diff --git a/HISTORY b/HISTORY index 6db5f2d88e..e69de29bb2 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,364 +0,0 @@ -Summary of functional enhancements from prior major releases of BIND 9: - -BIND 9.8.0 - - BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier - releases. New features include: - - - Built-in trust anchor for the root zone, which can be - switched on via "dnssec-validation auto;" - - Support for DNS64. - - Support for response policy zones (RPZ). - - Support for writable DLZ zones. - - Improved ease of configuration of GSS/TSIG for - interoperability with Active Directory - - Support for GOST signing algorithm for DNSSEC. - - Removed RTT Banding from server selection algorithm. - - New "static-stub" zone type. - - Allow configuration of resolver timeouts via - "resolver-query-timeout" option. - - The DLZ "dlopen" driver is now built by default. - - Added a new include file with function typedefs - for the DLZ "dlopen" driver. - - Made "--with-gssapi" default. - - More verbose error reporting from DLZ LDAP. - -BIND 9.7.0 - - BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier - releases. Most are intended to simplify DNSSEC configuration. - New features include: - - - Fully automatic signing of zones by "named". - - Simplified configuration of DNSSEC Lookaside Validation (DLV). - - Simplified configuration of Dynamic DNS, using the "ddns-confgen" - command line tool or the "local" update-policy option. (As a side - effect, this also makes it easier to configure automatic zone - re-signing.) - - New named option "attach-cache" that allows multiple views to - share a single cache. - - DNS rebinding attack prevention. - - New default values for dnssec-keygen parameters. - - Support for RFC 5011 automated trust anchor maintenance - - Smart signing: simplified tools for zone signing and key - maintenance. - - The "statistics-channels" option is now available on Windows. 
- - A new DNSSEC-aware libdns API for use by non-BIND9 applications - - On some platforms, named and other binaries can now print out - a stack backtrace on assertion failure, to aid in debugging. - - A "tools only" installation mode on Windows, which only installs - dig, host, nslookup and nsupdate. - - Improved PKCS#11 support, including Keyper support and explicit - OpenSSL engine selection. - -BIND 9.6.0 - - Full NSEC3 support - - Automatic zone re-signing - - New update-policy methods tcp-self and 6to4-self - - The BIND 8 resolver library, libbind, has been removed from the - BIND 9 distribution and is now available as a separate download. - - Change the default pid file location from /var/run to - /var/run/{named,lwresd} for improved chroot/setuid support. - -BIND 9.5.0 - - GSS-TSIG support (RFC 3645). - - DHCID support. - - Experimental http server and statistics support for named via xml. - - More detailed statistics counters including those supported in BIND 8. - - Faster ACL processing. - - Use Doxygen to generate internal documentation. - - Efficient LRU cache-cleaning mechanism. - - NSID support. - -BIND 9.4.0 - - Implemented "additional section caching (or acache)", an - internal cache framework for additional section content to - improve response performance. Several configuration options - were provided to control the behavior. - - New notify type 'master-only'. Enable notify for master - zones only. - - Accept 'notify-source' style syntax for query-source. - - rndc now allows addresses to be set in the server clauses. - - New option "allow-query-cache". This lets "allow-query" - be used to specify the default zone access level rather - than having to have every zone override the global value. - "allow-query-cache" can be set at both the options and view - levels. 
If "allow-query-cache" is not set then "allow-recursion" - is used if set, otherwise "allow-query" is used if set - unless "recursion no;" is set in which case "none;" is used, - otherwise the default (localhost; localnets;) is used. - - rndc: the source address can now be specified. - - ixfr-from-differences now takes master and slave in addition - to yes and no at the options and view levels. - - Allow the journal's name to be changed via named.conf. - - 'rndc notify zone [class [view]]' resend the NOTIFY messages - for the specified zone. - - 'dig +trace' now randomly selects the next servers to try. - Report if there is a bad delegation. - - Improve check-names error messages. - - Make public the function to read a key file, dst_key_read_public(). - - dig now returns the byte count for axfr/ixfr. - - allow-update is now settable at the options / view level. - - named-checkconf now checks the logging configuration. - - host now can turn on memory debugging flags with '-m'. - - Don't send notify messages to self. - - Perform sanity checks on NS records which refer to 'in zone' names. - - New zone option "notify-delay". Specify a minimum delay - between sets of NOTIFY messages. - - Extend adjusting TTL warning messages. - - Named and named-checkzone can now both check for non-terminal - wildcard records. - - "rndc freeze/thaw" now freezes/thaws all zones. - - named-checkconf now check acls to verify that they only - refer to existing acls. - - The server syntax has been extended to support a range of - servers. - - Report differences between hints and real NS rrset and - associated address records. - - Preserve the case of domain names in rdata during zone - transfers. - - Restructured the data locking framework using architecture - dependent atomic operations (when available), improving - response performance on multi-processor machines significantly. - x86, x86_64, alpha, powerpc, and mips are currently supported. - - UNIX domain controls are now supported. 
- - Add support for additional zone file formats for improving - loading performance. The masterfile-format option in - named.conf can be used to specify a non-default format. A - separate command named-compilezone was provided to generate - zone files in the new format. Additionally, the -I and -O - options for dnssec-signzone specify the input and output - formats. - - dnssec-signzone can now randomize signature end times - (dnssec-signzone -j jitter). - - Add support for CH A record. - - Add additional zone data constancy checks. named-checkzone - has extended checking of NS, MX and SRV record and the hosts - they reference. named has extended post zone load checks. - New zone options: check-mx and integrity-check. - - - edns-udp-size can now be overridden on a per server basis. - - dig can now specify the EDNS version when making a query. - - Added framework for handling multiple EDNS versions. - - Additional memory debugging support to track size and mctx - arguments. - - Detect duplicates of UDP queries we are recursing on and - drop them. New stats category "duplicates". - - "USE INTERNAL MALLOC" is now runtime selectable. - - The lame cache is now done on a basis - as some servers only appear to be lame for certain query - types. - - Limit the number of recursive clients that can be waiting - for a single query () to resolve. New - options clients-per-query and max-clients-per-query. - - dig: report the number of extra bytes still left in the - packet after processing all the records. - - Support for IPSECKEY rdata type. - - Raise the UDP recieve buffer size to 32k if it is less than 32k. - - x86 and x86_64 now have seperate atomic locking implementations. - - named-checkconf now validates update-policy entries. - - Attempt to make the amount of work performed in a iteration - self tuning. 
The covers nodes clean from the cache per - iteration, nodes written to disk when rewriting a master - file and nodes destroyed per iteration when destroying a - zone or a cache. - - ISC string copy API. - - Automatic empty zone creation for D.F.IP6.ARPA and friends. - Note: RFC 1918 zones are not yet covered by this but are - likely to be in a future release. - - New options: empty-server, empty-contact, empty-zones-enable - and disable-empty-zone. - - dig now has a '-q queryname' and '+showsearch' options. - - host/nslookup now continue (default)/fail on SERVFAIL. - - dig now warns if 'RA' is not set in the answer when 'RD' - was set in the query. host/nslookup skip servers that fail - to set 'RA' when 'RD' is set unless a server is explicitly - set. - - Integrate contibuted DLZ code into named. - - Integrate contibuted IDN code from JPNIC. - - libbind: corresponds to that from BIND 8.4.7. - -BIND 9.3.0 - - DNSSEC is now DS based (RFC 3658). - See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. - - DNSSEC lookaside validation. - - check-names is now implemented. - rrset-order in more complete. - - IPv4/IPv6 transition support, dual-stack-servers. - - IXFR deltas can now be generated when loading master files, - ixfr-from-differences. - - It is now possible to specify the size of a journal, max-journal-size. - - It is now possible to define a named set of master servers to be - used in masters clause, masters. - - The advertised EDNS UDP size can now be set, edns-udp-size. - - allow-v6-synthesis has been obsoleted. - - NOTE: - * Zones containing MD and MF will now be rejected. - * dig, nslookup name. now report "Not Implemented" as - NOTIMP rather than NOTIMPL. This will have impact on scripts - that are looking for NOTIMPL. - - libbind: corresponds to that from BIND 8.4.5. - -BIND 9.2.0 - - The size of the cache can now be limited using the - "max-cache-size" option. 
- - The server can now automatically convert RFC1886-style recursive - lookup requests into RFC2874-style lookups, when enabled using the - new option "allow-v6-synthesis". This allows stub resolvers that - support AAAA records but not A6 record chains or binary labels to - perform lookups in domains that make use of these IPv6 DNS - features. - - Performance has been improved. - - The man pages now use the more portable "man" macros rather than - the "mandoc" macros, and are installed by "make install". - - The named.conf parser has been completely rewritten. It now - supports "include" directives in more places such as inside "view" - statements, and it no longer has any reserved words. - - The "rndc status" command is now implemented. - - rndc can now be configured automatically. - - A BIND 8 compatible stub resolver library is now included in - lib/bind. - - OpenSSL has been removed from the distribution. This means that to - use DNSSEC, OpenSSL must be installed and the --with-openssl option - must be supplied to configure. This does not apply to the use of - TSIG, which does not require OpenSSL. - - The source distribution now builds on Windows. See - win32utils/readme1.txt and win32utils/win32-build.txt for details. - - This distribution also includes a new lightweight stub - resolver library and associated resolver daemon that fully - support forward and reverse lookups of both IPv4 and IPv6 - addresses. This library is considered experimental and - is not a complete replacement for the BIND 8 resolver library. - Applications that use the BIND 8 res_* functions to perform - DNS lookups or dynamic updates still need to be linked against - the BIND 8 libraries. For DNS lookups, they can also use the - new "getrrsetbyname()" API. - - BIND 9.2 is capable of acting as an authoritative server - for DNSSEC secured zones. 
This functionality is believed to - be stable and complete except for lacking support for - verifications involving wildcard records in secure zones. - - When acting as a caching server, BIND 9.2 can be configured - to perform DNSSEC secure resolution on behalf of its clients. - This part of the DNSSEC implementation is still considered - experimental. For detailed information about the state of the - DNSSEC implementation, see the file doc/misc/dnssec. - - There are a few known bugs: - - On some systems, IPv6 and IPv4 sockets interact in - unexpected ways. For details, see doc/misc/ipv6. - To reduce the impact of these problems, the server - no longer listens for requests on IPv6 addresses - by default. If you need to accept DNS queries over - IPv6, you must specify "listen-on-v6 { any; };" - in the named.conf options statement. - - FreeBSD prior to 4.2 (and 4.2 if running as non-root) - and OpenBSD prior to 2.8 log messages like - "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and - OS X 10.2 (Darwin 6.0) reports errors like - "fcntl(3, F_SETFL, 4): Operation not supported by device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - --with-libtool does not work on AIX. - - A bug in some versions of the Microsoft DNS server can cause zone - transfers from a BIND 9 server to a W2K server to fail. For details, - see the "Zone Transfers" section in doc/misc/migration. diff --git a/OPTIONS b/OPTIONS index 0be74b7aac..e69de29bb2 100644 --- a/OPTIONS +++ b/OPTIONS 
@@ -1,25 +0,0 @@ -Setting the STD_CDEFINES environment variable before running configure can -be used to enable certain compile-time options that are not explicitly -defined in configure. - -Some of these settings are: - -Setting Description - Don't ovewrite memory when allocating or freeing --DISC_MEM_FILL=0 it; this improves performance but makes - debugging more difficult. - Don't track memory allocations by file and line --DISC_MEM_TRACKLINES=0 number; this improves performance but makes - debugging more difficult. --DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named --DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular - well-known ports: --DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone --DCHECK_LOCAL=0 Don't check out-of-zone addresses in - named-checkzone --DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run - rather than ${localstatedir}/run/{named,lwresd}/ - Enable DNSSEC signature chasing support in dig. --DDIG_SIGCHASE=1 (Note: This feature is deprecated. Use delv - instead.) - diff --git a/README b/README index ad3783f958..e69de29bb2 100644 --- a/README +++ b/README 
@@ -1,469 +0,0 @@ -BIND 9 - -Contents - - 1. Introduction - 2. Reporting bugs and getting help - 3. Contributing to BIND - 4. BIND 9.10 features - 5. Building BIND - 6. Compile-time options - 7. Automated testing - 8. Documentation - 9. Change log -10. Acknowledgments - -Introduction - -BIND (Berkeley Internet Name Domain) is a complete, highly portable -implementation of the DNS (Domain Name System) protocol. - -The BIND name server, named, is able to serve as an authoritative name -server, recursive resolver, DNS forwarder, or all three simultaneously. It -implements views for split-horizon DNS, automatic DNSSEC zone signing and -key management, catalog zones to facilitate provisioning of zone data -throughout a name server constellation, response policy zones (RPZ) to -protect clients from malicious data, response rate limiting (RRL) and -recursive query limits to reduce distributed denial of service attacks, -and many other advanced DNS features. BIND also includes a suite of -administrative tools, including the dig and delv DNS lookup tools, -nsupdate for dynamic DNS zone updates, rndc for remote name server -administration, and more. - -BIND 9 is a complete re-write of the BIND architecture that was used in -versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501 -(c)(3) public benefit corporation dedicated to providing software and -services in support of the Internet infrastructure, developed BIND 9 and -is responsible for its ongoing maintenance and improvement. BIND is open -source software licenced under the terms of the Mozilla Public License, -version 2.0. - -For a summary of features introduced in past major releases of BIND, see -the file HISTORY. - -For a detailed list of changes made throughout the history of BIND 9, see -the file CHANGES. See below for details on the CHANGES file format. 
- -For up-to-date release notes and errata, see http://www.isc.org/software/ -bind9/releasenotes - -Reporting bugs and getting help - -Please report assertion failure errors and suspected security issues to -security-officer@isc.org. - -General bug reports can be sent to bind9-bugs@isc.org. - -Feature requests can be sent to bind-suggest@isc.org. - -Please note that, while ISC's ticketing system is not currently publicly -readable, this may change in the future. Please do not include information -in bug reports that you consider to be confidential. For example, when -sending the contents of your configuration file, it is advisable to -obscure key secrets; this can be done automatically by using -named-checkconf -px. - -Professional support and training for BIND are available from ISC at -https://www.isc.org/support. - -To join the BIND Users mailing list, or view the archives, visit https:// -lists.isc.org/mailman/listinfo/bind-users. - -If you're planning on making changes to the BIND 9 source code, you may -also want to join the BIND Workers mailing list, at https://lists.isc.org/ -mailman/listinfo/bind-workers. - -Contributing to BIND - -A public git repository for BIND is maintained at http://www.isc.org/git/, -and also on Github at https://github.com/isc-projects. - -Information for BIND contributors can be found in the following files: - -General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/ -style.md - BIND architecture and developer guide: doc/dev/dev.md - -Patches for BIND may be submitted either as Github pull requests or via -email. When submitting a patch via email, please prepend the subject -header with "[PATCH]" so it will be easier for us to find. If your patch -introduces a new feature in BIND, please submit it to bind-suggest@isc.org -; if it fixes a bug, please submit it to bind9-bugs@isc.org. - -BIND 9.10 features - -BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier -releases. 
New features include: - - * DNS Response-rate limiting (DNS RRL), which blunts the impact of - reflection and amplification attacks, is always compiled in and no - longer requires a compile-time option to enable it. - * An experimental "Source Identity Token" (SIT) EDNS option is now - available. Similar to DNS Cookies as invented by Donald Eastlake 3rd, - these are designed to enable clients to detect off-path spoofed - responses, and to enable servers to detect spoofed-source queries. - Servers can be configured to send smaller responses to clients that - have not identified themselves using a SIT option, reducing the - effectiveness of amplification attacks. RRL processing has also been - updated; clients proven to be legitimate via SIT are not subject to - rate limiting. Use configure --enable-sit to enable this feature in - BIND. - * A new zone file format, map, stores zone data in a format that can be - mapped directly into memory, allowing significantly faster zone - loading. - * delv (domain entity lookup and validation) is a new tool with dig-like - semantics for looking up DNS data and performing internal DNSSEC - validation. This allows easy validation in environments where the - resolver may not be trustworthy, and assists with troubleshooting of - DNSSEC problems. (NOTE: In previous development releases of BIND 9.10, - this utility was called delve. The spelling has been changed to avoid - confusion with the delve utility included with the Xapian search - engine.) - * Improved EDNS(0) processing for better resolver performance and - reliability over slow or lossy connections. - * A new configure --with-tuning=large option tunes certain compiled-in - constants and default settings to values better suited to large - servers with abundant memory. This can improve performance on such - servers, but will consume more memory and may degrade performance on - smaller systems. - * Substantial improvement in response-policy zone (RPZ) performance. 
Up - to 32 response-policy zones can be configured with minimal performance - loss. - * To improve recursive resolver performance, cache records which are - still being requested by clients can now be automatically refreshed - from the authoritative server before they expire, reducing or - eliminating the time window in which no answer is available in the - cache. - * New rpz-client-ip triggers and drop policies allowing response - policies based on the IP address of the client. - * ACLs can now be specified based on geographic location using the - MaxMind GeoIP databases. Use configure --with-geoip to enable. - * Zone data can now be shared between views, allowing multiple views to - serve the same zones authoritatively without storing multiple copies - in memory. - * New XML schema (version 3) for the statistics channel includes many - new statistics and uses a flattened XML tree for faster parsing. The - older schema is now deprecated. - * A new stylesheet, based on the Google Charts API, displays XML - statistics in charts and graphs on javascript-enabled browsers. - * The statistics channel can now provide data in JSON format as well as - XML. - * New stats counters track TCP and UDP queries received per zone, and - EDNS options received in total. - * The internal and export versions of the BIND libraries (libisc, - libdns, etc) have been unified so that external library clients can - use the same libraries as BIND itself. - * A new compile-time option, configure --enable-native-pkcs11, allows - BIND 9 cryptography functions to use the PKCS#11 API natively, so that - BIND can drive a cryptographic hardware service module (HSM) directly - instead of using a modified OpenSSL as an intermediary. (Note: This - feature requires an HSM to have a full implementation of the PKCS#11 - API; many current HSMs only have partial implementations. The new - pkcs11-tokens command can be used to check API completeness. 
Native - PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM - version 2 from the Open DNSSEC project.) - * The new max-zone-ttl option enforces maximum TTLs for zones. This can - simplify the process of rolling DNSSEC keys by guaranteeing that - cached signatures will have expired within the specified amount of - time. - * dig +subnet sends an EDNS CLIENT-SUBNET option when querying. - * dig +expire sends an EDNS EXPIRE option when querying. When this - option is sent with an SOA query to a server that supports it, it will - report the expiry time of a slave zone. - * New dnssec-coverage tool to check DNSSEC key coverage for a zone and - report if a lapse in signing coverage has been inadvertently - scheduled. - * Signing algorithm flexibility and other improvements for the rndc - control channel. - * named-checkzone and named-compilezone can now read journal files, - allowing them to process dynamic zones. - * Multiple DLZ databases can now be configured. Individual zones can be - configured to be served from a specific DLZ database. DLZ databases - now serve zones of type master and redirect. - * rndc zonestatus reports information about a specified zone. - * named now listens on IPv6 as well as IPv4 interfaces by default. - * named now preserves the capitalization of names when responding to - queries: for instance, a query for "example.com" may be answered with - "example.COM" if the name was configured that way in the zone file. - Some clients have a bug causing them to depend on the older behavior, - in which the case of the answer always matched the case of the query, - rather than the case of the name configured in the DNS. Such clients - can now be specified in the new no-case-compress ACL; this will - restore the older behavior of named for those clients only. - * new dnssec-importkey command allows the use of offline DNSSEC keys - with automatic DNSKEY management. 
- * New named-rrchecker tool to verify the syntactic correctness of - individual resource records. - * When re-signing a zone, the new dnssec-signzone -Q option drops - signatures from keys that are still published but are no longer - active. - * named-checkconf -px will print the contents of configuration files - with the shared secrets obscured, making it easier to share - configuration (e.g. when submitting a bug report) without revealing - private information. - * rndc scan causes named to re-scan network interfaces for changes in - local addresses. - * On operating systems with support for routing sockets, network - interfaces are re-scanned automatically whenever they change. - * tsig-keygen is now available as an alternate command name to use for - ddns-confgen. - -BIND 9.10.1 - -BIND 9.10.1 is a maintenance release, and addresses the security flaws -described in CVE-2014-3214 and CVE-2014-3859. - -BIND 9.10.2 - -BIND 9.10.2 is a maintenance release, and addresses the security flaws -described in CVE-2014-8500, CVE-2014-8680 and CVE-2015-1349. - -BIND 9.10.3 - -BIND 9.10.3 is a maintenance release, and addresses the security flaws -described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and -CVE-2015-5986. - -It also makes the following new features available: - - * New "fetchlimit" quotas are now available for the use of recursive - resolvers that are are under high query load for domains whose - authoritative servers are nonresponsive or are experiencing a denial - of service attack. - - + fetches-per-server limits the number of simultaneous queries that - can be sent to any single authoritative server. The configured - value is a starting point; it is automatically adjusted downward - if the server is partially or completely non-responsive. The - algorithm used to adjust the quota can be configured via the - fetch-quota-params option. - + fetches-per-zone limits the number of simultaneous queries that - can be sent for names within a single domain. 
(Note: Unlike - fetches-per-server, this value is not self-tuning.) - + New stats counters have been added to count queries spilled due to - these quotas. - -NOTE: These features are NOT built in by default; use configure ---enable-fetchlimit to enable them. - - * dig now supports sending of arbitrary EDNS options by specifying them - on the command line. - -BIND 9.10.4 - -BIND 9.10.4 is a maintenance release, and addresses the security flaws -described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704, CVE-2015-8705, -CVE-2016-1285, CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and -CVE-2016-2776. - -BIND 9.10.5 - -BIND 9.10.5 is a maintenance release, and addresses the security flaws -disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864, -CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136, -CVE-2017-3137, and CVE-2017-3138. - -Building BIND - -BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX -support, and a 64-bit integer type. Successful builds have been observed -on many versions of Linux and UNIX, including RedHat, Fedora, Debian, -Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, -HP-UX, AIX, SCO OpenServer, and OpenWRT. - -BIND is also available for Windows XP, 2003, 2008, and higher. See -win32utils/readme1st.txt for details on building for Windows systems. - -To build on a UNIX or Linux system, use: - - $ ./configure - $ make - -(NOTE: Using multiple processors in make is not reliable and is not -advised.) - -If you're planning on making changes to the BIND 9 source, you should run -make depend. If you're using Emacs, you might find make tags helpful. - -Several environment variables that can be set before running configure -will affect compilation: - -Variable Description -CC The C compiler to use. configure tries to figure out the - right one for supported systems. - C compiler flags. Defaults to include -g and/or -O2 as -CFLAGS supported by the compiler. 
Please include '-g' if you need - to set CFLAGS. - System header file directories. Can be used to specify -STD_CINCLUDES where add-on thread or IPv6 support is, for example. - Defaults to empty string. - Any additional preprocessor symbols you want defined. -STD_CDEFINES Defaults to empty string. For a list of possible settings, - see the file OPTIONS. -LDFLAGS Linker flags. Defaults to empty string. -BUILD_CC Needed when cross-compiling: the native C compiler to use - when building for the target system. -BUILD_CFLAGS Optional, used for cross-compiling -BUILD_CPPFLAGS -BUILD_LDFLAGS -BUILD_LIBS - -Compile-time options - -To see a full list of configuration options, run configure --help. - -On most platforms, BIND 9 is built with multithreading support, allowing -it to take advantage of multiple CPUs. You can configure this by -specifying --enable-threads or --disable-threads on the configure command -line. The default is to enable threads, except on some older operating -systems on which threads are known to have had problems in the past. -(Note: Prior to BIND 9.10, the default was to disable threads on Linux -systems; this has now been reversed. On Linux systems, the threaded build -is known to change BIND's behavior with respect to file permissions; it -may be necessary to specify a user with the -u option when running named.) - -To build shared libraries, specify --with-libtool on the configure command -line. - -Certain compiled-in constants and default settings can be increased to -values better suited to large servers with abundant memory resources (e.g, -64-bit servers with 12G or more of memory) by specifying --with-tuning= -large on the configure command line. This can improve performance on big -servers, but will consume more memory and may degrade performance on -smaller systems. - -For the server to support DNSSEC, you need to build it with crypto -support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer -installed. 
If the OpenSSL library is installed in a nonstandard location, -specify the prefix using "--with-openssl=/prefix" on the configure command -line. To use a PKCS#11 hardware service module for cryptographic -operations, specify the path to the PKCS#11 provider library using -"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11". - -To support the HTTP statistics channel, the server must be linked with at -least one of the following: libxml2 http://xmlsoft.org or json-c https:// -github.com/json-c. If these are installed at a nonstandard location, -specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix. - -To support GeoIP location-based ACLs, the server must be linked with -libGeoIP. This is not turned on by default; BIND must be configured with -"--with-geoip". If the library is installed in a nonstandard location, use -specify the prefix using "--with-geoip=/prefix". - -Python requires the 'argparse' module to be available. 'argparse' is a -standard module as of Python 2.7 and Python 3.2. - -On some platforms it is necessary to explicitly request large file support -to handle files bigger than 2GB. This can be done by using ---enable-largefile on the configure command line. - -Support for the "fixed" rrset-order option can be enabled or disabled by -specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure -command line. By default, fixed rrset-order is disabled to reduce memory -footprint. - -If your operating system has integrated support for IPv6, it will be used -automatically. If you have installed KAME IPv6 separately, use --with-kame -[=PATH] to specify its location. - -make install will install named and the various BIND 9 libraries. By -default, installation is into /usr/local, but this can be changed with the ---prefix option when running configure. 
- -You may specify the option --sysconfdir to set the directory where -configuration files like named.conf go by default, and --localstatedir to -set the default parent directory of run/named.pid. For backwards -compatibility with BIND 8, --sysconfdir defaults to /etc and ---localstatedir defaults to /var if no --prefix option is given. If there -is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir -defaults to $prefix/var. - -Automated testing - -A system test suite can be run with make test. The system tests require -you to configure a set of virtual IP addresses on your system (this allows -multiple servers to run locally and communicate with one another). These -IP addresses can be configured by by running the script bin/tests/system/ -ifconfig.sh up as root. - -Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, -and will be skipped if these are not available. Some tests require Python -and the 'dnspython' module and will be skipped if these are not available. -See bin/tests/system/README for further details. - -Unit tests are implemented using Automated Testing Framework (ATF). To run -them, use configure --with-atf, then run make test or make unit. - -Documentation - -The BIND 9 Administrator Reference Manual is included with the source -distribution, in DocBook XML, HTML and PDF format, in the doc/arm -directory. - -Some of the programs in the BIND 9 distribution have man pages in their -directories. In particular, the command line options of named are -documented in bin/named/named.8. - -Frequently (and not-so-frequently) asked questions and their answers can -be found in the ISC Knowledge Base at https://kb.isc.org. - -Additional information on various subjects can be found in other README -files throughout the source tree. - -Change log - -A detailed list of all changes that have been made throughout the -development BIND 9 is included in the file CHANGES, with the most recent -changes listed first. 
Change notes include tags indicating the category of -the change that was made; these categories are: - -Category Description -[func] New feature -[bug] General bug fix -[security] Fix for a significant security flaw -[experimental] Used for new features when the syntax or other aspects of - the design are still in flux and may change -[port] Portability enhancement -[maint] Updates to built-in data such as root server addresses and - keys -[tuning] Changes to built-in configuration defaults and constants to - improve performance -[performance] Other changes to improve server performance -[protocol] Updates to the DNS protocol such as new RR types -[test] Changes to the automatic tests, not affecting server - functionality -[cleanup] Minor corrections and refactoring -[doc] Documentation -[contrib] Changes to the contributed tools and libraries in the - 'contrib' subdirectory - Used in the master development branch to reserve change -[placeholder] numbers for use in other branches, e.g. when fixing a bug - that only exists in older releases - -In general, [func] and [experimental] tags will only appear in new-feature -releases (i.e., those with version numbers ending in zero). Some new -functionality may be backported to older releases on a case-by-case basis. -All other change types may be applied to all currently-supported releases. - -Acknowledgments - - * The original development of BIND 9 was underwritten by the following - organizations: - - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. - - * This product includes software developed by the OpenSSL Project for - use in the OpenSSL Toolkit. 
http://www.OpenSSL.org/ - * This product includes cryptographic software written by Eric Young - (eay@cryptsoft.com) - * This product includes software written by Tim Hudson - (tjh@cryptsoft.com) - diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index b5c4d0db27..4d480814b1 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -18,12 +18,12 @@ .\" Title: named.conf .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-01-08 +.\" Date: 2016-12-02 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "NAMED\&.CONF" "5" "2014\-01\-08" "ISC" "BIND9" +.TH "NAMED\&.CONF" "5" "2016\-12\-02" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -44,7 +44,7 @@ .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" -named.conf \- configuration file for named +named.conf \- configuration file for \fBnamed\fR .SH "SYNOPSIS" .HP \w'\fBnamed\&.conf\fR\ 'u \fBnamed\&.conf\fR 
@@ -70,87 +70,6 @@ acl \fIstring\fR { \fIaddress_match_element\fR; \&.\&.\&. }; .if n \{\ .RE .\} -.SH "KEY" -.sp -.if n \{\ -.RS 4 -.\} -.nf -key \fIdomain_name\fR { - algorithm \fIstring\fR; - secret \fIstring\fR; -}; -.fi -.if n \{\ -.RE -.\} -.SH "MASTERS" -.sp -.if n \{\ -.RS 4 -.\} -.nf -masters \fIstring\fR [ port \fIinteger\fR ] { - ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; \&.\&.\&. -}; -.fi -.if n \{\ -.RE -.\} -.SH "SERVER" -.sp -.if n \{\ -.RS 4 -.\} -.nf -server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { - bogus \fIboolean\fR; - edns \fIboolean\fR; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - tcp\-only \fIboolean\fR; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - keys \fIserver_key\fR; - transfers \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - support\-ixfr \fIboolean\fR; // obsolete -}; -.fi -.if n \{\ -.RE -.\} -.SH "TRUSTED-KEYS" -.sp -.if n \{\ -.RS 4 -.\} -.nf -trusted\-keys { - \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&. -}; -.fi -.if n \{\ -.RE -.\} -.SH "MANAGED-KEYS" -.sp -.if n \{\ -.RS 4 -.\} -.nf -managed\-keys { - \fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&. -}; -.fi -.if n \{\ -.RE -.\} .SH "CONTROLS" .sp .if n \{\ 
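Review bot: the TRUSTED-KEYS and KEY synopses removed here carry field names that the replacements elsewhere in this patch do not. The old trusted-keys entry reads `domain_name flags protocol algorithm key`, while the re-added one is `string integer integer integer quoted_string`, so a reader can no longer tell which integer is the flags field, which the protocol and which the algorithm. Likewise `key domain_name` becomes `key string`. For statements that configure DNSSEC trust anchors and TSIG keys, keep the descriptive field names in the re-added sections. Also note that the old SERVER block listed `support-ixfr boolean; // obsolete` and the new one drops it without a mention; say in the commit message whether obsolete options are now omitted on purpose.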
@@ -158,11 +77,41 @@ managed\-keys { .\} .nf controls { - inet ( \fIipv4_address\fR | \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ] - allow { \fIaddress_match_element\fR; \&.\&.\&. } - [ keys { \fIstring\fR; \&.\&.\&. } ]; - unix \fIunsupported\fR; // not implemented + inet ( \fIipv4_address\fR | \fIipv6_address\fR | + * ) [ port ( \fIinteger\fR | * ) ] allow + { \fIaddress_match_element\fR; \&.\&.\&. } [ + keys { \fIstring\fR; \&.\&.\&. } ]; + unix \fIquoted_string\fR perm \fIinteger\fR + owner \fIinteger\fR group \fIinteger\fR [ + keys { \fIstring\fR; \&.\&.\&. } ]; +}; +.fi +.if n \{\ +.RE +.\} +.SH "DLZ" +.sp +.if n \{\ +.RS 4 +.\} +.nf +dlz \fIstring\fR { + database \fIstring\fR; + search \fIboolean\fR; +}; +.fi +.if n \{\ +.RE +.\} +.SH "KEY" +.sp +.if n \{\ +.RS 4 +.\} +.nf +key \fIstring\fR { + algorithm \fIstring\fR; + secret \fIstring\fR; }; .fi .if n \{\ @@ -175,17 +124,18 @@ controls { .\} .nf logging { - channel \fIstring\fR { - file \fIlog_file\fR; - syslog \fIoptional_facility\fR; - null; - stderr; - severity \fIlog_severity\fR; - print\-time \fIboolean\fR; - print\-severity \fIboolean\fR; - print\-category \fIboolean\fR; - }; category \fIstring\fR { \fIstring\fR; \&.\&.\&. }; + channel \fIstring\fR { + file \fIquoted_string\fR [ versions ( "unlimited" | \fIinteger\fR ) + ] [ size \fIsize\fR ]; + null; + print\-category \fIboolean\fR; + print\-severity \fIboolean\fR; + print\-time \fIboolean\fR; + severity \fIlog_severity\fR; + stderr; + syslog [ \fIsyslog_facility\fR ]; + }; }; .fi .if n \{\ 
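Review bot: in the controls synopsis of the @@ -158,11 +77,41 @@ hunk, the `// not implemented` marker on the unix clause is dropped while the clause grows to `unix quoted_string perm integer owner integer group integer [ keys { string; ... } ]`, and nothing in the patch says the clause is now functional. If it is still unimplemented in this branch, keep the comment. If it works, the synopsis now shows `keys` as optional on both `inet` and `unix`, and the page should state what an omitted `keys` list means for a control channel, since the bare grammar does not.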
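Review bot: in the logging channel block of the @@ -175,17 +124,18 @@ hunk, alphabetical ordering scatters the four destination clauses (`file`, `null`, `stderr`, `syslog`) among `print-category`, `print-severity`, `print-time` and `severity`, where the old order listed the destinations together first. Keep them grouped, or mark them as alternatives, so the synopsis does not read as if all four can be set on one channel. The wrap of the `file` clause also leaves a lone `]` at the start of the continuation line (`... | integer ) ` then `] [ size size ];`); break before `[ versions` instead.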
@@ -198,17 +148,42 @@ logging { .\} .nf lwres { - listen\-on [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. - }; - view \fIstring\fR \fIoptional_class\fR; - search { \fIstring\fR; \&.\&.\&. }; + listen\-on [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. }; ndots \fIinteger\fR; + search { \fIstring\fR; \&.\&.\&. }; + view \fIstring\fR [ \fIclass\fR ]; }; .fi .if n \{\ .RE .\} +.SH "MANAGED-KEYS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR + \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; +.fi +.if n \{\ +.RE +.\} +.SH "MASTERS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +masters \fIstring\fR [ port \fIinteger\fR ] [ dscp + \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ + port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. }; +.fi +.if n \{\ +.RE +.\} .SH "OPTIONS" .sp .if n \{\ 
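Review bot: the re-added MANAGED-KEYS synopsis loses the literal `initial-key` keyword. The version removed earlier in this patch reads `domain_name initial-key flags protocol algorithm key`, with `initial-key` in bold as a fixed token; the new text is `managed-keys { string string integer integer integer quoted_string; ... };`, which presents the second field as a free-form string and leaves the three integers unnamed. Restore the keyword and the field names here. In the lwres block, `listen-on` and the MASTERS statement gain `[ dscp integer ]`, but the SYNOPSIS gives no range or meaning for the value; add a pointer to where `dscp` is described.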
@@ -216,353 +191,644 @@ lwres { .\} .nf options { - avoid\-v4\-udp\-ports { \fIport\fR; \&.\&.\&. }; - avoid\-v6\-udp\-ports { \fIport\fR; \&.\&.\&. }; - blackhole { \fIaddress_match_element\fR; \&.\&.\&. }; - coresize \fIsize\fR; - datasize \fIsize\fR; - directory \fIquoted_string\fR; - dump\-file \fIquoted_string\fR; - files \fIsize\fR; - heartbeat\-interval \fIinteger\fR; - host\-statistics \fIboolean\fR; // not implemented - host\-statistics\-max \fInumber\fR; // not implemented - hostname ( \fIquoted_string\fR | none ); - interface\-interval \fIinteger\fR; - listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. }; - listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. }; - match\-mapped\-addresses \fIboolean\fR; - memstatistics\-file \fIquoted_string\fR; - pid\-file ( \fIquoted_string\fR | none ); - port \fIinteger\fR; - querylog \fIboolean\fR; - recursing\-file \fIquoted_string\fR; - reserved\-sockets \fIinteger\fR; - random\-device \fIquoted_string\fR; - recursive\-clients \fIinteger\fR; - serial\-query\-rate \fIinteger\fR; - server\-id ( \fIquoted_string\fR | hostname | none ); - stacksize \fIsize\fR; - statistics\-file \fIquoted_string\fR; - statistics\-interval \fIinteger\fR; // not yet implemented - tcp\-clients \fIinteger\fR; - tcp\-listen\-queue \fIinteger\fR; - tkey\-dhkey \fIquoted_string\fR \fIinteger\fR; - tkey\-gssapi\-credential \fIquoted_string\fR; - tkey\-gssapi\-keytab \fIquoted_string\fR; - tkey\-domain \fIquoted_string\fR; - transfers\-per\-ns \fIinteger\fR; - transfers\-in \fIinteger\fR; - transfers\-out \fIinteger\fR; - version ( \fIquoted_string\fR | none ); - allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - sortlist { \fIaddress_match_element\fR; \&.\&.\&. }; - topology { \fIaddress_match_element\fR; \&.\&.\&. 
}; // not implemented - auth\-nxdomain \fIboolean\fR; // default changed - minimal\-responses \fIboolean\fR; - recursion \fIboolean\fR; - rrset\-order { - [ class \fIstring\fR ] [ type \fIstring\fR ] - [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. - }; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - rfc2308\-type1 \fIboolean\fR; // not yet implemented + acache\-cleaning\-interval \fIinteger\fR; + acache\-enable \fIboolean\fR; additional\-from\-auth \fIboolean\fR; additional\-from\-cache \fIboolean\fR; - query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - use\-queryport\-pool \fIboolean\fR; - queryport\-pool\-ports \fIinteger\fR; - queryport\-pool\-updateinterval \fIinteger\fR; - cleaning\-interval \fIinteger\fR; - resolver\-query\-timeout \fIinteger\fR; - min\-roots \fIinteger\fR; // not implemented - lame\-ttl \fIinteger\fR; - max\-ncache\-ttl \fIinteger\fR; - max\-cache\-ttl \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - max\-cache\-size \fIsize\fR; - max\-acache\-size \fIsize\fR; - clients\-per\-query \fInumber\fR; - max\-clients\-per\-query \fInumber\fR; - check\-names ( master | slave | response ) - ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; // test option - suppress\-initial\-notify \fIboolean\fR; // not yet implemented - preferred\-glue \fIstring\fR; - dual\-stack\-servers [ port \fIinteger\fR ] { - ( \fIquoted_string\fR [port \fIinteger\fR] | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&. 
- }; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; - disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. }; - disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. }; - dnssec\-enable \fIboolean\fR; - dnssec\-validation \fIboolean\fR; - dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR ); - dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; - dnssec\-accept\-expired \fIboolean\fR; - dns64\-server \fIstring\fR; - dns64\-contact \fIstring\fR; - dns64 \fIprefix\fR { - clients { acl; }; - exclude { acl; }; - mapped { acl; }; - break\-dnssec \fIboolean\fR; - recursive\-only \fIboolean\fR; - suffix \fIipv6_address\fR; - }; - empty\-server \fIstring\fR; - empty\-contact \fIstring\fR; - empty\-zones\-enable \fIboolean\fR; - disable\-empty\-zone \fIstring\fR; - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIixfrdiff\fR; + allow\-new\-zones \fIboolean\fR; + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. 
}; - update\-check\-ksk \fIboolean\fR; - dnssec\-dnskey\-kskonly \fIboolean\fR; - masterfile\-format ( text | raw | map ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - notify\-to\-soa \fIboolean\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; \&.\&.\&. - [ key \fIkeyname\fR ] \&.\&.\&. }; - allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; - forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. }; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + attach\-cache \fIstring\fR; + auth\-nxdomain \fIboolean\fR; // default changed + auto\-dnssec ( allow | maintain | off ); + automatic\-interface\-scan \fIboolean\fR; + avoid\-v4\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + avoid\-v6\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + bindkeys\-file \fIquoted_string\fR; + blackhole { \fIaddress_match_element\fR; \&.\&.\&. 
}; + cache\-file \fIquoted_string\fR; + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( master | slave | response + ) ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + cleaning\-interval \fIinteger\fR; + clients\-per\-query \fIinteger\fR; + coresize ( default | unlimited | \fIsizeval\fR ); + datasize ( default | unlimited | \fIsizeval\fR ); + deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [ + except\-from { \fIquoted_string\fR; \&.\&.\&. } ]; + deny\-answer\-aliases { \fIquoted_string\fR; \&.\&.\&. } [ except\-from { + \fIquoted_string\fR; \&.\&.\&. } ]; + dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR ); + directory \fIquoted_string\fR; + disable\-algorithms \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-ds\-digests \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-empty\-zone \fIstring\fR; + dns64 \fInetprefix\fR { + break\-dnssec \fIboolean\fR; + clients { \fIaddress_match_element\fR; \&.\&.\&. }; + exclude { \fIaddress_match_element\fR; \&.\&.\&. }; + mapped { \fIaddress_match_element\fR; \&.\&.\&. 
}; + recursive\-only \fIboolean\fR; + suffix \fIipv6_address\fR; }; + dns64\-contact \fIstring\fR; + dns64\-server \fIstring\fR; + dnssec\-accept\-expired \fIboolean\fR; + dnssec\-dnskey\-kskonly \fIboolean\fR; + dnssec\-enable \fIboolean\fR; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-lookaside ( \fIstring\fR trust\-anchor + \fIstring\fR | auto | no ); + dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + dnssec\-validation ( yes | no | auto ); + dscp \fIinteger\fR; + dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] ); \&.\&.\&. }; + dump\-file \fIquoted_string\fR; + edns\-udp\-size \fIinteger\fR; + empty\-contact \fIstring\fR; + empty\-server \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + fetch\-quota\-params \fIinteger\fR \fIfixedpoint\fR + \fIfixedpoint\fR \fIfixedpoint\fR; + fetches\-per\-server \fIinteger\fR [ ( drop | fail ) ]; + fetches\-per\-zone \fIinteger\fR [ ( drop | fail ) ]; + files ( default | unlimited | \fIsizeval\fR ); + filter\-aaaa { \fIaddress_match_element\fR; \&.\&.\&. }; + filter\-aaaa\-on\-v4 ( break\-dnssec | \fIboolean\fR ); + filter\-aaaa\-on\-v6 ( break\-dnssec | \fIboolean\fR ); + flush\-zones\-on\-shutdown \fIboolean\fR; + forward ( first | only ); + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. 
}; + geoip\-directory ( \fIquoted_string\fR | none ); + heartbeat\-interval \fIinteger\fR; + hostname ( \fIquoted_string\fR | none ); + inline\-signing \fIboolean\fR; + interface\-interval \fIinteger\fR; + ixfr\-from\-differences ( master | slave | \fIboolean\fR ); + key\-directory \fIquoted_string\fR; + lame\-ttl \fIinteger\fR; + listen\-on [ port \fIinteger\fR ] [ dscp + \fIinteger\fR ] { + \fIaddress_match_element\fR; \&.\&.\&. }; + listen\-on\-v6 [ port \fIinteger\fR ] [ dscp + \fIinteger\fR ] { + \fIaddress_match_element\fR; \&.\&.\&. }; + managed\-keys\-directory \fIquoted_string\fR; + masterfile\-format ( map | raw | text ); + match\-mapped\-addresses \fIboolean\fR; + max\-acache\-size \fIsize_no_default\fR; + max\-cache\-size \fIsize_no_default\fR; + max\-cache\-ttl \fIinteger\fR; + max\-clients\-per\-query \fIinteger\fR; max\-journal\-size \fIsize_no_default\fR; + max\-ncache\-ttl \fIinteger\fR; max\-records \fIinteger\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; + max\-recursion\-depth \fIinteger\fR; + max\-recursion\-queries \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; + max\-rsa\-exponent\-size \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; + max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-udp\-size \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); + memstatistics \fIboolean\fR; + memstatistics\-file \fIquoted_string\fR; min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; + minimal\-responses \fIboolean\fR; multi\-master \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - sig\-re\-signing\-interval \fIinteger\fR; + no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. 
}; + nosit\-udp\-size \fIinteger\fR;, experimental + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + pid\-file ( \fIquoted_string\fR | none ); + port \fIinteger\fR; + preferred\-glue \fIstring\fR; + prefetch \fIinteger\fR [ \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + querylog \fIboolean\fR; + random\-device \fIquoted_string\fR; + rate\-limit { + all\-per\-second \fIinteger\fR; + errors\-per\-second \fIinteger\fR; + exempt\-clients { \fIaddress_match_element\fR; \&.\&.\&. 
}; + ipv4\-prefix\-length \fIinteger\fR; + ipv6\-prefix\-length \fIinteger\fR; + log\-only \fIboolean\fR; + max\-table\-size \fIinteger\fR; + min\-table\-size \fIinteger\fR; + nodata\-per\-second \fIinteger\fR; + nxdomains\-per\-second \fIinteger\fR; + qps\-scale \fIinteger\fR; + referrals\-per\-second \fIinteger\fR; + responses\-per\-second \fIinteger\fR; + slip \fIinteger\fR; + window \fIinteger\fR; + }; + recursing\-file \fIquoted_string\fR; + recursion \fIboolean\fR; + recursive\-clients \fIinteger\fR; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + request\-sit \fIboolean\fR;, experimental + reserved\-sockets \fIinteger\fR; + resolver\-query\-timeout \fIinteger\fR; + response\-policy { zone \fIquoted_string\fR [ policy ( cname | disabled + | drop | given | no\-op | nodata | nxdomain | passthru | + tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ + max\-policy\-ttl \fIinteger\fR ]; \&.\&.\&. } [ recursive\-only \fIboolean\fR ] + [ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIinteger\fR ] [ + min\-ns\-dots \fIinteger\fR ] [ qname\-wait\-recurse \fIboolean\fR ]; + root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; + rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name + \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. 
}; + secroots\-file \fIquoted_string\fR; + serial\-query\-rate \fIinteger\fR; + serial\-update\-method ( increment | unixtime ); + server\-id ( \fIquoted_string\fR | none | hostname ); + session\-keyalg \fIstring\fR; + session\-keyfile ( \fIquoted_string\fR | none ); + session\-keyname \fIstring\fR; sig\-signing\-nodes \fIinteger\fR; sig\-signing\-signatures \fIinteger\fR; sig\-signing\-type \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; - key\-directory \fIquoted_string\fR; - managed\-keys\-directory \fIquoted_string\fR; - auto\-dnssec \fBallow\fR|\fBmaintain\fR|\fBoff\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + sit\-secret \fIstring\fR;, experimental + sortlist { \fIaddress_match_element\fR; \&.\&.\&. 
}; + stacksize ( default | unlimited | \fIsizeval\fR ); + statistics\-file \fIquoted_string\fR; + tcp\-clients \fIinteger\fR; + tcp\-listen\-queue \fIinteger\fR; + tkey\-dhkey \fIquoted_string\fR \fIinteger\fR; + tkey\-domain \fIquoted_string\fR; + tkey\-gssapi\-credential \fIquoted_string\fR; + tkey\-gssapi\-keytab \fIquoted_string\fR; + transfer\-format ( many\-answers | one\-answer ); + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + transfers\-in \fIinteger\fR; + transfers\-out \fIinteger\fR; + transfers\-per\-ns \fIinteger\fR; + trust\-anchor\-telemetry \fIboolean\fR; // experimental try\-tcp\-refresh \fIboolean\fR; + update\-check\-ksk \fIboolean\fR; + use\-alt\-transfer\-source \fIboolean\fR; + use\-v4\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + use\-v6\-udp\-ports { \fIportrange\fR; \&.\&.\&. }; + version ( \fIquoted_string\fR | none ); zero\-no\-soa\-ttl \fIboolean\fR; zero\-no\-soa\-ttl\-cache \fIboolean\fR; - dnssec\-secure\-to\-insecure \fIboolean\fR; - automatic\-interface\-scan \fIboolean\fR; - deny\-answer\-addresses { - \fIaddress_match_list\fR - } [ except\-from { \fInamelist\fR } ]; - deny\-answer\-aliases { - \fInamelist\fR - } [ except\-from { \fInamelist\fR } ]; - nsec3\-test\-zone \fIboolean\fR; // testing only - allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. 
}; // obsolete - deallocate\-on\-exit \fIboolean\fR; // obsolete - fake\-iquery \fIboolean\fR; // obsolete - fetch\-glue \fIboolean\fR; // obsolete - has\-old\-clients \fIboolean\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete - multiple\-cnames \fIboolean\fR; // obsolete - named\-xfer \fIquoted_string\fR; // obsolete - serial\-queries \fIinteger\fR; // obsolete - treat\-cr\-as\-space \fIboolean\fR; // obsolete - use\-id\-pool \fIboolean\fR; // obsolete - use\-ixfr \fIboolean\fR; // obsolete + zone\-statistics ( full | terse | none | \fIboolean\fR ); }; .fi .if n \{\ .RE .\} +.SH "SERVER" +.sp +.if n \{\ +.RS 4 +.\} +.nf +server \fInetprefix\fR { + bogus \fIboolean\fR; + edns \fIboolean\fR; + edns\-udp\-size \fIinteger\fR; + keys \fIserver_key\fR; + max\-udp\-size \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + request\-sit \fIboolean\fR;, experimental + tcp\-only \fIboolean\fR; + transfer\-format ( many\-answers | one\-answer ); + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + transfers \fIinteger\fR; +}; +.fi +.if n \{\ +.RE +.\} +.SH "STATISTICS-CHANNELS" +.sp +.if n \{\ +.RS 4 +.\} 
+.nf +statistics\-channels { + inet ( \fIipv4_address\fR | \fIipv6_address\fR | + * ) [ port ( \fIinteger\fR | * ) ] [ + allow { \fIaddress_match_element\fR; \&.\&.\&. + } ]; +}; +.fi +.if n \{\ +.RE +.\} +.SH "TRUSTED-KEYS" +.sp +.if n \{\ +.RS 4 +.\} +.nf +trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR + \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; +.fi +.if n \{\ +.RE +.\} .SH "VIEW" .sp .if n \{\ .RS 4 .\} .nf -view \fIstring\fR \fIoptional_class\fR { - match\-clients { \fIaddress_match_element\fR; \&.\&.\&. }; - match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. }; - match\-recursive\-only \fIboolean\fR; +view \fIstring\fR [ \fIclass\fR ] { + acache\-cleaning\-interval \fIinteger\fR; + acache\-enable \fIboolean\fR; + additional\-from\-auth \fIboolean\fR; + additional\-from\-cache \fIboolean\fR; + allow\-new\-zones \fIboolean\fR; + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. 
}; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + attach\-cache \fIstring\fR; + auth\-nxdomain \fIboolean\fR; // default changed + auto\-dnssec ( allow | maintain | off ); + cache\-file \fIquoted_string\fR; + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( master | slave | response + ) ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + cleaning\-interval \fIinteger\fR; + clients\-per\-query \fIinteger\fR; + deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [ + except\-from { \fIquoted_string\fR; \&.\&.\&. } ]; + deny\-answer\-aliases { \fIquoted_string\fR; \&.\&.\&. } [ except\-from { + \fIquoted_string\fR; \&.\&.\&. } ]; + dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR ); + disable\-algorithms \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-ds\-digests \fIstring\fR { \fIstring\fR; + \&.\&.\&. }; + disable\-empty\-zone \fIstring\fR; + dlz \fIstring\fR { + database \fIstring\fR; + search \fIboolean\fR; + }; + dns64 \fInetprefix\fR { + break\-dnssec \fIboolean\fR; + clients { \fIaddress_match_element\fR; \&.\&.\&. }; + exclude { \fIaddress_match_element\fR; \&.\&.\&. }; + mapped { \fIaddress_match_element\fR; \&.\&.\&. 
}; + recursive\-only \fIboolean\fR; + suffix \fIipv6_address\fR; + }; + dns64\-contact \fIstring\fR; + dns64\-server \fIstring\fR; + dnssec\-accept\-expired \fIboolean\fR; + dnssec\-dnskey\-kskonly \fIboolean\fR; + dnssec\-enable \fIboolean\fR; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-lookaside ( \fIstring\fR trust\-anchor + \fIstring\fR | auto | no ); + dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + dnssec\-validation ( yes | no | auto ); + dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] [ dscp \fIinteger\fR ] ); \&.\&.\&. }; + edns\-udp\-size \fIinteger\fR; + empty\-contact \fIstring\fR; + empty\-server \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + fetch\-quota\-params \fIinteger\fR \fIfixedpoint\fR + \fIfixedpoint\fR \fIfixedpoint\fR; + fetches\-per\-server \fIinteger\fR [ ( drop | fail ) ]; + fetches\-per\-zone \fIinteger\fR [ ( drop | fail ) ]; + filter\-aaaa { \fIaddress_match_element\fR; \&.\&.\&. }; + filter\-aaaa\-on\-v4 ( break\-dnssec | \fIboolean\fR ); + filter\-aaaa\-on\-v6 ( break\-dnssec | \fIboolean\fR ); + forward ( first | only ); + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. }; + inline\-signing \fIboolean\fR; + ixfr\-from\-differences ( master | slave | \fIboolean\fR ); key \fIstring\fR { algorithm \fIstring\fR; secret \fIstring\fR; }; - zone \fIstring\fR \fIoptional_class\fR { - \&.\&.\&. - }; - server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { - \&.\&.\&. - }; - trusted\-keys { - \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; - [\&.\&.\&.] 
- }; - managed\-keys { - \fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; - [\&.\&.\&.] - }; - allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - sortlist { \fIaddress_match_element\fR; \&.\&.\&. }; - topology { \fIaddress_match_element\fR; \&.\&.\&. }; // not implemented - auth\-nxdomain \fIboolean\fR; // default changed - minimal\-responses \fIboolean\fR; - recursion \fIboolean\fR; - rrset\-order { - [ class \fIstring\fR ] [ type \fIstring\fR ] - [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. - }; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - rfc2308\-type1 \fIboolean\fR; // not yet implemented - additional\-from\-auth \fIboolean\fR; - additional\-from\-cache \fIboolean\fR; - query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - use\-queryport\-pool \fIboolean\fR; - queryport\-pool\-ports \fIinteger\fR; - queryport\-pool\-updateinterval \fIinteger\fR; - cleaning\-interval \fIinteger\fR; - resolver\-query\-timeout \fIinteger\fR; - min\-roots \fIinteger\fR; // not implemented + key\-directory \fIquoted_string\fR; lame\-ttl \fIinteger\fR; - max\-ncache\-ttl \fIinteger\fR; + managed\-keys { \fIstring\fR \fIstring\fR + \fIinteger\fR \fIinteger\fR \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. }; + masterfile\-format ( map | raw | text ); + match\-clients { \fIaddress_match_element\fR; \&.\&.\&. }; + match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. 
}; + match\-recursive\-only \fIboolean\fR; + max\-acache\-size \fIsize_no_default\fR; + max\-cache\-size \fIsize_no_default\fR; max\-cache\-ttl \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - max\-cache\-size \fIsize\fR; - max\-acache\-size \fIsize\fR; - clients\-per\-query \fInumber\fR; - max\-clients\-per\-query \fInumber\fR; - check\-names ( master | slave | response ) - ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; // test option - suppress\-initial\-notify \fIboolean\fR; // not yet implemented - preferred\-glue \fIstring\fR; - dual\-stack\-servers [ port \fIinteger\fR ] { - ( \fIquoted_string\fR [port \fIinteger\fR] | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&. - }; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; - disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. }; - disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. }; - dnssec\-enable \fIboolean\fR; - dnssec\-validation \fIboolean\fR; - dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR ); - dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; - dnssec\-accept\-expired \fIboolean\fR; - dns64\-server \fIstring\fR; - dns64\-contact \fIstring\fR; - dns64 \fIprefix\fR { - clients { acl; }; - exclude { acl; }; - mapped { acl; }; - break\-dnssec \fIboolean\fR; - recursive\-only \fIboolean\fR; - suffix \fIipv6_address\fR; - }; - empty\-server \fIstring\fR; - empty\-contact \fIstring\fR; - empty\-zones\-enable \fIboolean\fR; - disable\-empty\-zone \fIstring\fR; - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIixfrdiff\fR; - allow\-query { \fIaddress_match_element\fR; \&.\&.\&. 
}; - allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; - allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; - update\-check\-ksk \fIboolean\fR; - dnssec\-dnskey\-kskonly \fIboolean\fR; - masterfile\-format ( text | raw | map ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - notify\-to\-soa \fIboolean\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; \&.\&.\&. - [ key \fIkeyname\fR ] \&.\&.\&. }; - allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; - forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. 
- }; + max\-clients\-per\-query \fIinteger\fR; max\-journal\-size \fIsize_no_default\fR; + max\-ncache\-ttl \fIinteger\fR; max\-records \fIinteger\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; + max\-recursion\-depth \fIinteger\fR; + max\-recursion\-queries \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; + max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-udp\-size \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; + minimal\-responses \fIboolean\fR; multi\-master \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; + no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. 
}; + nosit\-udp\-size \fIinteger\fR;, experimental + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + preferred\-glue \fIstring\fR; + prefetch \fIinteger\fR [ \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ] + port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ]; + rate\-limit { + all\-per\-second \fIinteger\fR; + errors\-per\-second \fIinteger\fR; + exempt\-clients { \fIaddress_match_element\fR; \&.\&.\&. }; + ipv4\-prefix\-length \fIinteger\fR; + ipv6\-prefix\-length \fIinteger\fR; + log\-only \fIboolean\fR; + max\-table\-size \fIinteger\fR; + min\-table\-size \fIinteger\fR; + nodata\-per\-second \fIinteger\fR; + nxdomains\-per\-second \fIinteger\fR; + qps\-scale \fIinteger\fR; + referrals\-per\-second \fIinteger\fR; + responses\-per\-second \fIinteger\fR; + slip \fIinteger\fR; + window \fIinteger\fR; + }; + recursion \fIboolean\fR; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + request\-sit \fIboolean\fR;, experimental + resolver\-query\-timeout \fIinteger\fR; + response\-policy { zone \fIquoted_string\fR [ policy ( cname | disabled + | drop | given | no\-op | nodata | nxdomain | passthru | + tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ + max\-policy\-ttl \fIinteger\fR ]; \&.\&.\&. 
} [ recursive\-only \fIboolean\fR ] + [ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIinteger\fR ] [ + min\-ns\-dots \fIinteger\fR ] [ qname\-wait\-recurse \fIboolean\fR ]; + root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ]; + rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name + \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. }; + serial\-update\-method ( increment | unixtime ); + server \fInetprefix\fR { + bogus \fIboolean\fR; + edns \fIboolean\fR; + edns\-udp\-size \fIinteger\fR; + keys \fIserver_key\fR; + max\-udp\-size \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * + ) ] [ dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR + | * ) ] [ dscp \fIinteger\fR ]; + provide\-ixfr \fIboolean\fR; + query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port + ( \fIinteger\fR | * ) ] ) | ( [ [ address ] ( + \fIipv4_address\fR | * ) ] port ( \fIinteger\fR | * ) ) ) [ + dscp \fIinteger\fR ]; + query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ + port ( \fIinteger\fR | * ) ] ) | ( [ [ address ] ( + \fIipv6_address\fR | * ) ] port ( \fIinteger\fR | * ) ) ) [ + dscp \fIinteger\fR ]; + request\-ixfr \fIboolean\fR; + request\-nsid \fIboolean\fR; + request\-sit \fIboolean\fR;, experimental + tcp\-only \fIboolean\fR; + transfer\-format ( many\-answers | one\-answer ); + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + transfers \fIinteger\fR; + }; + sig\-signing\-nodes \fIinteger\fR; + sig\-signing\-signatures \fIinteger\fR; + sig\-signing\-type \fIinteger\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + sortlist { \fIaddress_match_element\fR; \&.\&.\&. 
}; + transfer\-format ( many\-answers | one\-answer ); + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + trust\-anchor\-telemetry \fIboolean\fR; // experimental + trusted\-keys { \fIstring\fR \fIinteger\fR + \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; + \&.\&.\&. }; try\-tcp\-refresh \fIboolean\fR; - key\-directory \fIquoted_string\fR; + update\-check\-ksk \fIboolean\fR; + use\-alt\-transfer\-source \fIboolean\fR; zero\-no\-soa\-ttl \fIboolean\fR; zero\-no\-soa\-ttl\-cache \fIboolean\fR; - dnssec\-secure\-to\-insecure \fIboolean\fR; - allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. }; // obsolete - fetch\-glue \fIboolean\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete + zone \fIstring\fR [ \fIclass\fR ] { + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; + allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( + \fImasters\fR | \fIipv4_address\fR [ port \fIinteger\fR ] | + \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; + \&.\&.\&. 
}; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + auto\-dnssec ( allow | maintain | off ); + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + database \fIstring\fR; + delegation\-only \fIboolean\fR; + dialup ( notify | notify\-passive | passive | refresh | + \fIboolean\fR ); + dlz \fIstring\fR; + dnssec\-dnskey\-kskonly \fIboolean\fR; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + file \fIquoted_string\fR; + forward ( first | only ); + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( + \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ + dscp \fIinteger\fR ]; \&.\&.\&. }; + in\-view \fIstring\fR; + inline\-signing \fIboolean\fR; + ixfr\-from\-differences \fIboolean\fR; + journal \fIquoted_string\fR; + key\-directory \fIquoted_string\fR; + masterfile\-format ( map | raw | text ); + masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR + | \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ + port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. 
}; + max\-ixfr\-log\-size ( default | unlimited | + max\-journal\-size \fIsize_no_default\fR; + max\-records \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; + max\-transfer\-idle\-in \fIinteger\fR; + max\-transfer\-idle\-out \fIinteger\fR; + max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); + min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; + multi\-master \fIboolean\fR; + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * + ) ] [ dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR + | * ) ] [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + pubkey \fIinteger\fR + \fIinteger\fR + \fIinteger\fR + request\-ixfr \fIboolean\fR; + serial\-update\-method ( increment | unixtime ); + server\-addresses { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ + port \fIinteger\fR ]; \&.\&.\&. }; + server\-names { \fIquoted_string\fR; \&.\&.\&. 
}; + sig\-signing\-nodes \fIinteger\fR; + sig\-signing\-signatures \fIinteger\fR; + sig\-signing\-type \fIinteger\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( + \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + try\-tcp\-refresh \fIboolean\fR; + type ( delegation\-only | forward | hint | master | redirect + | slave | static\-stub | stub ); + update\-check\-ksk \fIboolean\fR; + update\-policy ( local | { ( deny | grant ) \fIstring\fR ( + 6to4\-self | external | krb5\-self | krb5\-subdomain | + ms\-self | ms\-subdomain | name | self | selfsub | + selfwild | subdomain | tcp\-self | wildcard | zonesub ) + [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. }; + use\-alt\-transfer\-source \fIboolean\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zone\-statistics ( full | terse | none | \fIboolean\fR ); + }; + zone\-statistics ( full | terse | none | \fIboolean\fR ); }; .fi .if n \{\ 
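Review bot: In the nested `zone` block near the end of this hunk, `max\-ixfr\-log\-size ( default | unlimited |` is added with its alternation never closed and no terminating `;`, and `pubkey` is added as three `\fIinteger\fR` fields with no terminating `;`, so the `max\-journal\-size` and `request\-ixfr` lines that follow read as continuations of them. Complete both statements or drop them if they are obsolete. `nosit\-udp\-size` and `request\-sit` (in the view body and again inside `server`) end in `;, experimental`, while `trust\-anchor\-telemetry` in the same hunk uses `; // experimental`; the comment form should be used throughout. The new `managed\-keys` entry also replaces the named fields of the removed line (`\fIdomain_name\fR`, `\fBinitial\-key\fR`, `\fIflags\fR`, `\fIprotocol\fR`, `\fIalgorithm\fR`, `\fIkey\fR`) with bare `\fIstring\fR` and `\fIinteger\fR` types, which makes a trust-anchor entry harder to write correctly from the synopsis alone; consider keeping the field names.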
@@ -574,87 +840,96 @@ view \fIstring\fR \fIoptional_class\fR { .RS 4 .\} .nf -zone \fIstring\fR \fIoptional_class\fR { - type ( master | slave | stub | hint | redirect | - forward | delegation\-only ); - file \fIquoted_string\fR; - masters [ port \fIinteger\fR ] { - ( \fImasters\fR | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. - }; - database \fIstring\fR; - delegation\-only \fIboolean\fR; - check\-names ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIboolean\fR; - journal \fIquoted_string\fR; - zero\-no\-soa\-ttl \fIboolean\fR; - dnssec\-secure\-to\-insecure \fIboolean\fR; +zone \fIstring\fR [ \fIclass\fR ] { + allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update { \fIaddress_match_element\fR; \&.\&.\&. }; allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. }; - update\-policy \fIlocal\fR | \fI { - ( grant | deny ) \fR\fI\fIstring\fR\fR\fI - ( name | subdomain | wildcard | self | selfsub | selfwild | - krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain | - tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI - \fR\fI\fIrrtypelist\fR\fR\fI; - \fR\fI[\&.\&.\&.]\fR\fI - }\fR; - update\-check\-ksk \fIboolean\fR; + also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. 
}; + alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; + alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | + * ) ] [ dscp \fIinteger\fR ]; + auto\-dnssec ( allow | maintain | off ); + check\-dup\-records ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx ( fail | warn | ignore ); + check\-mx\-cname ( fail | warn | ignore ); + check\-names ( fail | warn | ignore ); + check\-sibling \fIboolean\fR; + check\-spf ( warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + check\-wildcard \fIboolean\fR; + database \fIstring\fR; + delegation\-only \fIboolean\fR; + dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR ); + dlz \fIstring\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; - masterfile\-format ( text | raw | map ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - notify\-to\-soa \fIboolean\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; \&.\&.\&. - [ key \fIkeyname\fR ] \&.\&.\&. }; - allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. }; + dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-secure\-to\-insecure \fIboolean\fR; + dnssec\-update\-mode ( maintain | no\-resign ); + file \fIquoted_string\fR; forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. - }; + forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR + | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. 
}; + in\-view \fIstring\fR; + inline\-signing \fIboolean\fR; + ixfr\-from\-differences \fIboolean\fR; + journal \fIquoted_string\fR; + key\-directory \fIquoted_string\fR; + masterfile\-format ( map | raw | text ); + masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | + \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port + \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. }; max\-journal\-size \fIsize_no_default\fR; max\-records \fIinteger\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; + max\-refresh\-time \fIinteger\fR; + max\-retry\-time \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; + max\-transfer\-time\-in \fIinteger\fR; + max\-transfer\-time\-out \fIinteger\fR; + max\-zone\-ttl ( unlimited | \fIttlval\fR ); min\-refresh\-time \fIinteger\fR; + min\-retry\-time \fIinteger\fR; multi\-master \fIboolean\fR; + notify ( explicit | master\-only | \fIboolean\fR ); + notify\-delay \fIinteger\fR; + notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] + [ dscp \fIinteger\fR ]; + notify\-to\-soa \fIboolean\fR; + nsec3\-test\-zone \fIboolean\fR; // test only + pubkey \fIinteger\fR \fIinteger\fR request\-ixfr \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; + serial\-update\-method ( increment | unixtime ); + 
server\-addresses { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port + \fIinteger\fR ]; \&.\&.\&. }; + server\-names { \fIquoted_string\fR; \&.\&.\&. }; + sig\-signing\-nodes \fIinteger\fR; + sig\-signing\-signatures \fIinteger\fR; + sig\-signing\-type \fIinteger\fR; + sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; + transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ + dscp \fIinteger\fR ]; + transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) + ] [ dscp \fIinteger\fR ]; try\-tcp\-refresh \fIboolean\fR; - key\-directory \fIquoted_string\fR; - nsec3\-test\-zone \fIboolean\fR; // testing only - ixfr\-base \fIquoted_string\fR; // obsolete - ixfr\-tmp\-file \fIquoted_string\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete - pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete + type ( delegation\-only | forward | hint | master | redirect | slave + | static\-stub | stub ); + update\-check\-ksk \fIboolean\fR; + update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self | + external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain + | name | self | selfsub | selfwild | subdomain | tcp\-self | + wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. }; + use\-alt\-transfer\-source \fIboolean\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zone\-statistics ( full | terse | none | \fIboolean\fR ); }; .fi .if n \{\ @@ -665,9 +940,11 @@ zone \fIstring\fR \fIoptional_class\fR { /etc/named\&.conf .SH "SEE ALSO" .PP +\fBddns-confgen\fR(8), \fBnamed\fR(8), \fBnamed-checkconf\fR(8), \fBrndc\fR(8), +\fBrndc-confgen\fR(8), BIND 9 Administrator Reference Manual\&. .SH "AUTHOR" .PP diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index e01a9b11bc..a64602b1a7 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -31,7 +31,7 @@

Name

named.conf - — configuration file for named + — configuration file for named

@@ -70,15 +70,41 @@


acl string { address_match_element; ... };
-

-

KEY

+

CONTROLS


-key domain_name {
+controls {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] allow
+     { address_match_element; ... } [
+     keys { string; ... } 
];
+ unix quoted_string perm integer
+     owner integer group integer [
+     keys { string; ... } 
];
+};
+

+
+ +
+

DLZ

+ +


+dlz string {
+ database string;
+ search boolean;
+};
+

+
+ +
+

KEY

+ +


+key string {
algorithm string;
secret string;
};
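Review bot: The new `controls` synopsis types `perm`, `owner` and `group` on the `unix` line all as bare `integer`, with nothing saying what form each value takes, and it shows `keys` as optional on both `inet` and `unix` without stating what an omitted `keys` clause means for access to the control channel. A short trailing `//` comment on those lines, as used elsewhere in this synopsis, or a pointer to the reference manual section would cover it. In the same hunk `key domain_name {` becomes `key string {`, which drops the hint about what form a key name takes; consider keeping the more specific placeholder.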
@@ -86,612 +112,817 @@ key

-

MASTERS

- -


-masters string [ port integer ] {
- ( masters | ipv4_address [port integer] |
- ipv6_address [port integer] ) [ key string ]; ...
-};
-

-
- -
-

SERVER

- -


-server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- bogus boolean;
- edns boolean;
- edns-udp-size integer;
- max-udp-size integer;
- tcp-only boolean;
- provide-ixfr boolean;
- request-ixfr boolean;
- keys server_key;
- transfers integer;
- transfer-format ( many-answers | one-answer );
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- support-ixfr boolean; // obsolete
-};
-

-
- -
-

TRUSTED-KEYS

- -


-trusted-keys {
- domain_name flags protocol algorithm key; ...
-};
-

-
- -
-

MANAGED-KEYS

- -


-managed-keys {
- domain_name initial-key flags protocol algorithm key; ...
-};
-

-
- -
-

CONTROLS

- -


-controls {
- inet ( ipv4_address | ipv6_address | * )
- [ port ( integer | * ) ]
- allow { address_match_element; ... }
- [ keys { string; ... } ];
- unix unsupported; // not implemented
-};
-

-
- -
-

LOGGING

+

LOGGING


logging {
- channel string {
- file log_file;
- syslog optional_facility;
- null;
- stderr;
- severity log_severity;
- print-time boolean;
- print-severity boolean;
- print-category boolean;
- };
category string { string; ... };
+ channel string {
+ file quoted_string [ versions ( "unlimited" | integer )
+     
] [ size size ];
+ null;
+ print-category boolean;
+ print-severity boolean;
+ print-time boolean;
+ severity log_severity;
+ stderr;
+ syslog [ syslog_facility ];
+ };
};

-

LWRES

+

LWRES


lwres {
- listen-on [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
- view string optional_class;
- search { string; ... };
+ listen-on [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
ndots integer;
+ search { string; ... };
+ view string [ class ];
};

-

OPTIONS

+

MANAGED-KEYS

+ +


+managed-keys { string string integer
+    integer integer quoted_string; ... };
+

+
+ +
+

MASTERS

+ +


+masters string [ port integer ] [ dscp
+    integer 
] { ( masters | ipv4_address [
+    port integer 
] | ipv6_address [ port
+    integer 
] ) [ key string ]; ... };
+

+
+ +
+

OPTIONS


options {
- avoid-v4-udp-ports { port; ... };
- avoid-v6-udp-ports { port; ... };
- blackhole { address_match_element; ... };
- coresize size;
- datasize size;
- directory quoted_string;
- dump-file quoted_string;
- files size;
- heartbeat-interval integer;
- host-statistics boolean; // not implemented
- host-statistics-max number; // not implemented
- hostname ( quoted_string | none );
- interface-interval integer;
- listen-on [ port integer ] { address_match_element; ... };
- listen-on-v6 [ port integer ] { address_match_element; ... };
- match-mapped-addresses boolean;
- memstatistics-file quoted_string;
- pid-file ( quoted_string | none );
- port integer;
- querylog boolean;
- recursing-file quoted_string;
- reserved-sockets integer;
- random-device quoted_string;
- recursive-clients integer;
- serial-query-rate integer;
- server-id ( quoted_string | hostname | none );
- stacksize size;
- statistics-file quoted_string;
- statistics-interval integer; // not yet implemented
- tcp-clients integer;
- tcp-listen-queue integer;
- tkey-dhkey quoted_string integer;
- tkey-gssapi-credential quoted_string;
- tkey-gssapi-keytab quoted_string;
- tkey-domain quoted_string;
- transfers-per-ns integer;
- transfers-in integer;
- transfers-out integer;
- version ( quoted_string | none );
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
+ acache-cleaning-interval integer;
+ acache-enable boolean;
additional-from-auth boolean;
additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
- max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
allow-query-cache { address_match_element; ... };
allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ automatic-interface-scan boolean;
+ avoid-v4-udp-ports { portrange; ... };
+ avoid-v6-udp-ports { portrange; ... };
+ bindkeys-file quoted_string;
+ blackhole { address_match_element; ... };
+ cache-file quoted_string;
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ coresize ( default | unlimited | sizeval );
+ datasize ( default | unlimited | sizeval );
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ directory quoted_string;
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
};
-
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dscp integer;
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ dump-file quoted_string;
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint
+     fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ files ( default | unlimited | sizeval );
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ flush-zones-on-shutdown boolean;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ geoip-directory ( quoted_string | none );
+ heartbeat-interval integer;
+ hostname ( quoted_string | none );
+ inline-signing boolean;
+ interface-interval integer;
+ ixfr-from-differences ( master | slave | boolean );
+ key-directory quoted_string;
+ lame-ttl integer;
+ listen-on [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ listen-on-v6 [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ managed-keys-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ match-mapped-addresses boolean;
+ max-acache-size size_no_default;
+ max-cache-size size_no_default;
+ max-cache-ttl integer;
+ max-clients-per-query integer;
max-journal-size size_no_default;
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-rsa-exponent-size integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
+ memstatistics boolean;
+ memstatistics-file quoted_string;
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-responses boolean;
multi-master boolean;
-
- sig-validity-interval integer;
- sig-re-signing-interval integer;
+ no-case-compress { address_match_element; ... };
+ nosit-udp-size integer;, experimental
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pid-file ( quoted_string | none );
+ port integer;
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ querylog boolean;
+ random-device quoted_string;
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursing-file quoted_string;
+ recursion boolean;
+ recursive-clients integer;
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ reserved-sockets integer;
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ policy ( cname | disabled
+     | drop | given | no-op | nodata | nxdomain | passthru |
+     tcp-only quoted_string ) 
] [ recursive-only boolean ] [
+     max-policy-ttl integer 
]; ... } [ recursive-only boolean ]
+     [ break-dnssec boolean ] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ qname-wait-recurse boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ secroots-file quoted_string;
+ serial-query-rate integer;
+ serial-update-method ( increment | unixtime );
+ server-id ( quoted_string | none | hostname );
+ session-keyalg string;
+ session-keyfile ( quoted_string | none );
+ session-keyname string;
sig-signing-nodes integer;
sig-signing-signatures integer;
sig-signing-type integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
- key-directory quoted_string;
- managed-keys-directory quoted_string;
- auto-dnssec allow|maintain|off;
+ sig-validity-interval integer [ integer ];
+ sit-secret string;, experimental
+ sortlist { address_match_element; ... };
+ stacksize ( default | unlimited | sizeval );
+ statistics-file quoted_string;
+ tcp-clients integer;
+ tcp-listen-queue integer;
+ tkey-dhkey quoted_string integer;
+ tkey-domain quoted_string;
+ tkey-gssapi-credential quoted_string;
+ tkey-gssapi-keytab quoted_string;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers-in integer;
+ transfers-out integer;
+ transfers-per-ns integer;
+ trust-anchor-telemetry boolean; // experimental
try-tcp-refresh boolean;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
+ use-v4-udp-ports { portrange; ... };
+ use-v6-udp-ports { portrange; ... };
+ version ( quoted_string | none );
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
- automatic-interface-scan boolean;
-
- deny-answer-addresses {
- address_match_list
- } [ except-from { namelist } ];
- deny-answer-aliases {
- namelist
- } [ except-from { namelist } ];
-
- nsec3-test-zone boolean;  // testing only
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- deallocate-on-exit boolean; // obsolete
- fake-iquery boolean; // obsolete
- fetch-glue boolean; // obsolete
- has-old-clients boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- multiple-cnames boolean; // obsolete
- named-xfer quoted_string; // obsolete
- serial-queries integer; // obsolete
- treat-cr-as-space boolean; // obsolete
- use-id-pool boolean; // obsolete
- use-ixfr boolean; // obsolete
+ zone-statistics ( full | terse | none | boolean );
};

-

VIEW

+

SERVER


-view string optional_class {
- match-clients { address_match_element; ... };
- match-destinations { address_match_element; ... };
- match-recursive-only boolean;
-
+server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers integer;
+};
+

+
+ +
+

STATISTICS-CHANNELS

+ +


+statistics-channels {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] [
+     allow { address_match_element; ...
+     } 
];
+};
+

+
+ +
+

TRUSTED-KEYS

+ +


+trusted-keys { string integer integer
+    integer quoted_string; ... };
+

+
+ +
+

VIEW

+ +


+view string [ class ] {
+ acache-cleaning-interval integer;
+ acache-enable boolean;
+ additional-from-auth boolean;
+ additional-from-cache boolean;
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-cache { address_match_element; ... };
+ allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ cache-file quoted_string;
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dlz string {
+ database string;
+ search boolean;
+ };
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
+ };
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint
+     fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ inline-signing boolean;
+ ixfr-from-differences ( master | slave | boolean );
key string {
algorithm string;
secret string;
};
-
- zone string optional_class {
- ...
- };
-
- server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- ...
- };
-
- trusted-keys {
- string integer integer integer quoted_string;
- [...]
- };
-
- managed-keys {
- domain_name initial-key flags protocol algorithm key;
- [...]
- };
-
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
- additional-from-auth boolean;
- additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
+ key-directory quoted_string;
lame-ttl integer;
- max-ncache-ttl integer;
+ managed-keys { string string
+     integer integer integer
+     quoted_string; ... };
+ masterfile-format ( map | raw | text );
+ match-clients { address_match_element; ... };
+ match-destinations { address_match_element; ... };
+ match-recursive-only boolean;
+ max-acache-size size_no_default;
+ max-cache-size size_no_default;
max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
- allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
- allow-query-cache { address_match_element; ... };
- allow-query-cache-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
- allow-update { address_match_element; ... };
- allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
+ max-clients-per-query integer;
max-journal-size size_no_default;
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-responses boolean;
multi-master boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ no-case-compress { address_match_element; ... };
+ nosit-udp-size integer;, experimental
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursion boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ policy ( cname | disabled
+     | drop | given | no-op | nodata | nxdomain | passthru |
+     tcp-only quoted_string ) 
] [ recursive-only boolean ] [
+     max-policy-ttl integer 
]; ... } [ recursive-only boolean ]
+     [ break-dnssec boolean ] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ qname-wait-recurse boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ serial-update-method ( increment | unixtime );
+ server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port
+     ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv4_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [
+     port ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv6_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ transfers integer;
+ };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ sortlist { address_match_element; ... };
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ trust-anchor-telemetry boolean; // experimental
+ trusted-keys { string integer
+     integer integer quoted_string;
+     ... };
try-tcp-refresh boolean;
- key-directory quoted_string;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- fetch-glue boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
+ zone string [ class ] {
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { (
+     masters | ipv4_address [ port integer ] |
+     ipv6_address [ port integer ] ) [ key string ];
+     ... };
+ alt-transfer-source ( ipv4_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh |
+     boolean );
+ dlz string;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { (
+     ipv4_address | ipv6_address ) [ port integer ] [
+     dscp integer 
]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masters [ port integer ] [ dscp integer ] { ( masters
+     | ipv4_address [ port integer ] | ipv6_address [
+     port integer 
] ) [ key string ]; ... };
+ max-ixfr-log-size ( default | unlimited |
+ max-journal-size size_no_default;
+ max-records integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-transfer-idle-in integer;
+ max-transfer-idle-out integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
+ min-refresh-time integer;
+ min-retry-time integer;
+ multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer
+     integer
+     integer
+ request-ixfr boolean;
+ serial-update-method ( increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [
+     port integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ try-tcp-refresh boolean;
+ type ( delegation-only | forward | hint | master | redirect
+     | slave | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string (
+     6to4-self | external | krb5-self | krb5-subdomain |
+     ms-self | ms-subdomain | name | self | selfsub |
+     selfwild | subdomain | tcp-self | wildcard | zonesub )
+     [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
+ };
+ zone-statistics ( full | terse | none | boolean );
};

-

ZONE

+

ZONE


-zone string optional_class {
- type ( master | slave | stub | hint | redirect |
- forward | delegation-only );
- file quoted_string;
-
- masters [ port integer ] {
- ( masters |
- ipv4_address [port integer] |
- ipv6_address [ port integer ] ) [ key string ]; ...
- };
-
- database string;
- delegation-only boolean;
- check-names ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- dialup dialuptype;
- ixfr-from-differences boolean;
- journal quoted_string;
- zero-no-soa-ttl boolean;
- dnssec-secure-to-insecure boolean;
-
+zone string [ class ] {
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
allow-query-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-policy local |  {
- ( grant | deny ) string
- ( name | subdomain | wildcard | self | selfsub | selfwild |
-                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-   tcp-self | zonesub | 6to4-self ) string
- rrtypelist;
- [...]
- }
;
- update-check-ksk boolean;
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ dlz string;
dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masters [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
max-journal-size size_no_default;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
+ min-retry-time integer;
multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer integer
request-ixfr boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ serial-update-method ( increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [ port
+     integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
try-tcp-refresh boolean;
- key-directory quoted_string;
-
- nsec3-test-zone boolean;  // testing only
-
- ixfr-base quoted_string; // obsolete
- ixfr-tmp-file quoted_string; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- pubkey integer integer integer quoted_string; // obsolete
+ type ( delegation-only | forward | hint | master | redirect | slave
+     | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string ( 6to4-self |
+     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
+     | name | self | selfsub | selfwild | subdomain | tcp-self |
+     wildcard | zonesub ) [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
};

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

- named(8) + ddns-confgen(8) , - named-checkconf(8) + named(8) , - rndc(8) + named-checkconf(8) + , + + rndc(8) + , + + rndc-confgen(8) , BIND 9 Administrator Reference Manual.
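
Review bot: in the new zone grammar, `pubkey integer integer` (standalone ZONE block, and `pubkey integer` split over three lines in the zone clause nested in VIEW) and `max-ixfr-log-size ( default | unlimited |` (nested zone clause) are left unterminated, with no closing `);` or `;` before the next option. The removed text listed both options as `// obsolete`, so it looks as if the filter for obsolete entries dropped only the last line of each wrapped entry; either remove the whole entry or keep it complete with its comment. Separately, `nosit-udp-size`, `request-sit` and `sit-secret` carry `;, experimental` where `trust-anchor-telemetry` uses `; // experimental`; use the comment form throughout so the trailing text is not read as part of the syntax.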

diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index 968f2a693a..9813e5b3cc 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -194,7 +194,7 @@ See also \fBrndc addzone\fR\&. .RE .PP -\fBdumpdb \fR\fB[\-all|\-cache|\-zone|\-adb|\-bad]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR +\fBdumpdb \fR\fB[\-all|\-cache|\-zones|\-adb|\-bad]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR .RS 4 Dump the server\*(Aqs caches (default) and/or zones to the dump file for the specified views\&. If no view is specified, all views are dumped\&. (See the \fBdump\-file\fR diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 83b9a9f1c3..36099c2721 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -249,14 +249,12 @@ See also rndc addzone.

-
dumpdb [-all|-cache|-zone|-adb|-bad] [view ...]
+
dumpdb [-all|-cache|-zones|-adb|-bad] [view ...]

Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. + the dump file for the specified views. If no view + is specified, all views are dumped. (See the dump-file option in the BIND 9 Administrator Reference Manual.)
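
Review bot: the only substantive change to the dumpdb entry is `-zone` becoming `-zones` in the synopsis, yet the rndc.html hunk also re-wraps the description paragraph, which buries that fix in whitespace churn. Both rndc.8 and rndc.html now carry the corrected flag; confirm the correction was made in the source these files are generated from, so the next regeneration does not bring `-zone` back.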

diff --git a/configure b/configure index 6a89356c94..ebb4ccee83 100755 --- a/configure +++ b/configure @@ -950,7 +950,6 @@ infodir docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -1102,7 +1101,6 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1355,15 +1353,6 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1501,7 +1490,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1654,7 +1643,6 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] 
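
Review bot: every hunk in the configure diff removes `runstatedir` (the substitution list, the default `runstatedir='${localstatedir}/run'`, the `--runstatedir` option parsing, the directory-variable loop and the `--help` line), which reads as the script having been regenerated with a different autoconf rather than a deliberate change. A packaging or build script that passes `--runstatedir=DIR` will no longer have that option handled by this configure, so either regenerate with the same autoconf used for the previous release or call out the dropped option in the release notes.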
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index ca21201414..ba7da1520d 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -611,6 +611,6 @@
-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 5549123dda..d91026d4d1 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -160,6 +160,6 @@
-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index e2c869f4b6..13d7e6ccb1 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -768,6 +768,6 @@ controls { -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index ec4e7ba789..9adb8ef4a1 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2498,6 +2498,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index b4f58c0d58..d46b988b70 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -145,6 +145,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 979f713aba..5fa68f79c4 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -13790,6 +13790,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 4cbd9fb809..def2f63478 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -262,6 +262,6 @@ zone "example.com" { -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 9ce22731a0..f8d7020c3b 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -145,6 +145,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index bc991108a6..726518b3bd 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,16 +45,14 @@

-Release Notes for BIND Version 9.10.5

+Release Notes for BIND Version 9.10.6b1

@@ -120,282 +118,34 @@

Security Fixes

-
    -
  • +
    • - rndc "" could trigger an assertion failure - in named. This flaw is disclosed in - (CVE-2017-3138). [RT #44924] + None.

      -
    • -
    • -

      - Some chaining (i.e., type CNAME or DNAME) responses to upstream - queries could trigger assertion failures. This flaw is disclosed - in CVE-2017-3137. [RT #44734] -

      -
    • -
    • -

      - dns64 with break-dnssec yes; - can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136. [RT #44653] -

      -
    • -
    • -

      - If a server is configured with a response policy zone (RPZ) - that rewrites an answer with local data, and is also configured - for DNS64 address mapping, a NULL pointer can be read - triggering a server crash. This flaw is disclosed in - CVE-2017-3135. [RT #44434] -

      -
    • -
    • -

      - named could mishandle authority sections - with missing RRSIGs, triggering an assertion failure. This - flaw is disclosed in CVE-2016-9444. [RT #43632] -

      -
    • -
    • -

      - named mishandled some responses where - covering RRSIG records were returned without the requested - data, resulting in an assertion failure. This flaw is - disclosed in CVE-2016-9147. [RT #43548] -

      -
    • -
    • -

      - named incorrectly tried to cache TKEY - records which could trigger an assertion failure when there was - a class mismatch. This flaw is disclosed in CVE-2016-9131. - [RT #43522] -

      -
    • -
    • -

      - It was possible to trigger assertions when processing - responses containing answers of type DNAME. This flaw is - disclosed in CVE-2016-8864. [RT #43465] -

      -
    • -
    • -

      - Added the ability to specify the maximum number of records - permitted in a zone (max-records #;). - This provides a mechanism to block overly large zone - transfers, which is a potential risk with slave zones from - other parties, as described in CVE-2016-6170. - [RT #42143] -

      -
    • -
    • -

      - It was possible to trigger an assertion when rendering a - message using a specially crafted request. This flaw is - disclosed in CVE-2016-2776. [RT #43139] -

      -
    • -
    • -

      - Calling getrrsetbyname() with a non - absolute name could trigger an infinite recursion bug in - lwresd or named with - lwres configured if, when combined with - a search list entry from resolv.conf, - the resulting name is too long. This flaw is disclosed in - CVE-2016-2775. [RT #42694] -

      -
    • -
    -
- -
-

-New Features

-
    -
  • -

    - named now provides feedback to the - owners of zones which have trust anchors configured - (trusted-keys, - managed-keys, dnssec-validation - auto; and dnssec-lookaside auto;) - by sending a daily query which encodes the keyids of the - configured trust anchors for the zone. This is controlled - by trust-anchor-telemetry and defaults - to yes. -

    -
  • -
  • -

    - A new tcp-only option has been added to - server clauses, to indicate that UDP should - not be used when sending queries to a specified IP address or - prefix. -

    -
  • -
+

Feature Changes

-
    -
  • +
    • - The ISC DNSSEC Lookaside Validation (DLV) service is scheduled - to be disabled in 2017. A warning is now logged when - named is configured to use this service, - either explicitly or via dnssec-lookaside auto;. - [RT #42207] + Threads in named are now set to human-readable + names to assist debugging on operating systems that support that. + Threads will have names such as "isc-timer", "isc-sockmgr", + "isc-worker0001", and so on. This will affect the reporting of + subsidiary thread names in ps and + top, but not the main thread. [RT #43234]

      -
    • -
    • -

      - If an ACL is specified with an address prefix in which the - prefix length is longer than the address portion (for example, - 192.0.2.1/8), named will now log a warning. - In future releases this will be a fatal configuration error. - [RT #43367] -

      -
    • -
    +

Bug Fixes

-
    -
  • -

    - A synthesized CNAME record appearing in a response before the - associated DNAME could be cached, when it should not have been. - This was a regression introduced while addressing CVE-2016-8864. - [RT #44318] -

    -
  • -
  • -

    - named could deadlock if multiple changes - to NSEC/NSEC3 parameters for the same zone were being processed - at the same time. [RT #42770] -

    -
  • -
  • -

    - named could trigger an assertion when - sending NOTIFY messages. [RT #44019] -

    -
  • -
  • -

    - Fixed a crash when calling rndc stats on some - Windows builds: some Visual Studio compilers generate code that - crashes when the "%z" printf() format specifier is used. [RT #42380] -

    -
  • -
  • -

    - Windows installs were failing due to triggering UAC without - the installation binary being signed. -

    -
  • -
  • -

    - A change in the internal binary representation of the RBT database - node structure enabled a race condition to occur (especially when - BIND was built with certain compilers or optimizer settings), - leading to inconsistent database state which caused random - assertion failures. [RT #42380] -

    -
  • -
  • -

    - Referencing a nonexistent zone in a response-policy - statement could cause an assertion failure during configuration. - [RT #43787] -

    -
  • -
  • -

    - rndc addzone could cause a crash - when attempting to add a zone with a type other than - master or slave. - Such zones are now rejected. [RT #43665] -

    -
  • -
  • -

    - named could hang when encountering log - file names with large apparent gaps in version number (for - example, when files exist called "logfile.0", "logfile.1", - and "logfile.1482954169"). This is now handled correctly. - [RT #38688] -

    -
  • -
  • -

    - If a zone was updated while named was - processing a query for nonexistent data, it could return - out-of-sync NSEC3 records causing potential DNSSEC validation - failure. [RT #43247] -

    -
  • -
  • -

    - named could crash when loading a zone - which had RRISG records whose expiry fields were far enough - apart to cause an integer overflow when comparing them. - [RT #40571] -

    -
  • -
  • -

    - The arpaname and named-rrchecker - commands were not installed into the correct - prefix/bin directory. - [RT #42910] -

    -
  • -
  • -

    - When receiving a response from an authoritative server with - a TTL value of zero, named> will now only use - that response once, to answer the currently active clients that - were waiting for it. Previously, such response could be cached - and reused for up to one second. [RT #42142] -

    -
  • -
  • -

    - named-checkconf now checks the - rate-limit clause for correctness. - [RT #42970] -

    -
  • -
  • -

    - Corrected a bug in the rndc control channel - that could allow a read past the end of a buffer, crashing - named. Thanks to Lian Yihan for reporting - this error. -

    -
  • -
-
- -
-

-Maintenance

  • - The built-in root hints have been updated to include - IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b), - E.ROOT-SERVERS.NET (2001:500:a8::e) and - G.ROOT-SERVERS.NET (2001:500:12::d0d). + None.
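Review bot: in the Security Fixes section, replacing the whole list with "None." leaves a reader of the 9.10.6b1 notes with no pointer to the fixes that were listed for 9.10.5 (CVE-2017-3138, CVE-2017-3137, CVE-2017-3136 and the earlier entries). From this page alone it is not clear whether "None." means no new security fixes since 9.10.5 or none in this branch at all. Suggest wording that states the baseline, or a reference to the 9.10.5 release notes, so operators tracking those CVEs can tell that the earlier fixes still apply. Minor: in the new Feature Changes entry, "on operating systems that support that" would read better as "on operating systems that support thread naming".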

@@ -440,6 +190,6 @@

-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 1d9dfda78f..d05444062f 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -157,6 +157,6 @@
-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 05c04ff26c..82ad8850f2 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -923,6 +923,6 @@
-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 6289ec9e3d..1f6703001e 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -584,6 +584,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index cbdf525c10..fab39b140d 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -97,7 +97,7 @@ named — Internet domain name server
-named.conf — configuration file for named +named.conf — configuration file for named
lwresd — lightweight resolver daemon @@ -184,6 +184,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 954b49f5fa..54c88eeb97 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -41,7 +41,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.10.5

+

BIND Version 9.10.6b1

@@ -240,16 +240,14 @@
A. Release Notes
-
Release Notes for BIND Version 9.10.5
+
Release Notes for BIND Version 9.10.6b1
Introduction
Download
New DNSSEC Root Key
Security Fixes
-
New Features
Feature Changes
Bug Fixes
-
Maintenance
End of Life
Thank You
@@ -329,7 +327,7 @@ named — Internet domain name server
-named.conf — configuration file for named +named.conf — configuration file for named
lwresd — lightweight resolver daemon @@ -414,6 +412,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index f3c9d24820..100490239d 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -100,6 +100,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 092988e5f7..e016225313 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -245,6 +245,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index c8eefe0099..4817f54e79 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -619,6 +619,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 696bfc35e6..cac88fc9ac 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1035,6 +1035,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index f7141b7c08..c2a6fb1fca 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -160,6 +160,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index c3d457c0af..d9637e5da2 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -279,6 +279,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 594b6503a1..038cd13fe9 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -298,6 +298,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index a3f4879e7a..b2acda57f6 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -241,6 +241,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 7d2b1e550f..7877f0b67a 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -485,6 +485,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 2677b7c9ba..9a05dbbef9 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -572,6 +572,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 772624c119..b2698add3a 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -180,6 +180,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 6553a31f44..5a22823013 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -337,6 +337,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index ca8471ff94..8958dd1a90 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -711,6 +711,6 @@ db.example.com.signed -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 7730681280..bf4a8c0cc3 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -211,6 +211,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 536588e2d4..0a82ccd54e 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -136,6 +136,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index e7c95dff7c..14ab20e453 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -362,6 +362,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 59a55b1167..ea20b357f0 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -135,6 +135,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index fbb7943867..6bdd74bbf6 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -336,6 +336,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 88c15ef055..9c271e9e27 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -201,6 +201,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2a4361d097..620d6ad1ee 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -472,6 +472,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index b0f1d320da..42fd8937f5 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -126,6 +126,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 8a384e3c40..833ec44f0f 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -130,6 +130,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index c90987f948..adc7759c49 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -50,7 +50,7 @@

Name

named.conf - — configuration file for named + — configuration file for named

@@ -89,15 +89,41 @@


acl string { address_match_element; ... };
-

-

KEY

+

CONTROLS


-key domain_name {
+controls {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] allow
+     { address_match_element; ... } [
+     keys { string; ... } 
];
+ unix quoted_string perm integer
+     owner integer group integer [
+     keys { string; ... } 
];
+};
+

+
+ +
+

DLZ

+ +


+dlz string {
+ database string;
+ search boolean;
+};
+

+
+ +
+

KEY

+ +


+key string {
algorithm string;
secret string;
};
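Review bot: in the new CONTROLS block, `unix quoted_string perm integer owner integer group integer [ keys { string; ... } ];` is listed as ordinary grammar, while the CONTROLS text removed later in this file marked it as `unix unsupported; // not implemented`. If unix-domain control sockets are still not implemented, keep a `// not implemented` comment on that line, in the same style as the `// default changed` and `// test only` comments used elsewhere in the new text. Otherwise an administrator reading the man page may believe the control channel can be confined to a local socket with `perm`/`owner`/`group` and configure it that way. If the option now works, the release notes in this change should mention it.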
@@ -105,612 +131,817 @@ key

-

MASTERS

- -


-masters string [ port integer ] {
- ( masters | ipv4_address [port integer] |
- ipv6_address [port integer] ) [ key string ]; ...
-};
-

-
- -
-

SERVER

- -


-server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- bogus boolean;
- edns boolean;
- edns-udp-size integer;
- max-udp-size integer;
- tcp-only boolean;
- provide-ixfr boolean;
- request-ixfr boolean;
- keys server_key;
- transfers integer;
- transfer-format ( many-answers | one-answer );
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- support-ixfr boolean; // obsolete
-};
-

-
- -
-

TRUSTED-KEYS

- -


-trusted-keys {
- domain_name flags protocol algorithm key; ...
-};
-

-
- -
-

MANAGED-KEYS

- -


-managed-keys {
- domain_name initial-key flags protocol algorithm key; ...
-};
-

-
- -
-

CONTROLS

- -


-controls {
- inet ( ipv4_address | ipv6_address | * )
- [ port ( integer | * ) ]
- allow { address_match_element; ... }
- [ keys { string; ... } ];
- unix unsupported; // not implemented
-};
-

-
- -
-

LOGGING

+

LOGGING


logging {
- channel string {
- file log_file;
- syslog optional_facility;
- null;
- stderr;
- severity log_severity;
- print-time boolean;
- print-severity boolean;
- print-category boolean;
- };
category string { string; ... };
+ channel string {
+ file quoted_string [ versions ( "unlimited" | integer )
+     
] [ size size ];
+ null;
+ print-category boolean;
+ print-severity boolean;
+ print-time boolean;
+ severity log_severity;
+ stderr;
+ syslog [ syslog_facility ];
+ };
};

-

LWRES

+

LWRES


lwres {
- listen-on [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
- view string optional_class;
- search { string; ... };
+ listen-on [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
ndots integer;
+ search { string; ... };
+ view string [ class ];
};

-

OPTIONS

+

MANAGED-KEYS

+ +


+managed-keys { string string integer
+    integer integer quoted_string; ... };
+

+
+ +
+

MASTERS

+ +


+masters string [ port integer ] [ dscp
+    integer 
] { ( masters | ipv4_address [
+    port integer 
] | ipv6_address [ port
+    integer 
] ) [ key string ]; ... };
+

+
+ +
+

OPTIONS


options {
- avoid-v4-udp-ports { port; ... };
- avoid-v6-udp-ports { port; ... };
- blackhole { address_match_element; ... };
- coresize size;
- datasize size;
- directory quoted_string;
- dump-file quoted_string;
- files size;
- heartbeat-interval integer;
- host-statistics boolean; // not implemented
- host-statistics-max number; // not implemented
- hostname ( quoted_string | none );
- interface-interval integer;
- listen-on [ port integer ] { address_match_element; ... };
- listen-on-v6 [ port integer ] { address_match_element; ... };
- match-mapped-addresses boolean;
- memstatistics-file quoted_string;
- pid-file ( quoted_string | none );
- port integer;
- querylog boolean;
- recursing-file quoted_string;
- reserved-sockets integer;
- random-device quoted_string;
- recursive-clients integer;
- serial-query-rate integer;
- server-id ( quoted_string | hostname | none );
- stacksize size;
- statistics-file quoted_string;
- statistics-interval integer; // not yet implemented
- tcp-clients integer;
- tcp-listen-queue integer;
- tkey-dhkey quoted_string integer;
- tkey-gssapi-credential quoted_string;
- tkey-gssapi-keytab quoted_string;
- tkey-domain quoted_string;
- transfers-per-ns integer;
- transfers-in integer;
- transfers-out integer;
- version ( quoted_string | none );
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
+ acache-cleaning-interval integer;
+ acache-enable boolean;
additional-from-auth boolean;
additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
- max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
allow-query-cache { address_match_element; ... };
allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ automatic-interface-scan boolean;
+ avoid-v4-udp-ports { portrange; ... };
+ avoid-v6-udp-ports { portrange; ... };
+ bindkeys-file quoted_string;
+ blackhole { address_match_element; ... };
+ cache-file quoted_string;
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ coresize ( default | unlimited | sizeval );
+ datasize ( default | unlimited | sizeval );
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ directory quoted_string;
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
};
-
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dscp integer;
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ dump-file quoted_string;
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint
+     fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ files ( default | unlimited | sizeval );
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ flush-zones-on-shutdown boolean;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ geoip-directory ( quoted_string | none );
+ heartbeat-interval integer;
+ hostname ( quoted_string | none );
+ inline-signing boolean;
+ interface-interval integer;
+ ixfr-from-differences ( master | slave | boolean );
+ key-directory quoted_string;
+ lame-ttl integer;
+ listen-on [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ listen-on-v6 [ port integer ] [ dscp
+     integer 
] {
+     address_match_element; ... };
+ managed-keys-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ match-mapped-addresses boolean;
+ max-acache-size size_no_default;
+ max-cache-size size_no_default;
+ max-cache-ttl integer;
+ max-clients-per-query integer;
max-journal-size size_no_default;
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-rsa-exponent-size integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
+ memstatistics boolean;
+ memstatistics-file quoted_string;
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-responses boolean;
multi-master boolean;
-
- sig-validity-interval integer;
- sig-re-signing-interval integer;
+ no-case-compress { address_match_element; ... };
+ nosit-udp-size integer;, experimental
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pid-file ( quoted_string | none );
+ port integer;
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ querylog boolean;
+ random-device quoted_string;
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursing-file quoted_string;
+ recursion boolean;
+ recursive-clients integer;
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ reserved-sockets integer;
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ policy ( cname | disabled
+     | drop | given | no-op | nodata | nxdomain | passthru |
+     tcp-only quoted_string ) 
] [ recursive-only boolean ] [
+     max-policy-ttl integer 
]; ... } [ recursive-only boolean ]
+     [ break-dnssec boolean ] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ qname-wait-recurse boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ secroots-file quoted_string;
+ serial-query-rate integer;
+ serial-update-method ( increment | unixtime );
+ server-id ( quoted_string | none | hostname );
+ session-keyalg string;
+ session-keyfile ( quoted_string | none );
+ session-keyname string;
sig-signing-nodes integer;
sig-signing-signatures integer;
sig-signing-type integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
- key-directory quoted_string;
- managed-keys-directory quoted_string;
- auto-dnssec allow|maintain|off;
+ sig-validity-interval integer [ integer ];
+ sit-secret string;, experimental
+ sortlist { address_match_element; ... };
+ stacksize ( default | unlimited | sizeval );
+ statistics-file quoted_string;
+ tcp-clients integer;
+ tcp-listen-queue integer;
+ tkey-dhkey quoted_string integer;
+ tkey-domain quoted_string;
+ tkey-gssapi-credential quoted_string;
+ tkey-gssapi-keytab quoted_string;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers-in integer;
+ transfers-out integer;
+ transfers-per-ns integer;
+ trust-anchor-telemetry boolean; // experimental
try-tcp-refresh boolean;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
+ use-v4-udp-ports { portrange; ... };
+ use-v6-udp-ports { portrange; ... };
+ version ( quoted_string | none );
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
- automatic-interface-scan boolean;
-
- deny-answer-addresses {
- address_match_list
- } [ except-from { namelist } ];
- deny-answer-aliases {
- namelist
- } [ except-from { namelist } ];
-
- nsec3-test-zone boolean;  // testing only
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- deallocate-on-exit boolean; // obsolete
- fake-iquery boolean; // obsolete
- fetch-glue boolean; // obsolete
- has-old-clients boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- multiple-cnames boolean; // obsolete
- named-xfer quoted_string; // obsolete
- serial-queries integer; // obsolete
- treat-cr-as-space boolean; // obsolete
- use-id-pool boolean; // obsolete
- use-ixfr boolean; // obsolete
+ zone-statistics ( full | terse | none | boolean );
};

-

VIEW

+

SERVER


-view string optional_class {
- match-clients { address_match_element; ... };
- match-destinations { address_match_element; ... };
- match-recursive-only boolean;
-
+server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ transfers integer;
+};
+

+
+ +
+

STATISTICS-CHANNELS

+ +


+statistics-channels {
+ inet ( ipv4_address | ipv6_address |
+     * ) [ port ( integer | * ) ] [
+     allow { address_match_element; ...
+     } 
];
+};
+

+
+ +
+

TRUSTED-KEYS

+ +


+trusted-keys { string integer integer
+    integer quoted_string; ... };
+

+
+ +
+

VIEW

+ +


+view string [ class ] {
+ acache-cleaning-interval integer;
+ acache-enable boolean;
+ additional-from-auth boolean;
+ additional-from-cache boolean;
+ allow-new-zones boolean;
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-cache { address_match_element; ... };
+ allow-query-cache-on { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-recursion { address_match_element; ... };
+ allow-recursion-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+ auto-dnssec ( allow | maintain | off );
+ cache-file quoted_string;
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+     ) ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ cleaning-interval integer;
+ clients-per-query integer;
+ deny-answer-addresses { address_match_element; ... } [
+     except-from { quoted_string; ... } 
];
+ deny-answer-aliases { quoted_string; ... } [ except-from {
+     quoted_string; ... } 
];
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ disable-algorithms string { string;
+     ... };
+ disable-ds-digests string { string;
+     ... };
+ disable-empty-zone string;
+ dlz string {
+ database string;
+ search boolean;
+ };
+ dns64 netprefix {
+ break-dnssec boolean;
+ clients { address_match_element; ... };
+ exclude { address_match_element; ... };
+ mapped { address_match_element; ... };
+ recursive-only boolean;
+ suffix ipv6_address;
+ };
+ dns64-contact string;
+ dns64-server string;
+ dnssec-accept-expired boolean;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-enable boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-lookaside ( string trust-anchor
+     string | auto | no );
+ dnssec-must-be-secure string boolean;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dual-stack-servers [ port integer ] { ( quoted_string [ port
+     integer 
] [ dscp integer ] | ipv4_address [ port
+     integer 
] [ dscp integer ] | ipv6_address [ port
+     integer 
] [ dscp integer ] ); ... };
+ edns-udp-size integer;
+ empty-contact string;
+ empty-server string;
+ empty-zones-enable boolean;
+ fetch-quota-params integer fixedpoint
+     fixedpoint fixedpoint;
+ fetches-per-server integer [ ( drop | fail ) ];
+ fetches-per-zone integer [ ( drop | fail ) ];
+ filter-aaaa { address_match_element; ... };
+ filter-aaaa-on-v4 ( break-dnssec | boolean );
+ filter-aaaa-on-v6 ( break-dnssec | boolean );
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ inline-signing boolean;
+ ixfr-from-differences ( master | slave | boolean );
key string {
algorithm string;
secret string;
};
-
- zone string optional_class {
- ...
- };
-
- server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- ...
- };
-
- trusted-keys {
- string integer integer integer quoted_string;
- [...]
- };
-
- managed-keys {
- domain_name initial-key flags protocol algorithm key;
- [...]
- };
-
- allow-recursion { address_match_element; ... };
- allow-recursion-on { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
- additional-from-auth boolean;
- additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- use-queryport-pool boolean;
- queryport-pool-ports integer;
- queryport-pool-updateinterval integer;
- cleaning-interval integer;
- resolver-query-timeout integer;
- min-roots integer; // not implemented
+ key-directory quoted_string;
lame-ttl integer;
- max-ncache-ttl integer;
+ managed-keys { string string
+     integer integer integer
+     quoted_string; ... };
+ masterfile-format ( map | raw | text );
+ match-clients { address_match_element; ... };
+ match-destinations { address_match_element; ... };
+ match-recursive-only boolean;
+ max-acache-size size_no_default;
+ max-cache-size size_no_default;
max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size;
- max-acache-size size;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- disable-ds-digests string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside ( auto | no | domain trust-anchor domain );
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- dns64-server string;
- dns64-contact string;
- dns64 prefix {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
- break-dnssec boolean;
- recursive-only boolean;
- suffix ipv6_address;
- };
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
- allow-query { address_match_element; ... };
- allow-query-on { address_match_element; ... };
- allow-query-cache { address_match_element; ... };
- allow-query-cache-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
- allow-update { address_match_element; ... };
- allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
- dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
+ max-clients-per-query integer;
max-journal-size size_no_default;
+ max-ncache-ttl integer;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-recursion-depth integer;
+ max-recursion-queries integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-udp-size integer;
+ max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
+ min-retry-time integer;
+ minimal-responses boolean;
multi-master boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ no-case-compress { address_match_element; ... };
+ nosit-udp-size integer;, experimental
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ preferred-glue string;
+ prefetch integer [ integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv4_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+     integer | * ) 
] ) | ( [ [ address ] ( ipv6_address | * ) ]
+     port ( integer | * ) ) ) [ dscp integer ];
+ rate-limit {
+ all-per-second integer;
+ errors-per-second integer;
+ exempt-clients { address_match_element; ... };
+ ipv4-prefix-length integer;
+ ipv6-prefix-length integer;
+ log-only boolean;
+ max-table-size integer;
+ min-table-size integer;
+ nodata-per-second integer;
+ nxdomains-per-second integer;
+ qps-scale integer;
+ referrals-per-second integer;
+ responses-per-second integer;
+ slip integer;
+ window integer;
+ };
+ recursion boolean;
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ resolver-query-timeout integer;
+ response-policy { zone quoted_string [ policy ( cname | disabled
+     | drop | given | no-op | nodata | nxdomain | passthru |
+     tcp-only quoted_string ) 
] [ recursive-only boolean ] [
+     max-policy-ttl integer 
]; ... } [ recursive-only boolean ]
+     [ break-dnssec boolean ] [ max-policy-ttl integer ] [
+     min-ns-dots integer 
] [ qname-wait-recurse boolean ];
+ root-delegation-only [ exclude { quoted_string; ... } ];
+ rrset-order { [ class string ] [ type string ] [ name
+     quoted_string 
string string; ... };
+ serial-update-method ( increment | unixtime );
+ server netprefix {
+ bogus boolean;
+ edns boolean;
+ edns-udp-size integer;
+ keys server_key;
+ max-udp-size integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ provide-ixfr boolean;
+ query-source ( ( [ address ] ( ipv4_address | * ) [ port
+     ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv4_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ query-source-v6 ( ( [ address ] ( ipv6_address | * ) [
+     port ( integer | * ) 
] ) | ( [ [ address ] (
+     ipv6_address | * ) 
] port ( integer | * ) ) ) [
+     dscp integer 
];
+ request-ixfr boolean;
+ request-nsid boolean;
+ request-sit boolean;, experimental
+ tcp-only boolean;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ transfers integer;
+ };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ sortlist { address_match_element; ... };
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ trust-anchor-telemetry boolean; // experimental
+ trusted-keys { string integer
+     integer integer quoted_string;
+     ... };
try-tcp-refresh boolean;
- key-directory quoted_string;
+ update-check-ksk boolean;
+ use-alt-transfer-source boolean;
zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
- dnssec-secure-to-insecure boolean;
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- fetch-glue boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
+ zone string [ class ] {
+ allow-notify { address_match_element; ... };
+ allow-query { address_match_element; ... };
+ allow-query-on { address_match_element; ... };
+ allow-transfer { address_match_element; ... };
+ allow-update { address_match_element; ... };
+ allow-update-forwarding { address_match_element; ... };
+ also-notify [ port integer ] [ dscp integer ] { (
+     masters | ipv4_address [ port integer ] |
+     ipv6_address [ port integer ] ) [ key string ];
+     ... };
+ alt-transfer-source ( ipv4_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh |
+     boolean );
+ dlz string;
+ dnssec-dnskey-kskonly boolean;
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
+ forward ( first | only );
+ forwarders [ port integer ] [ dscp integer ] { (
+     ipv4_address | ipv6_address ) [ port integer ] [
+     dscp integer 
]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masters [ port integer ] [ dscp integer ] { ( masters
+     | ipv4_address [ port integer ] | ipv6_address [
+     port integer 
] ) [ key string ]; ... };
+ max-ixfr-log-size ( default | unlimited |
+ max-journal-size size_no_default;
+ max-records integer;
+ max-refresh-time integer;
+ max-retry-time integer;
+ max-transfer-idle-in integer;
+ max-transfer-idle-out integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
+ min-refresh-time integer;
+ min-retry-time integer;
+ multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | *
+     ) 
] [ dscp integer ];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer
+     | * ) 
] [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer
+     integer
+     integer
+ request-ixfr boolean;
+ serial-update-method ( increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [
+     port integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ transfer-source-v6 ( ipv6_address | * ) [ port (
+     integer | * ) 
] [ dscp integer ];
+ try-tcp-refresh boolean;
+ type ( delegation-only | forward | hint | master | redirect
+     | slave | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string (
+     6to4-self | external | krb5-self | krb5-subdomain |
+     ms-self | ms-subdomain | name | self | selfsub |
+     selfwild | subdomain | tcp-self | wildcard | zonesub )
+     [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
+ };
+ zone-statistics ( full | terse | none | boolean );
};

-

ZONE

+

ZONE


-zone string optional_class {
- type ( master | slave | stub | hint | redirect |
- forward | delegation-only );
- file quoted_string;
-
- masters [ port integer ] {
- ( masters |
- ipv4_address [port integer] |
- ipv6_address [ port integer ] ) [ key string ]; ...
- };
-
- database string;
- delegation-only boolean;
- check-names ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- dialup dialuptype;
- ixfr-from-differences boolean;
- journal quoted_string;
- zero-no-soa-ttl boolean;
- dnssec-secure-to-insecure boolean;
-
+zone string [ class ] {
+ allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
allow-query-on { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
- update-policy local |  {
- ( grant | deny ) string
- ( name | subdomain | wildcard | self | selfsub | selfwild |
-                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-   tcp-self | zonesub | 6to4-self ) string
- rrtypelist;
- [...]
- }
;
- update-check-ksk boolean;
+ also-notify [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
+ alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+     * ) 
] [ dscp integer ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling boolean;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard boolean;
+ database string;
+ delegation-only boolean;
+ dialup ( notify | notify-passive | passive | refresh | boolean );
+ dlz string;
dnssec-dnskey-kskonly boolean;
-
- masterfile-format ( text | raw | map );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- notify-to-soa boolean;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ...
- [ key keyname ] ... };
- allow-notify { address_match_element; ... };
-
+ dnssec-loadkeys-interval integer;
+ dnssec-secure-to-insecure boolean;
+ dnssec-update-mode ( maintain | no-resign );
+ file quoted_string;
forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
+ forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+     | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+ in-view string;
+ inline-signing boolean;
+ ixfr-from-differences boolean;
+ journal quoted_string;
+ key-directory quoted_string;
+ masterfile-format ( map | raw | text );
+ masters [ port integer ] [ dscp integer ] { ( masters |
+     ipv4_address [ port integer ] | ipv6_address [ port
+     integer 
] ) [ key string ]; ... };
max-journal-size size_no_default;
max-records integer;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
+ max-refresh-time integer;
+ max-retry-time integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
+ max-transfer-time-in integer;
+ max-transfer-time-out integer;
+ max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
+ min-retry-time integer;
multi-master boolean;
+ notify ( explicit | master-only | boolean );
+ notify-delay integer;
+ notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+     [ dscp integer ];
+ notify-to-soa boolean;
+ nsec3-test-zone boolean; // test only
+ pubkey integer integer
request-ixfr boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
+ serial-update-method ( increment | unixtime );
+ server-addresses { ( ipv4_address | ipv6_address ) [ port
+     integer 
]; ... };
+ server-names { quoted_string; ... };
+ sig-signing-nodes integer;
+ sig-signing-signatures integer;
+ sig-signing-type integer;
+ sig-validity-interval integer [ integer ];
+ transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+     dscp integer 
];
+ transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+     
] [ dscp integer ];
try-tcp-refresh boolean;
- key-directory quoted_string;
-
- nsec3-test-zone boolean;  // testing only
-
- ixfr-base quoted_string; // obsolete
- ixfr-tmp-file quoted_string; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- pubkey integer integer integer quoted_string; // obsolete
+ type ( delegation-only | forward | hint | master | redirect | slave
+     | static-stub | stub );
+ update-check-ksk boolean;
+ update-policy ( local | { ( deny | grant ) string ( 6to4-self |
+     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
+     | name | self | selfsub | selfwild | subdomain | tcp-self |
+     wildcard | zonesub ) [ string rrtypelist; ... };
+ use-alt-transfer-source boolean;
+ zero-no-soa-ttl boolean;
+ zone-statistics ( full | terse | none | boolean );
};

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

- named(8) + ddns-confgen(8) , - named-checkconf(8) + named(8) , - rndc(8) + named-checkconf(8) + , + + rndc(8) + , + + rndc-confgen(8) , BIND 9 Administrator Reference Manual.
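Review bot: The regenerated grammar marks the SIT options with a stray `;, experimental` (`request-sit boolean;, experimental` in the options, server and view blocks, plus `sit-secret string;, experimental` and `nosit-udp-size integer;, experimental`), while `trust-anchor-telemetry boolean; // experimental` in the same hunk uses the comment form. These should render as `// experimental`, which points at the flag handling in whatever generates this synopsis rather than at the HTML itself. Separately, as rendered here the formerly obsolete zone entries lose their tail: `max-ixfr-log-size ( default | unlimited |` ends without a closing parenthesis or semicolon, and `pubkey integer integer` has no `quoted_string;`, where the removed lines read `max-ixfr-log-size size; // obsolete` and `pubkey integer integer integer quoted_string; // obsolete`. The synopsis no longer tells an operator that these options are obsolete and the fragments are not valid statements, so please check the generated output for both before this ships.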

@@ -736,6 +967,6 @@ zone
-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 975f09f38e..1cf1ed7927 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -476,6 +476,6 @@
-

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 12fd637bfa..2d0e87402a 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -136,6 +136,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index e94efd29ac..6f0df7dfab 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -804,6 +804,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 8a6f154212..63041bfbe3 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -286,6 +286,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index ba3d18921d..652d7dbffd 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -277,6 +277,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 6a8b50c555..23d6beaada 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -267,14 +267,12 @@ See also rndc addzone.

-
dumpdb [-all|-cache|-zone|-adb|-bad] [view ...]
+
dumpdb [-all|-cache|-zones|-adb|-bad] [view ...]

Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. + the dump file for the specified views. If no view + is specified, all views are dumped. (See the dump-file option in the BIND 9 Administrator Reference Manual.)
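Review bot: The dumpdb synopsis changes `-zone` to `-zones`, but nothing in this hunk shows which spelling rndc actually accepts, so please confirm the plural form against the command's option handling and make sure every other copy of the rndc manual carries the same spelling. If `-zone` was only ever a documentation error, say so in the change description, since operators with scripts that call `rndc dumpdb -zone` need to know whether those invocations were working. The reflowed description paragraph is a whitespace-only change and would be easier to review in a separate commit from the option rename.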

@@ -723,6 +721,6 @@ -

BIND 9.10.5

+

BIND 9.10.6b1

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 54f77a0675..688aca99ca 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -23,7 +23,7 @@

-Release Notes for BIND Version 9.10.5

+Release Notes for BIND Version 9.10.6b1

@@ -81,282 +81,34 @@

Security Fixes

-
    -
  • +
    • - rndc "" could trigger an assertion failure - in named. This flaw is disclosed in - (CVE-2017-3138). [RT #44924] + None.

      -
    • -
    • -

      - Some chaining (i.e., type CNAME or DNAME) responses to upstream - queries could trigger assertion failures. This flaw is disclosed - in CVE-2017-3137. [RT #44734] -

      -
    • -
    • -

      - dns64 with break-dnssec yes; - can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136. [RT #44653] -

      -
    • -
    • -

      - If a server is configured with a response policy zone (RPZ) - that rewrites an answer with local data, and is also configured - for DNS64 address mapping, a NULL pointer can be read - triggering a server crash. This flaw is disclosed in - CVE-2017-3135. [RT #44434] -

      -
    • -
    • -

      - named could mishandle authority sections - with missing RRSIGs, triggering an assertion failure. This - flaw is disclosed in CVE-2016-9444. [RT #43632] -

      -
    • -
    • -

      - named mishandled some responses where - covering RRSIG records were returned without the requested - data, resulting in an assertion failure. This flaw is - disclosed in CVE-2016-9147. [RT #43548] -

      -
    • -
    • -

      - named incorrectly tried to cache TKEY - records which could trigger an assertion failure when there was - a class mismatch. This flaw is disclosed in CVE-2016-9131. - [RT #43522] -

      -
    • -
    • -

      - It was possible to trigger assertions when processing - responses containing answers of type DNAME. This flaw is - disclosed in CVE-2016-8864. [RT #43465] -

      -
    • -
    • -

      - Added the ability to specify the maximum number of records - permitted in a zone (max-records #;). - This provides a mechanism to block overly large zone - transfers, which is a potential risk with slave zones from - other parties, as described in CVE-2016-6170. - [RT #42143] -

      -
    • -
    • -

      - It was possible to trigger an assertion when rendering a - message using a specially crafted request. This flaw is - disclosed in CVE-2016-2776. [RT #43139] -

      -
    • -
    • -

      - Calling getrrsetbyname() with a non - absolute name could trigger an infinite recursion bug in - lwresd or named with - lwres configured if, when combined with - a search list entry from resolv.conf, - the resulting name is too long. This flaw is disclosed in - CVE-2016-2775. [RT #42694] -

      -
    • -
    -
- -
-

-New Features

-
    -
  • -

    - named now provides feedback to the - owners of zones which have trust anchors configured - (trusted-keys, - managed-keys, dnssec-validation - auto; and dnssec-lookaside auto;) - by sending a daily query which encodes the keyids of the - configured trust anchors for the zone. This is controlled - by trust-anchor-telemetry and defaults - to yes. -

    -
  • -
  • -

    - A new tcp-only option has been added to - server clauses, to indicate that UDP should - not be used when sending queries to a specified IP address or - prefix. -

    -
  • -
+

Feature Changes

-
    -
  • +
    • - The ISC DNSSEC Lookaside Validation (DLV) service is scheduled - to be disabled in 2017. A warning is now logged when - named is configured to use this service, - either explicitly or via dnssec-lookaside auto;. - [RT #42207] + Threads in named are now set to human-readable + names to assist debugging on operating systems that support that. + Threads will have names such as "isc-timer", "isc-sockmgr", + "isc-worker0001", and so on. This will affect the reporting of + subsidiary thread names in ps and + top, but not the main thread. [RT #43234]

      -
    • -
    • -

      - If an ACL is specified with an address prefix in which the - prefix length is longer than the address portion (for example, - 192.0.2.1/8), named will now log a warning. - In future releases this will be a fatal configuration error. - [RT #43367] -

      -
    • -
    +

Bug Fixes

-
    -
  • -

    - A synthesized CNAME record appearing in a response before the - associated DNAME could be cached, when it should not have been. - This was a regression introduced while addressing CVE-2016-8864. - [RT #44318] -

    -
  • -
  • -

    - named could deadlock if multiple changes - to NSEC/NSEC3 parameters for the same zone were being processed - at the same time. [RT #42770] -

    -
  • -
  • -

    - named could trigger an assertion when - sending NOTIFY messages. [RT #44019] -

    -
  • -
  • -

    - Fixed a crash when calling rndc stats on some - Windows builds: some Visual Studio compilers generate code that - crashes when the "%z" printf() format specifier is used. [RT #42380] -

    -
  • -
  • -

    - Windows installs were failing due to triggering UAC without - the installation binary being signed. -

    -
  • -
  • -

    - A change in the internal binary representation of the RBT database - node structure enabled a race condition to occur (especially when - BIND was built with certain compilers or optimizer settings), - leading to inconsistent database state which caused random - assertion failures. [RT #42380] -

    -
  • -
  • -

    - Referencing a nonexistent zone in a response-policy - statement could cause an assertion failure during configuration. - [RT #43787] -

    -
  • -
  • -

    - rndc addzone could cause a crash - when attempting to add a zone with a type other than - master or slave. - Such zones are now rejected. [RT #43665] -

    -
  • -
  • -

    - named could hang when encountering log - file names with large apparent gaps in version number (for - example, when files exist called "logfile.0", "logfile.1", - and "logfile.1482954169"). This is now handled correctly. - [RT #38688] -

    -
  • -
  • -

    - If a zone was updated while named was - processing a query for nonexistent data, it could return - out-of-sync NSEC3 records causing potential DNSSEC validation - failure. [RT #43247] -

    -
  • -
  • -

    - named could crash when loading a zone - which had RRISG records whose expiry fields were far enough - apart to cause an integer overflow when comparing them. - [RT #40571] -

    -
  • -
  • -

    - The arpaname and named-rrchecker - commands were not installed into the correct - prefix/bin directory. - [RT #42910] -

    -
  • -
  • -

    - When receiving a response from an authoritative server with - a TTL value of zero, named> will now only use - that response once, to answer the currently active clients that - were waiting for it. Previously, such response could be cached - and reused for up to one second. [RT #42142] -

    -
  • -
  • -

    - named-checkconf now checks the - rate-limit clause for correctness. - [RT #42970] -

    -
  • -
  • -

    - Corrected a bug in the rndc control channel - that could allow a read past the end of a buffer, crashing - named. Thanks to Lian Yihan for reporting - this error. -

    -
  • -
-
- -
-

-Maintenance

  • - The built-in root hints have been updated to include - IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b), - E.ROOT-SERVERS.NET (2001:500:a8::e) and - G.ROOT-SERVERS.NET (2001:500:12::d0d). + None.
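Review bot: With the Maintenance heading and every Bug Fixes item removed, the added "None." becomes the entire Bug Fixes section, and the entries dropped along the way are the ones an operator would search for: CVE-2016-6170 (max-records), CVE-2016-2776, CVE-2016-2775, the CVE-2016-8864 regression [RT #44318], and the rndc control channel read past the end of a buffer. HISTORY is emptied in the same diff, so please confirm that these entries remain in the notes of the release that shipped them, or leave a pointer here to where they now live. If the removed text is being moved rather than deleted, correct it on the way: "RRISG" should be "RRSIG", "named>" has a stray ">", and [RT #42380] is cited for two unrelated fixes (the rndc stats crash on Windows and the RBT node race condition). In the added Feature Changes entry, "on operating systems that support that" would read better as "on operating systems that support it".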