From 45571e73747cb97c4abcdc7be8cc0c484b1b0e42 Mon Sep 17 00:00:00 2001
From: Tinderbox User <tbox@isc.org>
Date: Thu, 3 Nov 2016 01:12:32 +0000
Subject: [PATCH] regen v9_11

---
 bin/named/named.conf.5      |   3 +
 bin/named/named.conf.html   |   3 +
 doc/arm/Bv9ARM.ch06.html    |  11 +++
 doc/arm/Bv9ARM.ch09.html    |   7 ++
 doc/arm/man.named.conf.html |   3 +
 doc/arm/notes.html          |   7 ++
 doc/misc/options            | 143 ++++++++++++++++++++++--------------
 7 files changed, 120 insertions(+), 57 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 7d0a0a1dac..9f548cc63c 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -369,6 +369,7 @@ options {
 		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 	};
 	max\-journal\-size \fIsize_no_default\fR;
+	max\-records \fIinteger\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
 	max\-transfer\-time\-out \fIinteger\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
@@ -556,6 +557,7 @@ view \fIstring\fR \fIoptional_class\fR {
 		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 	};
 	max\-journal\-size \fIsize_no_default\fR;
+	max\-records \fIinteger\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
 	max\-transfer\-time\-out \fIinteger\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
@@ -650,6 +652,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 	};
 	max\-journal\-size \fIsize_no_default\fR;
+	max\-records \fIinteger\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
 	max\-transfer\-time\-out \fIinteger\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 42655e4e7a..f22501a677 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -320,6 +320,7 @@ options
 	};<br>
 <br>
 	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -523,6 +524,7 @@ view
 	};<br>
 <br>
 	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -623,6 +625,7 @@ zone
 	};<br>
 <br>
 	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index ad6c528023..360e82fe4e 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -2402,6 +2402,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
+    [<span class="optional"> max-records <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
@@ -5594,6 +5595,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   means 2 gigabytes.
                   This may also be set on a per-zone basis.
                 </p></dd>
+<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
+<dd><p>
+                  The maximum number of records permitted in a zone.
+                  The default is zero which means unlimited.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt>
 <dd><p>
                   In BIND 8, specifies the maximum number of host statistics
@@ -9171,6 +9177,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     See the description of
                     <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
                   </p></dd>
+<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span class="command"><strong>max-records</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
 <dd><p>
                     See the description of
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 51e72f70c1..3f677d2bcd 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -108,6 +108,13 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+	  Added the ability to specify the maximum number of records
+	  permitted in a zone (max-records #;).  This provides a mechanism
+	  to block overly large zone transfers, which is a potential risk
+	  with slave zones from other parties, as described in CVE-2016-6170.
+	  [RT #42143]
+	</p></li>
 <li class="listitem"><p>
 	  It was possible to trigger a assertion when rendering a
 	  message using a specially crafted request. This flaw is
diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index 824ae9cb7f..2e6ad1023c 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -338,6 +338,7 @@ options
 	};<br>
 <br>
 	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -541,6 +542,7 @@ view
 	};<br>
 <br>
 	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -641,6 +643,7 @@ zone
 	};<br>
 <br>
 	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 2639a469ad..63dfa108b4 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -69,6 +69,13 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+	  Added the ability to specify the maximum number of records
+	  permitted in a zone (max-records #;).  This provides a mechanism
+	  to block overly large zone transfers, which is a potential risk
+	  with slave zones from other parties, as described in CVE-2016-6170.
+	  [RT #42143]
+	</p></li>
 <li class="listitem"><p>
 	  It was possible to trigger a assertion when rendering a
 	  message using a specially crafted request. This flaw is
diff --git a/doc/misc/options b/doc/misc/options
index 99fb00934a..16b1b47f0d 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -2,30 +2,35 @@
 This is a summary of the named.conf options supported by 
 this version of BIND 9.
 
-acl <string> { <address_match_element>; ... };
+acl <string> { <address_match_element>; ... }; // may occur multiple times
 
 controls {
-        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
-            ) ] allow { <address_match_element>; ... } [ keys { <string>;
-            ... } ] [ read-only <boolean> ];
-        unix <quoted_string> perm <integer> owner <integer> group <integer>
-            [ keys { <string>; ... } ] [ read-only <boolean> ];
-};
+        inet ( <ipv4_address> | <ipv6_address> |
+            * ) [ port ( <integer> | * ) ] allow
+            { <address_match_element>; ... } [
+            keys { <string>; ... } ] [ read-only
+            <boolean> ]; // may occur multiple times
+        unix <quoted_string> perm <integer>
+            owner <integer> group <integer> [
+            keys { <string>; ... } ] [ read-only
+            <boolean> ]; // may occur multiple times
+}; // may occur multiple times
 
 dlz <string> {
         database <string>;
         search <boolean>;
-};
+}; // may occur multiple times
 
-dyndb <string> <quoted_string> { <unspecified text> };
+dyndb <string> <quoted_string> {
+    <unspecified-text> }; // may occur multiple times
 
 key <string> {
         algorithm <string>;
         secret <string>;
-};
+}; // may occur multiple times
 
 logging {
-        category <string> { <string>; ... };
+        category <string> { <string>; ... }; // may occur multiple times
         channel <string> {
                 buffered <boolean>;
                 file <quoted_string> [ versions ( "unlimited" | <integer> )
@@ -37,7 +42,7 @@ logging {
                 severity <log_severity>;
                 stderr;
                 syslog [ <syslog_facility> ];
-        };
+        }; // may occur multiple times
 };
 
 lwres {
@@ -48,14 +53,15 @@ lwres {
         ndots <integer>;
         search { <string>; ... };
         view <string> [ <class> ];
-};
+}; // may occur multiple times
 
-managed-keys { <string> <string> <integer> <integer> <integer>
-    <quoted_string>; ... };
+managed-keys { <string> <string> <integer>
+    <integer> <integer> <quoted_string>; ... }; // may occur multiple times
 
-masters <string> [ port <integer> ] [ dscp <integer> ] { ( <masters> |
-    <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] )
-    [ key <string> ]; ... };
+masters <string> [ port <integer> ] [ dscp
+    <integer> ] { ( <masters> | <ipv4_address> [
+    port <integer> ] | <ipv6_address> [ port
+    <integer> ] ) [ key <string> ]; ... }; // may occur multiple times
 
 options {
         acache-cleaning-interval <integer>;
@@ -99,7 +105,8 @@ options {
         check-integrity <boolean>;
         check-mx ( fail | warn | ignore );
         check-mx-cname ( fail | warn | ignore );
-        check-names ( master | slave | response ) ( fail | warn | ignore );
+        check-names ( master | slave | response
+            ) ( fail | warn | ignore ); // may occur multiple times
         check-sibling <boolean>;
         check-spf ( warn | ignore );
         check-srv-cname ( fail | warn | ignore );
@@ -117,9 +124,11 @@ options {
             <quoted_string>; ... } ];
         dialup ( notify | notify-passive | refresh | passive | <boolean> );
         directory <quoted_string>;
-        disable-algorithms <string> { <string>; ... };
-        disable-ds-digests <string> { <string>; ... };
-        disable-empty-zone <string>;
+        disable-algorithms <string> { <string>;
+            ... }; // may occur multiple times
+        disable-ds-digests <string> { <string>;
+            ... }; // may occur multiple times
+        disable-empty-zone <string>; // may occur multiple times
         dns64 <netprefix> {
                 break-dnssec <boolean>;
                 clients { <address_match_element>; ... };
@@ -127,15 +136,16 @@ options {
                 mapped { <address_match_element>; ... };
                 recursive-only <boolean>;
                 suffix <ipv6_address>;
-        };
+        }; // may occur multiple times
         dns64-contact <string>;
         dns64-server <string>;
         dnssec-accept-expired <boolean>;
         dnssec-dnskey-kskonly <boolean>;
         dnssec-enable <boolean>;
         dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string> trust-anchor <string> | auto | no );
-        dnssec-must-be-secure <string> <boolean>;
+        dnssec-lookaside ( <string> trust-anchor
+            <string> | auto | no ); // may occur multiple times
+        dnssec-must-be-secure <string> <boolean>; // may occur multiple times
         dnssec-secure-to-insecure <boolean>;
         dnssec-update-mode ( maintain | no-resign );
         dnssec-validation ( yes | no | auto );
@@ -188,10 +198,12 @@ options {
         keep-response-order { <address_match_element>; ... };
         key-directory <quoted_string>;
         lame-ttl <ttlval>;
-        listen-on [ port <integer> ] [ dscp <integer> ] {
-            <address_match_element>; ... };
-        listen-on-v6 [ port <integer> ] [ dscp <integer> ] {
-            <address_match_element>; ... };
+        listen-on [ port <integer> ] [ dscp
+            <integer> ] {
+            <address_match_element>; ... }; // may occur multiple times
+        listen-on-v6 [ port <integer> ] [ dscp
+            <integer> ] {
+            <address_match_element>; ... }; // may occur multiple times
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // obsolete
         managed-keys-directory <quoted_string>;
@@ -205,6 +217,7 @@ options {
         max-ixfr-log-size ( unlimited | default | <sizeval> ); // obsolete
         max-journal-size ( unlimited | <sizeval> );
         max-ncache-ttl <integer>;
+        max-records <integer>;
         max-recursion-depth <integer>;
         max-recursion-queries <integer>;
         max-refresh-time <integer>;
@@ -329,7 +342,7 @@ options {
         transfers-out <integer>;
         transfers-per-ns <integer>;
         treat-cr-as-space <boolean>; // obsolete
-        trust-anchor-telemetry <boolean>;
+        trust-anchor-telemetry <boolean>; // experimental
         try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
         use-alt-transfer-source <boolean>;
@@ -372,14 +385,17 @@ server <netprefix> {
         transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
             ] [ dscp <integer> ];
         transfers <integer>;
-};
+}; // may occur multiple times
 
 statistics-channels {
-        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
-            ) ] [ allow { <address_match_element>; ... } ];
-};
+        inet ( <ipv4_address> | <ipv6_address> |
+            * ) [ port ( <integer> | * ) ] [
+            allow { <address_match_element>; ...
+            } ]; // may occur multiple times
+}; // may occur multiple times
 
-trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
+trusted-keys { <string> <integer> <integer>
+    <integer> <quoted_string>; ... }; // may occur multiple times
 
 view <string> [ <class> ] {
         acache-cleaning-interval <integer>;
@@ -418,7 +434,8 @@ view <string> [ <class> ] {
         check-integrity <boolean>;
         check-mx ( fail | warn | ignore );
         check-mx-cname ( fail | warn | ignore );
-        check-names ( master | slave | response ) ( fail | warn | ignore );
+        check-names ( master | slave | response
+            ) ( fail | warn | ignore ); // may occur multiple times
         check-sibling <boolean>;
         check-spf ( warn | ignore );
         check-srv-cname ( fail | warn | ignore );
@@ -430,13 +447,15 @@ view <string> [ <class> ] {
         deny-answer-aliases { <quoted_string>; ... } [ except-from {
             <quoted_string>; ... } ];
         dialup ( notify | notify-passive | refresh | passive | <boolean> );
-        disable-algorithms <string> { <string>; ... };
-        disable-ds-digests <string> { <string>; ... };
-        disable-empty-zone <string>;
+        disable-algorithms <string> { <string>;
+            ... }; // may occur multiple times
+        disable-ds-digests <string> { <string>;
+            ... }; // may occur multiple times
+        disable-empty-zone <string>; // may occur multiple times
         dlz <string> {
                 database <string>;
                 search <boolean>;
-        };
+        }; // may occur multiple times
         dns64 <netprefix> {
                 break-dnssec <boolean>;
                 clients { <address_match_element>; ... };
@@ -444,15 +463,16 @@ view <string> [ <class> ] {
                 mapped { <address_match_element>; ... };
                 recursive-only <boolean>;
                 suffix <ipv6_address>;
-        };
+        }; // may occur multiple times
         dns64-contact <string>;
         dns64-server <string>;
         dnssec-accept-expired <boolean>;
         dnssec-dnskey-kskonly <boolean>;
         dnssec-enable <boolean>;
         dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string> trust-anchor <string> | auto | no );
-        dnssec-must-be-secure <string> <boolean>;
+        dnssec-lookaside ( <string> trust-anchor
+            <string> | auto | no ); // may occur multiple times
+        dnssec-must-be-secure <string> <boolean>; // may occur multiple times
         dnssec-secure-to-insecure <boolean>;
         dnssec-update-mode ( maintain | no-resign );
         dnssec-validation ( yes | no | auto );
@@ -462,7 +482,8 @@ view <string> [ <class> ] {
             <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
             <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
             <integer> ] [ dscp <integer> ] ); ... };
-        dyndb <string> <quoted_string> { <unspecified text> };
+        dyndb <string> <quoted_string> {
+            <unspecified-text> }; // may occur multiple times
         edns-udp-size <integer>;
         empty-contact <string>;
         empty-server <string>;
@@ -482,12 +503,13 @@ view <string> [ <class> ] {
         key <string> {
                 algorithm <string>;
                 secret <string>;
-        };
+        }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <ttlval>;
         maintain-ixfr-base <boolean>; // obsolete
-        managed-keys { <string> <string> <integer> <integer> <integer>
-            <quoted_string>; ... };
+        managed-keys { <string> <string>
+            <integer> <integer> <integer>
+            <quoted_string>; ... }; // may occur multiple times
         masterfile-format ( text | raw | map );
         masterfile-style ( full | relative );
         match-clients { <address_match_element>; ... };
@@ -500,6 +522,7 @@ view <string> [ <class> ] {
         max-ixfr-log-size ( unlimited | default | <sizeval> ); // obsolete
         max-journal-size ( unlimited | <sizeval> );
         max-ncache-ttl <integer>;
+        max-records <integer>;
         max-recursion-depth <integer>;
         max-recursion-queries <integer>;
         max-refresh-time <integer>;
@@ -602,7 +625,7 @@ view <string> [ <class> ] {
                 transfer-source-v6 ( <ipv6_address> | * ) [ port (
                     <integer> | * ) ] [ dscp <integer> ];
                 transfers <integer>;
-        };
+        }; // may occur multiple times
         servfail-ttl <ttlval>;
         sig-signing-nodes <integer>;
         sig-signing-signatures <integer>;
@@ -616,9 +639,10 @@ view <string> [ <class> ] {
             dscp <integer> ];
         transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
             ] [ dscp <integer> ];
-        trust-anchor-telemetry <boolean>;
-        trusted-keys { <string> <integer> <integer> <integer>
-            <quoted_string>; ... };
+        trust-anchor-telemetry <boolean>; // experimental
+        trusted-keys { <string> <integer>
+            <integer> <integer> <quoted_string>;
+            ... }; // may occur multiple times
         try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
         use-alt-transfer-source <boolean>;
@@ -681,6 +705,7 @@ view <string> [ <class> ] {
                 max-ixfr-log-size ( unlimited | default |
                     <sizeval> ); // obsolete
                 max-journal-size ( unlimited | <sizeval> );
+                max-records <integer>;
                 max-refresh-time <integer>;
                 max-retry-time <integer>;
                 max-transfer-idle-in <integer>;
@@ -699,8 +724,10 @@ view <string> [ <class> ] {
                     | * ) ] [ dscp <integer> ];
                 notify-to-soa <boolean>;
                 nsec3-test-zone <boolean>; // test only
-                pubkey <integer> <integer> <integer>
-                    <quoted_string>; // obsolete
+                pubkey <integer>
+                    <integer>
+                    <integer>
+                    <quoted_string>; // obsolete, may occur multiple times
                 request-expire <boolean>;
                 request-ixfr <boolean>;
                 serial-update-method ( increment | unixtime | date );
@@ -727,9 +754,9 @@ view <string> [ <class> ] {
                 use-alt-transfer-source <boolean>;
                 zero-no-soa-ttl <boolean>;
                 zone-statistics ( full | terse | none | <boolean> );
-        };
+        }; // may occur multiple times
         zone-statistics ( full | terse | none | <boolean> );
-};
+}; // may occur multiple times
 
 zone <string> [ <class> ] {
         allow-notify { <address_match_element>; ... };
@@ -782,6 +809,7 @@ zone <string> [ <class> ] {
             <integer> ] ) [ key <string> ]; ... };
         max-ixfr-log-size ( unlimited | default | <sizeval> ); // obsolete
         max-journal-size ( unlimited | <sizeval> );
+        max-records <integer>;
         max-refresh-time <integer>;
         max-retry-time <integer>;
         max-transfer-idle-in <integer>;
@@ -800,7 +828,8 @@ zone <string> [ <class> ] {
             [ dscp <integer> ];
         notify-to-soa <boolean>;
         nsec3-test-zone <boolean>; // test only
-        pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
+        pubkey <integer> <integer>
+            <integer> <quoted_string>; // obsolete, may occur multiple times
         request-expire <boolean>;
         request-ixfr <boolean>;
         serial-update-method ( increment | unixtime | date );
@@ -826,5 +855,5 @@ zone <string> [ <class> ] {
         use-alt-transfer-source <boolean>;
         zero-no-soa-ttl <boolean>;
         zone-statistics ( full | terse | none | <boolean> );
-};
+}; // may occur multiple times