinteger\fR; clients\-per\-query \fIinteger\fR; deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [ except\-from { \fIstring\fR; \&.\&.\&. } ]; @@ -661,8 +661,9 @@ view \fIstring\fR [ \fIclass\fR ] { initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; dnssec\-loadkeys\-interval \fIinteger\fR; - dnssec\-lookaside ( \fIstring\fR trust\-anchor - \fIstring\fR | auto | no ); + dnssec\-lookaside ( \fIstring\fR + trust\-anchor \fIstring\fR | + auto | no ); deprecated dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); @@ -697,9 +698,11 @@ view \fIstring\fR [ \fIclass\fR ] { key\-directory \fIquoted_string\fR; lame\-ttl \fIttlval\fR; lmdb\-mapsize \fIsizeval\fR; - managed\-keys { \fIstring\fR ( static\-key | - initial\-key ) \fIinteger\fR \fIinteger\fR - \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; + managed\-keys { \fIstring\fR ( + static\-key | initial\-key + ) \fIinteger\fR \fIinteger\fR + \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. }; deprecated masterfile\-format ( map | raw | text ); masterfile\-style ( full | relative ); match\-clients { \fIaddress_match_element\fR; \&.\&.\&. }; 
@@ -852,7 +855,7 @@ view \fIstring\fR [ \fIclass\fR ] { trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR - \fIquoted_string\fR; \&.\&.\&. };, deprecated + \fIquoted_string\fR; \&.\&.\&. }; deprecated try\-tcp\-refresh \fIboolean\fR; update\-check\-ksk \fIboolean\fR; use\-alt\-transfer\-source \fIboolean\fR; diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index bca8de5a24..cb94491af8 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -142,11 +142,12 @@ logging

MANAGED-KEYS

-

See DNSSEC-KEYS.

+

Deprecated - see DNSSEC-KEYS.


-managed-keys { string ( static-key |
-    initial-key ) integer integer integer
-    quoted_string; ... };
+managed-keys { string ( static-key
+    | initial-key ) integer
+    integer integer
+    quoted_string; ... }; deprecated

@@ -208,7 +209,6 @@ options check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard boolean;
- cleaning-interval integer;
clients-per-query integer;
cookie-algorithm ( aes | sha1 | sha256 );
cookie-secret string;
@@ -241,8 +241,9 @@ options dnssec-accept-expired boolean;
dnssec-dnskey-kskonly boolean;
dnssec-loadkeys-interval integer;
- dnssec-lookaside ( string trust-anchor
-     string | auto | no );
+ dnssec-lookaside ( string
+     trust-anchor string |
+     auto | no ); deprecated
dnssec-must-be-secure string boolean;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
@@ -526,7 +527,7 @@ statistics-channels


trusted-keys { string integer
    integer integer
-    quoted_string; ... };, deprecated
+    quoted_string; ... }; deprecated

@@ -572,7 +573,6 @@ view check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard boolean;
- cleaning-interval integer;
clients-per-query integer;
deny-answer-addresses { address_match_element; ... } [
    except-from { string; ... } ];
@@ -607,8 +607,9 @@ view     initial-key ) integer integer
    integer quoted_string; ... };
dnssec-loadkeys-interval integer;
- dnssec-lookaside ( string trust-anchor
-     string | auto | no );
+ dnssec-lookaside ( string
+     trust-anchor string |
+     auto | no ); deprecated
dnssec-must-be-secure string boolean;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
@@ -643,9 +644,11 @@ view key-directory quoted_string;
lame-ttl ttlval;
lmdb-mapsize sizeval;
- managed-keys { string ( static-key |
-     initial-key ) integer integer
-     integer quoted_string; ... };
+ managed-keys { string (
+     static-key | initial-key
+     ) integer integer
+     integer
+     quoted_string; ... }; deprecated
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { address_match_element; ... };
@@ -798,7 +801,7 @@ view trusted-keys { string
    integer integer
    integer
-     quoted_string; ... };, deprecated
+     quoted_string; ... }; deprecated
try-tcp-refresh boolean;
update-check-ksk boolean;
use-alt-transfer-source boolean;
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index b859194604..ec6636234c 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -516,11 +516,7 @@ timer\&.
 .RS 4
 Dump the security roots (i\&.e\&., trust anchors configured via
 \fBdnssec\-keys\fR
-statements, or the synonymous
-\fBmanaged\-keys\fR
-or the deprecated
-\fBtrusted\-keys\fR
-statements, or via
+statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via
 \fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
 .sp
 If the first argument is "\-", then the output is returned via the
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index d03708cb0f..c95d016a3f 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -653,9 +653,8 @@

Dump the security roots (i.e., trust anchors - configured via dnssec-keys statements, - or the synonymous managed-keys or - the deprecated trusted-keys statements, or + configured via dnssec-keys statements, or the + managed-keys or trusted-keys statements (both deprecated), or via dnssec-validation auto) and negative trust anchors for the specified views. If no view is specified, all views are dumped. Security roots will indicate whether diff --git a/configure b/configure index 6845ea53db..3b71dd9501 100755 --- a/configure +++ b/configure @@ -850,7 +850,6 @@ infodir docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -1020,7 +1019,6 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1273,15 +1271,6 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1419,7 +1408,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. 
@@ -1572,7 +1561,6 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -4013,7 +4001,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -4059,7 +4047,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -4083,7 +4071,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; 
@@ -4128,7 +4116,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -4152,7 +4140,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index f469fc7511..f27750b36b 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.15.1 (Development Release)

+

BIND 9.15.2 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index d19c3fab76..2efd90166d 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -146,6 +146,6 @@
-

BIND 9.15.1 (Development Release)

+

BIND 9.15.2 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index fe4ff10515..2036f8175a 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -856,6 +856,6 @@ controls {
-

BIND 9.15.1 (Development Release)

+

BIND 9.15.2 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index b8c0541093..01c686dbd2 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1043,8 +1043,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; if at least one trust anchor has been explicitly configured in named.conf using a dnssec-keys statement (or the - synonymous managed-keys or the deprecated - trusted-keys statements). + managed-keys and trusted-keys + statements, both deprecated).

When dnssec-validation is set to @@ -2840,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.15.1 (Development Release)

+

BIND 9.15.2 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index dd14632598..e615e7f27a 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -894,8 +894,6 @@ keys are kept up to date using RFC 5011 trust anchor maintenance, and if used with static-key, keys are permanent. - Identical to managed-keys, - but has been added for improved clarity.

@@ -905,8 +903,11 @@

- is identical to dnssec-keys, - and is retained for backward compatibility. + is identical to dnssec-keys; + this option is deprecated in favor + of dnssec-keys with + the initial-key keyword, + and may be removed in a future release.

@@ -2429,7 +2430,6 @@ badresp:1,adberr:0,findfail:0,valfail:0] check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard boolean; - cleaning-interval integer; clients-per-query integer; cookie-algorithm ( aes | sha1 | sha256 ); cookie-secret string; @@ -2462,8 +2462,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] dnssec-accept-expired boolean; dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; - dnssec-lookaside ( string trust-anchor - string | auto | no ); + dnssec-lookaside ( string + trust-anchor string | + auto | no ); deprecated dnssec-must-be-secure string boolean; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); @@ -3015,14 +3016,19 @@ badresp:1,adberr:0,findfail:0,valfail:0]
geoip-directory

- Specifies the directory containing GeoIP - .dat database files for GeoIP - initialization. By default, this option is unset - and the GeoIP support will use libGeoIP's - built-in directory. - (For details, see the section called “acl Statement Definition and - Usage” about the - geoip ACL.) + When named is compiled using the + MaxMind GeoIP2 geolocation API, + this specifies the directory containing GeoIP + database files. By default, the option is set based on + the prefix used to build the libmaxminddb + module: for example, if the library is installed in + /usr/local/lib, then the default + geoip-directory will be + /usr/local/share/GeoIP. On Windows, + the default is the named working + directory. See the section called “acl Statement Definition and + Usage” for details about + geoip ACLs.

key-directory
@@ -3434,10 +3440,11 @@ options { as insecure.

- Configured trust anchors in trusted-keys - or managed-keys that match a disabled - algorithm will be ignored and treated as if they were not - configured at all. + Configured trust anchors in dnssec-keys + (or managed-keys or + trusted-keys, both deprecated) + that match a disabled algorithm will be ignored and treated + as if they were not configured at all.

disable-ds-digests
@@ -3475,6 +3482,9 @@ options { no, then dnssec-lookaside is not used.

+

+ This option is deprecated and its use is discouraged. +

NOTE: The ISC-provided DLV service at dlv.isc.org, has been shut down. @@ -3773,6 +3783,8 @@ options { zone-statistics terse or zone-statistics none in the zone statement). + These include, for example, DNSSEC signing operations + and the number of authoritative answers per query type. The default is terse, providing minimal statistics on zones (including name and current serial number, but not query type @@ -4676,8 +4688,8 @@ options { If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured using a dnssec-keys statement (or - the synonymous managed-keys, or the - deprecated trusted-keys statements). + the managed-keys or the + trusted-keys statements, both deprecated). If there is no configured trust anchor, validation will not take place.

@@ -9007,9 +9019,10 @@ example.com CNAME rpz-tcp-only.

managed-keys Statement Grammar

-managed-keys { string ( static-key |
-    initial-key ) integer integer integer
-    quoted_string; ... };
+managed-keys { string ( static-key
+    | initial-key ) integer
+    integer integer
+    quoted_string; ... }; deprecated
 
@@ -9018,9 +9031,9 @@ example.com CNAME rpz-tcp-only. and Usage

- The managed-keys statement is - identical to the dnssec-keys, and is - retained for backward compatibility. + The managed-keys statement has been + deprecated in favor of the section called “dnssec-keys Statement Grammar” + with the initial-key keyword.

@@ -9030,7 +9043,7 @@ example.com CNAME rpz-tcp-only.
 trusted-keys { string integer
     integer integer
-    quoted_string; ... };, deprecated
+    quoted_string; ... }; deprecated
 
@@ -9041,7 +9054,7 @@ example.com CNAME rpz-tcp-only.

The trusted-keys statement has been deprecated in favor of the section called “dnssec-keys Statement Grammar” - with the static keyword. + with the static-key keyword.

@@ -9674,9 +9687,8 @@ view "external" { For validation to succeed, a key-signing key (KSK) for the zone must be configured as a trust anchor in named.conf: that - is, a key for the zone must either be specified - in managed-keys or - trusted-keys. In the case + is, a key for the zone must be specified in + dnssec-keys. In the case of the root zone, you may also rely on the built-in root trust anchor, which is enabled when dnssec-validation is set to the @@ -13515,6 +13527,15 @@ HOST-127.EXAMPLE. MX 0 . BIND 8 statistics, if applicable.

+

+ Note: BIND statistics counters are signed 64-bit values on + all platforms except one: 32-bit Windows, where they are + signed 32-bit values. Given that 32-bit values have a + vastly smaller range than 64-bit values, BIND statistics + counters in 32-bit Windows builds overflow significantly + more quickly than on all other platforms. +

+

Name Server Statistics Counters

@@ -14913,6 +14934,6 @@ HOST-127.EXAMPLE. MX 0 .
-

BIND 9.15.1 (Development Release)

+

BIND 9.15.2 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 87e00b80d2..0b0e02960c 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -131,46 +131,45 @@ zone "example.com" { to search for a match. Available fields are "country", "region", "city", "continent", "postal" (postal code), "metro" (metro code), "area" (area code), "tz" (timezone), - "isp", "org", "asnum", "domain" and "netspeed". + "isp", "asnum", and "domain".

value is the value to search for within the database. A string may be quoted if it - contains spaces or other special characters. If this is - an "asnum" search, then the leading "ASNNNN" string can be - used, otherwise the full description must be used (e.g. - "ASNNNN Example Company Name"). If this is a "country" - search and the string is two characters long, then it must - be a standard ISO-3166-1 two-letter country code, and if it - is three characters long then it must be an ISO-3166-1 - three-letter country code; otherwise it is the full name - of the country. Similarly, if this is a "region" search - and the string is two characters long, then it must be a - standard two-letter state or province abbreviation; - otherwise it is the full name of the state or province. + contains spaces or other special characters. An "asnum" + search for autonomous system number can be specified using + the string "ASNNNN" or the integer NNNN. + When "country" search is specified with a string is two + characters long, then it must be a standard ISO-3166-1 + two-letter country code; otherwise it is interpreted as + the full name of the country. Similarly, if this is a + "region" search and the string is two characters long, + then it treated as a standard two-letter state or province + abbreviation; otherwise it treated as the full name of the + state or province.

The database field indicates which GeoIP database to search for a match. In most cases this is unnecessary, because most search fields can only be found in - a single database. However, searches for country can be - answered from the "city", "region", or "country" databases, - and searches for region (i.e., state or province) can be - answered from the "city" or "region" databases. For these - search types, specifying a database + a single database. However, searches for "continent" or "country" + can be answered from either the "city" or "country" databases, + so for these search types, specifying a + database will force the query to be answered from that database and no other. If database is not specified, then these queries will be answered from the "city", - database if it is installed, or the "region" database if it is - installed, or the "country" database, in that order. + database if it is installed, or the "country" database if it + is installed, in that order. Valid database names are + "country", "city", "asnum", "isp", and "domain".

Some example GeoIP ACLs:

geoip country US;
-geoip country JAP;
+geoip country JP;
 geoip db country country Canada;
-geoip db region region WA;
+geoip region WA;
 geoip city "San Francisco";
 geoip region Oklahoma;
 geoip postal 95062;
@@ -361,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
 
 
 
-

BIND 9.15.1 (Development Release)

+

BIND 9.15.2 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 5e68dff489..23d9a96853 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -191,6 +191,6 @@
-

BIND 9.15.1 (Development Release)

+

BIND 9.15.2 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index e3df521814..bf5f28224b 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -36,7 +36,7 @@

-Release Notes for BIND Version 9.15.1

+Release Notes for BIND Version 9.15.2

@@ -163,6 +163,33 @@

New Features

    +
  • +

    + The GeoIP2 API from MaxMind is now supported. Geolocation support + will be compiled in by default if the libmaxminddb + library is found at compile time, but can be turned off by using + configure --disable-geoip. +

    +

    + The default path to the GeoIP2 databases will be set based + on the location of the libmaxminddb library; + for example, if it is in /usr/local/lib, + then the default path will be + /usr/local/share/GeoIP. + This value can be overridden in named.conf + using the geoip-directory option. +

    +

    + Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of these databases support both IPv4 + and IPv6 lookups. [GL #182] [GL #1112] +

    +
  • In order to clarify the configuration of DNSSEC keys, @@ -193,6 +220,20 @@ [GL #865]

  • +
  • +

    + Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +

    +

@@ -202,7 +243,7 @@
  • - The dnssec-enable option has been deprecated and + The dnssec-enable option has been obsoleted and no longer has any effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866]

    @@ -213,6 +254,12 @@ removed. [GL !1731]

  • +
  • +

    + The dnssec-lookaside option has been deprecated. + The feature still works, but it is discouraged to use it. [GL #7] +

    +
@@ -296,6 +343,23 @@ the problem. [GL #1055]

+
  • +

    + ./configure no longer sets + --sysconfdir to /etc or + --localstatedir to /var + when --prefix is not specified and the + aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of $prefix/etc and + $prefix/var are respected. +

    +
  • +
  • +

    + Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +

    +
  • @@ -371,6 +435,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 768e26d962..645faa11f9 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index ac6b5a128b..fba79d362b 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 62acb8e489..5816d8c299 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -537,6 +537,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index b37d158ac0..aa49467c00 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 4a1e274101..6aefbb76f5 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.15.1

    +

    BIND Version 9.15.2


    @@ -245,7 +245,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.15.1
    +
    Release Notes for BIND Version 9.15.2
    Introduction
    Note on Version Numbering
    @@ -443,6 +443,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index bd8ded2f05..6b4cbd7d8b 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 97f901e714..e1b46d1f74 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 061c0f893a..ea3af06924 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index c734ae2ca8..91606a9d53 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -628,6 +628,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 6f944399ed..bacfbabe3b 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1160,6 +1160,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 1306fb0b73..03ad0c27c1 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index f1b0ab8220..34697166b2 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -164,6 +164,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 659a868b3f..2025f5445b 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 5d3294a534..681dc2f576 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -356,6 +356,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index cd5c516ccd..4af7389105 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 46493d20fe..5cdb1c7cc3 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 8834541886..681b6006e7 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -163,10 +163,8 @@

    If the key size is not specified, some algorithms have - pre-defined defaults. For example, RSA keys for use as - DNSSEC zone signing keys have a default size of 1024 bits; - RSA keys for use as key signing keys (KSKs, generated with - -f KSK) default to 2048 bits. + pre-defined defaults. For instance, RSA keys have a default + size of 2048 bits.

    -C
    @@ -557,6 +555,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 495a803b83..dcd80611d0 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index c36b4d833c..e643822847 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 7a0a73060c..e12f2f04b2 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 7b4622fc25..85c05a4e2c 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -701,6 +701,6 @@ db.example.com.signed -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 6490261123..1d43e7862f 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 9ab4e7d3a4..026f5aee55 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index b716c8defb..336db83a2e 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 9e2a684739..e5ba905b7b 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 0782f57b2f..8901ea0f6b 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -604,6 +604,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 433a91350d..24c6740cbf 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -114,6 +114,12 @@ plugin statements to be ignored.

    +
    -i
    +
    +

    + Ignore warnings on deprecated options. +

    +
    -p

    @@ -208,6 +214,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 4a27a8ab0c..e3191372c1 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index c0a984dc52..621d56ccdd 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 69795f8029..98e0e28482 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index c5e3582f18..f595264f9e 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 62be52c999..91db3c2a12 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -160,11 +160,12 @@ logging

    MANAGED-KEYS

    -

    See DNSSEC-KEYS.

    +

    Deprecated - see DNSSEC-KEYS.


    -managed-keys { string ( static-key |
    -    initial-key ) integer integer integer
    -    quoted_string; ... };
    +managed-keys { string ( static-key
    +    | initial-key ) integer
    +    integer integer
    +    quoted_string; ... }; deprecated

    @@ -226,7 +227,6 @@ options check-spf ( warn | ignore );
    check-srv-cname ( fail | warn | ignore );
    check-wildcard boolean;
    - cleaning-interval integer;
    clients-per-query integer;
    cookie-algorithm ( aes | sha1 | sha256 );
    cookie-secret string;
    @@ -259,8 +259,9 @@ options dnssec-accept-expired boolean;
    dnssec-dnskey-kskonly boolean;
    dnssec-loadkeys-interval integer;
    - dnssec-lookaside ( string trust-anchor
    -     string | auto | no );
    + dnssec-lookaside ( string
    +     trust-anchor string |
    +     auto | no ); deprecated
    dnssec-must-be-secure string boolean;
    dnssec-secure-to-insecure boolean;
    dnssec-update-mode ( maintain | no-resign );
    @@ -544,7 +545,7 @@ statistics-channels


    trusted-keys { string integer
        integer integer
    -    quoted_string; ... };, deprecated
    +    quoted_string; ... }; deprecated

    @@ -590,7 +591,6 @@ view check-spf ( warn | ignore );
    check-srv-cname ( fail | warn | ignore );
    check-wildcard boolean;
    - cleaning-interval integer;
    clients-per-query integer;
    deny-answer-addresses { address_match_element; ... } [
        except-from { string; ... } ];
    @@ -625,8 +625,9 @@ view     initial-key ) integer integer
        integer quoted_string; ... };
    dnssec-loadkeys-interval integer;
    - dnssec-lookaside ( string trust-anchor
    -     string | auto | no );
    + dnssec-lookaside ( string
    +     trust-anchor string |
    +     auto | no ); deprecated
    dnssec-must-be-secure string boolean;
    dnssec-secure-to-insecure boolean;
    dnssec-update-mode ( maintain | no-resign );
    @@ -661,9 +662,11 @@ view key-directory quoted_string;
    lame-ttl ttlval;
    lmdb-mapsize sizeval;
    - managed-keys { string ( static-key |
    -     initial-key ) integer integer
    -     integer quoted_string; ... };
    + managed-keys { string (
    +     static-key | initial-key
    +     ) integer integer
    +     integer
    +     quoted_string; ... }; deprecated
    masterfile-format ( map | raw | text );
    masterfile-style ( full | relative );
    match-clients { address_match_element; ... };
    @@ -816,7 +819,7 @@ view trusted-keys { string
        integer integer
        integer
    -     quoted_string; ... };, deprecated
    +     quoted_string; ... }; deprecated
    try-tcp-refresh boolean;
    update-check-ksk boolean;
    use-alt-transfer-source boolean;
    @@ -1075,6 +1078,6 @@ zone -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 169fd4c8c7..9cf4c5995f 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index e215f5ea83..fa3b03f9b6 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index c9fad58876..ebd6b28ece 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index f0f66ee6ee..593835652f 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index f29e18d4b8..da69a368af 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index a5fe429995..c8e69aaed6 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index e11401f459..256cbfae57 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index e344f6e72f..1b61529db4 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 42c84ad26f..bcff2d6822 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index abf5b4d00a..970e3c9759 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 91aa324bc0..340416aabe 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -669,9 +669,8 @@

    Dump the security roots (i.e., trust anchors - configured via dnssec-keys statements, - or the synonymous managed-keys or - the deprecated trusted-keys statements, or + configured via dnssec-keys statements, or the + managed-keys or trusted-keys statements (both deprecated), or via dnssec-validation auto) and negative trust anchors for the specified views. If no view is specified, all views are dumped. Security roots will indicate whether @@ -1018,6 +1017,6 @@ -

    BIND 9.15.1 (Development Release)

    +

    BIND 9.15.2 (Development Release)

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 997c22fb48..5557461d72 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.15.1

    +Release Notes for BIND Version 9.15.2

    @@ -123,6 +123,33 @@

    New Features

      +
    • +

      + The GeoIP2 API from MaxMind is now supported. Geolocation support + will be compiled in by default if the libmaxminddb + library is found at compile time, but can be turned off by using + configure --disable-geoip. +

      +

      + The default path to the GeoIP2 databases will be set based + on the location of the libmaxminddb library; + for example, if it is in /usr/local/lib, + then the default path will be + /usr/local/share/GeoIP. + This value can be overridden in named.conf + using the geoip-directory option. +

      +

      + Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of these databases support both IPv4 + and IPv6 lookups. [GL #182] [GL #1112] +

      +
    • In order to clarify the configuration of DNSSEC keys, @@ -153,6 +180,20 @@ [GL #865]

    • +
    • +

      + Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +

      +

    @@ -162,7 +203,7 @@
    • - The dnssec-enable option has been deprecated and + The dnssec-enable option has been obsoleted and no longer has any effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866]

      @@ -173,6 +214,12 @@ removed. [GL !1731]

    • +
    • +

      + The dnssec-lookaside option has been deprecated. + The feature still works, but it is discouraged to use it. [GL #7] +

      +
    @@ -256,6 +303,23 @@ the problem. [GL #1055]

    +
  • +

    + ./configure no longer sets + --sysconfdir to /etc or + --localstatedir to /var + when --prefix is not specified and the + aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of $prefix/etc and + $prefix/var are respected. +

    +
  • +
  • +

    + Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +

    +
  • diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 4f31220a1e..3139267075 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 808e1c8478..ce9239ec64 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.15.1 +Release Notes for BIND Version 9.15.2 Introduction @@ -65,6 +65,23 @@ Security Fixes New Features + * The GeoIP2 API from MaxMind is now supported. Geolocation support will + be compiled in by default if the libmaxminddb library is found at + compile time, but can be turned off by using configure --disable-geoip + . + + The default path to the GeoIP2 databases will be set based on the + location of the libmaxminddb library; for example, if it is in /usr/ + local/lib, then the default path will be /usr/local/share/GeoIP. This + value can be overridden in named.conf using the geoip-directory + option. + + Some geoip ACL settings that were available with legacy GeoIP, + including searches for netspeed, org, and three-letter ISO country + codes, will no longer work when using GeoIP2. Supported GeoIP2 + database types are country, city, domain, isp, and as. All of these + databases support both IPv4 and IPv6 lookups. [GL #182] [GL #1112] + * In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new dnssec-keys statement should now be used for both types of key. 
@@ -82,14 +99,25 @@ New Features zone's SOA record should be included in the additional section of RPZ responses. [GL #865] + * Two new metrics have been added to the statistics-channel to report + DNSSEC signing operations. For each key in each zone, the dnssec-sign + counter indicates the total number of signatures named has generated + using that key since server startup, and the dnssec-refresh counter + indicates how many of those signatures were refreshed during zone + maintenance, as opposed to having been generated as a result of a zone + update. [GL #513] + Removed Features - * The dnssec-enable option has been deprecated and no longer has any + * The dnssec-enable option has been obsoleted and no longer has any effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866] * The cleaning-interval option has been removed. [GL !1731] + * The dnssec-lookaside option has been deprecated. The feature still + works, but it is discouraged to use it. [GL #7] + Feature Changes * named will now log a warning if a static key is configured for the @@ -131,6 +159,14 @@ Bug Fixes minimal queries in order to reduce the likelihood of encountering the problem. [GL #1055] + * ./configure no longer sets --sysconfdir to /etc or --localstatedir to + /var when --prefix is not specified and the aforementioned options are + not specified explicitly. Instead, Autoconf's defaults of $prefix/etc + and $prefix/var are respected. + + * Glue address records were not being returned in responses to root + priming queries; this has been corrected. [GL #1092] + License BIND is open source software licensed under the terms of the Mozilla diff --git a/doc/misc/options b/doc/misc/options index d697fe543e..61792fd7dc 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -193,7 +193,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + geoip-directory ( | none ); // not configured geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // ancient @@ -214,7 +214,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); maintain-ixfr-base ; // ancient managed-keys-directory ; @@ -565,7 +565,7 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; + lmdb-mapsize ; // non-operational maintain-ixfr-base ; // ancient managed-keys { ( static-key | initial-key diff --git a/lib/isccfg/api b/lib/isccfg/api index c7836b219a..b48f390b63 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -11,5 +11,5 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 LIBINTERFACE = 1500 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/version b/version index ee2badef05..f3b92aca9c 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Development Release)" MAJORVER=9 MINORVER=15 -PATCHVER=1 +PATCHVER=2 RELEASETYPE= RELEASEVER= EXTENSIONS=