diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index a8b1a3ba52..e8ff265629 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -377,6 +377,27 @@ Specify the EDNS version to query with. Valid values are 0 to 255. Setting the E clears the remembered EDNS version. EDNS is set to 0 by default. .RE .PP +\fB+[no]ednsflags[=#]\fR +.RS 4 +Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set. +.RE +.PP +\fB+[no]ednsnegotiation\fR +.RS 4 +Enable / disable EDNS version negotiation. By default EDNS version negotiation is enabled. +.RE +.PP +\fB+[no]ednsopt[=code[:value]]\fR +.RS 4 +Specify EDNS option with code point +\fBcode\fR +and optionally payload of +\fBvalue\fR +as a hexadecimal string. +\fB+noednsopt\fR +clears the EDNS options to to be sent. +.RE +.PP \fB+[no]expire\fR .RS 4 Send an EDNS Expire option. diff --git a/bin/dig/dig.html b/bin/dig/dig.html index a09ecfefbe..c4728c999d 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -398,6 +398,25 @@ clears the remembered EDNS version. EDNS is set to 0 by default.
++[no]ednsflags[=#]+ Set the must-be-zero EDNS flags bits (Z bits) to the + specified value. Decimal, hex and octal encodings are + accepted. Setting a named flag (e.g. DO) will silently be + ignored. By default, no Z bits are set. +
+[no]ednsnegotiation+ Enable / disable EDNS version negotiation. By default + EDNS version negotiation is enabled. +
+[no]ednsopt[=code[:value]]
+ Specify EDNS option with code point code
+ and optionally payload of value as a
+ hexadecimal string. +noednsopt
+ clears the EDNS options to to be sent.
+
+[no]expireSend an EDNS Expire option. @@ -653,7 +672,7 @@
The BIND 9 implementation of dig supports @@ -699,7 +718,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -713,14 +732,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
host(1), named(8), dnssec-keygen(8), @@ -728,7 +747,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
There are probably too many query options.
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 21772ee896..f6a7fb2f5a 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -42,7 +42,173 @@Table of Contents
+ ++ This document summarizes changes since the last production release + of BIND on the corresponding major release branch. +
++ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +
++ dig +ednsopt can now be used to set + arbitrary EDNS options in DNS requests. +
+ dig +ednsflags can now be used to set + yet-to-be-defined EDNS flags in DNS requests. +
+ dig +[no]ednsnegotiation can now be used enable / + disable EDNS version negotiation. +
+ An --enable-querytrace configure switch is + now available to enable very verbose query tracelogging. This + option can only be set at compile time. This option has a + negative performance impact and should be used only for + debugging. +
None
+ Large inline-signing changes should be less disruptive.
+ Signature generation is now done incrementally; the number
+ of signatures to be generated in each quantum is controlled
+ by "sig-signing-signatures number;".
+ [RT #37927]
+
+ When retrying a query via TCP due to the first answer being + truncated, dig will now correctly send + the SIT (server identity token) value returned by the server + in the prior response. [RT #39047] +
+ Retrieving the local port range from net.ipv4.ip_local_port_range + on Linux is now supported. +
+ Asynchronous zone loads were not handled correctly when the + zone load was already in progress; this could trigger a crash + in zt.c. [RT #37573] +
+ A race during shutdown or reconfiguration could + cause an assertion failure in mem.c. [RT #38979] +
+ Some answer formatting options didn't work correctly with + dig +short. [RT #39291] +
+ Several bugs have been fixed in the RPZ implementation: +
++ Policy zones that did not specifically require recursion + could be treated as if they did; consequently, setting + qname-wait-recurse no; was + sometimes ineffective. This has been corrected. + In most configurations, behavioral changes due to this + fix will not be noticeable. [RT #39229] +
+ The server could crash if policy zones were updated (e.g. + via rndc reload or an incoming zone + transfer) while RPZ processing was still ongoing for an + active query. [RT #39415] +
+ On servers with one or more policy zones configured as + slaves, if a policy zone updated during regular operation + (rather than at startup) using a full zone reload, such as + via AXFR, a bug could allow the RPZ summary data to fall out + of sync, potentially leading to an assertion failure in + rpz.c when further incremental updates were made to the + zone, such as via IXFR. [RT #39567] +
+ The server could match a shorter prefix than what was + available in CLIENT-IP policy triggers, and so, an + unexpected action could be taken. This has been + corrected. [RT #39481] +
+ The end of life for BIND 9.10 is yet to be determined but + will not be before BIND 9.12.0 has been released for 6 months. + https://www.isc.org/downloads/software-support-policy/ +
++ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +
+GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@
$./configure --enable-exportlib$[other flags]make@@ -113,7 +113,7 @@ $make$cd lib/export$make install@@ -135,7 +135,7 @@ $make install
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $
makeThe IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $
makeSome sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $
makeSimilar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $
makeIt sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $
makeThis is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $
makeIt accepts a single update command as a command-line argument, sends an update request message to the @@ -458,7 +458,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmIt checks a set of domains to see the name servers of the domains behave @@ -515,7 +515,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmAs of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 3f3f0a149a..80c9c069fe 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -239,6 +239,19 @@
Where Can I Get Help?
arpaname {ipaddress ...}
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen [-a ] [algorithm-h] [-k ] [keyname-q] [-r ] [ -s randomfilename | -z zone ]
tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@
delv [queryopt...] [query...]
delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@
delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -465,12 +465,12 @@
dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 803978a89d..afc961259d 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@
dig [global-queryopt...] [query...]
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -416,6 +416,25 @@ clears the remembered EDNS version. EDNS is set to 0 by default.
++[no]ednsflags[=#]+ Set the must-be-zero EDNS flags bits (Z bits) to the + specified value. Decimal, hex and octal encodings are + accepted. Setting a named flag (e.g. DO) will silently be + ignored. By default, no Z bits are set. +
+[no]ednsnegotiation+ Enable / disable EDNS version negotiation. By default + EDNS version negotiation is enabled. +
+[no]ednsopt[=code[:value]]
+ Specify EDNS option with code point code
+ and optionally payload of value as a
+ hexadecimal string. +noednsopt
+ clears the EDNS options to to be sent.
+
+[no]expireSend an EDNS Expire option. @@ -671,7 +690,7 @@
The BIND 9 implementation of dig supports @@ -717,7 +736,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -731,14 +750,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
host(1), named(8), dnssec-keygen(8), @@ -746,7 +765,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index af8d433b9c..c9fa45ce66 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@dnssec-dsfromkey [-l ] [domain-f ] [file-d ] [dig path-D ] {zone}dsfromkey path
dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@
dnssec-coverage [-K ] [directory-l ] [length-f ] [file-d ] [DNSKEY TTL-m ] [max TTL-r ] [interval-c ] [compilezone path-k] [-z] [zone]
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@
dnssec-dsfromkey [-h] [-V]
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -189,7 +189,7 @@
dnssec-importkey {-f } [filename-K ] [directory-L ] [ttl-P ] [date/offset-D ] [date/offset-h] [-v ] [level-V] [dnsname]
dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@
dnssec-keyfromlabel {-l label} [-3] [-a ] [algorithm-A ] [date/offset-c ] [class-D ] [date/offset-E ] [engine-f ] [flag-G] [-I ] [date/offset-i ] [interval-k] [-K ] [directory-L ] [ttl-n ] [nametype-P ] [date/offset-p ] [protocol-R ] [date/offset-S ] [key-t ] [type-v ] [level-V] [-y] {name}
dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@
When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@
dnssec-keygen [-a ] [algorithm-b ] [keysize-n ] [nametype-3] [-A ] [date/offset-C] [-c ] [class-D ] [date/offset-E ] [engine-f ] [flag-G] [-g ] [generator-h] [-I ] [date/offset-i ] [interval-K ] [directory-L ] [ttl-k] [-P ] [date/offset-p ] [protocol-q] [-R ] [date/offset-r ] [randomdev-S ] [key-s ] [strength-t ] [type-v ] [level-V] [-z] {name}
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -361,7 +361,7 @@
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -428,7 +428,7 @@
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -437,7 +437,7 @@
dnssec-revoke [-hr] [-v ] [level-V] [-K ] [directory-E ] [engine-f] [-R] {keyfile}
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime [-f] [-K ] [directory-L ] [ttl-P ] [date/offset-A ] [date/offset-R ] [date/offset-I ] [date/offset-D ] [date/offset-h] [-V] [-v ] [level-E ] {keyfile}engine
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the -P, -A,
@@ -76,7 +76,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -212,7 +212,7 @@
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -238,7 +238,7 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -246,7 +246,7 @@
dnssec-signzone [-a] [-c ] [class-d ] [directory-D] [-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-L ] [serial-l ] [domain-M ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-P] [-p] [-R] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-V] [-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -539,14 +539,14 @@ db.example.com.signed
%
dnssec-verify [-c ] [class-E ] [engine-I ] [input-format-o ] [origin-v ] [level-V] [-x] [-z] {zonefile}
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@
genrandom [-n ] {numbersize} {filename}
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
host [-aCdlnrsTwv] [-c ] [class-N ] [ndots-R ] [number-t ] [type-W ] [wait-m ] [flag-4] [-6] [-v] [-V] {name} [server]
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -206,7 +206,7 @@
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -220,12 +220,12 @@
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 79fa675103..5d49a6ba2f 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@isc-hmac-fixup {algorithm} {secret}
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf [-h] [-v] [-j] [-t ] {filename} [directory-p] [-x] [-z]
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone [-d] [-j] [-q] [-v] [-c ] [class-C ] [mode-f ] [format-F ] [format-J ] [filename-i ] [mode-k ] [mode-m ] [mode-n ] [mode-l ] [ttl-L ] [serial-r ] [mode-s ] [style-t ] [directory-T ] [mode-w ] [directory-D] [-W ] {mode-o } {zonename} {filename}filename
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint {journal}
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named-rrchecker [-h] [-o ] [origin-p] [-u] [-C] [-T] [-P]
named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@
RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index ca401e8516..d9d2a84342 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@
named [-4] [-6] [-c ] [config-file-d ] [debug-level-D ] [string-E ] [engine-name-f] [-g] [-M ] [option-m ] [flag-n ] [#cpus-p ] [port-s] [-S ] [#max-socks-t ] [directory-U ] [#listeners-u ] [user-v] [-V] [-x ]cache-file
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -305,7 +305,7 @@
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -322,7 +322,7 @@
nsec3hash {salt} {algorithm} {iterations} {domain}
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
nsupdate [-d] [-D] [-L ] [[level-g] | [-o] | [-l] | [-y ] | [[hmac:]keyname:secret-k ]] [keyfile-t ] [timeout-u ] [udptimeout-r ] [udpretries-R ] [randomdev-v] [-T] [-P] [-V] [filename]
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -108,7 +108,7 @@
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 2c6aff4e94..2a0b557f53 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@
rndc-confgen [-a] [-A ] [algorithm-b ] [keysize-c ] [keyfile-h] [-k ] [keyname-p ] [port-r ] [randomfile-s ] [address-t ] [chrootdir-u ]user
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
rndc [-b ] [source-address-c ] [config-file-k ] [key-file-s ] [server-p ] [port-q] [-V] [-y ] {command}key_id
rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@
A list of commands supported by rndc can be seen by running rndc without arguments. @@ -579,7 +579,7 @@
There is currently no way to provide the shared secret for a
key_id without using the configuration file.
@@ -589,7 +589,7 @@
+ This document summarizes changes since the last production release + of BIND on the corresponding major release branch. +
++ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +
++ dig +ednsopt can now be used to set + arbitrary EDNS options in DNS requests. +
+ dig +ednsflags can now be used to set + yet-to-be-defined EDNS flags in DNS requests. +
+ dig +[no]ednsnegotiation can now be used enable / + disable EDNS version negotiation. +
+ An --enable-querytrace configure switch is + now available to enable very verbose query tracelogging. This + option can only be set at compile time. This option has a + negative performance impact and should be used only for + debugging. +
None
+ Large inline-signing changes should be less disruptive.
+ Signature generation is now done incrementally; the number
+ of signatures to be generated in each quantum is controlled
+ by "sig-signing-signatures number;".
+ [RT #37927]
+
+ When retrying a query via TCP due to the first answer being + truncated, dig will now correctly send + the SIT (server identity token) value returned by the server + in the prior response. [RT #39047] +
+ Retrieving the local port range from net.ipv4.ip_local_port_range + on Linux is now supported. +
+ Asynchronous zone loads were not handled correctly when the + zone load was already in progress; this could trigger a crash + in zt.c. [RT #37573] +
+ A race during shutdown or reconfiguration could + cause an assertion failure in mem.c. [RT #38979] +
+ Some answer formatting options didn't work correctly with + dig +short. [RT #39291] +
+ Several bugs have been fixed in the RPZ implementation: +
++ Policy zones that did not specifically require recursion + could be treated as if they did; consequently, setting + qname-wait-recurse no; was + sometimes ineffective. This has been corrected. + In most configurations, behavioral changes due to this + fix will not be noticeable. [RT #39229] +
+ The server could crash if policy zones were updated (e.g. + via rndc reload or an incoming zone + transfer) while RPZ processing was still ongoing for an + active query. [RT #39415] +
+ On servers with one or more policy zones configured as + slaves, if a policy zone updated during regular operation + (rather than at startup) using a full zone reload, such as + via AXFR, a bug could allow the RPZ summary data to fall out + of sync, potentially leading to an assertion failure in + rpz.c when further incremental updates were made to the + zone, such as via IXFR. [RT #39567] +
+ The server could match a shorter prefix than what was + available in CLIENT-IP policy triggers, and so, an + unexpected action could be taken. This has been + corrected. [RT #39481] +
+ The end of life for BIND 9.10 is yet to be determined but + will not be before BIND 9.12.0 has been released for 6 months. + https://www.isc.org/downloads/software-support-policy/ +
++ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +
+
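Review bot: In the +[no]ednsflags entry added to bin/dig/dig.1 (repeated in bin/dig/dig.html and doc/arm/man.dig.html), the text says that setting a named flag (e.g. DO) "will silently be ignored", but it does not tell the reader how such a flag should be set instead. Please name the option to use, or have dig warn rather than drop the bits silently, since someone testing server behaviour with this switch needs to know what was actually sent. In the +[no]ednsopt entry of the same hunk, "clears the EDNS options to to be sent" has a duplicated "to". That entry also speaks of "options" in the plural without saying whether +ednsopt may be given more than once, and it does not say what happens when value is not valid hexadecimal.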
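Review bot: In the release notes text added to doc/arm/Bv9ARM.ch09.html, and added again with the same wording later in this patch, the dig +[no]ednsnegotiation item reads "can now be used enable / disable EDNS version negotiation"; it is missing "to" after "used". In the --enable-querytrace item, "tracelogging" should be "trace logging". The three new dig items, the --enable-querytrace item and the net.ipv4.ip_local_port_range item carry no [RT #...] reference while the other entries do; add the ticket numbers if they exist so each entry can be traced. Since the notes appear twice in the patch, make these fixes in both copies.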