diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html index dae25d521c..5f78be532d 100644 --- a/bin/dig/nslookup.html +++ b/bin/dig/nslookup.html @@ -12,7 +12,7 @@
-
+

Name

nslookup — query Internet name servers interactively

diff --git a/bin/python/dnssec-keymgr.8 b/bin/python/dnssec-keymgr.8 index a08ab9c3c8..971677ac7c 100644 --- a/bin/python/dnssec-keymgr.8 +++ b/bin/python/dnssec-keymgr.8 @@ -49,7 +49,7 @@ and \fBdnssec\-settime\fR\&. .PP DNSSEC policy can be read from a configuration file (default -/etc/dnssec\&.policy), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a default policy used for all zones\&. +/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a default policy used for all zones\&. .PP When \fBdnssec\-keymgr\fR @@ -79,7 +79,7 @@ If \fB\-c\fR is specified, then the DNSSEC policy is read from \fBfile\fR\&. (If not specified, then the policy is read from -/etc/policy\&.conf; if that file doesn\*(Aqt exist, a built\-in global default policy is used\&.) +/etc/dnssec\-policy\&.conf; if that file doesn\*(Aqt exist, a built\-in global default policy is used\&.) .RE .PP \-f @@ -157,7 +157,7 @@ option\&. .SH "POLICY CONFIGURATION" .PP The -policy\&.conf +dnssec\-policy\&.conf file can specify three kinds of policies: .sp .RS 4 diff --git a/bin/python/dnssec-keymgr.html b/bin/python/dnssec-keymgr.html index 3480c43a7d..588d42074b 100644 --- a/bin/python/dnssec-keymgr.html +++ b/bin/python/dnssec-keymgr.html @@ -32,7 +32,7 @@

DNSSEC policy can be read from a configuration file (default - /etc/dnssec.policy), from which the key + /etc/dnssec-policy.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined. This file may be used to define individual DNSSEC policies on a @@ -79,7 +79,7 @@ If -c is specified, then the DNSSEC policy is read from file. (If not specified, then the policy is read from - /etc/policy.conf; if that file + /etc/dnssec-policy.conf; if that file doesn't exist, a built-in global default policy is used.)

-f
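Review bot: A site that keeps its policy file at an old default path will silently fall back to the built-in default policy after this rename, because the -c text still reads "if that file doesn't exist, a built-in global default policy is used". The visible lines touch documentation only, so confirm that the default path in the script matches /etc/dnssec-policy.conf, and call the rename out in the release notes. The pre-change text also disagreed with itself (/etc/dnssec.policy in the description, /etc/policy.conf under -c), so it is worth stating which path earlier versions actually read.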
@@ -146,7 +146,7 @@

POLICY CONFIGURATION

- The policy.conf file can specify three kinds + The dnssec-policy.conf file can specify three kinds of policies:

    diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index f86bb3f7bc..2bb972e428 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -2751,7 +2751,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] fstrm-set-buffer-hint: The threshold number of bytes to accumulate in the output buffer before forcing a buffer flush. The minimum is - 1K, the maximum is 64K, and the default is 8K. + 1024, the maximum is 65536, and the default is 8096.
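Review bot: The new default of 8096 for fstrm-set-buffer-hint does not equal the 8K it replaces (8 × 1024 = 8192), while the minimum and maximum convert exactly (1K = 1024, 64K = 65536). Check the value against the code and correct whichever side is wrong: either this line should read 8192, or the earlier "8K" was only an approximation and the change deserves a mention as a documentation fix.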
  • fstrm-set-flush-timeout: The number diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 78f41995ea..9e0773b302 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -43,7 +43,6 @@
    Security Fixes
    New Features
    Feature Changes
    -
    Porting Changes
    Bug Fixes
    End of Life
    Thank You
    @@ -181,10 +180,15 @@
  • - New quotas have been added to limit the queries that are - sent by recursive resolvers to authoritative servers - experiencing denial-of-service attacks. When configured, - these options can both reduce the harm done to authoritative + Fetch quotas are now compiled in by default: they + no longer require BIND to be configured with + --enable-fetchlimit, as was the case + when the feature was introduced in BIND 9.10.3. +

    +

    + These quotas limit the queries that are sent by recursive + resolvers to authoritative servers experiencing denial-of-service + attacks. They can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursive servers when they are being used as a vehicle for such an attack. @@ -530,7 +534,7 @@ recursive lookup returns NXDOMAIN, a second lookup is initiated with the specified name appended to the query name. This allows NXDOMAIN redirection data to be supplied - by multiple zones configured on the server or by recursive + by multiple zones configured on the server, or by recursive queries to other servers. (The older method, using a single type redirect zone, has better average performance but is less flexible.) [RT #37989] @@ -706,12 +710,6 @@ that was returned by the server in its initial response. [RT #39047]

  • -
  • - A alternative NXDOMAIN redirect method (nxdomain-redirect) - which allows the redirect information to be looked up from - a namespace on the Internet rather than requiring a zone - to be configured on the server is now available. -

  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported. @@ -735,7 +733,7 @@

  • The default preferred glue is now the address type of the - transport the query was received over. + transport the query was received over.

  • On machines with 2 or more processors (CPU), the default value @@ -764,17 +762,26 @@ section; no-auth-recursive does the same but only when answering recursive queries.

  • +
  • + At server startup time, the queues for processing + notify and zone refresh queries are now processed in + LIFO rather than FIFO order, to speed up + loading of newly added zones. [RT #42825] +

  • +
  • + When answering queries of type MX or SRV, TLSA records for + the target name are now included in the additional section + to speed up DANE processing. [RT #42894] +

  • +
  • + named can now use the TCP Fast Open + mechanism on the server side, if supported by the + local operating system. [RT #42866] +

-Porting Changes

-
  • - None. -

-
-
-

Bug Fixes
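Review bot: The TCP Fast Open entry added in this hunk says named can use the mechanism "if supported by the local operating system" but not whether it is enabled by default or how an operator turns it off; a release note for a change in server-side TCP behaviour should state both. The removal of the "Porting Changes" section, which only said "None.", is consistent with the table-of-contents entry dropped earlier in this file.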

  • diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index 3e1e2f658f..26140c160c 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -51,6 +51,9 @@ delv — DNS lookup and validation utility

    +nslookup — query Internet name servers interactively +
    +
    dnssec-checkds — DNSSEC delegation consistency checking tool
    @@ -69,6 +72,9 @@ dnssec-keygen — DNSSEC key generation tool
    +dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy +
    +
    dnssec-revoke — set the REVOKED bit on a DNSSEC key
    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 41628d9f2e..73e87bddfd 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -248,7 +248,6 @@
    Security Fixes
    New Features
    Feature Changes
    -
    Porting Changes
    Bug Fixes
    End of Life
    Thank You
    @@ -293,6 +292,9 @@ delv — DNS lookup and validation utility
    +nslookup — query Internet name servers interactively +
    +
    dnssec-checkds — DNSSEC delegation consistency checking tool
    @@ -311,6 +313,9 @@ dnssec-keygen — DNSSEC key generation tool
    +dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy +
    +
    dnssec-revoke — set the REVOKED bit on a DNSSEC key
    diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 18db6e7843..38918db4ba 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -40,14 +40,14 @@

    arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.
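Review bot: The removed and added lines around the DESCRIPTION and SEE ALSO headings in this hunk show no difference in visible text, so the change is presumably confined to generated markup such as anchor ids, and the same pattern repeats across the other man.*.html files in this patch. That churn buries the few substantive edits (the dnssec-keymgr default policy path, the fstrm-set-buffer-hint values, the release notes). Consider making the generated ids stable, or committing regenerated pages separately from the source documentation changes.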

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index c879c2c852..8bb5c1c49e 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -41,7 +41,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

-

DESCRIPTION

+

DESCRIPTION

tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -77,7 +77,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -149,7 +149,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index b7d28a1bbd..97278c668b 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -13,7 +13,7 @@ - +

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 4e56b8ecb4..2e28902649 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ dnssec-checkds -Prev  +Prev  Manual pages  Next @@ -41,7 +41,7 @@

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

DESCRIPTION

+

DESCRIPTION

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -49,7 +49,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -78,7 +78,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8), @@ -90,13 +90,13 @@ +Prev  - + diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 72e53c4757..a0cc544ff4 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -40,7 +40,7 @@

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -68,7 +68,7 @@

-

OPTIONS

+

OPTIONS

-K directory

@@ -192,7 +192,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-checkds(8), dnssec-dsfromkey(8), diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index aa29d1426d..85feeef963 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -42,14 +42,14 @@

dnssec-dsfromkey [-h] [-V]

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -140,7 +140,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -155,7 +155,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -169,13 +169,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 58b5eb439c..4d687c37d7 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -41,7 +41,7 @@

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

-

DESCRIPTION

+

DESCRIPTION

dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-f filename
@@ -104,7 +104,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@

-

FILES

+

FILES

A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -151,7 +151,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 56a3abcd41..06e135113f 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -40,7 +40,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -56,7 +56,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -233,7 +233,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index a55f787894..809ac195f3 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -13,7 +13,7 @@ - +

-
-Prev  Up  Next
delv nslookup  Home  dnssec-coverage Prev  Manual pages Next + Next
@@ -40,7 +40,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-k] [-L ttl] [-P date/offset] [-P sync date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-V] [-v level] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -54,7 +54,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -277,7 +277,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -361,7 +361,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -407,7 +407,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -428,7 +428,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -444,14 +444,14 @@ Prev  UpNextNext dnssec-keyfromlabel  Homednssec-revokednssec-keymgr diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index c5eff266d2..7822116900 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -40,7 +40,7 @@

dnssec-keymgr [-K directory] [-c file] [-f] [-k] [-q] [-v] [-z] [-g path] [-r path] [-s path] [zone...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-keymgr is a high level Python wrapper to facilitate the key rollover process for zones handled by @@ -50,7 +50,7 @@

DNSSEC policy can be read from a configuration file (default - /etc/dnssec.policy), from which the key + /etc/dnssec-policy.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined. This file may be used to define individual DNSSEC policies on a @@ -90,14 +90,14 @@

-

OPTIONS

+

OPTIONS

-c file

If -c is specified, then the DNSSEC policy is read from file. (If not specified, then the policy is read from - /etc/policy.conf; if that file + /etc/dnssec-policy.conf; if that file doesn't exist, a built-in global default policy is used.)

-f
@@ -162,9 +162,9 @@
-

POLICY CONFIGURATION

+

POLICY CONFIGURATION

- The policy.conf file can specify three kinds + The dnssec-policy.conf file can specify three kinds of policies:

    @@ -263,7 +263,7 @@
-

REMAINING WORK

+

REMAINING WORK

  • Enable scheduling of KSK rollovers using the -P sync @@ -280,7 +280,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-coverage(8), dnssec-keygen(8), @@ -308,6 +308,6 @@

-

BIND 9.11.0a3

+

BIND 9.11.0rc1

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 2dbd97d8d5..9c6c181f47 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ dnssec-revoke -Prev  +Prev  Manual pages  Next @@ -40,7 +40,7 @@

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -48,7 +48,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -99,7 +99,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011. @@ -111,14 +111,14 @@ +Prev  +dnssec-keymgr  diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index fda9737b70..ebf07c1f98 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -40,7 +40,7 @@

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-D sync date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -123,7 +123,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -212,7 +212,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -241,7 +241,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 878d5bd565..fc2dd0886e 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -40,7 +40,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -51,7 +51,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -502,7 +502,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -532,7 +532,7 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641. diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index a2eb0a6e65..d56af50d93 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -40,7 +40,7 @@

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -48,7 +48,7 @@

-

OPTIONS

+

OPTIONS

-c class

@@ -128,7 +128,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index a155786e3e..ea7b61c41a 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -40,7 +40,7 @@

dnstap-read [-m] [-p] [-y] {file}

-

DESCRIPTION

+

DESCRIPTION

dnstap-read reads dnstap data from a specified file @@ -51,7 +51,7 @@

-

OPTIONS

+

OPTIONS

-m

@@ -71,7 +71,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 981c2c5dc8..f11bb8b984 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -40,7 +40,7 @@

genrandom [-n number] {size} {filename}

-

DESCRIPTION

+

DESCRIPTION

genrandom generates a file or a set of files containing a specified quantity @@ -49,7 +49,7 @@

-

ARGUMENTS

+

ARGUMENTS

-n number

@@ -67,7 +67,7 @@

-

SEE ALSO

+

SEE ALSO

rand(3), arc4random(3) diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 4360d2f84e..ac7b6dc8b2 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -40,7 +40,7 @@

isc-hmac-fixup {algorithm} {secret}

-

DESCRIPTION

+

DESCRIPTION

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -66,7 +66,7 @@

-

SECURITY CONSIDERATIONS

+

SECURITY CONSIDERATIONS

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -77,7 +77,7 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 2104. diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index 879cd86a59..a7580f8e12 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -40,7 +40,7 @@

lwresd [-c config-file] [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-m flag] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v] [-4] [-6]

-

DESCRIPTION

+

DESCRIPTION

lwresd is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver @@ -75,7 +75,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -205,7 +205,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -218,7 +218,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), lwres(3), resolver(5). diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index b0e6c12009..5ffc241241 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -40,7 +40,7 @@

named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -60,7 +60,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -109,14 +109,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual. diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index ec737043f2..8dd756c009 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -41,7 +41,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -295,14 +295,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index b799052df5..ed1608d7ca 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -40,7 +40,7 @@

named-journalprint {journal}

-

DESCRIPTION

+

DESCRIPTION

named-journalprint prints the contents of a zone journal file in a human-readable @@ -66,7 +66,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 22d0e74673..005ef879ba 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -42,7 +42,7 @@

named-nzd2nzf {filename}

-

DESCRIPTION

+

DESCRIPTION

named-nzd2nzf converts an NZD database to NZF format and prints it to standard output. This can be used to @@ -54,7 +54,7 @@

-

ARGUMENTS

+

ARGUMENTS

filename

@@ -64,13 +64,13 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index ca5fc5fb39..5a79cff4ca 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -40,7 +40,7 @@

named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

-

DESCRIPTION

+

DESCRIPTION

named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -68,7 +68,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index c4378326b2..0f1a5ed89e 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -40,7 +40,7 @@

named.conf

-

DESCRIPTION

+

DESCRIPTION

named.conf is the configuration file for named. Statements are enclosed @@ -59,14 +59,14 @@

-

ACL

+

ACL


acl string { address_match_element; ... };

-

KEY

+

KEY


key domain_name {
algorithm string;
@@ -75,7 +75,7 @@ key

-

MASTERS

+

MASTERS


masters string [ port integer ] {
masters | ipv4_address [port integer] |
@@ -84,7 +84,7 @@ masters

-

SERVER

+

SERVER


server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
bogus boolean;
@@ -107,7 +107,7 @@ server

-

TRUSTED-KEYS

+

TRUSTED-KEYS


trusted-keys {
domain_name flags protocol algorithm key; ...
@@ -115,7 +115,7 @@ trusted-keys

-

MANAGED-KEYS

+

MANAGED-KEYS


managed-keys {
domain_name initial-key flags protocol algorithm key; ...
@@ -123,7 +123,7 @@ managed-keys

-

CONTROLS

+

CONTROLS


controls {
inet ( ipv4_address | ipv6_address | * )
@@ -135,7 +135,7 @@ controls

-

LOGGING

+

LOGGING


logging {
channel string {
@@ -153,7 +153,7 @@ logging

-

LWRES

+

LWRES


lwres {
listen-on [ port integer ] {
@@ -168,7 +168,7 @@ lwres

-

OPTIONS

+

OPTIONS


options {
avoid-v4-udp-ports { port; ... };
@@ -406,7 +406,7 @@ options

-

VIEW

+

VIEW


view string optional_class {
match-clients { address_match_element; ... };
@@ -576,7 +576,7 @@ view

-

ZONE

+

ZONE


zone string optional_class {
type ( master | slave | stub | hint | redirect |
@@ -673,12 +673,12 @@ zone

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), rndc(8), diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index e027954b3a..2a26d2213a 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -40,7 +40,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -55,7 +55,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -292,7 +292,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -313,7 +313,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -330,7 +330,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -343,7 +343,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index e5bc3c226f..d874d784ec 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -40,7 +40,7 @@

nsec3hash {salt} {algorithm} {iterations} {domain}

-

DESCRIPTION

+

DESCRIPTION

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -48,7 +48,7 @@

-

ARGUMENTS

+

ARGUMENTS

salt

@@ -72,7 +72,7 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 5155. diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 1cb49ee66a..1ec9076387 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -345,6 +345,6 @@ nslookup -query=hinfo -timeout=10

-Prev  Up  Next
-dnssec-keygen  Home  dnssec-settime

-

BIND 9.11.0a3

+

BIND 9.11.0rc1

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index c6f83693e0..e28efa6eb9 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -40,7 +40,7 @@

nsupdate [-d] [-D] [-L level] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -98,7 +98,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -233,7 +233,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -547,7 +547,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -601,7 +601,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -624,7 +624,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -639,7 +639,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 5bd5f5d78a..2d41af9090 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -40,7 +40,7 @@

pkcs11-destroy [-m module] [-s slot] { -i ID | -l label } [-p PIN] [-w seconds]

-

DESCRIPTION

+

DESCRIPTION

pkcs11-destroy destroys keys stored in a PKCS#11 device, identified by their ID or @@ -53,7 +53,7 @@

-

ARGUMENTS

+

ARGUMENTS

-m module

@@ -88,7 +88,7 @@

-

SEE ALSO

+

SEE ALSO

pkcs11-keygen(8), pkcs11-list(8), diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index c6b651ab7a..26b6f47c09 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -40,7 +40,7 @@

pkcs11-keygen {-a algorithm} [-b keysize] [-e] [-i id] [-m module] [-P] [-p PIN] [-q] [-S] [-s slot] {label}

-

DESCRIPTION

+

DESCRIPTION

pkcs11-keygen causes a PKCS#11 device to generate a new key pair with the given label (which must be @@ -48,7 +48,7 @@

-

ARGUMENTS

+

ARGUMENTS

-a algorithm

@@ -111,7 +111,7 @@

-

SEE ALSO

+

SEE ALSO

pkcs11-destroy(8), pkcs11-list(8), diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index bc410eb229..244695e634 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -40,7 +40,7 @@

pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]

-

DESCRIPTION

+

DESCRIPTION

pkcs11-list lists the PKCS#11 objects with ID or @@ -52,7 +52,7 @@

-

ARGUMENTS

+

ARGUMENTS

-P

@@ -86,7 +86,7 @@

-

SEE ALSO

+

SEE ALSO

pkcs11-destroy(8), pkcs11-keygen(8), diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 666d2eb269..4b9254c117 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -38,7 +38,7 @@

pkcs11-tokens [-m module] [-v]

-

DESCRIPTION

+

DESCRIPTION

pkcs11-tokens lists the PKCS#11 available tokens with defaults from the slot/token @@ -46,7 +46,7 @@

-

ARGUMENTS

+

ARGUMENTS

-m module

@@ -61,7 +61,7 @@

-

SEE ALSO

+

SEE ALSO

pkcs11-destroy(8), pkcs11-keygen(8), diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 74d889b68e..b49def4d25 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -40,7 +40,7 @@

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -56,7 +56,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -171,7 +171,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index f6ea3e16b7..7fc70b2b83 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -40,7 +40,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -126,7 +126,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -200,7 +200,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -210,7 +210,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 6adeff5800..1035d8c0ed 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -40,7 +40,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-r] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -148,7 +148,7 @@

-

COMMANDS

+

COMMANDS

A list of commands supported by rndc can be seen by running rndc without arguments. @@ -746,7 +746,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -756,7 +756,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 4840b5f6bb..509a0dc999 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -142,10 +142,15 @@

  • - New quotas have been added to limit the queries that are - sent by recursive resolvers to authoritative servers - experiencing denial-of-service attacks. When configured, - these options can both reduce the harm done to authoritative + Fetch quotas are now compiled in by default: they + no longer require BIND to be configured with + --enable-fetchlimit, as was the case + when the feature was introduced in BIND 9.10.3. +

    +

    + These quotas limit the queries that are sent by recursive + resolvers to authoritative servers experiencing denial-of-service + attacks. They can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursive servers when they are being used as a vehicle for such an attack. @@ -491,7 +496,7 @@ recursive lookup returns NXDOMAIN, a second lookup is initiated with the specified name appended to the query name. This allows NXDOMAIN redirection data to be supplied - by multiple zones configured on the server or by recursive + by multiple zones configured on the server, or by recursive queries to other servers. (The older method, using a single type redirect zone, has better average performance but is less flexible.) [RT #37989] @@ -667,12 +672,6 @@ that was returned by the server in its initial response. [RT #39047]

  • -
  • - A alternative NXDOMAIN redirect method (nxdomain-redirect) - which allows the redirect information to be looked up from - a namespace on the Internet rather than requiring a zone - to be configured on the server is now available. -

  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported. @@ -696,7 +695,7 @@

  • The default preferred glue is now the address type of the - transport the query was received over. + transport the query was received over.

  • On machines with 2 or more processors (CPU), the default value @@ -725,17 +724,26 @@ section; no-auth-recursive does the same but only when answering recursive queries.

  • +
  • + At server startup time, the queues for processing + notify and zone refresh queries are now processed in + LIFO rather than FIFO order, to speed up + loading of newly added zones. [RT #42825] +

  • +
  • + When answering queries of type MX or SRV, TLSA records for + the target name are now included in the additional section + to speed up DANE processing. [RT #42894] +

  • +
  • + named can now use the TCP Fast Open + mechanism on the server side, if supported by the + local operating system. [RT #42866] +

  • -Porting Changes

    -
    -
    -
    -

    Bug Fixes
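Review bot: In the doc/arm/notes.html hunk at @@ -142,10 +142,15 @@, the rewritten entry says fetch quotas are "compiled in by default", but with "When configured, these options" dropped it no longer tells the reader whether the quotas take effect out of the box or still have to be set in the configuration. Suggest saying so explicitly and naming the options, so that an operator upgrading from a build made without --enable-fetchlimit knows whether resolver behaviour changes on upgrade.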
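Review bot: In the doc/arm/notes.html hunk at @@ -667,12 +672,6 @@, the deleted entry is the only text visible in this diff that names the option (nxdomain-redirect); the retained description shown in the @@ -491,7 +496,7 @@ hunk speaks only of "the specified name appended to the query name". If this entry is being dropped as a duplicate of that one, please confirm the surviving entry names the option, otherwise the release notes describe the feature without saying how to configure it.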
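Review bot: In the doc/arm/notes.html hunk at @@ -725,17 +724,26 @@, the TCP Fast Open entry says named can use the mechanism "if supported by the local operating system" without saying whether it is turned on automatically or how an operator can tell it is in effect; the TLSA entry likewise changes what goes into the additional section of MX and SRV responses without stating whether this can be switched off. Suggest one sentence on default behaviour for each. Separately, the same hunk deletes the "Porting Changes" heading, which is unrelated to the three new entries and deserves a mention in the commit message.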