diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 40aff3553a..01d6c276cc 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -19,7 +19,7 @@ named-checkconf \- named configuration file syntax checking tool .SH SYNOPSIS .sp -\fBnamed-checkconf\fR [ \fB-v\fR ] [ \fB-t \fIdirectory\fB\fR ] \fBfilename\fR [ \fB-z\fR ] +\fBnamed-checkconf\fR [ \fB-v\fR ] [ \fB-j\fR ] [ \fB-t \fIdirectory\fB\fR ] \fBfilename\fR [ \fB-z\fR ] .SH "DESCRIPTION" .PP \fBnamed-checkconf\fR checks the syntax, but not @@ -39,6 +39,9 @@ program and exit. Perform a check load the master zonefiles found in \fInamed.conf\fR. .TP +\fB-j\fR +When loading a zonefile read the journal if it exists. +.TP \fBfilename\fR The name of the configuration file to be checked. If not specified, it defaults to \fI/etc/named.conf\fR. diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 3c912f9ef8..32dfbd710d 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -20,7 +20,7 @@ >named-checkconf-v] [-j] [-t

DESCRIPTION

OPTIONS

-j

When loading a zonefile read the journal if it exists. +

filename

RETURN VALUES

SEE ALSO

AUTHOR

named-checkzone-d
] [-j] [-q] [] [-n mode] [-t

DESCRIPTION

OPTIONS

-j

When loading the zone file read the journal if it exists. +

-c
-n mode

Specify whether NS records should be checked to see if they + are addresses. Possible modes are "fail", + "warn" (default) and + "ignore". +

-t

RETURN VALUES

SEE ALSO

AUTHOR

" .PP The default query class (IN for internet) is overridden by the \fB-c\fR option. \fIclass\fR is any valid @@ -126,9 +127,10 @@ When this option is used, there is no need to provide the automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are -looked up using the IP6.ARPA domain and binary labels as defined in -RFC2874. To use the older RFC1886 method using the IP6.INT domain and -"nibble" labels, specify the \fB-n\fR (nibble) option. +looked up using nibble format under the IP6.ARPA domain. +To use the older RFC1886 method using the IP6.INT domain +specify the \fB-i\fR option. Bit string labels (RFC2874) +are now experimental and are not attempted. .PP To sign the DNS queries sent by \fBdig\fR and their responses using transaction signatures (TSIG), specify a TSIG key file @@ -190,7 +192,7 @@ The search list is not used by default. Deprecated, treated as a synonym for \fI+[no]search\fR .TP \fB+[no]aaonly\fR -This option does nothing. It is provided for compatibilty with old +This option does nothing. It is provided for compatibility with old versions of \fBdig\fR where it set an unimplemented resolver flag. .TP @@ -204,7 +206,13 @@ completeness. Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. .TP -\fB+[no]recursive\fR +\fB+[no]cl\fR +Display [do not display] the CLASS when printing the record. +.TP +\fB+[no]ttlid\fR +Display [do not display] the TTL when printing the record. +.TP +\fB+[no]recurse\fR Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means \fBdig\fR normally sends recursive queries. Recursion is automatically disabled @@ -323,7 +331,7 @@ The default is to not display malformed answers. .TP \fB+[no]dnssec\fR Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the the OPT record in the additional section of the query. +in the OPT record in the additional section of the query. .SH "MULTIPLE QUERIES" .PP The BIND 9 implementation of \fBdig \fR supports diff --git a/bin/dig/dig.html b/bin/dig/dig.html index 7b7527a6b4..ff8057dd79 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -20,7 +20,7 @@ >digaddress
. This must be a valid address on -one of the host's network interfaces.

The default query class (IN for internet) is overridden by the 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are -looked up using the IP6.ARPA domain and binary labels as defined in -RFC2874. To use the older RFC1886 method using the IP6.INT domain and -"nibble" labels, specify the -n (nibble) option.

-i
option. Bit string labels (RFC2874) +are now experimental and are not attempted.

To sign the DNS queries sent by

This option does nothing. It is provided for compatibilty with old +>This option does nothing. It is provided for compatibility with old versions of dig

+[no]recursive+[no]cl

Display [do not display] the CLASS when printing the record.

+[no]ttlid

Display [do not display] the TTL when printing the record.

+[no]recurse

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the the OPT record in the additional section of the query.

MULTIPLE QUERIES

FILES

SEE ALSO

BUGS

dnssec-keygen-e
] [-f flag] [-g

DESCRIPTION

OPTIONS

-f flag

Set the specified flag in the flag field of the key record. + The only recognized flag is KSK (Key Signing Key). +

-g

GENERATED KEYS

EXAMPLE

SEE ALSO

AUTHOR

dnssec-signzone
] [-s start-time] [-e ] [-g] [-h] [-k key] [-i ] [-s start-time] [-t] [level] [-z] {zonefile} [key...]

DESCRIPTION

dnssec-signzone signs a zone. It generates NXT - and SIG records and produces a signed version of the zone. If there +> signs a zone. It generates NSEC + and RRSIG records and produces a signed version of the zone. If there is a signedkey

OPTIONS

-k key

Treat specified key as a key signing key ignoring any + key flags. This option may be specified multiple times. +

-d
-g

Generate DS records for child zones from keyset files. + Existing DS records will be removed. +

-s

Specify the date and time when the generated SIG records +> Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes @@ -249,7 +284,7 @@ CLASS="REPLACEABLE" CLASS="OPTION" >start-time is specified, the current - time is used. + time minus 1 hour (to allow for clock skew) is used.

Specify the date and time when the generated SIG records +> Specify the date and time when the generated RRSIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from - the start time. A time realtive to the current time is + the start time. A time relative to the current time is indicated with now+N. If no end-timeinterval option specifies the cycle interval as an offset from the current - time (in seconds). If a SIG record expires after the + time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

dnssec-signzone
generates signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing SIG records + interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.

-z

Ignore KSK flag on key when determining what to sign. +

zonefile

EXAMPLE

SEE ALSO

AUTHOR

namednamed [-4] [-6] [-c

DESCRIPTION

OPTIONS

-4

Use IPv4 only even if the host machine is capable of IPv6. + -4 and -6 are mutually + exclusive. +

-6

Use IPv6 only even if the host machine is capable of IPv4. + -4 and -6 are mutually + exclusive. +

-c

SIGNALS

CONFIGURATION

FILES

SEE ALSO

AUTHOR

nsupdate
] [-t timeout] [-u udptimeout] [-r udpretries] [-v] [filename]

DESCRIPTION

nsupdate -uses UDP to send update requests to the name server. +uses UDP to send update requests to the name server unless they are too +large to fit in a UDP request in which case TCP will be used. The use a TCP connection. This may be preferable when a batch of update requests is made.

The -t option sets the maximum time a update request can +take before it is aborted. The default is 300 seconds. Zero can be used +to disable the timeout.

The -u option sets the UDP retry interval. The default is +3 seconds. If zero the interval will be computed from the timeout interval +and number of UDP retries.

The -r option sets the number of UDP retries. The default is +3. If zero only one update request will be made.

INPUT FORMAT

nsupdate -will send updates using an address and port choosen by the system. +will send updates using an address and port chosen by the system.

EXAMPLES

FILES

SEE ALSO

BUGS

- - - rndc-confgen

Specifies a source of random data for generating the - authoriazation. If the operating + authorization. If the operating system does not provide a /dev/randomIntroduction

6.2.14. masters Statement Definition and Usage

masters lists allow for a common set of masters +to be easily used by multiple stub and slave zones.

6.2.15. options Statement Grammar

] [ server-id server_id_string; ] + [ directory ] [ flush-zones-on-shutdown yes_or_no; ] + [ has-old-clients ] [ dual-stack-servers [port ip_port] { ( domain_name [port ip_port] | ip_addr [port ip_port] ) ; ... }; ] + [ check-names ( ] [ avoid-v4-udp-ports { port_list }; ] + [ avoid-v6-udp-ports { port_list }; ] + [ listen-on [ port ] [ query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ] + [ max-transfer-time-in ] [ tcp-listen-queue number; ] + [ transfer-format ] [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ] + [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ] + [ use-alt-transfer-source yes_or_no; ] + [ notify-source (yes_or_no; ] + [ preferred-glue ( A | AAAA | NONE ); ] + [ edns-udp-size number; ] + [ root-delegation-only [ exclude { namelist } ] ; ] }; 6.2.14. 6.2.16. options Statement Definition and Usage

This option is obsolete. It was used in Section 6.2.14.16Section 6.2.16.17

preferred-glue

If specified the listed type (A or AAAA) will be emitted before other glue +in the additional section of a query response. +The default is not to preference any type (NONE). +

root-delegation-only

Turn on enforcment of delegation-only in TLDs and root zones with an optional +exclude list. +

Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). +


options {
+	root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+};
+
6.2.14.1. Boolean Options6.2.16.1. Boolean Options

notify
and notify-alsoalso-notify.

If the @@ -4562,7 +5020,7 @@ processing.

flush-zones-on-shutdown

When the nameserver exits due receiving SIGTERM, +flush / do not flush any pending zone writes. The default is +flush-zones-on-shutdown no. +

has-old-clients

This option is obsolete. It was used in

This option is obsolete. statistics-file. See also Section 6.2.14.16Section 6.2.16.17.

This option is obsolete. If you need to disable IXFR to a particular server or servers see the information on the option in Section 6.2.16Section 6.2.18. See also in Section 6.2.16Section 6.2.18

in Section 6.2.16Section 6.2.18

MX 10 mail.example.net
", normally the address -records (A, A6, and AAAA) for mail.example.net will be provided as well, @@ -5394,6 +5881,24 @@ temporarily allocate memory to hold this complete difference set.

multi-master

This should be set when you have multiple masters for a zone and the +addresses refer to different machines. If 'yes' named will not log +when the serial number on the master is less than what named currently +has. The default is no. +

6.2.14.2. Forwarding6.2.16.2. Forwarding

The forwarding facility can be used to create a large site-wide @@ -5462,7 +5967,7 @@ CLASS="command" > behavior, or not forward at all, see Section 6.2.21Section 6.2.23.

6.2.16.3. 6 to 4 Servers

6 to 4 servers are used as servers of last resort to work around +problems in reachability due the lack of support for either IPv4 or IPv6 +on the host machine.

dual-stack-servers

Specifies host names / addresses of machines with access to +both IPv4 and IPv6 transports. If a hostname is used the server must be able +to resolve the name using only the transport it has. If the machine is dual +stacked then the dual-stack-servers have no effect unless +access to a transport has been disabled on the command line +(e.g. named -4).

6.2.14.3. Access Control6.2.16.4. Access Control

Access to the server can be restricted based on the IP address @@ -5599,12 +6144,11 @@ CLASS="command" >

Specifies which hosts are to receive -synthetic responses to IPv6 queries as described in -Section 6.2.14.13. +>This option was introduced for the smooth transition from AAAA +to A6 and from "nibble labels" to binary labels. +However, since both A6 and binary labels were then deprecated, +this option was also deprecated. +It is now ignored with some warning messages.

options allow-transfer statement. -If not specified, the default is to allow transfers from all hosts.

6.2.14.4. Interfaces6.2.16.5. Interfaces

The interfaces and ports that the server will answer queries @@ -5693,44 +6237,28 @@ CLASS="command" > is specified, the server will listen on port 53 on all interfaces.

The listen-on-v6 option is used to -specify the ports on which the server will listen for incoming -queries sent using IPv6.

The server does not bind a separate socket to each IPv6 -interface address as it does for IPv4. Instead, it always -listens on the IPv6 wildcard address. Therefore, the only -values allowed for the address_match_list -argument to the listen-on-v6 statement are -

{ any; }
and -
{ none;}

By default, the server does not bind a separate socket to each +IPv6 interface address as it does for IPv4. Instead, it listens on the +IPv6 wildcard address. +Alternatively, a list of IPv6 addresses can be specified, in which case +the server listens on a separate socket for each specified address.

Multiple listen-on-v6 options can be -used to listen on multiple ports:

options can be used. +For example,

listen-on-v6 port 53 { any; };
-listen-on-v6 port 1234 { any; };
+>listen-on-v6 { any; };
+listen-on-v6 port 1234 { !3ffe::/16; any; };
 

will enable the name server on port 53 for any IPv6 addresses +(with a single wildcard socket), +and on port 1234 of IPv6 addresses that is not in the prefix +3ffe::/16 (with separate sockets for each matched address.)

To make the server not listen on any IPv6 address, use

6.2.14.5. Query Address6.2.16.6. Query Address

If the server doesn't know the answer to a question, it will @@ -5780,11 +6308,19 @@ CLASS="command" CLASS="command" >* or is omitted, -a random unprivileged port will be used. The defaults are

avoid-v4-udp-ports +and avoid-v6-udp-ports can be used to prevent named +from selecting certian ports. The defaults are

query-source address * port *;
-query-source-v6 address * port *
+query-source-v6 address * port *;
 
6.2.14.6. Zone Transfers6.2.16.7. Zone Transfers

alt-transfer-source

An alternate transfer source if the one listed in +transfer-source fails and +use-alt-transfer-source is set.

alt-transfer-source-v6

An alternate transfer source if the one listed in +transfer-source-v6 fails and +use-alt-transfer-source is set.

use-alt-transfer-source

Use the alternate transfer sources or not. If views are +specified this defaults to no otherwise it defaults to +yes (for BIND 8 compatibility).

notify-source

6.2.14.7. Operating System Resource Limits6.2.16.8. Bad UDP Port Lists

avoid-v4-udp-ports and avoid-v6-udp-ports +specify a list of IPv4 and IPv6 UDP ports that will not be used as system +assigned source ports for UDP sockets. These lists are expected to be +used to prevent named using "well known" ports in the system assigned range +that have become unusable due to wide spread use of acls containing these +ports. +

6.2.16.9. Operating System Resource Limits

The server's usage of many system resources can be limited. @@ -6300,8 +6910,8 @@ CLASS="sect3" >

6.2.14.8. Server Resource Limits6.2.16.10. Server Resource Limits

The following options set limits on the server's @@ -6401,6 +7011,20 @@ CLASS="literal" records are purged from the cache only when their TTLs expire.

tcp-listen-queue

The listen queue depth. The default and minimum is 3. +If the kernel supports the accept filter "dataready" this also controls how +many TCP connections that will be queued in kernel space waiting for +some data before being passed to accept. Values less than 3 will be +silently raised. +

6.2.14.9. Periodic Task Intervals6.2.16.11. Periodic Task Intervals

6.2.14.10. Topology6.2.16.12. Topology

All other things being equal, when the server chooses a name server @@ -6572,7 +7196,7 @@ CLASS="sect3" CLASS="sect3" >6.2.14.11. The 6.2.16.13. The sortlist Statement statement in Section 6.2.14.12Section 6.2.16.14). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. @@ -6611,7 +7235,7 @@ CLASS="command" > statement does (Section 6.2.14.10Section 6.2.16.12). Each top level statement in the 6.2.14.12. RRset Ordering6.2.16.14. RRset Ordering

When multiple records are returned in an answer it may be @@ -6717,7 +7341,7 @@ CLASS="command" > statement, Section 6.2.14.11Section 6.2.16.13.

rrset-order
statement -is not yet implemented in BIND 9. -BIND 9 currently supports only a "random-cyclic" ordering, -where the server randomly chooses a starting point within -the RRset and returns the records in order starting at -that point, wrapping around the end of the RRset if -necessary.

6.2.14.13. Synthetic IPv6 responses

Many existing stub resolvers support IPv6 DNS lookups as defined in -RFC1886, using AAAA records for forward lookups and "nibble labels" in -the ip6.int domain for reverse lookups, but do not support -RFC2874-style lookups (using A6 records and binary labels in the -ip6.arpa domain).

For those who wish to continue to use such stub resolvers rather than -switching to the BIND 9 lightweight resolver, BIND 9 provides a way -to automatically convert RFC1886-style lookups into -RFC2874-style lookups and return the results as "synthetic" AAAA and -PTR records.

This feature is disabled by default and can be enabled on a per-client -basis by adding a -allow-v6-synthesis { address_match_list } -clause to the options or view statement. - When it is enabled, recursive -AAAA queries cause the server to first try an A6 lookup and if that -fails, an AAAA lookups. No matter which one succeeds, the results are -returned as a set of synthetic AAAA records. Similarly, recursive PTR -queries in ip6.int will cause a -lookup in ip6.arpa using binary -labels, and if that fails, another lookup in ip6.int. -The results are returned as a synthetic PTR record in -ip6.int.

The synthetic records have a TTL of zero. DNSSEC validation of -synthetic responses is not currently supported; therefore responses -containing synthetic RRs will not have the AD flag set.

Note: allow-v6-synthesis is only performed for -clients that are supplied recursive service.

6.2.14.14. Tuning6.2.16.15. Tuning

Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is -NOTNOT recommended.) Default is

These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. -These options are valid for master, slave and stub zones, +These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values.

edns-udp-size

edns-udp-size sets the advertised EDNS UDP buffer +size. Valid values are 512 to 4096 (values outside this range will be +silently adjusted). The default value is 4096. The usual reason for +setting edns-udp-size to a non default value it to get UDP answers to +pass through broken firewalls that block fragmented packets and/or +block UDP packets that are greater than 512 bytes. +

6.2.14.15. Built-in server information zones6.2.16.16. Built-in server information zones

The server provides some helpful diagnostic information @@ -7162,7 +7719,7 @@ CLASS="command" > class. These zones are part of a built-in view (see Section 6.2.19Section 6.2.21) of class hostname nonehostname none; disables processing of the queries.

server-id

The ID of the server should report via a query of +the name ID.SERVER +with type TXT, class CHAOS. +The primary purpose of such queries is to +identify which of a group of anycast servers is actually +answering your queries. Specifying server-id none; +disables processing of the queries. +Specifying server-id hostname; will cause named to +use the hostname as found by gethostname(). +The default server-id is none. +

6.2.14.16. The Statistics File6.2.16.17. The Statistics File

The statistics file generated by

6.2.15. 6.2.17. server Statement Grammar] }
; ] + [ transfer-source (ip4_addr | *) [port ip_port] ; ] + [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ] }; 6.2.16. 6.2.18. server Statement Definition and Usage clause allows for multiple keys, only a single key per server is currently supported.

The transfer-source and +transfer-source-v6 clauses specify the IPv4 and IPv6 source +address to be used for zone transfer with the remote server, respectively. +For an IPv4 remote server, only transfer-source can +be specified. +Similarly, for an IPv6 remote server, only +transfer-source-v6 can be specified. +Form more details, see the description of +transfer-source and +transfer-source-v6 in +Section 6.2.16.7.

6.2.17. 6.2.19. trusted-keys Statement Grammar

6.2.18. 6.2.20. trusted-keys Statement Definition @@ -7861,7 +8531,7 @@ CLASS="sect2" CLASS="sect2" >6.2.19. 6.2.21. view Statement Grammaraddress_match_list } ; - match-recursive-only { yes_or_no } ; +> ; [

6.2.20. 6.2.22. view Statement Definition and Usage6.2.21. 6.2.23. zone @@ -8136,7 +8806,7 @@ CLASS="replaceable" >] [{ - type ( master | slave | hint | stub | forward ) ; + type ( master | slave | hint | stub | forward | delegation-only ) ; [ allow-notify { ] [ delegation-only yes_or_no ; ] + [ file ip_port] { ] { ( masters_list | ip_addrkey]; [] ) ; [...] } ; ] [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ] + [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ] + [ use-alt-transfer-source yes_or_no; ] + [ notify-source (] [ multi-master yes_or_no ; ] + [ key-directory

6.2.22. 6.2.24. zone Statement Definition and Usage

6.2.22.1. Zone Types6.2.24.1. Zone Types

masters
list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. +Masters list elements can also be names of other masters lists. By default, transfers are made from port 53 on the servers; this can be changed for all servers by specifying a port number before the list of IP addresses, or on a per-server basis after the IP address. @@ -8854,6 +9597,36 @@ IN, the server uses a compiled-in default set of root servers hints. Classes other than IN have no built-in defaults hints.

delegation-only

This is used to enforce the delegation only +status of infrastructure zones (e.g. COM, NET, ORG). Any answer that +is received without a explicit or implict delegation in the authority +section will be treated as NXDOMAIN. This does not apply to the zone +apex. This SHOULD NOT be applied to leaf zones.

+

delegation-only has no effect on answers received +from forwarders.

6.2.22.2. Class6.2.24.2. Class

The zone's name may optionally be followed by a class. If @@ -8903,8 +9676,8 @@ CLASS="sect3" >

6.2.22.3. Zone Options6.2.24.3. Zone Options

allow-notify
in Section 6.2.14.3Section 6.2.16.4

allow-query in Section 6.2.14.3Section 6.2.16.4

in Section 6.2.14.3Section 6.2.16.4.

Specifies a "Simple Secure Update" policy. See Section 6.2.22.4Section 6.2.24.4.

in Section 6.2.14.3Section 6.2.16.4.

dialup in Section 6.2.14.1Section 6.2.16.1.

delegation-only

The flag only applies to hint and stub zones. If set +to yes then the zone will also be treated as if it +is also a delegation-only type zone. +

forward
max-transfer-time-in in Section 6.2.14.6Section 6.2.16.7.

max-transfer-idle-in in Section 6.2.14.6Section 6.2.16.7.

max-transfer-time-out in Section 6.2.14.6Section 6.2.16.7.

max-transfer-idle-out in Section 6.2.14.6Section 6.2.16.7.

notify in Section 6.2.14.1Section 6.2.16.1.

sig-validity-interval in Section 6.2.14.14Section 6.2.16.15.

transfer-source in Section 6.2.14.6Section 6.2.16.7

transfer-source-v6 in Section 6.2.14.6Section 6.2.16.7 +

alt-transfer-source

See the description of +alt-transfer-source in Section 6.2.16.7 +

alt-transfer-source-v6

See the description of +alt-transfer-source-v6 in Section 6.2.16.7 +

use-alt-transfer-source

See the description of +use-alt-transfer-source in Section 6.2.16.7

notify-source in Section 6.2.14.6Section 6.2.16.7

notify-source-v6 in Section 6.2.14.6Section 6.2.16.7.

See the description in Section 6.2.14.14Section 6.2.16.15.

ixfr-from-differences in Section 6.2.14.1Section 6.2.16.1.

key-directory in Section 6.2.14Section 6.2.16

multi-master

See the description of +multi-master in Section 6.2.16.1.

6.2.22.4. Dynamic Update Policies6.2.24.4. Dynamic Update Policies

6.3. Zone File

6.3.1.1. Resource Records

Section 6.2.14.11Section 6.2.16.13 and Section 6.2.14.12Section 6.2.16.14.

The components of a Resource Record are:

The following are The following are types of valid RRs:

a host address. In the IN class, this is a -32-bit IP address.

A6

an IPv6 address. This can be a partial -address (a suffix) and an indirection to the name where the rest of the -address (the prefix) can be found.

obsolete format of IPv6 address

IPv6 address. Described in RFC 1886.

A6

IPv6 address. This can be a partial +address (a suffix) and an indirection to the name where the rest of the +address (the prefix) can be found. Experimental. Described in RFC 2874.

location of AFS database servers. -Experimental.

APL

address prefix list. Experimental. +Described in RFC 3123.

holds a digital certificate.

holds a digital certificate. +Described in RFC 2538.

identifies the canonical name of an alias.

identifies the canonical name of an alias. +Described in RFC 1035.

Replaces the domain name specified with another name to be looked up, effectively aliasing an entire subtree of the domain name space rather than a single record -as in the case of the CNAME RR. Used for delegation -of IPv6 reverse mappings. Described in RFC 2672.

Specifies the global position. Superseded by LOC.

Specifies the global position. Superseded by LOC.

identifies the CPU and OS used by a host.

identifies the CPU and OS used by a host. +Described in RFC 1035.

representation of ISDN addresses. -Experimental.

stores a public key associated with a -DNS name.

identifies a key exchanger for this -DNS name.

for storing GPS info. See RFC 1876. +>for storing GPS info. Described in RFC 1876. Experimental.

identifies a mail exchange for the domain. a 16 bit preference value (lower is better) followed by the host name of the mail exchange. - See RFC 974 for details.

name authority pointer.

name authority pointer. Described in RFC 2915.

a network service access point.

a network service access point. +Described in RFC 1706.

the authoritative name server for the -domain.

used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. -See RFC 2535 for details.

a pointer to another part of the domain -name space.

provides mappings between RFC 822 and X.400 -addresses.

information on persons responsible -for the domain. Experimental.

route-through binding for hosts that -do not have their own direct wide area network addresses. Experimental.

("signature") contains data authenticated -in the secure DNS. See RFC 2535 for details.

identifies the start of a zone of authority.

identifies the start of a zone of authority. +Described in RFC 1035.

information about well known network -services (replaces WKS).

text records.

text records. Described in RFC 1035.

representation of X.25 network addresses. Experimental.

representation of X.25 network addresses. +Experimental. Described in RFC 1183.

The following The following classes of resource records are currently valid in the DNS:

6.3.1.2. Textual expression of RRs

6.3.2. Discussion of MX Records

must have an associated A record — CNAME is not sufficient.

6.3.4. Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address -to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the @@ -11262,7 +12155,7 @@ CLASS="optional" >

6.3.5. Other Zone File Directives

6.3.5.1. The $ORIGIN

6.3.5.2. The $INCLUDE

6.3.5.3. The $TTL

6.3.6. BINDlhs [ttl] [class] type0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. -0.0.0.192.IN-ADDR.ARPA NS SERVER2.EXAMPLE. -1.0.0.192.IN-ADDR.ARPA CNAME 1.0.0.0.192.IN-ADDR.ARPA -2.0.0.192.IN-ADDR.ARPA CNAME 2.0.0.0.192.IN-ADDR.ARPA +0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. +1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. +2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. ... -127.0.0.192.IN-ADDR.ARPA CNAME 127.0.0.0.192.IN-ADDR.ARPA -.

For compatability with earlier versions For compatibility with earlier versions $$ is still @@ -11773,6 +12682,74 @@ VALIGN="MIDDLE" >

ttl

ttl specifies the + ttl of the generated records. If not specified this will be + inherited using the normal ttl inhertance rules.

+

class and ttl can be + entered in either order.

class

class specifies the + class of the generated records. This must match the zone class if + it is specified.

+

class and ttl can be + entered in either order.

type

BIND extension and not part of the standard zone file format.

BIND 8 does not support the optional TTL and CLASS fields.


PrevBIND 9 Security Considerations
HomeNext
Prev
7.2. chroot

It is a It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against @@ -173,9 +179,12 @@ zone "example.com" { unless recursion has been previously disabled.

For more information on how to use ACLs to protect your server, -see the AUSCERT advisory at

7.2. chrootOn UNIX servers, it is possible to run BIND in a in a chrooted environment (

7.2.1. The chroot

Unlike with earlier versions of BIND, you will typically -not need to compile named

7.2.2. Using the setuid

Next
PrevTroubleshooting
HomeNext
Prev
8.1. Common Problems
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?

8.1. Common Problems

Next
PrevAppendices
HomeNext
Prev
A.1. Acknowledgements

A.1. Acknowledgements

A.1.1. A Brief History of the DNSA.2.1. IPv6 addresses (A6)A.2.1. IPv6 addresses (AAAA)

IPv6 addresses are 128-bit identifiers for interfaces and @@ -239,17 +241,26 @@ sets of interfaces which were introduced in the DNS to facilitate -scalable Internet routing. There are three types of addresses: Unicast, -an identifier for a single interface; Anycast, -an identifier for a set of interfaces; and Multicast, an identifier for a set of interfaces. Here we describe the global Unicast address scheme. For more information, see RFC 2374.

The The Public Topology is provided by the -upstream provider or ISP, and (roughly) corresponds to the IPv4 network section -of the address range. The Site Topology is where you can subnet this space, much the same as subnetting an -IPv4 /16 network into /24 subnets. The Interface Identifier is the address of an individual interface on a given network. (With IPv6, addresses belong to interfaces rather than machines.)

The internal structure of the Public Topology for an A6 global -unicast address consists of:

3

13

8

24

FP

TLA ID

RES

NLA ID

A 3 bit FP (Format Prefix) of 001 indicates this is a global -Unicast address. FP lengths for other types of addresses may vary.

13 TLA (Top Level Aggregator) bits give the prefix of your -top-level IP backbone carrier.

8 Reserved bits

24 bits for Next Level Aggregators. This allows organizations -with a TLA to hand out portions of their IP space to client organizations, -so that the client can then split up the network further by filling -in more NLA bits, and hand out IPv6 prefixes to their clients, and -so forth.

There is no particular structure for the Site topology section. -Organizations can allocate these bits in any way they desire.

The Interface Identifier must be unique on that network. On ethernet networks, one way to ensure this is to set the address to the first three bytes of the hardware address, "FFFE", then the @@ -762,7 +688,7 @@ of a block may be omitted, for example:

3ffe:8050:201:9:a00:20ff:fe81:2b322001:4f8:201:9:a00:20ff:fe81:2b32

IPv6 address specifications are likely to contain long strings @@ -820,19 +746,19 @@ TARGET="_top"

Bibliography

Standards

[RFC974] 

[RFC1034] 

[RFC1035] 

Proposed Standards

[RFC2181] 

[RFC2308] 

[RFC1995] 

[RFC1996] 

[RFC2136] 

[RFC2845] 

Proposed Standards Still Under Development

[RFC1886] 

[RFC2065] 

[RFC2137] 

Other Important RFCs About DNS Implementation

[RFC1535] 

[RFC1536] 

[RFC1982] 

Resource Record Types

[RFC1183] 

[RFC1706] 

[RFC2168] 

[RFC1876] 

[RFC2052] 

[RFC2163] 

[RFC2230] 

DNS and the Internet

[RFC1101] 

[RFC1123] 

[RFC1591] 

[RFC2317] 

DNS Operations

[RFC1537] 

[RFC1912] 

[RFC1912] D. Barr, Common DNS Operational and Configuration Errors, February 1996.

[RFC2010] 

[RFC2219] 

Other DNS-related RFCs

[RFC1464] 

[RFC1713] 

[RFC1794] 

[RFC2240] 

[RFC2345] 

[RFC2352] 

Obsolete and Unimplemented Experimental RRs

[RFC1712] 

A.3.3. Other Documents About BIND

Bibliography


Prev
HomeBIND 9 Administrator Reference Manual
3.3.2. Signals
4.4. Split DNS
4.5.1. Generate Shared Keys for Each Pair of Hosts
4.5.2. Copying the Shared Secret to Both Machines
4.5.3. Informing the Servers of the Key's Existence
4.5.4. Instructing the Server to Use the Key
4.5.5. TSIG Key Based Access Control
4.5.6. Errors
4.6. TKEY
4.7. SIG(0)
4.8.1. Generating Keys
4.8.2. Creating a Keyset
4.8.3. Signing the Child's Keyset
4.8.4. Signing the Zone
4.8.5. Configuring Servers
4.9. IPv6 Support in BIND
4.9.1. Address Lookups Using AAAA Records
4.9.2. Address Lookups Using A6 Records
4.9.3. Address to Name Lookups Using Nibble Format
4.9.4. Address to Name Lookups Using Binary Label Format
4.9.5. Using DNAME for Delegation of IPv6 Reverse Addresses
5.1. The Lightweight Resolver Library
6.1.2. Comment Syntax
6.2.1. acl
6.2.3. controls
6.2.5. include
6.2.6. include
6.2.7. key
6.2.8. key
6.2.9. logging
6.2.10. logging
6.2.11. lwres
6.2.12. lwres
6.2.13. masters Statement Grammar
6.2.14. masters Statement Definition and Usage
6.2.15. options Statement Grammar
6.2.14. 6.2.16. Statement Definition and Usage
6.2.15. 6.2.17. Statement Grammar
6.2.16. 6.2.18. Statement Definition and Usage
6.2.17. 6.2.19. trusted-keys Statement Grammar
6.2.18. 6.2.20. trusted-keys
6.2.19. 6.2.21. Statement Grammar
6.2.20. 6.2.22. view Statement Definition and Usage
6.2.21. 6.2.23.
6.2.22. 6.2.24. zone
6.3. Zone File
6.3.2. Discussion of MX Records
6.3.4. Inverse Mapping in IPv4
6.3.5. Other Zone File Directives
6.3.6. BIND
7.2. chroot
7.2.1. The chroot
7.2.2. Using the setuid
8.1. Common Problems
8.1.1. It's not working; how can I figure out what's wrong?
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?
A.1. Acknowledgements
A.1.1. A Brief History of the DNS
A.2.1. IPv6 addresses (A6)IPv6 addresses (AAAA)
A.3.3. Other Documents About BIND
Next ] { ( [port ] | [port ] | [port ] ); ... }; edns-udp-size ; + root-delegation-only [ exclude { ; ... } ]; allow-query { ; ... }; allow-transfer { ; ... }; allow-update-forwarding { ; ... }; @@ -150,7 +151,8 @@ view { secret ; }; zone { - type ( master | slave | stub | hint | forward ); + type ( master | slave | stub | hint | forward | + delegation-only ); allow-update { ; ... }; file ; ixfr-base ; // obsolete @@ -162,6 +164,7 @@ view { update-policy { ( grant | deny ) ( name | subdomain | wildcard | self ) ; ... }; database ; + delegation-only ; check-names ; // not implemented allow-query { ; ... }; allow-transfer { ; ... }; @@ -213,6 +216,10 @@ view { transfer-format ( many-answers | one-answer ); keys ; edns ; + transfer-source ( | * ) [ port ( | + * ) ]; + transfer-source-v6 ( | * ) [ port ( + | * ) ]; }; trusted-keys { ; ... }; @@ -247,6 +254,7 @@ view { dual-stack-servers [ port ] { ( [port ] | [port ] | [port ] ); ... }; edns-udp-size ; + root-delegation-only [ exclude { ; ... } ]; allow-query { ; ... }; allow-transfer { ; ... }; allow-update-forwarding { ; ... }; @@ -299,7 +307,7 @@ key { }; zone { - type ( master | slave | stub | hint | forward ); + type ( master | slave | stub | hint | forward | delegation-only ); allow-update { ; ... }; file ; ixfr-base ; // obsolete @@ -310,6 +318,7 @@ zone { update-policy { ( grant | deny ) ( name | subdomain | wildcard | self ) ; ... }; database ; + delegation-only ; check-names ; // not implemented allow-query { ; ... }; allow-transfer { ; ... }; @@ -358,6 +367,8 @@ server { transfer-format ( many-answers | one-answer ); keys ; edns ; + transfer-source ( | * ) [ port ( | * ) ]; + transfer-source-v6 ( | * ) [ port ( | * ) ]; }; trusted-keys { ; ... }; diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3 index 50183309bb..85e60a07ff 100644 --- a/lib/lwres/man/lwres_context.3 +++ b/lib/lwres/man/lwres_context.3 @@ -65,7 +65,7 @@ It holds a socket and other data needed for communicating with a resolver daemon. The new \fBlwres_context_t\fR -is returned throught +is returned through \fIcontextp\fR, a pointer to a \fBlwres_context_t\fR diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html index 377125c434..9eb314fe17 100644 --- a/lib/lwres/man/lwres_context.html +++ b/lib/lwres/man/lwres_context.html @@ -20,7 +20,7 @@ >lwres_contextlwres_context_t -is returned throught +is returned through lwres_getipnode*error_num -to an approriate error code and the function returns a +to an appropriate error code and the function returns a NULL