From 9a7c2b370e7df11beefe709a47efb79ce8e11a31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 30 Sep 2022 13:57:17 +0200 Subject: [PATCH 1/3] Deduplicate link anchors in the ARM Some statement names like "allow-query" had manually defined link anchor _allow-query and also implicit anchor created by .. namedconf:statement:: syntax. This causes warnings if a ambiguous reference is made using :any:`allow-query` syntax. Remove (hopefully all) manually defined anchors which pointed to identical place as the implicit anchor. This allows :any: to work. In rare cases where manual anchor points to descriptive text separated from statement definition the reference was disamguated by replacing :any:`notify` with :ref:`notify` (for manual anchor) vs. :namedconf:ref:`notify` (for statement definition). Please note that `options` statement is a trap: It is ambiguous even without manual anchor because rndc.conf has its own `options`. Use :namedconf:ref:`options` vs. :rndcconf:ref:`options` to select appropriate target. --- doc/arm/config-auth.inc.rst | 20 +++++----- doc/arm/config-intro.inc.rst | 4 +- doc/arm/config-resolve.inc.rst | 18 ++++----- doc/arm/dnssec.inc.rst | 3 +- doc/arm/reference.rst | 70 +++++++--------------------------- doc/arm/requirements.inc.rst | 2 +- 6 files changed, 37 insertions(+), 80 deletions(-) diff --git a/doc/arm/config-auth.inc.rst b/doc/arm/config-auth.inc.rst index ee6a9fed81..b054fb0904 100644 --- a/doc/arm/config-auth.inc.rst +++ b/doc/arm/config-auth.inc.rst @@ -77,11 +77,11 @@ The numbers in parentheses in the following text refer to the numbered items in propagation can therefore take extended periods. 4. The optional NOTIFY (:rfc:`1996`) feature (2) is automatically configured; - use the :ref:`notify ` statement to turn off the feature. + use the :namedconf:ref:`notify` statement to turn off the feature. Whenever the primary loads or reloads a zone, it sends a NOTIFY message to the configured secondary (or secondaries) and may optionally be configured to send the NOTIFY message to other hosts using the - :ref:`also-notify` statement. The NOTIFY message simply + :any:`also-notify` statement. The NOTIFY message simply indicates to the secondary that the primary has loaded or reloaded the zone. On receipt of the NOTIFY message, the secondary respons to indicate it has received the NOTIFY and immediately reads the SOA RR from the primary (as described in section 2 a. above). If the zone file has @@ -166,10 +166,10 @@ the :iscman:`named.conf` file has been modified as shown: The added statements and blocks are commented in the above file. -The :any:`zone` block, and :ref:`allow-query`, +The :any:`zone` block, and :any:`allow-query`, :any:`allow-query-cache`, -:ref:`allow-transfer`, :ref:`file`, -:ref:`notify`, :ref:`recursion`, and :any:`type` +:any:`allow-transfer`, :any:`file`, +:namedconf:ref:`notify`, :any:`recursion`, and :any:`type` statements are described in detail in the appropriate sections. .. _sample_secondary: @@ -248,11 +248,11 @@ The :ref:`named.conf` file has been modified as shown: The statements and blocks added are all commented in the above file. -The :any:`zone` block, and :ref:`allow-query`, +The :any:`zone` block, and :any:`allow-query`, :any:`allow-query-cache`, -:ref:`allow-transfer`, :ref:`file`, -:ref:`notify`, :ref:`primaries`, -:ref:`recursion`, and :any:`type` statements are described in +:any:`allow-transfer`, :any:`file`, +:namedconf:ref:`primaries`, +:any:`recursion`, and :any:`type` statements are described in detail in the appropriate sections. If NOTIFY is not being used, no changes are required in this @@ -264,5 +264,5 @@ message. can get more complicated. A secondary zone can also be a primary to other secondaries: :iscman:`named`, by default, sends NOTIFY messages for every zone it loads. Specifying :ref:`notify primary-only;` in the - :ref:`zone` block for the secondary causes :iscman:`named` to + :any:`zone` block for the secondary causes :iscman:`named` to only send NOTIFY messages for primary zones that it loads. diff --git a/doc/arm/config-intro.inc.rst b/doc/arm/config-intro.inc.rst index 919d55137c..7efea14026 100644 --- a/doc/arm/config-intro.inc.rst +++ b/doc/arm/config-intro.inc.rst @@ -78,9 +78,9 @@ as required by the user. }; }; -The :ref:`logging` and :ref:`options` blocks +The :any:`logging` and :namedconf:ref:`options` blocks and :ref:`category`, :any:`channel`, -:ref:`directory`, :ref:`file`, and :ref:`severity` +:any:`directory`, :any:`file`, and :any:`severity` statements are all described further in the appropriate sections of this ARM. .. _base_zone_file: diff --git a/doc/arm/config-resolve.inc.rst b/doc/arm/config-resolve.inc.rst index 4467201389..d299622f84 100644 --- a/doc/arm/config-resolve.inc.rst +++ b/doc/arm/config-resolve.inc.rst @@ -143,7 +143,7 @@ responses for all users. Private IP addresses may be defined using standard :ref:`reverse-mapping techniques` or using the -:ref:`empty-zones-enable` statement. By +:any:`empty-zones-enable` statement. By default this statement is set to ``empty-zones-enable yes;`` and thus automatically prevents unnecessary DNS traffic by sending an NXDOMAIN error response (indicating the name does not exist) to any request. However, some applications may require a @@ -263,8 +263,8 @@ It is therefore a **closed** resolver and cannot be used in wider network attack }; The :any:`zone` and :any:`acl` blocks, and the -:ref:`allow-query`, :ref:`empty-zones-enable`, -:ref:`file`, :ref:`notify`, :ref:`recursion`, and +:any:`allow-query`, :any:`empty-zones-enable`, +:any:`file`, :namedconf:ref:`notify`, :any:`recursion`, and :any:`type` statements are described in detail in the appropriate sections. @@ -381,9 +381,9 @@ provided`. }; The :any:`zone` and :any:`acl` blocks, and the -:ref:`allow-query`, :ref:`empty-zones-enable`, -:ref:`file`, :ref:`forward`, :ref:`forwarders`, -:ref:`notify`, :ref:`recursion`, and :any:`type` +:any:`allow-query`, :any:`empty-zones-enable`, +:any:`file`, :any:`forward`, :any:`forwarders`, +:namedconf:ref:`notify`, :any:`recursion`, and :any:`type` statements are described in detail in the appropriate sections. As a reminder, the configuration of this forwarding resolver does **not** @@ -508,9 +508,9 @@ those IPs from which it will accept recursive queries. The :any:`zone` and :any:`acl` blocks, and the -:ref:`allow-query`, :ref:`empty-zones-enable`, -:ref:`file`, :ref:`forward`, :ref:`forwarders`, -:ref:`notify`, :ref:`recursion`, and :any:`type` +:any:`allow-query`, :any:`empty-zones-enable`, +:any:`file`, :any:`forward`, :any:`forwarders`, +:namedconf:ref:`notify`, :any:`recursion`, and :any:`type` statements are described in detail in the appropriate sections. As a reminder, the configuration of this resolver does **not** access the DNS diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index 762e6aa585..5f432a9fc9 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -461,8 +461,7 @@ DNSSEC Validation ~~~~~~~~~~~~~~~~~ The BIND resolver validates answers from authoritative servers by default. This -behavior is controlled by the configuration statement :ref:`dnssec-validation -`. +behavior is controlled by the configuration statement :namedconf:ref:`dnssec-validation`. By default a trust anchor for the DNS root zone is used. This trust anchor is provided as part of BIND and is kept up-to-date using diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index ac876e3ca2..cf31b624ad 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -402,8 +402,6 @@ The following blocks are supported: :any:`parental-agents` Defines a named list of servers for inclusion in primary and secondary zones' :any:`parental-agents` lists. -.. _primaries: - :any:`primaries` Defines a named list of servers for inclusion in stub and secondary zones' :any:`primaries` or :any:`also-notify` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.) @@ -431,8 +429,6 @@ The following blocks are supported: :any:`view` Defines a view. -.. _zone_clause: - :any:`zone` Defines a zone. @@ -724,8 +720,6 @@ by the channel (the default is ``info``), and whether to include a version of :any:`syslog`, which only uses two arguments to the ``openlog()`` function, this clause is silently ignored. -.. _severity: - .. namedconf:statement:: severity :tags: logging :short: Defines the priority level of log messages. @@ -1085,8 +1079,6 @@ where ``tls-configuration-name`` refers to a previously defined This is the grammar of the ``options`` statement in the :iscman:`named.conf` file: -.. _options: - ``options`` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1095,8 +1087,6 @@ This statement may appear only once in a configuration file. If there is no ``options`` statement, an options block with each option set to its default is used. -.. _attach-cache: - .. namedconf:statement:: attach-cache :tags: view :short: Allows multiple views to share a single cache database. @@ -1158,8 +1148,6 @@ default is used. administrator's responsibility to ensure that configuration differences in different views do not cause disruption with a shared cache. -.. _directory: - .. namedconf:statement:: directory :tags: server :short: Sets the server's working directory. @@ -1656,8 +1644,6 @@ default is used. is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. -.. _root-delegation-only: - .. namedconf:statement:: root-delegation-only :tags: query :short: Turns on enforcement of delegation-only in top-level domains (TLDs) and root zones with an optional exclude list. @@ -2236,8 +2222,6 @@ Boolean Options unnecessary records are added to the authority or additional sections. The default is ``no``. -.. _notify_st: - .. namedconf:statement:: notify :tags: transfer :short: Controls whether ``NOTIFY`` messages are sent on zone changes. @@ -2270,8 +2254,6 @@ Boolean Options ultimate primary should be set to still send NOTIFY messages to all the name servers listed in the NS RRset. -.. _recursion: - .. namedconf:statement:: recursion :tags: query :short: Defines whether recursion and caching are allowed. @@ -2642,8 +2624,6 @@ Boolean Options The DNSSEC records are written to the zone's filename set in :any:`file`, unless :any:`inline-signing` is enabled. -.. _dnssec-validation-option: - .. namedconf:statement:: dnssec-validation :tags: dnssec :short: Enables DNSSEC validation in :iscman:`named`. @@ -2921,8 +2901,6 @@ access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache. -.. _forward: - .. namedconf:statement:: forward :tags: query :short: Allows or disallows fallback to recursion if forwarding has failed; it is always used in conjunction with the :any:`forwarders` statement. @@ -2933,8 +2911,6 @@ authoritative and does not have the answer in its cache. server then looks for the answer itself. If ``only`` is specified, the server only queries the forwarders. -.. _forwarders: - .. namedconf:statement:: forwarders :tags: query :short: Defines one or more hosts to which queries are forwarded. @@ -3125,10 +3101,6 @@ for details on how to specify IP address lists. and inherited by zones, this can lead to some zones unintentionally forwarding updates. -.. _allow-transfer-access: - -.. _allow-transfer: - .. namedconf:statement:: allow-transfer :tags: transfer :short: Defines an :any:`address_match_list` of hosts that are allowed to transfer the zone information from this server. @@ -3448,8 +3420,6 @@ BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers. -.. _also-notify: - .. namedconf:statement:: also-notify :tags: transfer :short: Defines one or more hosts that are sent ``NOTIFY`` messages when zone changes occur. @@ -3918,8 +3888,6 @@ system. This option is deprecated and no longer has any effect. -.. _max-cache-size: - .. namedconf:statement:: max-cache-size :tags: server :short: Sets the maximum amount of memory to use for an individual cache database and its associated metadata. @@ -3929,7 +3897,7 @@ system. physical memory. By default, each view has its own separate cache, which means the total amount of memory required for cache data is the sum of the cache database sizes for all views (unless the - :ref:`attach-cache ` option is used). + :any:`attach-cache` option is used). When the amount of data in a cache database reaches the configured limit, :iscman:`named` starts purging non-expired records (following an @@ -4930,16 +4898,12 @@ away from the infrastructure servers. This specifies the contact name that appears in the returned SOA record for empty zones. If none is specified, "." is used. -.. _empty-zones-enable: - .. namedconf:statement:: empty-zones-enable :tags: server, zone :short: Enables or disables all empty zones. This enables or disables all empty zones. By default, they are enabled. -.. _disable-empty-zone: - .. namedconf:statement:: disable-empty-zone :tags: server, zone :short: Disables individual empty zones. @@ -6897,7 +6861,7 @@ Zone Types methods may be added in the future. To make mirror zone contents persist between :iscman:`named` restarts, use - the :ref:`file ` option. + the :any:`file` option. Mirroring a zone other than root requires an explicit list of primary servers to be provided using the :any:`primaries` option (see @@ -6915,7 +6879,7 @@ Zone Types explicit;``. Outgoing transfers of mirror zones are disabled by default but may be - enabled using :ref:`allow-transfer `. + enabled using :any:`allow-transfer`. .. note:: Use of this zone type with any zone other than the root should be @@ -7048,7 +7012,7 @@ Zone Types :any:`delegation-only` has no effect on answers received from forwarders. - See caveats in :ref:`root-delegation-only `. + See caveats in :any:`root-delegation-only`. .. namedconf:statement:: in-view :tags: view, zone @@ -7087,8 +7051,6 @@ Zone Options :any:`allow-notify` See the description of :any:`allow-notify` in :ref:`access_control`. -.. _allow-query: - :any:`allow-query` See the description of :any:`allow-query` in :ref:`access_control`. @@ -7147,10 +7109,10 @@ Zone Options See the description of :any:`update-check-ksk` in :ref:`boolean_options`. :any:`dnssec-loadkeys-interval` - See the description of :any:`dnssec-loadkeys-interval` in :ref:`options`. + See the description of :any:`dnssec-loadkeys-interval` in :namedconf:ref:`options`. :any:`dnssec-update-mode` - See the description of :any:`dnssec-update-mode` in :ref:`options`. + See the description of :any:`dnssec-update-mode` in :namedconf:ref:`options`. :any:`dnssec-dnskey-kskonly` See the description of :any:`dnssec-dnskey-kskonly` in :ref:`boolean_options`. @@ -7187,11 +7149,7 @@ Zone Options ``yes``, then the zone is treated as if it is also a delegation-only type zone. - See caveats in :ref:`root-delegation-only `. - -.. _file-option: - -.. _file: + See caveats in :any:`root-delegation-only`. .. namedconf:statement:: file :tags: zone @@ -7223,7 +7181,7 @@ Zone Options :any:`primary ` and :any:`secondary ` zones. :any:`max-ixfr-ratio` - See the description of :any:`max-ixfr-ratio` in :ref:`options`. + See the description of :any:`max-ixfr-ratio` in :namedconf:ref:`options`. :any:`max-journal-size` See the description of :any:`max-journal-size` in :ref:`server_resource_limits`. @@ -7253,7 +7211,7 @@ Zone Options See the description of :any:`notify-to-soa` in :ref:`boolean_options`. :any:`zone-statistics` - See the description of :any:`zone-statistics` in :ref:`options`. + See the description of :any:`zone-statistics` in :namedconf:ref:`options`. .. namedconf:statement:: server-addresses :tags: query, zone @@ -7354,13 +7312,13 @@ Zone Options are not available at the zone level.) :any:`key-directory` - See the description of :any:`key-directory` in :ref:`options`. + See the description of :any:`key-directory` in :namedconf:ref:`options`. :any:`auto-dnssec` - See the description of :any:`auto-dnssec` in :ref:`options`. + See the description of :any:`auto-dnssec` in :namedconf:ref:`options`. :any:`serial-update-method` - See the description of :any:`serial-update-method` in :ref:`options`. + See the description of :any:`serial-update-method` in :namedconf:ref:`options`. .. namedconf:statement:: inline-signing :tags: dnssec, zone @@ -7380,7 +7338,7 @@ Zone Options See the description of :any:`masterfile-format` in :ref:`tuning`. :any:`max-zone-ttl` - See the description of :any:`max-zone-ttl` in :ref:`options`. + See the description of :any:`max-zone-ttl` in :namedconf:ref:`options`. The use of this option in :any:`zone` blocks is deprecated and will be rendered nonoperational in a future release. @@ -7842,7 +7800,7 @@ Socket I/O Statistics A subset of Name Server Statistics is collected and shown per zone for which the server has the authority, when :any:`zone-statistics` is set to ``full`` (or ``yes``), for backward compatibility. See the description of -:any:`zone-statistics` in :ref:`options` for further details. +:any:`zone-statistics` in :namedconf:ref:`options` for further details. These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit diff --git a/doc/arm/requirements.inc.rst b/doc/arm/requirements.inc.rst index dcb080ec33..f15bd5782b 100644 --- a/doc/arm/requirements.inc.rst +++ b/doc/arm/requirements.inc.rst @@ -45,7 +45,7 @@ Memory Requirements ------------------- Server memory must be sufficient to hold both the cache and the -zones loaded from disk. The :ref:`max-cache-size` option can +zones loaded from disk. The :any:`max-cache-size` option can limit the amount of memory used by the cache, at the expense of reducing cache hit rates and causing more DNS traffic. It is still good practice to have enough memory to load all zone and cache data into memory; From ea2d213f34b623d538b8f2d4d58acde080e076fb Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Mon, 3 Oct 2022 18:19:45 +0200 Subject: [PATCH 2/3] Remove trailing whitespaces --- doc/arm/dnssec.inc.rst | 2 +- doc/arm/reference.rst | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index 5f432a9fc9..9adec06c94 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -14,7 +14,7 @@ DNSSEC ------ DNS Security Extensions (DNSSEC) provide reliable protection from -`cache poisoning`_ attacks. At the same time these extensions also provide other benefits: +`cache poisoning`_ attacks. At the same time these extensions also provide other benefits: they limit the impact of `random subdomain attacks`_ on resolver caches and authoritative servers, and provide the foundation for modern applications like `authenticated and private e-mail transfer`_. diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index cf31b624ad..d03c309e29 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3764,14 +3764,14 @@ system. .. namedconf:statement:: clients-per-query :tags: server :short: Sets the initial minimum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. - + This sets the initial value (minimum) number of simultaneous recursive clients for any given query () that the server accepts before dropping additional clents. :iscman:`named` attempts to self-tune this value and changes are logged. The default value is 10. - + The chosen value should reflect how many queries come in for a given name - in the time it takes to resolve that name. + in the time it takes to resolve that name. .. namedconf:statement:: max-clients-per-query :tags: server @@ -4239,7 +4239,7 @@ Tuning .. namedconf:statement:: servfail-ttl :tags: server - :short: Sets the length of time (in seconds) that a SERVFAIL response is cached. + :short: Sets the length of time (in seconds) that a SERVFAIL response is cached. This sets the number of seconds to cache a SERVFAIL response due to DNSSEC validation failure or other general server failure. If set to ``0``, @@ -5765,7 +5765,7 @@ any top-level :namedconf:ref:`server` statements are used as defaults. .. namedconf:statement:: keys :tags: server, security :short: Specifies one or more :any:`server_key` s to be used with a remote server. - + :suppress_grammar: .. warning:: @@ -7002,7 +7002,7 @@ Zone Types .. namedconf:statement:: type delegation-only :tags: query - :short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.). + :short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.). This zone type is used to enforce the delegation-only status of infrastructure zones (e.g., COM, NET, ORG). Any answer that is received without an From 137e0f4e0e14975c7fc00000da2e77b5b29f61f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 4 Oct 2022 11:00:54 +0200 Subject: [PATCH 3/3] Remove manually defined anchors pointing to statement definitions This is hopefully end of duplication. This batch did not cause clashes in Sphinx but it was pointless nonetheless as we have auto-generated anchors for all statements. --- doc/arm/config-intro.inc.rst | 2 +- doc/arm/config-resolve.inc.rst | 2 +- doc/arm/dns-ops.inc.rst | 2 +- doc/arm/dnssec.inc.rst | 4 +- doc/arm/reference.rst | 67 +++++---------------------------- doc/arm/troubleshooting.inc.rst | 5 +-- doc/arm/zones.inc.rst | 2 +- 7 files changed, 18 insertions(+), 66 deletions(-) diff --git a/doc/arm/config-intro.inc.rst b/doc/arm/config-intro.inc.rst index 7efea14026..d041eccf5f 100644 --- a/doc/arm/config-intro.inc.rst +++ b/doc/arm/config-intro.inc.rst @@ -79,7 +79,7 @@ as required by the user. }; The :any:`logging` and :namedconf:ref:`options` blocks -and :ref:`category`, :any:`channel`, +and :any:`category`, :any:`channel`, :any:`directory`, :any:`file`, and :any:`severity` statements are all described further in the appropriate sections of this ARM. diff --git a/doc/arm/config-resolve.inc.rst b/doc/arm/config-resolve.inc.rst index d299622f84..fcfa97e20d 100644 --- a/doc/arm/config-resolve.inc.rst +++ b/doc/arm/config-resolve.inc.rst @@ -563,4 +563,4 @@ and discard the rest. For more detail on ordering responses, refer to the :ref:`rrset-order` statement in the -:ref:`options` block. +:namedconf:ref:`options` block. diff --git a/doc/arm/dns-ops.inc.rst b/doc/arm/dns-ops.inc.rst index a9ad9f955b..38effae7e0 100644 --- a/doc/arm/dns-ops.inc.rst +++ b/doc/arm/dns-ops.inc.rst @@ -107,7 +107,7 @@ server. not found, :iscman:`rndc` also looks in |rndc_key| (or whatever ``sysconfdir`` was defined when the BIND build was configured). The ``rndc.key`` file is generated by running :option:`rndc-confgen -a` as - described in :ref:`controls_statement_definition_and_usage`. + described in :any:`controls`. The format of the configuration file is similar to that of :iscman:`named.conf`, but is limited to only three blocks: the :rndcconf:ref:`options`, diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index 9adec06c94..c48bab1dda 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -112,7 +112,7 @@ that are about to expire and managing :ref:`key_rollovers`. .. note:: :any:`dnssec-policy` needs write access to the zone. Please see - :ref:`dnssec_policy` for more details about implications for zone storage. + :any:`dnssec-policy` for more details about implications for zone storage. The default policy creates one key that is used to sign the complete zone, and uses ``NSEC`` to enable authenticated denial of existence (a secure way @@ -150,7 +150,7 @@ Also: using zero extra iterations and no salt. NSEC3 opt-out is disabled, meaning insecure delegations also get an NSEC3 record. -For more information about KASP configuration see :ref:`dnssec_policy_grammar`. +For more information about KASP configuration see :any:`dnssec-policy`. The :ref:`dnssec_advanced_discussions` section in the DNSSEC Guide discusses the various policy settings and may be useful for determining values for specific diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index d03c309e29..ff36672cc4 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -385,7 +385,7 @@ The following blocks are supported: Declares control channels to be used by the :iscman:`rndc` utility. :any:`dnssec-policy` - Describes a DNSSEC key and signing policy for zones. See :ref:`dnssec_policy_grammar` for details. + Describes a DNSSEC key and signing policy for zones. See :any:`dnssec-policy` for details. :namedconf:ref:`key` Specifies key information for use in authentication and authorization using TSIG. @@ -463,16 +463,12 @@ The following ACLs are built-in: ``localnets`` Matches any host on an IPv4 or IPv6 network for which the system has an interface. When addresses are added or removed, the ``localnets`` ACL element is updated to reflect the changes. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses; in such cases, ``localnets`` only matches the local IPv6 addresses, just like ``localhost``. -.. _controls_grammar: - :any:`controls` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: controls :tags: server :short: Specifies control channels to be used to manage the name server. -.. _controls_statement_definition_and_usage: - :any:`controls` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -543,27 +539,22 @@ To disable the command channel, use an empty :any:`controls` statement: ``controls { };``. -.. _key_grammar: - ``key`` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: key :tags: security :short: Defines a shared secret key for use with :ref:`tsig` or the command channel. -.. _key_statement: - ``key`` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The ``key`` statement defines a shared secret key for use with TSIG (see -:ref:`tsig`) or the command channel (see :ref:`controls_statement_definition_and_usage`). +:ref:`tsig`) or the command channel (see :any:`controls`). The ``key`` statement can occur at the top level of the configuration file or inside a :any:`view` statement. Keys defined in top-level ``key`` statements can be used in all views. Keys intended for use in a -:any:`controls` statement (see :ref:`controls_statement_definition_and_usage`) -must be defined at the top level. +:any:`controls` statement must be defined at the top level. The :term:`server_key`, also known as the key name, is a domain name that uniquely identifies the key. It can be used in a :namedconf:ref:`server` statement to cause @@ -589,16 +580,12 @@ matching this name, algorithm, and secret. The ``secret_string`` is the secret to be used by the algorithm, and is treated as a Base64-encoded string. -.. _logging_grammar: - :any:`logging` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: logging :tags: logging :short: Configures logging options for the name server. -.. _logging_statement: - :any:`logging` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -815,7 +802,7 @@ Here is an example where all three ``print-`` options are on: There are four predefined channels that are used for :iscman:`named`'s default logging, as follows. If :iscman:`named` is started with the :option:`-L ` option, then a fifth channel, ``default_logfile``, is added. How they are used is described in -:ref:`the_category_phrase`. +:any:`category`. :: @@ -872,8 +859,6 @@ Once a channel is defined, it cannot be redefined. The built-in channels cannot be altered directly, but the default logging can be modified by pointing categories at defined channels. -.. _the_category_phrase: - The :any:`category` Phrase ^^^^^^^^^^^^^^^^^^^^^^^^^^ There are many categories, so desired logs can be sent anywhere @@ -1015,16 +1000,12 @@ At ``debug`` level 4 or higher, the detailed context information logged at ``debug`` level 2 is logged for errors other than SERVFAIL and for negative responses such as NXDOMAIN. -.. _parental_agents_grammar: - :any:`parental-agents` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: parental-agents :tags: zone :short: Defines a list of delegation agents to be used by primary and secondary zones. -.. _parental_agents_statement: - :any:`parental-agents` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1033,16 +1014,12 @@ used by multiple primary and secondary zones. A parental agent is the entity that is allowed to change a zone's delegation information (defined in :rfc:`7344`). -.. _primaries_grammar: - :any:`primaries` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: primaries :tags: zone :short: Defines one or more primary servers for a zone. -.. _primaries_statement: - :any:`primaries` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1068,8 +1045,6 @@ where ``tls-configuration-name`` refers to a previously defined observers but does not protect from man-in-the-middle attacks on zone transfers. -.. _options_grammar: - ``options`` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: options @@ -2924,7 +2899,7 @@ Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. Particular domains can be set to use different forwarders, or have a different ``forward only/first`` behavior, or not forward at all; see -:ref:`zone_statement_grammar`. +:any:`zone`. .. _dual_stack: @@ -4028,8 +4003,6 @@ Periodic Task Intervals gone away. For convenience, TTL-style time-unit suffixes may be used to specify the value. It also accepts ISO 8601 duration formats. -.. _the_sortlist_statement: - The :any:`sortlist` Statement ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -4134,7 +4107,7 @@ RRset Ordering The :any:`rrset-order` statement permits configuration of the ordering of the records in a multiple-record response. See also: - :ref:`the_sortlist_statement`. + :any:`sortlist`. Each rule in an :any:`rrset-order` statement is defined as follows: @@ -4691,7 +4664,7 @@ Built-in Server Information Zones The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain ``bind`` in the ``CHAOS`` class. These zones are part of a built-in view -(see :ref:`view_statement_grammar`) of class ``CHAOS``, which is +(see :any:`view`) of class ``CHAOS``, which is separate from the default view of class ``IN``. Most global configuration options (:any:`allow-query`, etc.) apply to this view, but some are locally overridden: :namedconf:ref:`notify`, :any:`recursion`, and @@ -5643,7 +5616,7 @@ NXDOMAIN Redirection :iscman:`named` supports NXDOMAIN redirection via two methods: -- Redirect zone (:ref:`zone_statement_grammar`) +- :any:`Redirect zone ` - Redirect namespace With either method, when :iscman:`named` gets an NXDOMAIN response it examines a @@ -5670,16 +5643,12 @@ zone; there are no delegations. If both a redirect zone and a redirect namespace are configured, the redirect zone is tried first. -.. _server_statement_grammar: - ``server`` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: server :tags: server :short: Defines characteristics to be associated with a remote name server. -.. _server_statement_definition_and_usage: - ``server`` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -5803,16 +5772,12 @@ and :namedconf:ref:`options` blocks: - :namedconf:ref:`transfer-source` -.. _statschannels: - :any:`statistics-channels` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: statistics-channels :tags: logging :short: Specifies the communication channels to be used by system administrators to access statistics information on the name server. -.. _statistics_channels: - :any:`statistics-channels` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -6294,16 +6259,12 @@ that is used to initialize the key-maintenance process is stored in can be found, the initializing key is also compiled directly into :iscman:`named`. -.. _dnssec_policy_grammar: - :any:`dnssec-policy` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: dnssec-policy :tags: dnssec :short: Defines a key and signing policy (KASP) for zones. -.. _dnssec_policy: - :any:`dnssec-policy` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -6628,8 +6589,6 @@ with the ``initial-key`` keyword. The :any:`trusted-keys` statement has been deprecated in favor of :any:`trust-anchors` with the ``static-key`` keyword. -.. _view_statement_grammar: - :any:`view` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: view @@ -6646,8 +6605,6 @@ The :any:`trusted-keys` statement has been deprecated in favor of [ zone_statement ; ... ] } ; -.. _view_statement: - :any:`view` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -6746,8 +6703,6 @@ Here is an example of a typical split DNS setup implemented using }; }; -.. _zone_statement_grammar: - :any:`zone` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: zone @@ -6756,8 +6711,6 @@ Here is an example of a typical split DNS setup implemented using :suppress_grammar: -.. _zone_statement: - :any:`zone` Block Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -6865,7 +6818,7 @@ Zone Types Mirroring a zone other than root requires an explicit list of primary servers to be provided using the :any:`primaries` option (see - :ref:`primaries_grammar` for details), and a key-signing key (KSK) + :any:`primaries` for details), and a key-signing key (KSK) for the specified zone to be explicitly configured as a trust anchor (see :any:`trust-anchors`). @@ -7810,7 +7763,7 @@ There are currently two user interfaces to get access to the statistics. One is in plain-text format, dumped to the file specified by the :any:`statistics-file` configuration option; the other is remotely accessible via a statistics channel when the :any:`statistics-channels` -statement is specified in the configuration file (see :ref:`statschannels`.) +statement is specified in the configuration file. .. _statsfile: diff --git a/doc/arm/troubleshooting.inc.rst b/doc/arm/troubleshooting.inc.rst index 0390ce606b..a395357051 100644 --- a/doc/arm/troubleshooting.inc.rst +++ b/doc/arm/troubleshooting.inc.rst @@ -85,12 +85,11 @@ to make :iscman:`named` prepare such a file, set the ``SSLKEYLOGFILE`` environment variable to either: - the string ``config`` (``SSLKEYLOGFILE=config``); this requires - defining a :any:`logging` :ref:`channel ` which will + defining a :any:`logging` :any:`channel` which will handle messages belonging to the ``sslkeylog`` category, - the path to the key file to write (``SSLKEYLOGFILE=/path/to/file``); - this is equivalent to the following :any:`logging` :ref:`stanza - `: + this is equivalent to the following :any:`logging` configuration: :: diff --git a/doc/arm/zones.inc.rst b/doc/arm/zones.inc.rst index 60289fe272..1807029cac 100644 --- a/doc/arm/zones.inc.rst +++ b/doc/arm/zones.inc.rst @@ -29,7 +29,7 @@ of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes: for example, to specify that a particular nearby server be tried first. See -:ref:`the_sortlist_statement` and :ref:`rrset_ordering`. +:any:`sortlist` and :ref:`rrset_ordering`. The components of a Resource Record are: