prep 9.15.6

Tinderbox User 2019-11-17 07:25:57 +00:00 committed by Evan Hunt
parent a48814906f
commit 767a2aef43
77 changed files with 2086 additions and 1031 deletions

@ -1,3 +1,5 @@
--- 9.15.6 released ---
5319. [func] Trust anchors can now be configured using DS
format to represent a key digest, by using the
new "initial-ds" or "static-ds" keywords in

@ -4,10 +4,11 @@ Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with
RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
cryptography library. Atomic operations support from the compiler is
needed, either in the form of builtin operations, C11 atomics or the
Interlocked family of functions on Windows.
RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
asynchronous I/O library, and the OpenSSL cryptography library. Atomic
operations support from the compiler is needed, either in the form of
builtin operations, C11 atomics, or the Interlocked family of functions on
Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x).
For some of the older systems listed below, you will have to install
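Review bot: the unchanged sentence right after the rewritten paragraph, "BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x)", is missing its articles and ">= 1.x" is not a usable minimum; since the paragraph above now lists libuv as a hard dependency, fold the version requirement into that sentence and state the concrete minimum version that the configure check enforces, for example "BIND 9.15 requires the libuv asynchronous I/O library (version N or later)" with N taken from the build check rather than "1.x".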

@ -12,10 +12,10 @@
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
Atomic operations support from the compiler is needed, either in the form of
builtin operations, C11 atomics or the Interlocked family of functions on
Windows.
IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
and the OpenSSL cryptography library. Atomic operations support from the
compiler is needed, either in the form of builtin operations, C11 atomics,
or the `Interlocked` family of functions on Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). For
some of the older systems listed below, you will have to install updated libuv
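Review bot: after this change the new sentence introducing `libuv` is immediately followed by the unchanged "BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x)", so the requirement is stated twice and the second copy is ungrammatical and vague about the version; merge the two and give the real minimum version the build checks for instead of "1.x". Markup is also inconsistent within the paragraph: `libuv` and `Interlocked` are in backticks while OpenSSL and C11 are not.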

README
@ -48,7 +48,8 @@ the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
For up-to-date versions and release notes, see https://www.isc.org/download/.
For up-to-date versions and release notes, see https://www.isc.org/
download/.
For information about supported platforms, see PLATFORMS.
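Review bot: wrapping the URL as "https://www.isc.org/" on one line and "download/." on the next breaks it for anyone clicking or copying it from a plain-text README; keep "https://www.isc.org/download/" on a single line even though it exceeds the wrap column.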
@ -110,25 +111,30 @@ BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.14 and earlier releases. New features include:
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC key configuration using dnssec-keys
* Improved DNSSEC trust anchor configuration using dnssec-keys,
permitting configuration of trust anchors in DS as well as DNSKEY
format.
* YAML output for dig, mdig, and delv.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have
been observed on many versions of Linux and UNIX, including RHEL/CentOS,
Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
OpenWRT.
basic POSIX support, and a 64-bit integer type. BIND also requires the
libuv asynchronous I/O library, and a cryptography provider library such
as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
requires the libcap library to set process privileges, though this
requirement can be overridden by disabling capability support at compile
time. See Compile-time options below for details on other libraries that
may be required to support optional features.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires the
libcap library to set process privileges, though this requirement can be
overridden by disabling capability support at compile time. See
Compile-time options below for details on other libraries that may be
required to support optional features.
Successful builds have been observed on many versions of Linux and UNIX,
including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See win32utils/
build.txt for details on building for Windows systems.
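Review bot: the rewritten Building paragraph carries over "a hardware service module supporting PKCS#11"; a PKCS#11 provider is a hardware security module (HSM), so correct the term while the paragraph is being rewritten. In the feature list, "New new network manager based on libuv." doubles "new", and "Support for the new GeoIP2 geolocation API" lacks the terminating period the surrounding bullets have.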

@ -129,25 +129,29 @@ include:
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* A new network manager based on libuv.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using `dnssec-keys`
* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have been
observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
basic POSIX support, and a 64-bit integer type. BIND also requires the
`libuv` asynchronous I/O library, and a cryptography provider library
such as OpenSSL or a hardware service module supporting PKCS#11. On
Linux, BIND requires the `libcap` library to set process privileges,
though this requirement can be overridden by disabling capability
support at compile time. See [Compile-time options](#opts) below
for details on other libraries that may be required to support
optional features.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires
the `libcap` library to set process privileges, though this requirement
can be overridden by disabling capability support at compile time.
See [Compile-time options](#opts) below for details on other libraries
that may be required to support optional features.
Successful builds have been observed on many versions of Linux and
UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See
`win32utils/build.txt` for details on building for Windows
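Review bot: replacing "* A new network manager based on libuv." with "* New new network manager based on libuv." introduces a doubled "new"; keep the original bullet or use "New network manager based on libuv." The "hardware service module supporting PKCS#11" wording is repeated here too and should read "hardware security module", which is what a PKCS#11 provider is.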

@ -39,7 +39,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
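Review bot: "-k" changes from a bare flag to "-k policy", so an existing script that passes "-k" will now have its next argument consumed as the policy name; this is an incompatible command-line change and should be called out in CHANGES and the release notes, with any remaining description of the old argument-less -k removed from OPTIONS. "-T rrtype" is also added to the synopsis; confirm that an OPTIONS entry for it exists, since none of the hunks in this file add one.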
@ -109,6 +109,11 @@ option suppresses them\&.
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE
.PP
\-d \fIbits\fR
.RS 4
Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
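Review bot: "NSEC3RSASA1" in the new -d entry is misspelled; the algorithm mnemonic is NSEC3RSASHA1. The entry also describes -d bits as "Key size in bits", which is exactly what "-b keysize" in the synopsis already provides; state how -d differs from -b, otherwise one of the two is redundant and users will not know which to set.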
@ -142,6 +147,17 @@ Prints a short summary of the options and arguments to
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k \fIpolicy\fR
.RS 4
Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys,
\fBdnssec\-keygen\fR
will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&.
.sp
This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that
\fBdnssec\-keygen\fR
provides\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
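Review bot: "it cannot be used together with many of the other options" is not actionable; list the options that are rejected when -k is given, or at least the categories (algorithm, key size and timing options, since the policy supplies those). The entry should also say where the ".state" file is written (next to the .key and .private files under the -K directory, presumably) and whether -k requires -l or falls back to the default configuration file to find the policy definition.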
@ -151,6 +167,12 @@ none
is the same as leaving it unset\&.
.RE
.PP
\-l \fIfile\fR
.RS 4
Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with
\fB\-k\fR)\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
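Review bot: the existing OPTIONS entries are written in the third person ("Sets the directory", "Specifies the owner type"), while the new -l and -k entries use the imperative ("Provide a configuration file", "Create keys"); match the existing style. It is also worth stating what happens when the policy named with -k is not found in the file given with -l.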

@ -41,6 +41,7 @@
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
@ -49,8 +50,9 @@
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
@ -59,6 +61,7 @@
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
@ -168,6 +171,15 @@
the specified class. If not specified, class IN is used.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
<dd>
<p>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
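Review bot: "NSEC3RSASA1" is misspelled here as well and should be NSEC3RSASHA1; since this HTML is generated from the DocBook source (the "Generator: DocBook XSL Stylesheets" header elsewhere in this commit shows the toolchain), fix the typo in the .docbook file and regenerate rather than patching the HTML by hand, otherwise the next regeneration reintroduces it.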
@ -218,6 +230,21 @@
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
<dd>
<p>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</p>
<p>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <span class="command"><strong>dnssec-keygen</strong></span>
provides.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
@ -231,6 +258,13 @@
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
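Review bot: in the -l entry, "-k" is marked up with the command/strong markup that this page uses for program names, but -k is an option, not a command; the synopsis already renders it with the option markup (code class="option"), so the DocBook source should mark it as an option here too for consistent rendering.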

@ -39,7 +39,7 @@
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-s\fR] [\fB\-g\ \fR\fB\fIstate\fR\fR] [\fB\-d\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-z\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
@ -59,7 +59,25 @@ simply prints the key timing metadata already stored in the key\&.
.PP
When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key
and
Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
Knnnn\&.+aaa+iiiii\&.private) are regenerated\&.
.PP
Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
.PP
When working with state files, it is possible to update the timing metadata in those files as well with
\fB\-s\fR\&. If this option is used you can also update key states with
\fB\-d\fR
(DS),
\fB\-k\fR
(DNSKEY),
\fB\-r\fR
(RRSIG of KSK), or
\fB\-z\fR
(RRSIG of ZSK)\&. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE\&.
.PP
You can also set the goal state of the key with
\fB\-g\fR\&. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published)\&.
.PP
It is NOT RECOMMENDED to manipulate state files manually except for testing purposes\&.
.SH "OPTIONS"
.PP
\-f
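Review bot: the new paragraphs refer to "state files" and "the state file" without introducing them; the preceding paragraph only names the .key and .private files. Add a sentence saying that the state file is the ".state" file which dnssec-keygen -k creates for policy-managed keys (as the keygen page in this commit puts it) and briefly define HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE, which are listed here with no explanation. "It is NOT RECOMMENDED to manipulate state files manually" should also say why: the recorded states drive what named publishes and withdraws during a rollover, so a hand-set state can put the zone out of step with the parent's DS and break validation for resolvers.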
@ -156,6 +174,39 @@ If the key is being set to be an explicit successor to another key, then the def
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
.SH "KEY STATE OPTIONS"
.PP
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE\&. These should not be set manually except for testing purposes\&.
.PP
\-s
.RS 4
When setting key timing data, also update the state file\&.
.RE
.PP
\-g
.RS 4
Set the goal state for this key\&. Must be HIDDEN or OMNIPRESENT\&.
.RE
.PP
\-d
.RS 4
Set the DS state for this key, and when it was last changed\&.
.RE
.PP
\-k
.RS 4
Set the DNSKEY state for this key, and when it was last changed\&.
.RE
.PP
\-r
.RS 4
Set the RRSIG (KSK) state for this key, and when it was last changed\&.
.RE
.PP
\-z
.RS 4
Set the RRSIG (ZSK) state for this key, and when it was last changed\&.
.RE
.SH "PRINTING OPTIONS"
.PP
\fBdnssec\-settime\fR
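Review bot: the new KEY STATE OPTIONS entries show -g, -d, -k, -r and -z as bare flags, whereas the synopsis gives "-g state" and "-d state date/offset" (likewise for -k, -r and -z); add the argument names to each entry and say that the date/offset takes the same forms as the timing options above. Since -k and -d here take a state while the timing options use -K for the directory and -D for the deletion date, a one-line reminder that the options are case-sensitive would prevent mistakes. The sentence "These should not be set manually except for testing purposes" repeats the warning already given in DESCRIPTION.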

@ -49,6 +49,12 @@
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
{keyfile}
</p></div>
</div>
@ -74,11 +80,30 @@
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
</p>
<p>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
<p>
When working with state files, it is possible to update the timing
metadata in those files as well with <code class="option">-s</code>. If this
option is used you can also update key states with <code class="option">-d</code>
(DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</p>
<p>
You can also set the goal state of the key with <code class="option">-g</code>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</p>
<p>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</p>
</div>
<div class="refsection">
@ -262,7 +287,57 @@
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>PRINTING OPTIONS</h2>
<a name="id-1.10"></a><h2>KEY STATE OPTIONS</h2>
<p>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-s</span></dt>
<dd>
<p>
When setting key timing data, also update the state file.
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd>
<p>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Set the DS state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Set the DNSKEY state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>PRINTING OPTIONS</h2>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
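Review bot: the section anchors are renumbered by this change: id-1.10 used to label PRINTING OPTIONS and now labels KEY STATE OPTIONS, with PRINTING OPTIONS moving to id-1.11 and SEE ALSO to id-1.12, so any existing link to #id-1.10 on this page now lands on the wrong section; give the sections stable explicit ids in the DocBook source instead of relying on generated ones. The -g, -d, -k, -r and -z terms also omit the state and date/offset arguments shown in the synopsis.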
@ -298,7 +373,7 @@
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)

@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-08-07
.\" Date: 2019-08-12
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -104,7 +104,8 @@ dlz \fIstring\fR {
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
initial\-key | static\-ds | initial\-ds )
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
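Review bot: the grammar now lists static-ds and initial-ds next to static-key and initial-key with the same "integer integer integer quoted_string" tail, but the fields mean different things: for a DNSKEY-format anchor they are flags, protocol, algorithm and the base64 key, while for a DS-format anchor they are key tag, algorithm, digest type and the hex digest (the RFC 4034 presentation format). The grammar summary cannot show that, so the descriptive text for dnssec-keys should spell out both layouts, and it should remind operators that a DS digest must be obtained out of band from a trusted source exactly as a DNSKEY anchor would be, since named can only check that the fetched DNSKEY matches the digest it was given.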
@ -170,9 +171,9 @@ Deprecated \- see DNSSEC\-KEYS\&.
.\}
.nf
managed\-keys { \fIstring\fR ( static\-key
| initial\-key ) \fIinteger\fR
\fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated
| initial\-key | static\-ds |
initial\-ds ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi
.if n \{\
.RE
@ -230,7 +231,7 @@ options {
[ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
\fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
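Review bot: renaming the grammar type from ttlval to duration here (and in the rest of this file) changes a name that the grammar description section and the ARM refer to; make sure the definition of the type is renamed in the same commit and that the accepted syntax (plain seconds or suffixed values such as 1h or 2d) is unchanged, otherwise readers will look up "duration" and not find it.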
@ -312,18 +313,18 @@ options {
fstrm\-set\-output\-notify\-threshold \fIinteger\fR;
fstrm\-set\-output\-queue\-model ( mpsc | spsc );
fstrm\-set\-output\-queue\-size \fIinteger\fR;
fstrm\-set\-reopen\-interval \fIttlval\fR;
fstrm\-set\-reopen\-interval \fIduration\fR;
geoip\-directory ( \fIquoted_string\fR | none );
glue\-cache \fIboolean\fR;
heartbeat\-interval \fIinteger\fR;
hostname ( \fIquoted_string\fR | none );
inline\-signing \fIboolean\fR;
interface\-interval \fIttlval\fR;
interface\-interval \fIduration\fR;
ixfr\-from\-differences ( primary | master | secondary | slave |
\fIboolean\fR );
keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lame\-ttl \fIduration\fR;
listen\-on [ port \fIinteger\fR ] [ dscp
\fIinteger\fR ] {
\fIaddress_match_element\fR; \&.\&.\&. };
@ -337,28 +338,28 @@ options {
masterfile\-style ( full | relative );
match\-mapped\-addresses \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
max\-cache\-ttl \fIttlval\fR;
max\-cache\-ttl \fIduration\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
max\-ncache\-ttl \fIttlval\fR;
max\-ncache\-ttl \fIduration\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
max\-refresh\-time \fIinteger\fR;
max\-retry\-time \fIinteger\fR;
max\-rsa\-exponent\-size \fIinteger\fR;
max\-stale\-ttl \fIttlval\fR;
max\-stale\-ttl \fIduration\fR;
max\-transfer\-idle\-in \fIinteger\fR;
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
max\-udp\-size \fIinteger\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
max\-zone\-ttl ( unlimited | \fIduration\fR );
memstatistics \fIboolean\fR;
memstatistics\-file \fIquoted_string\fR;
message\-compression \fIboolean\fR;
min\-cache\-ttl \fIttlval\fR;
min\-ncache\-ttl \fIttlval\fR;
min\-cache\-ttl \fIduration\fR;
min\-ncache\-ttl \fIduration\fR;
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
minimal\-any \fIboolean\fR;
@ -375,8 +376,8 @@ options {
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
[ dscp \fIinteger\fR ];
notify\-to\-soa \fIboolean\fR;
nta\-lifetime \fIttlval\fR;
nta\-recheck \fIttlval\fR;
nta\-lifetime \fIduration\fR;
nta\-recheck \fIduration\fR;
nxdomain\-redirect \fIstring\fR;
pid\-file ( \fIquoted_string\fR | none );
port \fIinteger\fR;
@ -423,13 +424,13 @@ options {
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
\fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
\fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
[ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [
@ -443,7 +444,7 @@ options {
serial\-query\-rate \fIinteger\fR;
serial\-update\-method ( date | increment | unixtime );
server\-id ( \fIquoted_string\fR | none | hostname );
servfail\-ttl \fIttlval\fR;
servfail\-ttl \fIduration\fR;
session\-keyalg \fIstring\fR;
session\-keyfile ( \fIquoted_string\fR | none );
session\-keyname \fIstring\fR;
@ -454,7 +455,7 @@ options {
sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
stacksize ( default | unlimited | \fIsizeval\fR );
stale\-answer\-enable \fIboolean\fR;
stale\-answer\-ttl \fIttlval\fR;
stale\-answer\-ttl \fIduration\fR;
startup\-notify\-rate \fIinteger\fR;
statistics\-file \fIquoted_string\fR;
synth\-from\-dnssec \fIboolean\fR;
@ -612,7 +613,7 @@ view \fIstring\fR [ \fIclass\fR ] {
[ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
\fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
@ -655,8 +656,9 @@ view \fIstring\fR [ \fIclass\fR ] {
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
initial\-key | static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
@ -690,10 +692,11 @@ view \fIstring\fR [ \fIclass\fR ] {
secret \fIstring\fR;
};
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lame\-ttl \fIduration\fR;
lmdb\-mapsize \fIsizeval\fR;
managed\-keys { \fIstring\fR (
static\-key | initial\-key
| static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR
\fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated
@ -703,25 +706,25 @@ view \fIstring\fR [ \fIclass\fR ] {
match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
match\-recursive\-only \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
max\-cache\-ttl \fIttlval\fR;
max\-cache\-ttl \fIduration\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
max\-ncache\-ttl \fIttlval\fR;
max\-ncache\-ttl \fIduration\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
max\-refresh\-time \fIinteger\fR;
max\-retry\-time \fIinteger\fR;
max\-stale\-ttl \fIttlval\fR;
max\-stale\-ttl \fIduration\fR;
max\-transfer\-idle\-in \fIinteger\fR;
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
max\-udp\-size \fIinteger\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
max\-zone\-ttl ( unlimited | \fIduration\fR );
message\-compression \fIboolean\fR;
min\-cache\-ttl \fIttlval\fR;
min\-ncache\-ttl \fIttlval\fR;
min\-cache\-ttl \fIduration\fR;
min\-ncache\-ttl \fIduration\fR;
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
minimal\-any \fIboolean\fR;
@ -737,8 +740,8 @@ view \fIstring\fR [ \fIclass\fR ] {
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
[ dscp \fIinteger\fR ];
notify\-to\-soa \fIboolean\fR;
nta\-lifetime \fIttlval\fR;
nta\-recheck \fIttlval\fR;
nta\-lifetime \fIduration\fR;
nta\-recheck \fIduration\fR;
nxdomain\-redirect \fIstring\fR;
plugin ( query ) \fIstring\fR [ {
\fIunspecified\-text\fR } ];
@ -780,13 +783,13 @@ view \fIstring\fR [ \fIclass\fR ] {
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
\fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
\fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
[ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [
@ -831,14 +834,14 @@ view \fIstring\fR [ \fIclass\fR ] {
\fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
transfers \fIinteger\fR;
};
servfail\-ttl \fIttlval\fR;
servfail\-ttl \fIduration\fR;
sig\-signing\-nodes \fIinteger\fR;
sig\-signing\-signatures \fIinteger\fR;
sig\-signing\-type \fIinteger\fR;
sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
stale\-answer\-enable \fIboolean\fR;
stale\-answer\-ttl \fIttlval\fR;
stale\-answer\-ttl \fIduration\fR;
synth\-from\-dnssec \fIboolean\fR;
transfer\-format ( many\-answers | one\-answer );
transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
@ -890,6 +893,7 @@ view \fIstring\fR [ \fIclass\fR ] {
dnskey\-sig\-validity \fIinteger\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-policy \fIstring\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
file \fIquoted_string\fR;
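Review bot: the new `dnssec-policy string;` line (here and in the identical zone-block hunk further down) lands between `dnssec-loadkeys-interval` and `dnssec-secure-to-insecure` with nothing saying how it relates to the surrounding per-zone DNSSEC knobs (`dnssec-dnskey-kskonly`, `dnssec-loadkeys-interval`, `dnssec-update-mode`) or to `auto-dnssec`, which the rndc hunks in this change still present as the alternative trigger for `loadkeys`/`sign`. The grammar cannot carry that, so the option's description should state whether a policy name and those options may be combined or which one wins when both are set, and that `string` names a policy defined by the `dnssec-policy` block whose grammar is added later in this file.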
@ -915,7 +919,7 @@ view \fIstring\fR [ \fIclass\fR ] {
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
max\-zone\-ttl ( unlimited | \fIduration\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
multi\-master \fIboolean\fR;
@ -996,6 +1000,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
dnskey\-sig\-validity \fIinteger\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-policy \fIstring\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
file \fIquoted_string\fR;
@ -1020,7 +1025,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
max\-zone\-ttl ( unlimited | \fIduration\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
multi\-master \fIboolean\fR;
@ -1062,6 +1067,30 @@ zone \fIstring\fR [ \fIclass\fR ] {
.if n \{\
.RE
.\}
.SH "DNSSEC-POLICY"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-policy \fIstring\fR {
dnskey\-ttl \fIttlval\fR;
keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
parent\-ds\-ttl \fIduration\fR;
parent\-propagation\-delay \fIduration\fR;
parent\-registration\-delay \fIduration\fR;
publish\-safety \fIduration\fR;
retire\-safety \fIduration\fR;
signatures\-refresh \fIduration\fR;
signatures\-validity \fIduration\fR;
signatures\-validity\-dnskey \fIduration\fR;
zone\-max\-ttl \fIduration\fR;
zone\-propagation\-delay \fIduration\fR;
};
.fi
.if n \{\
.RE
.\}
.SH "FILES"
.PP
/etc/named\&.conf
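Review bot: `dnskey-ttl` still takes `\fIttlval\fR` while every other timing parameter in the new block, and all the `ttlval` to `duration` renames elsewhere in this change, use `\fIduration\fR`; either switch it to `duration` or say why it differs. On the `keys` line, `key-directory` is shown as a bare mandatory keyword with no argument; if it is an optional flag it should read `[ key-directory ]`, and `] ;` has a stray space before the semicolon. That line is also the only grammar entry in the file left unwrapped, where the `response-policy` entry above is folded at the usual width. Finally, the block introduces `zone-max-ttl` alongside the existing `max-zone-ttl ( unlimited | duration )` zone option; if both describe the same value one name would be easier on operators, and if they differ the description should say how.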

View file

@ -95,7 +95,8 @@ dlz
<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    initial-key | static-ds | initial-ds )<br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
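Review bot: `static-ds` and `initial-ds` are given exactly the same shape as `static-key` and `initial-key` (`integer integer integer quoted_string`), so the grammar alone does not tell a reader that for the `-ds` forms the three integers and the string are DS fields (key tag, algorithm, digest type, hex digest) rather than DNSKEY fields (flags, protocol, algorithm, base64 key). The descriptive text for this block needs to spell out the per-keyword meaning, and it is worth stating whether a DS-format anchor configured with `initial-ds` is managed (RFC 5011 rollover) the way `initial-key` is, since the keyword pairing here implies that it is.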
@ -144,9 +145,9 @@ logging
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key ) <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
    | initial-key | static-ds |<br>
    initial-ds ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
@ -196,7 +197,7 @@ options
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
@ -278,18 +279,18 @@ options
fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-output-queue-model ( mpsc | spsc );<br>
fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
fstrm-set-reopen-interval <em class="replaceable"><code>duration</code></em>;<br>
geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
interface-interval <em class="replaceable"><code>duration</code></em>;<br>
ixfr-from-differences ( primary | master | secondary | slave |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] {<br>
    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -303,28 +304,28 @@ options
masterfile-style ( full | relative );<br>
match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
@ -341,8 +342,8 @@ options
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
port <em class="replaceable"><code>integer</code></em>;<br>
@ -389,13 +390,13 @@ options
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
@ -409,7 +410,7 @@ options
serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
serial-update-method ( date | increment | unixtime );<br>
server-id ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
session-keyalg <em class="replaceable"><code>string</code></em>;<br>
session-keyfile ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
session-keyname <em class="replaceable"><code>string</code></em>;<br>
@ -420,7 +421,7 @@ options
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
@ -557,7 +558,7 @@ view
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
@ -600,8 +601,9 @@ view
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
    initial-key | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
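Review bot: the closing parenthesis of the keyword alternative wraps differently here (`initial-ds<br>    ) integer`) from the top-level `dnssec-keys` block earlier in this file, which keeps `initial-ds )` together on one line; both are renderings of the same grammar and the line folding should match (the `managed-keys` hunk that follows has a third variant). Cosmetic, but it suggests the blocks were not produced by a single generator pass.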
@ -635,10 +637,11 @@ view
secret <em class="replaceable"><code>string</code></em>;<br>
};<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
managed-keys { <em class="replaceable"><code>string</code></em> (<br>
    static-key | initial-key<br>
    | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
@ -648,25 +651,25 @@ view
match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
@ -682,8 +685,8 @@ view
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ {<br>
    <em class="replaceable"><code>unspecified-text</code></em> } ];<br>
@ -725,13 +728,13 @@ view
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
@ -776,14 +779,14 @@ view
    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
transfers <em class="replaceable"><code>integer</code></em>;<br>
};<br>
servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
transfer-format ( many-answers | one-answer );<br>
transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
@ -835,6 +838,7 @@ view
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
@ -860,7 +864,7 @@ view
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
@ -937,6 +941,7 @@ zone
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
@ -961,7 +966,7 @@ zone
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
@ -1003,14 +1008,35 @@ zone
</div>
<div class="refsection">
<a name="id-1.24"></a><h2>FILES</h2>
<a name="id-1.24"></a><h2>DNSSEC-POLICY</h2>
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
publish-safety <em class="replaceable"><code>duration</code></em>;<br>
retire-safety <em class="replaceable"><code>duration</code></em>;<br>
signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.25"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.25"></a><h2>SEE ALSO</h2>
<a name="id-1.26"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
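Review bot: the new DNSSEC-POLICY section takes over the auto-generated anchor `id-1.24` that FILES used to carry, and FILES and SEE ALSO move to `id-1.25` and `id-1.26`, so any existing link or bookmark to `#id-1.24` now lands on the policy grammar instead of FILES. Generated ids cannot easily be pinned, but named anchors for the fixed man-page sections would make additions like this stable. The block also carries the same `dnskey-ttl ttlval` inconsistency as the roff version: everything else in it is `duration`.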

View file

@ -276,7 +276,8 @@ See also
Fetch all DNSSEC keys for the given zone from the key directory\&. If they are within their publication period, merge them into the zone\*(Aqs DNSKEY RRset\&. Unlike
\fBrndc sign\fR, however, the zone is not immediately re\-signed by the new keys, but is allowed to incrementally re\-sign over time\&.
.sp
This command requires that the
This command requires that the zone is configured with a
\fBdnssec\-policy\fR, or that the
\fBauto\-dnssec\fR
zone option be set to
maintain, and also requires the zone to be configured to allow dynamic DNS\&. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details\&.)
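Review bot: "requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set to maintain" mixes the indicative and the subjunctive; "be configured with" matches the second clause. The same sentence appears in the `sign` hunk that follows and in both HTML renderings further down. Worth confirming as well that the trailing requirement (the zone must allow dynamic DNS) still holds on the `dnssec-policy` path; if a policy-driven zone can be signed without dynamic update, that clause should be scoped to `auto-dnssec`.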
@ -566,7 +567,8 @@ Fetch all DNSSEC keys for the given zone from the key directory (see the
\fBkey\-directory\fR
option in the BIND 9 Administrator Reference Manual)\&. If they are within their publication period, merge them into the zone\*(Aqs DNSKEY RRset\&. If the DNSKEY RRset is changed, then the zone is automatically re\-signed with the new key set\&.
.sp
This command requires that the
This command requires that the zone is configured with a
\fBdnssec\-policy\fR, or that the
\fBauto\-dnssec\fR
zone option be set to
allow
@ -702,7 +704,7 @@ in each view\&. The list includes both statically configured keys and dynamic TK
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
.RS 4
Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&.
Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. The cache is flushed when validation is turned on or off to avoid using data that might differ between states\&.
.RE
.PP
\fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
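Review bot: "to avoid using data that might differ between states" is vague about what the flush protects against; something like "so that answers cached while validation was off are not served as validated once it is on, and vice versa" says it directly. Since the flush empties the whole cache, toggling validation also means a cold cache and a burst of upstream queries; that operational cost belongs in the same sentence so operators do not flip the setting casually. The HTML rendering below carries the same wording.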

View file

@ -366,7 +366,8 @@
allowed to incrementally re-sign over time.
</p>
<p>
This command requires that the
This command requires that the zone is configured with a
<span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option
be set to <code class="literal">maintain</code>,
and also requires the zone to be configured to
@ -721,7 +722,8 @@
re-signed with the new key set.
</p>
<p>
This command requires that the
This command requires that the zone is configured with a
<span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option be set
to <code class="literal">allow</code> or
<code class="literal">maintain</code>,
@ -914,6 +916,8 @@
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
The cache is flushed when validation is turned on or off
to avoid using data that might differ between states.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

View file

@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -61,18 +61,18 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.2">Converting from insecure to secure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully automatic zone signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private-type records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic key rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting from secure to insecure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.52">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.9">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.17">Fully automatic zone signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.27">Private-type records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">DNSKEY rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.36">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">Automatic key rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.48">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Converting from secure to insecure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.54">Periodic re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.56">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
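Review bot: every subsection link in this hunk changes only because the generated ids (id-1.5.10.7 becoming id-1.5.10.9, and so on) shift when new sections are inserted; any external bookmark or cross-reference to, say, "Fully automatic zone signing" silently breaks on each such edit. The surrounding entries already show the better pattern with stable named anchors (dnssec.dynamic.zones, rfc5011.support); consider giving these DNSSEC subsections explicit ids of the same kind so the table of contents does not churn on every insertion.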
@ -1060,13 +1060,14 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <span class="command"><strong>static-key</strong></span> are loaded directly
with the keyword <span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>static-ds</strong></span> are loaded directly
into the table of trust anchors, and can only be changed by
altering the configuration. Keys configured with
<span class="command"><strong>initial-key</strong></span> are used to initialize
RFC 5011 trust anchor maintenance, and will be kept up to
date automatically after the first time <span class="command"><strong>named</strong></span>
runs.
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
are used to initialize RFC 5011 trust anchor maintenance, and
will be kept up to date automatically after the first time
<span class="command"><strong>named</strong></span> runs.
</p>
<p>
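Review bot: the unchanged opening line "The keys specified in dnssec-keys copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust" is missing a verb ("are copies of"), and with this hunk it is also no longer accurate: static-ds and initial-ds entries are DS records (key digests), not DNSKEY RRs. Suggest rewording the lead sentence to cover both forms, e.g. "The keys specified in dnssec-keys are copies of DNSKEY RRs, or DS records identifying them, for zones that are used to form the first link in the cryptographic chain of trust."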
@ -1106,17 +1107,7 @@ dnssec-keys {
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3";
/* Key for our organization's forward zone */
example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
/oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
1OTQ09A0=";
example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
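Review bot: the new static-ds line is missing its terminating semicolon. The static-key entry it replaces ended with `1OTQ09A0=";` and the reverse-zone entry that follows is a separate statement, so as written `example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"` runs into the next statement and a reader copying the example into named.conf will get a syntax error. Append `;` to the line.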
@ -1195,33 +1186,53 @@ options {
<a name="id-1.5.10.2"></a>Converting from insecure to secure</h3></div></div></div>
</div>
<p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
<p>For either method, you need to configure
<span class="command"><strong>named</strong></span> so that it can see the
<code class="filename">K*</code> files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by
<span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
in the key-directory, as specified in
<code class="filename">named.conf</code>:</p>
<pre class="programlisting">
<p>
Changing a zone from insecure to secure can be done in three
ways: using a dynamic DNS update, use the
<span class="command"><strong>auto-dnssec</strong></span> zone option, or set a DNSSEC
policy for the zone with <span class="command"><strong>dnssec-policy</strong></span>.
</p>
<p>
For either method, you need to configure
<span class="command"><strong>named</strong></span> so that it can see the
<code class="filename">K*</code> files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by
<span class="command"><strong>dnssec-keygen</strong></span> (or created when needed by
<span class="command"><strong>named</strong></span> if <span class="command"><strong>dnssec-policy</strong></span> is
used). Keys should be placed in the key-directory, as specified in
<code class="filename">named.conf</code>:</p>
<pre class="programlisting">
zone example.net {
type master;
update-policy local;
file "dynamic/example.net/example.net";
key-directory "dynamic/example.net";
};
</pre>
<p>If one KSK and one ZSK DNSKEY key have been generated, this
configuration will cause all records in the zone to be signed
with the ZSK, and the DNSKEY RRset to be signed with the KSK as
well. An NSEC chain will be generated as part of the initial
signing process.</p>
</pre>
<p>
If one KSK and one ZSK DNSKEY key have been generated, this
configuration will cause all records in the zone to be signed
with the ZSK, and the DNSKEY RRset to be signed with the KSK as
well. An NSEC chain will be generated as part of the initial
signing process.
</p>
<p>
With <span class="command"><strong>dnssec-policy</strong></span> you specify what keys should
be KSK and/or ZSK. If you want a key to sign all records with a key
you will need to specify a CSK:
</p>
<pre class="programlisting">
dnssec-policy csk {
keys {
csk key-directory lifetime P5Y algorithm 13;
};
};
</pre>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.7"></a>Dynamic DNS update method</h3></div></div></div>
<a name="id-1.5.10.9"></a>Dynamic DNS update method</h3></div></div></div>
</div>
<p>To insert the keys via dynamic update:</p>
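Review bot: the hunk changes the count to "three ways" but the next paragraph still begins "For either method"; change it to "For any of these methods". In the same sentence the list is not parallel ("using a dynamic DNS update, use the auto-dnssec zone option, or set a DNSSEC policy"); "using a dynamic DNS update, using the auto-dnssec zone option, or setting a DNSSEC policy" reads correctly. Two smaller points: "If you want a key to sign all records with a key you will need to specify a CSK" repeats "a key" and should read "If you want a single key to sign all records, you will need to specify a CSK"; and the text says keys are "created when needed by named if dnssec-policy is used", but the zone example that follows (update-policy local; file ...; key-directory ...) never attaches the csk policy to the zone, so it is worth showing the zone-side reference alongside the new dnssec-policy csk block.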
@ -1232,16 +1243,20 @@ options {
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; send
</pre>
<p>While the update request will complete almost immediately,
the zone will not be completely signed until
<span class="command"><strong>named</strong></span> has had time to walk the zone and
generate the NSEC and RRSIG records. The NSEC record at the apex
will be added last, to signal that there is a complete NSEC
chain.</p>
<p>If you wish to sign using NSEC3 instead of NSEC, you should
add an NSEC3PARAM record to the initial update request. If you
wish the NSEC3 chain to have the OPTOUT bit set, set it in the
flags field of the NSEC3PARAM record.</p>
<p>
While the update request will complete almost immediately,
the zone will not be completely signed until
<span class="command"><strong>named</strong></span> has had time to walk the zone and
generate the NSEC and RRSIG records. The NSEC record at the apex
will be added last, to signal that there is a complete NSEC
chain.
</p>
<p>
If you wish to sign using NSEC3 instead of NSEC, you should
add an NSEC3PARAM record to the initial update request. If you
wish the NSEC3 chain to have the OPTOUT bit set, set it in the
flags field of the NSEC3PARAM record.
</p>
<pre class="screen">
% nsupdate
&gt; ttl 3600
@ -1250,94 +1265,117 @@ options {
&gt; update add example.net NSEC3PARAM 1 1 100 1234567890
&gt; send
</pre>
<p>Again, this update request will complete almost
immediately; however, the record won't show up until
<span class="command"><strong>named</strong></span> has had a chance to build/remove the
relevant chain. A private type record will be created to record
the state of the operation (see below for more details), and will
be removed once the operation completes.</p>
<p>While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.</p>
<p>
Again, this update request will complete almost
immediately; however, the record won't show up until
<span class="command"><strong>named</strong></span> has had a chance to build/remove the
relevant chain. A private type record will be created to record
the state of the operation (see below for more details), and will
be removed once the operation completes.
</p>
<p>
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.15"></a>Fully automatic zone signing</h3></div></div></div>
<a name="id-1.5.10.17"></a>Fully automatic zone signing</h3></div></div></div>
</div>
<p>To enable automatic signing, add the
<span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
<code class="filename">named.conf</code>.
<span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
<code class="constant">allow</code> or
<code class="constant">maintain</code>.</p>
<p>With
<span class="command"><strong>auto-dnssec allow</strong></span>,
<span class="command"><strong>named</strong></span> can search the key directory for keys
matching the zone, insert them into the zone, and use them to
sign the zone. It will do so only when it receives an
<span class="command"><strong>rndc sign &lt;zonename&gt;</strong></span>.</p>
<p>
<span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
functionality, but will also automatically adjust the zone's
DNSKEY records on schedule according to the keys' timing metadata.
(See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
To enable automatic signing, you can set a
<span class="command"><strong>dnssec-policy</strong></span>, or add the
<span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
<code class="filename">named.conf</code>.
<span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
<code class="constant">allow</code> or
<code class="constant">maintain</code>.
</p>
<p>
<span class="command"><strong>named</strong></span> will periodically search the key directory
for keys matching the zone, and if the keys' metadata indicates
that any change should be made the zone, such as adding, removing,
or revoking a key, then that action will be carried out. By default,
the key directory is checked for changes every 60 minutes; this period
can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
<span class="command"><strong>named</strong></span> to check for key updates immediately.
With <span class="command"><strong>auto-dnssec allow</strong></span>,
<span class="command"><strong>named</strong></span> can search the key directory for keys
matching the zone, insert them into the zone, and use them to
sign the zone. It will do so only when it receives an
<span class="command"><strong>rndc sign &lt;zonename&gt;</strong></span>.
</p>
<p>
If keys are present in the key directory the first time the zone
is loaded, the zone will be signed immediately, without waiting for an
<span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
command. (Those commands can still be used when there are unscheduled
key changes, however.)
<span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
functionality, but will also automatically adjust the zone's
DNSKEY records on schedule according to the keys' timing metadata.
(See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
</p>
<p>
When new keys are added to a zone, the TTL is set to match that
of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
then the TTL will be set to the TTL specified when the key was
created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
any, or to the SOA TTL.
<span class="command"><strong>dnssec-policy</strong></span> is like
<span class="command"><strong>auto-dnssec maintain</strong></span>, but will also automatically
create new keys when necessary. Also any configuration related
to DNSSEC signing is retrieved from the policy (ignoring existing
DNSSEC named.conf options).
</p>
<p>
If you wish the zone to be signed using NSEC3 instead of NSEC,
submit an NSEC3PARAM record via dynamic update prior to the
scheduled publication and activation of the keys. If you wish the
NSEC3 chain to have the OPTOUT bit set, set it in the flags field
of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
the zone immediately, but it will be stored for later reference. When
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone.
<span class="command"><strong>named</strong></span> will periodically search the key directory
for keys matching the zone, and if the keys' metadata indicates
that any change should be made the zone, such as adding, removing,
or revoking a key, then that action will be carried out. By default,
the key directory is checked for changes every 60 minutes; this period
can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
<span class="command"><strong>named</strong></span> to check for key updates immediately.
</p>
<p>Using the
<span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
configured to allow dynamic updates, by adding an
<span class="command"><strong>allow-update</strong></span> or
<span class="command"><strong>update-policy</strong></span> statement to the zone
configuration. If this has not been done, the configuration will
fail.</p>
<p>
If keys are present in the key directory the first time the zone
is loaded, the zone will be signed immediately, without waiting for an
<span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
command. (Those commands can still be used when there are unscheduled
key changes, however.)
</p>
<p>
When new keys are added to a zone, the TTL is set to match that
of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
then the TTL will be set to the TTL specified when the key was
created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
any, or to the SOA TTL.
</p>
<p>
If you wish the zone to be signed using NSEC3 instead of NSEC,
submit an NSEC3PARAM record via dynamic update prior to the
scheduled publication and activation of the keys. If you wish the
NSEC3 chain to have the OPTOUT bit set, set it in the flags field
of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
the zone immediately, but it will be stored for later reference. When
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone.
</p>
<p>
Using the
<span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
configured to allow dynamic updates, by adding an
<span class="command"><strong>allow-update</strong></span> or
<span class="command"><strong>update-policy</strong></span> statement to the zone
configuration. If this has not been done, the configuration will
fail.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.24"></a>Private-type records</h3></div></div></div>
<a name="id-1.5.10.27"></a>Private-type records</h3></div></div></div>
</div>
<p>The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
the final octet (for those records which have a nonzero initial
octet).</p>
<p>The private type record format: If the first octet is
non-zero then the record indicates that the zone needs to be
signed with the key matching the record, or that all signatures
that match the record should be removed.</p>
<p>
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
the final octet (for those records which have a nonzero initial
octet).
</p>
<p>
The private type record format: If the first octet is
non-zero then the record indicates that the zone needs to be
signed with the key matching the record, or that all signatures
that match the record should be removed.
</p>
<p>
</p>
<div class="literallayout"><p><br>
@ -1349,14 +1387,18 @@ options {
</p></div>
<p>
</p>
<p>Only records flagged as "complete" can be removed via
dynamic update. Attempts to remove other private type records
will be silently ignored.</p>
<p>If the first octet is zero (this is a reserved algorithm
number that should never appear in a DNSKEY record) then the
record indicates changes to the NSEC3 chains are in progress. The
rest of the record contains an NSEC3PARAM record. The flag field
tells what operation to perform based on the flag bits.</p>
<p>
Only records flagged as "complete" can be removed via
dynamic update. Attempts to remove other private type records
will be silently ignored.
</p>
<p>
If the first octet is zero (this is a reserved algorithm
number that should never appear in a DNSKEY record) then the
record indicates changes to the NSEC3 chains are in progress. The
rest of the record contains an NSEC3PARAM record. The flag field
tells what operation to perform based on the flag bits.
</p>
<p>
</p>
<div class="literallayout"><p><br>
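Review bot: the new paragraph "Also any configuration related to DNSSEC signing is retrieved from the policy (ignoring existing DNSSEC named.conf options)" is too vague for a setting with security consequences: it should name which options are ignored when a zone has a dnssec-policy, and say whether setting both is a configuration error or is silently overridden. Silent override is the dangerous case, because an operator who keeps an explicit signing option in named.conf will believe it is in effect when it is not. Related gap in the same hunk: the retained paragraph states that auto-dnssec requires allow-update or update-policy "or the configuration will fail", and the text presents dnssec-policy as "like auto-dnssec maintain", so please state explicitly whether a dnssec-policy zone has the same dynamic-update requirement.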
@ -1370,127 +1412,160 @@ options {
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.31"></a>DNSKEY rollovers</h3></div></div></div>
</div>
<p>As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
<span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.33"></a>Dynamic DNS update method</h3></div></div></div>
</div>
<p> To perform key rollovers via dynamic update, you need to add
the <code class="filename">K*</code> files for the new keys so that
<span class="command"><strong>named</strong></span> can find them. You can then add the new
DNSKEY RRs via dynamic update.
<span class="command"><strong>named</strong></span> will then cause the zone to be signed
with the new keys. When the signing is complete the private type
records will be updated so that the last octet is non
zero.</p>
<p>If this is for a KSK you need to inform the parent and any
trust anchor repositories of the new KSK.</p>
<p>You should then wait for the maximum TTL in the zone before
removing the old DNSKEY. If it is a KSK that is being updated,
you also need to wait for the DS RRset in the parent to be
updated and its TTL to expire. This ensures that all clients will
be able to verify at least one signature when you remove the old
DNSKEY.</p>
<p>The old DNSKEY can be removed via UPDATE. Take care to
specify the correct key.
<span class="command"><strong>named</strong></span> will clean out any signatures generated
by the old key after the update completes.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.38"></a>Automatic key rollovers</h3></div></div></div>
</div>
<p>When a new key reaches its activation date (as set by
<span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
<code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
automatically carry out the key rollover. If the key's algorithm
has not previously been used to sign the zone, then the zone will
be fully signed as quickly as possible. However, if the new key
is replacing an existing key of the same algorithm, then the
zone will be re-signed incrementally, with signatures from the
old key being replaced with signatures from the new key as their
signature validity periods expire. By default, this rollover
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.40"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div>
</div>
<p>Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.42"></a>Converting from NSEC to NSEC3</h3></div></div></div>
</div>
<p>To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.44"></a>Converting from NSEC3 to NSEC</h3></div></div></div>
</div>
<p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.46"></a>Converting from secure to insecure</h3></div></div></div>
</div>
<p>To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
<span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
and associated NSEC3PARAM records will be removed automatically.
This will take place after the update request completes.</p>
<p> This requires the
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
<strong class="userinput"><code>yes</code></strong> in
<code class="filename">named.conf</code>.</p>
<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
zone statement is used, it should be removed or changed to
<span class="command"><strong>allow</strong></span> instead (or it will re-sign).
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.50"></a>Periodic re-signing</h3></div></div></div>
</div>
<p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.52"></a>NSEC3 and OPTOUT</h3></div></div></div>
<a name="id-1.5.10.34"></a>DNSKEY rollovers</h3></div></div></div>
</div>
<p>
<span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
state.
<span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
records in the chain have mixed OPTOUT state.
<span class="command"><strong>named</strong></span> does not support changing the OPTOUT
state of an individual NSEC3 record, the entire chain needs to be
changed if the OPTOUT state of an individual NSEC3 needs to be
changed.</p>
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
<span class="command"><strong>auto-dnssec</strong></span> zone option.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.36"></a>Dynamic DNS update method</h3></div></div></div>
</div>
<p>
To perform key rollovers via dynamic update, you need to add
the <code class="filename">K*</code> files for the new keys so that
<span class="command"><strong>named</strong></span> can find them. You can then add the new
DNSKEY RRs via dynamic update.
<span class="command"><strong>named</strong></span> will then cause the zone to be signed
with the new keys. When the signing is complete the private type
records will be updated so that the last octet is non
zero.
</p>
<p>
If this is for a KSK you need to inform the parent and any
trust anchor repositories of the new KSK.
</p>
<p>
You should then wait for the maximum TTL in the zone before
removing the old DNSKEY. If it is a KSK that is being updated,
you also need to wait for the DS RRset in the parent to be
updated and its TTL to expire. This ensures that all clients will
be able to verify at least one signature when you remove the old
DNSKEY.
</p>
<p>
The old DNSKEY can be removed via UPDATE. Take care to
specify the correct key.
<span class="command"><strong>named</strong></span> will clean out any signatures generated
by the old key after the update completes.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.41"></a>Automatic key rollovers</h3></div></div></div>
</div>
<p>
When a new key reaches its activation date (as set by
<span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
<code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
automatically carry out the key rollover. If the key's algorithm
has not previously been used to sign the zone, then the zone will
be fully signed as quickly as possible. However, if the new key
is replacing an existing key of the same algorithm, then the
zone will be re-signed incrementally, with signatures from the
old key being replaced with signatures from the new key as their
signature validity periods expire. By default, this rollover
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.43"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div>
</div>
<p>
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.45"></a>Converting from NSEC to NSEC3</h3></div></div></div>
</div>
<p>
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
</p>
<p>
NSEC3 is not supported yet with <span class="command"><strong>dnssec-policy</strong></span>.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.48"></a>Converting from NSEC3 to NSEC</h3></div></div></div>
</div>
<p>
To do this, use <span class="command"><strong>nsupdate</strong></span> to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.50"></a>Converting from secure to insecure</h3></div></div></div>
</div>
<p>
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
<span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
and associated NSEC3PARAM records will be removed automatically.
This will take place after the update request completes.</p>
<p> This requires the
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
<strong class="userinput"><code>yes</code></strong> in
<code class="filename">named.conf</code>.</p>
<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
zone statement is used, it should be removed or changed to
<span class="command"><strong>allow</strong></span> instead (or it will re-sign).
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.54"></a>Periodic re-signing</h3></div></div></div>
</div>
<p>
In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.56"></a>NSEC3 and OPTOUT</h3></div></div></div>
</div>
<p>
<span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
state.
<span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
records in the chain have mixed OPTOUT state.
<span class="command"><strong>named</strong></span> does not support changing the OPTOUT
state of an individual NSEC3 record, the entire chain needs to be
changed if the OPTOUT state of an individual NSEC3 needs to be
changed.
</p>
</div>
<div class="section">
@ -1512,8 +1587,8 @@ options {
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>dnssec-keys</strong></span> statement and the
<span class="command"><strong>initial-key</strong></span> keyword. Information about
this can be found in
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
keyword. Information about this can be found in
<a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage&#8221;</a>.</p>
</div>
@ -2840,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -70,6 +70,9 @@
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
@ -806,6 +809,17 @@
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>dnssec-policy</strong></span></p>
</td>
<td>
<p>
describes a DNSSEC key and signing policy for zones.
See <a class="xref" href="Bv9ARM.ch05.html#dnssec_policy_grammar" title="dnssec-policy Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-policy</strong></span> Statement Grammar&#8221;</a> for details.
</p>
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>include</strong></span></p>
</td>
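Review bot: the new dnssec-policy row sends readers to the Statement Grammar section "for details", but the grammar only lists syntax, and the TOC change earlier in this patch adds a "dnssec-policy Statement Definition and Usage" section (anchor dnssec_policy). Since the row promises that the statement "describes a DNSSEC key and signing policy for zones", link to the Definition and Usage section, which is where that description will live, and keep the grammar link for the statement's own heading.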
@ -889,11 +903,14 @@
</td>
<td>
<p>
defines DNSSEC keys: if used with the
<span class="command"><strong>initial-key</strong></span> keyword,
keys are kept up to date using RFC 5011
trust anchor maintenance, and if used with
<span class="command"><strong>static-key</strong></span>, keys are permanent.
defines DNSSEC trust anchors: if used with
the <span class="command"><strong>initial-key</strong></span> or
<span class="command"><strong>initial-ds</strong></span> keyword,
trust anchors are kept up to date using RFC
5011 trust anchor maintenance, and if used with
<span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>static-ds</strong></span>, trust anchors
are permanent.
</p>
</td>
</tr>
@ -2418,7 +2435,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port
<em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key
<em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [
<span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };
<span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };
<span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
<span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
@ -2500,18 +2517,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( mpsc | spsc );
<span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>geoip-directory</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>hostname</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>ixfr-from-differences</strong></span> ( primary | master | secondary | slave |
<em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>keep-response-order</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
<span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>listen-on</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
<em class="replaceable"><code>integer</code></em> ] {
<em class="replaceable"><code>address_match_element</code></em>; ... };
@ -2525,28 +2542,28 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
<span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>max-cache-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );
<span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
<span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-rsa-exponent-size</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>duration</code></em> );
<span class="command"><strong>memstatistics</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>memstatistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>message-compression</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>min-cache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>min-ncache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>min-cache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>min-ncache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
@ -2563,8 +2580,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
[ dscp <em class="replaceable"><code>integer</code></em> ];
<span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>nxdomain-redirect</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>pid-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em>;
@ -2611,13 +2628,13 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
<em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
<em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval
<em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
<em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval
<em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
<span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
<span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [
<span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [
<span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [
<span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [
<span class="command"><strong>nsip-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]
[ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [
@ -2631,7 +2648,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>serial-query-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
<span class="command"><strong>server-id</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );
<span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>session-keyalg</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>session-keyfile</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>session-keyname</strong></span> <em class="replaceable"><code>string</code></em>;
@ -2642,7 +2659,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>sortlist</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
<span class="command"><strong>stacksize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
<span class="command"><strong>stale-answer-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>startup-notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>statistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>synth-from-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
@ -3068,7 +3085,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<p>
Specifies the directory in which to store the files that
track managed DNSSEC keys (i.e., those configured using
the <span class="command"><strong>initial-key</strong></span> keyword in a
the <span class="command"><strong>initial-key</strong></span> or
<span class="command"><strong>initial-ds</strong></span> keywords in a
<span class="command"><strong>dnssec-keys</strong></span> statement). By default,
this is the working directory. The directory
<span class="emphasis"><em>must</em></span> be writable by the effective
@ -3211,7 +3229,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
the first time; if unsuccessful, the server will
will terminate, under the assumption that another
server is already running. If not specified, the default is
<code class="filename">/var/run/named/named.lock</code>.
<code class="filename">none</code>.
</p>
<p>
Specifying <span class="command"><strong>lock-file none</strong></span> disables the
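Review bot: changing the documented default from /var/run/named/named.lock to none is a behaviour change, not a wording fix, and the paragraph should say so explicitly: with no lock file, the check described just above ("if unsuccessful, the server will terminate, under the assumption that another server is already running") no longer runs unless the operator sets lock-file themselves, so installations that relied on the old default lose the guard against starting two named instances. Add a sentence pointing that out, and note that "none" is a keyword rather than a path, so it should not be wrapped in the filename markup that was appropriate for the old default. There is also a stray doubled "will will" two lines above.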
@ -3788,15 +3806,21 @@ options {
<dt><span class="term"><span class="command"><strong>automatic-interface-scan</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
automatically rescan network interfaces when the interface
addresses are added or removed. The default is
<strong class="userinput"><code>yes</code></strong>.
If <strong class="userinput"><code>yes</code></strong> and supported by the operating
system, automatically rescan network interfaces when the
interface addresses are added or removed. The default is
<strong class="userinput"><code>yes</code></strong>. This configuration option does
not affect time based <span class="command"><strong>interface-interval</strong></span>
option, and it is recommended to set the time based
<span class="command"><strong>interface-interval</strong></span> to 0 when the operator
confirms that automatic interface scanning is supported by the
operating system.
</p>
<p>
Currently the OS needs to support routing sockets for
<span class="command"><strong>automatic-interface-scan</strong></span> to be
supported.
The <span class="command"><strong>automatic-interface-scan</strong></span> implementation
uses routing sockets for the network interface discovery,
and therefore the operating system has to support the routing
sockets for this feature to work.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
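Review bot: the new text explains that automatic-interface-scan "does not affect time based interface-interval option" and recommends setting the latter to 0, but never says why; state that with interface-interval left at its default the periodic rescan keeps running alongside the routing-socket scan, so setting it to 0 avoids redundant scans rather than fixing anything. Grammar in the added lines: "time based interface-interval option" needs an article and a hyphen ("the time-based interface-interval option"), "it is recommended to set ... when the operator confirms" reads better as "operators who have confirmed that the operating system supports automatic interface scanning should set interface-interval to 0", and "has to support the routing sockets" should drop "the".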
@ -4305,6 +4329,17 @@ options {
response to a UDP request from a cookie aware client.
BADCOOKIE is sent if there is a bad or no existent
server cookie.
The default is <strong class="userinput"><code>no</code></strong>.
</p>
<p>
Set this to <strong class="userinput"><code>yes</code></strong> to test that DNS
COOKIE clients correctly handle BADCOOKIE or if you are
getting a lot of forged DNS requests with DNS COOKIES
present. Setting this to <strong class="userinput"><code>yes</code></strong> will
result in reduced amplification effect in a reflection
attack, as the BADCOOKIE response will be smaller than
a full response, while also requiring a legitimate client
to follow up with a second query with the new, valid, cookie.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
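Review bot: the sentence "Setting this to yes will result in reduced amplification effect in a reflection attack, as the BADCOOKIE response will be smaller than a full response, while also requiring a legitimate client to follow up with a second query" runs the benefit and the cost together; split them so each is clear: a BADCOOKIE reply is smaller than a full answer, so a forged UDP query carrying a bad or missing server cookie yields less amplification toward the spoofed victim, and the price is one extra round trip for every legitimate client that does not yet hold a valid server cookie. Also "no existent server cookie" should be "missing", "cookie aware" should be hyphenated, and "if you are getting a lot of forged DNS requests" is a bit informal for the ARM.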
@ -4347,6 +4382,7 @@ options {
do not send a correct COOKIE option may be limited
to receiving smaller responses via the
<span class="command"><strong>nocookie-udp-size</strong></span> option.
The default is <strong class="userinput"><code>yes</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
@ -4959,7 +4995,9 @@ options {
<p>
Synthesize answers from cached NSEC, NSEC3 and
other RRsets that have been proved to be correct
using DNSSEC. The default is <span class="command"><strong>yes</strong></span>.
using DNSSEC. The default is <span class="command"><strong>no</strong></span>,
but it will become <span class="command"><strong>yes</strong></span> again
in the future releases.
</p>
<p>
Note:
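Review bot: "The default is no, but it will become yes again in the future releases" records the change without giving the reason, and a resolver operator who relied on the previous yes default will silently lose synthesized answers on upgrade; add a one-line reason or a pointer to the release notes so they can judge whether to turn it back on. Wording: "in a future release".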
@ -6469,10 +6507,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
minutes. The default
is 60 minutes. The maximum value is 28 days (40320 minutes).
If set to 0, interface scanning will only occur when
the configuration file is loaded. After the scan, the
server will
begin listening for queries on any newly discovered
interfaces (provided they are allowed by the
the configuration file is loaded, or when
<span class="command"><strong>automatic-interface-scan</strong></span> is enabled
and supported by the operating system. After the scan, the
server will begin listening for queries on any newly
discovered interfaces (provided they are allowed by the
<span class="command"><strong>listen-on</strong></span> configuration), and
will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be
@ -6511,7 +6550,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The first element (which may be an IP address, an IP prefix, an
ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of
each top level list is checked against the source address of
the query until a match is found.
the query until a match is found. When the addresses in the
first element overlap, the first rule to match gets selected.
</p>
<p>
Once the source address of the query has been matched, if the
@ -6823,6 +6863,20 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>resolver-nonbackoff-tries</strong></span></span></dt>
<dd>
<p>
Specifies how many retries occur before exponential
backoff kicks in. The default is <strong class="userinput"><code>3</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>resolver-retry-interval</strong></span></span></dt>
<dd>
<p>
The base retry interval in milliseconds.
The default is <strong class="userinput"><code>800</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
<dd>
<p>
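Review bot: resolver-nonbackoff-tries and resolver-retry-interval are documented in isolation; say how they combine (presumably the first resolver-nonbackoff-tries retries are spaced resolver-retry-interval milliseconds apart and later ones are spread by exponential backoff), and give the accepted range and the meaning of 0 for each, because these two values control how aggressively named retransmits to an unresponsive authoritative server and an overly small interval or large try count turns the resolver into a retransmission source. "before exponential backoff kicks in" is also rather colloquial for the ARM.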
@ -8798,7 +8852,8 @@ example.com CNAME rpz-tcp-only.
<a name="dnssec_keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>dnssec-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
<span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<span class="command"><strong>initial-key</strong></span> | static-ds | initial-ds )
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };
</pre>
</div>
@ -8812,12 +8867,12 @@ example.com CNAME rpz-tcp-only.
trust anchors. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>.
</p>
<p>
A trust anchor is defined when the public key for
a non-authoritative zone is known, but cannot be securely
obtained through DNS, either because it is the DNS root zone
or because its parent zone is unsigned. Once a key has been
configured as a trust anchor, it is treated as if it had
been validated and proven secure.
A trust anchor is defined when the public key or public key
digest for a non-authoritative zone is known, but cannot be
securely obtained through DNS, either because it is the DNS
root zone or because its parent zone is unsigned. Once a key
or digest has been configured as a trust anchor, it is treated
as if it had been validated and proven secure.
</p>
<p>
The resolver attempts DNSSEC validation on all DNS data
@ -8829,19 +8884,9 @@ example.com CNAME rpz-tcp-only.
<p>
All keys listed in <span class="command"><strong>dnssec-keys</strong></span>, and
their corresponding zones, are deemed to exist regardless
of what parent zones say. Only keys configured as trust anchors
of what parent zones say. Only keys configured as trust anchors
are used to validate the DNSKEY RRset for the corresponding
name. The parent's DS RRset will not be used.
</p>
<p>
The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
multiple key entries, each consisting of the key's
domain name, followed by the <span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>initial-key</strong></span> keyword, then the key's flags,
protocol, algorithm, and the Base64 representation of the key
data. Spaces, tabs, newlines and carriage returns are ignored
in the key data, so the configuration may be split up into
multiple lines.
name. The parent's DS RRset will not be used.
</p>
<p>
<span class="command"><strong>dnssec-keys</strong></span> may be set at the top level
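Review bot: "All keys listed in dnssec-keys, and their corresponding zones, are deemed to exist" should become "All trust anchors listed in dnssec-keys", to match the renaming this patch does elsewhere ("defines DNSSEC trust anchors") now that a DS entry lists no key at all. The line "of what parent zones say. Only keys configured as trust anchors" also appears as both removed and added with no visible difference, i.e. a whitespace-only change; drop it from the patch to keep the diff to the substantive edits.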
@ -8851,11 +8896,33 @@ example.com CNAME rpz-tcp-only.
defined in a view are only used within that view.
</p>
<p>
<span class="command"><strong>dnssec-keys</strong></span> entries can be configured with
two keywords: <span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>initial-key</strong></span>. Keys configured with
<span class="command"><strong>static-key</strong></span> are immutable,
while keys configured with <span class="command"><strong>initial-key</strong></span>
The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
multiple trust anchor entries, each consisting of a
domain name, followed by an "anchor type" keyword indicating
the trust anchor's format, followed by the key or digest data.
</p>
<p>
If the anchor type is <span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>initial-key</strong></span>, then it is followed with the
key's flags, protocol, algorithm, and the Base64 representation
of the public key data. This is identical to the text
representation of a DNSKEY record. Spaces, tabs, newlines and
carriage returns are ignored in the key data, so the
configuration may be split up into multiple lines.
</p>
<p>
If the anchor type is <span class="command"><strong>static-ds</strong></span> or
<span class="command"><strong>initial-ds</strong></span>, then it is followed with the
key tag, algorithm, digest type, and the hexidecimal
representation of the key digest. This is identical to the
text representation of a DS record. Spaces, tabs, newlines
and carriage returns are ignored.
</p>
<p>
Trust anchors configured with the
<span class="command"><strong>static-key</strong></span> or <span class="command"><strong>static-ds</strong></span>
anchor types are immutable, while keys configured with
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
can be kept up to date automatically, without intervention
from the resolver operator. (<span class="command"><strong>static-key</strong></span>
keys are identical to keys configured using the deprecated
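Review bot: typo in the DS paragraph, "hexidecimal representation of the key digest" should be "hexadecimal", and "followed with" should be "followed by" in both paragraphs. Since the key and DS forms share the grammar's three integers plus a quoted string, an inline example of each entry (flags, protocol, algorithm and base64 data for static-key/initial-key; key tag, algorithm, digest type and hex digest for static-ds/initial-ds) would stop readers from pasting a DS line under a key anchor type, where the key tag would be read as DNSKEY flags and the anchor would never match anything.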
@ -8865,45 +8932,55 @@ example.com CNAME rpz-tcp-only.
Suppose, for example, that a zone's key-signing
key was compromised, and the zone owner had to revoke and
replace the key. A resolver which had the original key
configured as a <span class="command"><strong>static-key</strong></span> would be
unable to validate this zone any longer; it would
reply with a SERVFAIL response code. This would
continue until the resolver operator had updated the
<span class="command"><strong>dnssec-keys</strong></span> statement with the new key.
configured using <span class="command"><strong>static-key</strong></span> or
<span class="command"><strong>static-ds</strong></span> would be unable to validate
this zone any longer; it would reply with a SERVFAIL response
code. This would continue until the resolver operator had
updated the <span class="command"><strong>dnssec-keys</strong></span> statement with
the new key.
</p>
<p>
If, however, the trust anchor had been configured with
<span class="command"><strong>initial-key</strong></span> instead, then the
zone owner could add a "stand-by" key to their zone in advance.
<span class="command"><strong>named</strong></span> would store the stand-by key, and
when the original key was revoked, <span class="command"><strong>named</strong></span>
would be able to transition smoothly to the new key. It would
also recognize that the old key had been revoked, and cease
using that key to validate answers, minimizing the damage that
the compromised key could do. This is the process used to
keep the ICANN root DNSSEC key up to date.
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
instead, then the zone owner could add a "stand-by" key to
their zone in advance. <span class="command"><strong>named</strong></span> would store
the stand-by key, and when the original key was revoked,
<span class="command"><strong>named</strong></span> would be able to transition smoothly
to the new key. It would also recognize that the old key had
been revoked, and cease using that key to validate answers,
minimizing the damage that the compromised key could do.
This is the process used to keep the ICANN root DNSSEC key
up to date.
</p>
<p>
Whereas <span class="command"><strong>static-key</strong></span>
keys continue to be trusted until they are removed from
Whereas <span class="command"><strong>static-key</strong></span> and
<span class="command"><strong>static-ds</strong></span> trust anchors continue
to be trusted until they are removed from
<code class="filename">named.conf</code>, an
<span class="command"><strong>initial-key</strong></span> is only trusted
<span class="emphasis"><em>once</em></span>: for as long as it
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
is only trusted <span class="emphasis"><em>once</em></span>: for as long as it
takes to load the managed key database and start the RFC 5011
key maintenance process.
</p>
<p>
It is not possible to mix static with initial trust anchors
for the same domain name. It is also not possible to mix
<span class="command"><strong>key</strong></span> with <span class="command"><strong>ds</strong></span> trust anchors.
</p>
<p>
The first time <span class="command"><strong>named</strong></span> runs with an
<span class="command"><strong>initial-key</strong></span> configured in
<code class="filename">named.conf</code>, it fetches the
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
configured in <code class="filename">named.conf</code>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
using the key specified in <span class="command"><strong>dnssec-keys</strong></span>.
If the DNSKEY RRset is validly signed, then it is
used as the basis for a new managed keys database.
using the trust anchor specified in <span class="command"><strong>dnssec-keys</strong></span>.
If the DNSKEY RRset is validly signed by a key matching
the trust anchor, then it is used as the basis for a new
managed keys database.
</p>
<p>
From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
sees the <span class="command"><strong>initial-key</strong></span> listed in
sees the <span class="command"><strong>initial-key</strong></span> or
<span class="command"><strong>initial-ds</strong></span> listed in
<span class="command"><strong>dnssec-keys</strong></span>, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
@ -8914,13 +8991,13 @@ example.com CNAME rpz-tcp-only.
</p>
<p>
The next time <span class="command"><strong>named</strong></span> runs after an
<span class="command"><strong>initial-key</strong></span> has been
<span class="emphasis"><em>removed</em></span> from the
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
trust anchor has been <span class="emphasis"><em>removed</em></span> from the
<span class="command"><strong>dnssec-keys</strong></span> statement (or changed to
a <span class="command"><strong>static-key</strong></span>), the corresponding
zone will be removed from the managed keys database,
and RFC 5011 key maintenance will no longer be used for that
domain.
a <span class="command"><strong>static-key</strong></span> or <span class="command"><strong>static-ds</strong></span>),
the corresponding keys will be removed from the managed keys
database, and RFC 5011 key maintenance will no longer be used
for that domain.
</p>
<p>
In the current implementation, the managed keys database
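Review bot: "the corresponding keys will be removed from the managed keys database" is clearer than the old "corresponding zone", but it is still ambiguous whether only the key that was listed in dnssec-keys is removed or every key that RFC 5011 maintenance had accumulated for that domain; the following clause ("key maintenance will no longer be used for that domain") implies the latter, so consider "all managed keys for that domain". It would also help to state explicitly that after an initial-key is changed to a static-key (or initial-ds to static-ds), the key written in named.conf becomes the anchor, not whatever key RFC 5011 maintenance may have rolled to in the meantime, since that is the case where a stale key in the configuration silently breaks validation.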
@ -8965,12 +9042,216 @@ example.com CNAME rpz-tcp-only.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_policy_grammar"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em> {
<span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory <em class="replaceable"><code>duration</code></em> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
<span class="command"><strong>parent-ds-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-registration-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>publish-safety</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>retire-safety</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>signatures-refresh</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>signatures-validity</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>signatures-validity-dnskey</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>zone-max-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>zone-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
};
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-policy</strong></span> statement defines a key and
signing policy (KASP) for zones.
</p>
<p>
KASP is used to determine how one or more zones need to be signed
with DNSSEC. For example, how often RRSIG records need to be
refreshed, or what cryptographic algorithms to use.
</p>
<p>
You can configure multiple policies. To attach a policy to a zone
simply add <strong class="userinput"><code>dnssec-policy "policy_name"</code></strong>
option to the <span class="command"><strong>zone</strong></span> statement with a matching
policy name.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>dnskey-ttl</strong></span></span></dt>
<dd>
<p>
The TTL of the DNSKEY resource records.
Default is <code class="constant">3600</code> seconds.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keys</strong></span></span></dt>
<dd>
<p>
A list of keys to use. Each line represents one key. Here is
an example (for illustration purposes only) of some possible
keys in a <span class="command"><strong>dnssec-policy</strong></span>:
</p>
<pre class="programlisting">keys {
ksk key-directory lifetime P5Y algorithm 8 2048;
zsk key-directory lifetime P30D algorithm 8;
csk key-directory lifetime P6MT12H3M15S algorithm 13;
};
</pre>
<p>
This example lists three keys. The first token determines
what RRsets the key will sign. If set to
<strong class="userinput"><code>ksk</code></strong> the key will sign the DNSKEY, CDS,
and CDNSKEY RRsets, if set to <strong class="userinput"><code>zsk</code></strong> the
key will sign the other RRsets, and if set to
<strong class="userinput"><code>csk</code></strong> the key will sign all RRsets.
</p>
<p>
The following part determines where the key will be stored.
Currently keys can only be stored in the configured
<span class="command"><strong>key-directory</strong></span>.
</p>
<p>
The third token tells how long the key may be used. In the
example the first key has a lifetime of 5 years, the second
key may be used for 30 days and the third key has a rather
peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
seconds.
</p>
<p>
The last token(s) are the key's algorithm and algorithm
length. The length may be omitted as shown in the
example for the second and third key.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>publish-safety</strong></span></span></dt>
<dd>
<p>
A margin that is added to the publish interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <code class="constant">PT5M</code>
(5 minutes).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>retire-safety</strong></span></span></dt>
<dd>
<p>
A margin that is added to the retire interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <code class="constant">PT5M</code>
(5 minutes).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-refresh</strong></span></span></dt>
<dd>
<p>
This determines when a RRSIG record needs to be
refreshed. The signatures is renewed when the time until
the expiration time is closer than
<span class="command"><strong>signatures-refresh</strong></span>.
<span class="command"><strong>signatures-resign</strong></span> interval. Default
is <code class="constant">P5D</code> (5 days), meaning a signature
that will expire in 5 days or sooner will be refreshed.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-validity</strong></span></span></dt>
<dd>
<p>
The validity period of an RRSIG record (minus the
inception offset and jitter). Default is
<code class="constant">P2W</code> (2 weeks).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-validity-dnskey</strong></span></span></dt>
<dd>
<p>
Like <span class="command"><strong>signatures-validity</strong></span> but for
DNSKEY records. Default is <code class="constant">P2W</code> (2
weeks).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>zone-max-ttl</strong></span></span></dt>
<dd>
<p>
Like <span class="command"><strong>max-zone-ttl</strong></span>, specifies the
maximum permissible TTL value in seconds. When loading a
zone file using a <code class="option">masterfile-format</code> or
<code class="constant">text</code> or <code class="constant">raw</code>,
any record encountered with a TTL higher than
<code class="option">zone-max-ttl</code> will be capped to the
maximum permissible TTL value.
</p>
<p>
This is needed in DNSSEC-maintained zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from caches.
The <code class="option">zone-max-ttl</code> option guarantees that
the largest TTL in the zone will be no higher than the
set value.
</p>
<p>
(NOTE: Because <code class="constant">map</code>-format files
load directly into memory, this option cannot be
used with them.)
</p>
<p>
The default value is <code class="constant">PT24H</code> (24 hours).
A <code class="option">zone-max-ttl</code> of zero is treated as if
the default value is in use.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>zone-propagation-delay</strong></span></span></dt>
<dd>
<p>
The expected propagation delay from when a zone is
updated and when the new version of the zone is served by
all its name servers. Default is
<code class="constant">PT5M</code> (5 minutes).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-ds-ttl</strong></span></span></dt>
<dd>
<p>
The TTL of the DS RRset that the parent uses. Default is
<code class="constant">PT1H</code> (1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-propagation-delay</strong></span></span></dt>
<dd>
<p>
The expected propagation delay from when the parent zone
is updated and when the new version of the parent zone is
served by all its name servers. Default is
<code class="constant">PT1H</code> (1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-registration-delay</strong></span></span></dt>
<dd>
<p>
The expected registration delay from when a DS RRset
change is requested and when the DS RRset has been
updated in the parent zone. Default is
<code class="constant">P1D</code> (1 day).
</p>
</dd>
</dl></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key
| initial-key ) <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
| initial-key | static-ds |
<span class="command"><strong>initial-ds</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
</pre>
</div>
<div class="section">
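Review bot: the dnssec-policy grammar and the keys example in this hunk disagree. The grammar shows `keys { ( csk | ksk | zsk ) key-directory duration integer [ integer ] ; ... };` with no keywords, while the example writes `ksk key-directory lifetime P5Y algorithm 8 2048;` with literal lifetime and algorithm tokens, and the prose then refers to "the third token" and "the last token(s)" by position. One of them is wrong; if the keywords are real, the grammar should read `... key-directory lifetime duration algorithm integer [ integer ]` and the prose should name the keywords rather than count tokens. Three smaller points in the same hunk: the signatures-refresh text contains a stray fragment ("... closer than signatures-refresh. signatures-resign interval. Default ...") and "The signatures is renewed" should be "The signature is renewed"; zone-max-ttl is described as "the maximum permissible TTL value in seconds" although its type is duration and the default is given as PT24H, so drop "in seconds", and "using a masterfile-format or text or raw" should be "of text or raw"; and dnskey-ttl keeps the ttlval type while every other interval in this statement, and max-zone-ttl elsewhere in this commit, moves to duration, which looks unintentional.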
@ -9180,6 +9461,7 @@ view "external" {
<span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
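Review bot: dnssec-policy is added to the zone grammar beside dnskey-sig-validity, dnssec-dnskey-kskonly, dnssec-loadkeys-interval, dnssec-secure-to-insecure and dnssec-update-mode, but nothing in this commit says how they interact when a zone sets both a policy and one of these per-zone options (policy wins, the explicit option wins, or a configuration error). Please document the precedence in the dnssec-policy definition; a zone whose operator believes signatures-validity-dnskey is P2W while dnskey-sig-validity still applies would get a different rollover timeline than planned.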
@ -9195,7 +9477,7 @@ view "external" {
<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>duration</code></em> );
<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
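Review bot: changing max-zone-ttl from ttlval to duration changes the accepted syntax of an existing option; please confirm that plain integer seconds and the TTL suffixes accepted before this change still parse so that existing named.conf files do not fail on upgrade, and add a release note line for it, since the release notes hunk in this commit does not mention max-zone-ttl at all.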
@ -9231,6 +9513,7 @@ view "external" {
<span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>forward</strong></span> ( first | only );
@ -9386,7 +9669,7 @@ view "external" {
<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
<span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>duration</code></em> );
<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
};
</pre>
@ -10052,6 +10335,14 @@ view "external" {
Usage&#8221;</a>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-policy</strong></span></span></dt>
<dd>
<p>
The key and signing policy for this zone. Set to
<strong class="userinput"><code>"default"</code></strong> if you want to make use
of the default policy.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
<dd>
<p>
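Review bot: "Set to "default" if you want to make use of the default policy" introduces a built-in policy name without saying what the default policy contains (algorithm, key lifetimes, signature validity) or where it is defined; please either list its values or cross-reference the dnssec-policy section, and state what named does when the string names a policy that does not exist in named.conf (reject at load, or leave the zone unsigned). The second case matters because a typo in the policy name must not silently leave a zone unsigned.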
@ -14897,6 +15188,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -36,17 +36,19 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
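Review bot: the table of contents drops the top-level "Security Fixes" entry in favour of per-release sections, so a reader scanning the ARM for security-relevant changes now has to open each "Notes for BIND 9.15.x" subsection; if the per-release layout is intended, consider keeping one cumulative "Security Fixes" link, or at least give each release's "Security Fixes" heading an anchor the TOC can point at (the 9.15.6 section already uses relnotes-9.15.6-security).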
@ -55,7 +57,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.5</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -119,362 +121,559 @@
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
<a class="link" href="https://www.isc.org/download/" target="_top">https://www.isc.org/download/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</p>
</li>
<p>
A new asynchronous network communications system based on
<span class="command"><strong>libuv</strong></span> is now used by <span class="command"><strong>named</strong></span>
for listening for incoming requests and responding to them.
This change will make it easier to improve performance and
implement new protocol layers (for example, DNS over TLS) in
the future. [GL #29]
</p>
</li>
<li class="listitem">
<p>
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<p>
The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
configuration key and signing policy (KASP) for zones. This
option enables <span class="command"><strong>named</strong></span> to generate new keys
as needed and automatically roll both ZSK and KSK keys.
(Note that the syntax for this statement differs from the DNSSEC
policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
</p>
</li>
<li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could crash with an assertion failure
if a forwarder returned a referral, rather than resolving the
query, when QNAME minimization was enabled. This flaw is
disclosed in CVE-2019-6476. [GL #1051]
</p>
</li>
<li class="listitem">
<p>
A flaw in DNSSEC verification when transferring mirror zones
could allow data to be incorrectly marked valid. This flaw
is disclosed in CVE-2019-6475. [GL #1252]
</p>
</li>
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
</p>
</li>
<li class="listitem">
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Too many simultaneous pipelined TCP queries could cause
resource overuse. We now prevent this by enforcing a limit
on the number of simultaneous requests per active connection.
This flaw`is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Added a new command line option to <span class="command"><strong>dig</strong></span>:
<span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
won't accept a reply from a source other than the one to which
it sent the query. Add the <span class="command"><strong>+unexpected</strong></span> argument
to enable it to process replies from unexpected sources.
</p>
</li>
<p>
<span class="command"><strong>named</strong></span> could crash with an assertion failure
if a forwarder returned a referral, rather than resolving the
query, when QNAME minimization was enabled. This flaw is
disclosed in CVE-2019-6476. [GL #1051]
</p>
</li>
<li class="listitem">
<p>
The GeoIP2 API from MaxMind is now supported. Geolocation support
will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
library is found at compile time, but can be turned off by using
<span class="command"><strong>configure --disable-geoip</strong></span>.
</p>
<p>
The default path to the GeoIP2 databases will be set based
on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
for example, if it is in <code class="filename">/usr/local/lib</code>,
then the default path will be
<code class="filename">/usr/local/share/GeoIP</code>.
This value can be overridden in <code class="filename">named.conf</code>
using the <span class="command"><strong>geoip-directory</strong></span> option.
</p>
<p>
Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
<span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
no longer work when using GeoIP2. Supported GeoIP2 database
types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
<span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
<span class="command"><strong>as</strong></span>. All of these databases support both IPv4
and IPv6 lookups. [GL #182] [GL #1112]
</p>
</li>
<p>
A flaw in DNSSEC verification when transferring mirror zones
could allow data to be incorrectly marked valid. This flaw
is disclosed in CVE-2019-6475. [GL #1252]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
the <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> statements have been
deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
statement should now be used for both types of key.
</p>
<p>
When used with the keyword <span class="command"><strong>initial-key</strong></span>,
<span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
<span class="command"><strong>managed-keys</strong></span>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</p>
<p>
When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
configuring a permanent trust anchor that will not automatically
be updated. (This usage is not recommended for the root key.)
[GL #6]
</p>
</li>
<p>
Added a new command line option to <span class="command"><strong>dig</strong></span>:
<span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
won't accept a reply from a source other than the one to which
it sent the query. Add the <span class="command"><strong>+unexpected</strong></span> argument
to enable it to process replies from unexpected sources.
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li>
<li class="listitem">
<p>
Two new metrics have been added to the
<span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
signing operations. For each key in each zone, the
<span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
number of signatures <span class="command"><strong>named</strong></span> has generated
using that key since server startup, and the
<span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
many of those signatures were refreshed during zone
maintenance, as opposed to having been generated
as a result of a zone update. [GL #513]
</p>
</li>
<li class="listitem">
<p>
<p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
<span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
option to print output in a a detailed YAML format. [RT #1145]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
that its policies are removed from the RPZ summary database.
[GL #1146]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Statistics channel groups are now toggleable. [GL #1030]
</p>
</li>
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
marked as deprecated; when used in <code class="filename">named.conf</code>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
[GL #7]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
<span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
option to print output in a a detailed YAML format. [RT #1145]
</p>
</li>
<p>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This change doesn't have any operational impact
in most common scenarios. [GL #605]
</p>
<p>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</p>
</li>
<li class="listitem">
<p>
The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
<span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <span class="command"><strong>-f -</strong></span> option. A new
configuration option <span class="command"><strong>-q</strong></span> has been added to silence
all output on standard output except for the name of the signed zone.
</p>
</li>
<li class="listitem">
<p>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
</p>
</li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
<span class="command"><strong>dnstap-output</strong></span> option when
<span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
</p>
</li>
<li class="listitem">
<p>
Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
</li>
<p>
The GeoIP2 API from MaxMind is now supported. Geolocation support
will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
library is found at compile time, but can be turned off by using
<span class="command"><strong>configure --disable-geoip</strong></span>.
</p>
<p>
The default path to the GeoIP2 databases will be set based
on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
for example, if it is in <code class="filename">/usr/local/lib</code>,
then the default path will be
<code class="filename">/usr/local/share/GeoIP</code>.
This value can be overridden in <code class="filename">named.conf</code>
using the <span class="command"><strong>geoip-directory</strong></span> option.
</p>
<p>
Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
<span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
no longer work when using GeoIP2. Supported GeoIP2 database
types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
<span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
<span class="command"><strong>as</strong></span>. All of these databases support both IPv4
and IPv6 lookups. [GL #182] [GL #1112]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>cleaning-interval</strong></span> option has been
removed. [GL !1731]
</p>
</li>
<li class="listitem">
<p>
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
marked as deprecated; when used in <code class="filename">named.conf</code>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
[GL #7]
</p>
</li>
<p>
Two new metrics have been added to the
<span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
signing operations. For each key in each zone, the
<span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
number of signatures <span class="command"><strong>named</strong></span> has generated
using that key since server startup, and the
<span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
many of those signatures were refreshed during zone
maintenance, as opposed to having been generated
as a result of a zone update. [GL #513]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
When <span class="command"><strong>qname-minimization</strong></span> was set to
<span class="command"><strong>relaxed</strong></span>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>./configure</strong></span> no longer sets
<span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
<span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
when <span class="command"><strong>--prefix</strong></span> is not specified and the
aforementioned options are not specified explicitly. Instead,
Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
<span class="command"><strong>$prefix/var</strong></span> are respected.
</p>
</li>
<li class="listitem">
<p>
Glue address records were not being returned in responses
to root priming queries; this has been corrected. [GL #1092]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
the <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> statements have been
deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
statement should now be used for both types of key.
</p>
<p>
When used with the keyword <span class="command"><strong>initial-key</strong></span>,
<span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
<span class="command"><strong>managed-keys</strong></span>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</p>
<p>
When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
configuring a permanent trust anchor that will not automatically
be updated. (This usage is not recommended for the root key.)
[GL #6]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>cleaning-interval</strong></span> option has been
removed. [GL !1731]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone. [GL #6]
</p>
</li>
<p>
<span class="command"><strong>named</strong></span> will now log a warning if
a static key is configured for the root zone. [GL #6]
</p>
</li>
<li class="listitem">
<p>
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
<code class="filename">dsset</code> files generated by
<span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
<code class="filename">keyset</code> files, the CDS records added to
a zone by <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
parameters in key files, and the checks performed by
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
<li class="listitem">
<p>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <span class="command"><strong>configure</strong></span>
option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
to <span class="command"><strong>--with-json-c</strong></span>. Use
<span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
the <span class="command"><strong>json-c</strong></span> library as the new
<span class="command"><strong>configure</strong></span> option does not take the library
installation path as an optional argument.
</p>
</li>
<li class="listitem">
<p>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This change doesn't have any operational impact
in most common scenarios. [GL #605]
</p>
<p>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</p>
</li>
<li class="listitem">
<p>
The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
<span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <span class="command"><strong>-f -</strong></span> option. A new
configuration option <span class="command"><strong>-q</strong></span> has been added to silence
all output on standard output except for the name of the signed zone.
</p>
</li>
<li class="listitem">
<p>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</p>
</li>
<p>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <span class="command"><strong>configure</strong></span>
option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
to <span class="command"><strong>--with-json-c</strong></span>. Use
<span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
the <span class="command"><strong>json-c</strong></span> library as the new
<span class="command"><strong>configure</strong></span> option does not take the library
installation path as an optional argument.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
inadvertently treated as configuration errors when used at the
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
This has now been corrected.
[GL #913]
</p>
</li>
<p>
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>qname-minimization</strong></span> was set to
<span class="command"><strong>relaxed</strong></span>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>./configure</strong></span> no longer sets
<span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
<span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
when <span class="command"><strong>--prefix</strong></span> is not specified and the
aforementioned options are not specified explicitly. Instead,
Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
<span class="command"><strong>$prefix/var</strong></span> are respected.
</p>
</li>
<li class="listitem">
<p>
Glue address records were not being returned in responses
to root priming queries; this has been corrected. [GL #1092]
</p>
</li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
<span class="command"><strong>dnstap-output</strong></span> option when
<span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
</p>
</li>
<li class="listitem">
<p>
Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
</p>
</li>
<li class="listitem">
<p>
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
</p>
</li>
<li class="listitem">
<p>
When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
that its policies are removed from the RPZ summary database.
[GL #1146]
</p>
</li>
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
<code class="filename">dsset</code> files generated by
<span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
<code class="filename">keyset</code> files, the CDS records added to
a zone by <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
parameters in key files, and the checks performed by
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
inadvertently treated as configuration errors when used at the
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
This has now been corrected.
[GL #913]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
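Review bot: the `+yaml` entry reads "in a a detailed YAML format" (doubled article) and the same sentence is listed in this hunk under both 9.15.4 New Features and 9.15.3 Feature Changes; fix the article and confirm the change is credited to a single release. The DNS Cookie entry then contradicts itself: it says SipHash 2-4 "has been added and made default" and two lines later that "only the default AES algorithm is being kept for legacy reasons"; that should read "the previously default AES algorithm". In the `dnssec-signzone`/`dnssec-verify` entry, `-q` is described as "a new configuration option", but it is a command-line option, not a `named.conf` setting.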
@ -511,7 +710,7 @@
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
<a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
for details of ISC's software support policy.
</p>
</div>
@ -522,7 +721,7 @@
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
<a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>
@ -545,6 +744,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -176,7 +176,8 @@ $ <strong class="userinput"><code>make</code></strong>
<code class="filename">named.conf</code>, except that all
<span class="command"><strong>managed-keys</strong></span> entries will be treated as
if they were configured with the <span class="command"><strong>static-key</strong></span>
keyword, even if they are configured with <span class="command"><strong>initial-key</strong></span>.
or <span class="command"><strong>static-ds</strong></span> keywords, even if they are configured
with <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>iniital-ds</strong></span>.
(See <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Grammar">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Grammar&#8221;</a> for syntax details.)
</p>
</div>
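Review bot: `iniital-ds` in the last added line is a typo for `initial-ds`. While editing this sentence, consider whether it should refer to `dnssec-keys` entries rather than only `managed-keys` entries: the 9.15.1 notes in this same commit deprecate `managed-keys` in favour of `dnssec-keys`, and the `initial-ds`/`static-ds` keywords are new, so the reader needs to know which statement accepts them.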
@ -537,6 +538,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.15.5</p></div>
<div><p class="releaseinfo">BIND Version 9.15.6</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
@ -109,18 +109,18 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.2">Converting from insecure to secure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully automatic zone signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private-type records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic key rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting from secure to insecure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.52">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.9">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.17">Fully automatic zone signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.27">Private-type records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">DNSKEY rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.36">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">Automatic key rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.48">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Converting from secure to insecure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.54">Periodic re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.56">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
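Review bot: after the renumbering, "Dynamic DNS update method" still appears twice in this chapter's contents (id-1.5.10.9 and id-1.5.10.36), so two sections under "DNSSEC, Dynamic Zones, and Automatic Signing" share a title; give the second one a distinguishing title or merge them. Separately, every entry in this block is an auto-generated `id-1.5.10.N` anchor that shifts whenever a section is inserted (this hunk moves each one by two), which silently breaks external links; explicit ids like the `dnssec.dynamic.zones` and `rfc5011.support` entries already have would keep them stable.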
@ -195,6 +195,9 @@
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
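Review bot: the new anchors `dnssec_policy_grammar` and `dnssec_policy` introduce a third naming pattern in this list; the neighbouring entries use `dnssec_keys` for the grammar and `dnssec-keys` for the definition, and `managed-keys` / `managed_keys` the other way round. Pick one scheme for new anchors (for example `<name>_grammar` and `<name>`) and leave the existing ids alone only where they must be kept for link compatibility.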
@ -245,17 +248,19 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@ -443,6 +448,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

Binary file not shown.

View file

@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -621,6 +621,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -376,6 +376,6 @@ nsupdate -l
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -156,6 +156,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -270,6 +270,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -341,6 +341,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -250,6 +250,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -498,6 +498,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -59,6 +59,7 @@
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
@ -67,8 +68,9 @@
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
@ -77,6 +79,7 @@
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
@ -186,6 +189,15 @@
the specified class. If not specified, class IN is used.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
<dd>
<p>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
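Review bot: typo in the algorithm list for `-d`: `NSEC3RSASA1` should read `NSEC3RSASHA1`. The entry should also say what size is used when `-d` is omitted, and the two range sentences should be phrased the same way ("must be in range 1024-4096" versus "DH size is between 128 and 4096"), for example "between 128 and 4096 bits, inclusive".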
@ -236,6 +248,21 @@
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
<dd>
<p>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</p>
<p>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <span class="command"><strong>dnssec-keygen</strong></span>
provides.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
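Review bot: "cannot be used together with many of the other options" is too vague for a reference page; list the options that conflict with `-k`, and say what the tool does when one is supplied anyway (exit with an error or silently ignore it). The paragraph should also give the name pattern of the ".state" file it creates, in the same way the `.key` and `.private` names are given elsewhere, so readers know where to look for it.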
@ -249,6 +276,13 @@
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
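Review bot: `-l file` says the file must contain a dnssec-policy statement matching `-k`, but not what happens when `-k` is given without `-l` (is a default configuration path read?) or when the named policy is not found in the file; document both cases, and state that `-l` has no effect without `-k`.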
@ -555,6 +589,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -405,6 +405,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -171,6 +171,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -67,6 +67,12 @@
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
{keyfile}
</p></div>
</div>
@ -92,11 +98,30 @@
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
</p>
<p>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
<p>
When working with state files, it is possible to update the timing
metadata in those files as well with <code class="option">-s</code>. If this
option is used you can also update key states with <code class="option">-d</code>
(DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</p>
<p>
You can also set the goal state of the key with <code class="option">-g</code>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</p>
<p>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</p>
</div>
<div class="refsection">
@ -280,7 +305,57 @@
</div>
<div class="refsection">
<a name="id-1.13.15.10"></a><h2>PRINTING OPTIONS</h2>
<a name="id-1.13.15.10"></a><h2>KEY STATE OPTIONS</h2>
<p>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-s</span></dt>
<dd>
<p>
When setting key timing data, also update the state file.
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd>
<p>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Set the DS state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Set the DNSKEY state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.13.15.11"></a><h2>PRINTING OPTIONS</h2>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
@ -316,7 +391,7 @@
</div>
<div class="refsection">
<a name="id-1.13.15.11"></a><h2>SEE ALSO</h2>
<a name="id-1.13.15.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
@ -349,6 +424,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -707,6 +707,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -214,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -143,6 +143,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -366,6 +366,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -610,6 +610,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -214,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -463,6 +463,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -117,6 +117,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -119,6 +119,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -121,6 +121,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -113,7 +113,8 @@ dlz
<a name="id-1.13.27.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    initial-key | static-ds | initial-ds )<br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
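Review bot: the grammar now shows `static-ds | initial-ds` taking the same `integer integer integer quoted_string` as the key forms, but the fields mean different things: for a DNSKEY anchor they are flags, protocol and algorithm followed by the base64 key, whereas for a DS anchor they are key tag, algorithm and digest type followed by the hex digest. The DNSSEC-KEYS definition section should spell out both layouts and say whether an `initial-ds` anchor can be rolled under RFC 5011 like `initial-key`, or is only used to validate the first DNSKEY fetch.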
@ -162,9 +163,9 @@ logging
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key ) <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
    | initial-key | static-ds |<br>
    initial-ds ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
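Review bot: `static-ds` and `initial-ds` are being added to `managed-keys`, which this same block marks as deprecated ("Deprecated - see DNSSEC-KEYS."). If new configurations are meant to use `dnssec-keys`, consider not extending the deprecated form, or state explicitly that the DS forms are accepted there only for symmetry with `dnssec-keys`.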
@ -214,7 +215,7 @@ options
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
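Review bot: `min-update-interval` changes type from `ttlval` to `duration` here, and the same rename runs through the rest of the grammar below. Check that `duration` is defined in the reference's list of value types and that the definition says whether plain TTL-style values such as `1h` remain valid; otherwise existing named.conf files silently become undocumented. If the accepted syntax changes, the 9.15.6 release notes should mention it.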
@ -296,18 +297,18 @@ options
fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-output-queue-model ( mpsc | spsc );<br>
fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
fstrm-set-reopen-interval <em class="replaceable"><code>duration</code></em>;<br>
geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
interface-interval <em class="replaceable"><code>duration</code></em>;<br>
ixfr-from-differences ( primary | master | secondary | slave |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] {<br>
    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -321,28 +322,28 @@ options
masterfile-style ( full | relative );<br>
match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
@ -359,8 +360,8 @@ options
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
port <em class="replaceable"><code>integer</code></em>;<br>
@ -407,13 +408,13 @@ options
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
@ -427,7 +428,7 @@ options
serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
serial-update-method ( date | increment | unixtime );<br>
server-id ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
session-keyalg <em class="replaceable"><code>string</code></em>;<br>
session-keyfile ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
session-keyname <em class="replaceable"><code>string</code></em>;<br>
@ -438,7 +439,7 @@ options
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
@ -575,7 +576,7 @@ view
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
@ -618,8 +619,9 @@ view
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
    initial-key | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
@ -653,10 +655,11 @@ view
secret <em class="replaceable"><code>string</code></em>;<br>
};<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
managed-keys { <em class="replaceable"><code>string</code></em> (<br>
    static-key | initial-key<br>
    | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
@ -666,25 +669,25 @@ view
match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
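Review bot: the `ttlval` to `duration` type rename that runs through this hunk (lame-ttl, max-cache-ttl, max-ncache-ttl, max-stale-ttl, max-zone-ttl, min-cache-ttl, min-ncache-ttl) and through the rest of the grammar in this commit is not mentioned in the release-note hunks, whose Feature Changes list only the synth-from-dnssec default and the validator refactor. If `duration` accepts any syntax that `ttlval` did not (or rejects any it did), that is a user-visible configuration change and needs a Feature Changes entry; if it is purely a grammar-label rename, a one-line note would still spare ARM readers from diffing the two grammars to find out.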
@ -700,8 +703,8 @@ view
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ {<br>
    <em class="replaceable"><code>unspecified-text</code></em> } ];<br>
@ -743,13 +746,13 @@ view
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
    <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
@ -794,14 +797,14 @@ view
    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
transfers <em class="replaceable"><code>integer</code></em>;<br>
};<br>
servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
transfer-format ( many-answers | one-answer );<br>
transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
@ -853,6 +856,7 @@ view
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
@ -878,7 +882,7 @@ view
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
@ -955,6 +959,7 @@ zone
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
@ -979,7 +984,7 @@ zone
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
@ -1021,14 +1026,35 @@ zone
</div>
<div class="refsection">
<a name="id-1.13.27.24"></a><h2>FILES</h2>
<a name="id-1.13.27.24"></a><h2>DNSSEC-POLICY</h2>
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
publish-safety <em class="replaceable"><code>duration</code></em>;<br>
retire-safety <em class="replaceable"><code>duration</code></em>;<br>
signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.25"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.13.27.25"></a><h2>SEE ALSO</h2>
<a name="id-1.13.27.26"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
@ -1069,6 +1095,6 @@ zone
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -492,6 +492,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -155,6 +155,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -818,6 +818,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -162,6 +162,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -200,6 +200,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -158,6 +158,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -123,6 +123,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -260,6 +260,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -268,6 +268,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -382,7 +382,8 @@
allowed to incrementally re-sign over time.
</p>
<p>
This command requires that the
This command requires that the zone is configured with a
<span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option
be set to <code class="literal">maintain</code>,
and also requires the zone to be configured to
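Review bot: mixed moods in the new wording: "requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set to maintain" switches from indicative to subjunctive mid-sentence. Suggest "requires that the zone be configured with a dnssec-policy, or that the auto-dnssec zone option be set to maintain". The same construction appears in the second hunk of this file (the "allow or maintain" variant) and should get the same fix.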
@ -737,7 +738,8 @@
re-signed with the new key set.
</p>
<p>
This command requires that the
This command requires that the zone is configured with a
<span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option be set
to <code class="literal">allow</code> or
<code class="literal">maintain</code>,
@ -930,6 +932,8 @@
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
The cache is flushed when validation is turned on or off
to avoid using data that might differ between states.
</p>
</dd>
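Review bot: the new sentence stating that the cache is flushed when validation is turned on or off documents an operational side effect an administrator would want to know about (a full cache flush on a busy resolver is noticeable), but nothing in the release-note hunks of this commit mentions it. If the flush is new behaviour in 9.15.6 rather than long-standing behaviour being documented for the first time, it deserves a Feature Changes entry alongside the synth-from-dnssec change.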
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
@ -1017,6 +1021,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>

View file

@ -15,7 +15,7 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.5</h2></div></div></div>
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -114,19 +114,61 @@
policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
</p>
</li>
<li class="listitem">
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
</p>
</li>
<li class="listitem">
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Too many simultaneous pipelined TCP queries could cause
resource overuse. We now prevent this by enforcing a limit
on the number of simultaneous requests per active connection.
This flaw`is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
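Review bot: typo in the new Security Fixes entry: "This flaw`is disclosed in CVE-2019-6477" has a backtick where a space belongs. Also, "The NSEC Aggressive Cache will be enable by default in the future releases" (pre-existing text carried as context in this hunk) should read "will be enabled by default in future releases"; since the list is being restructured here anyway, it is a cheap fix.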

Binary file not shown.

View file

@ -1,4 +1,4 @@
Release Notes for BIND Version 9.15.5
Release Notes for BIND Version 9.15.6
Introduction
@ -64,6 +64,19 @@ New Features
that the syntax for this statement differs from the DNSSEC policy used
by dnssec-keymgr.) [GL #1134]
* Two new keywords have been added to the dnssec-keys statement:
initial-ds and static-ds. These allow the use of trust anchors in DS
format instead of DNSKEY format. DS format allows trust anchors to be
configured for keys that have not yet been published; this is the
format used by IANA when announcing future root keys.
As with the initial-key and static-key keywords, initial-ds configures
a dynamic trust anchor to be maintained via RFC 5011, and static-ds
configures a permanent trust anchor.
(Note: Currently, DNSKEY-format and DS-format trust anchors cannot
both be used for the same domain name.) [GL #6] [GL #622]
Feature Changes
* NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
@ -71,6 +84,16 @@ Feature Changes
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
* The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
Security Fixes
* Too many simultaneous pipelined TCP queries could cause resource
overuse. We now prevent this by enforcing a limit on the number of
simultaneous requests per active connection. This flaw`is disclosed in
CVE-2019-6477. [GL #1264]
Notes for BIND 9.15.5
Security Fixes
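Review bot: the same backtick typo as in the HTML notes, "This flaw`is disclosed in CVE-2019-6477", appears in the plain-text Security Fixes entry; presumably both files are rendered from one DocBook source, so correcting the source once fixes both.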

View file

@ -39,7 +39,7 @@ zone <string> [ <class> ] {
max-records <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-out <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];

View file

@ -27,19 +27,19 @@ dnssec-keys { <string> ( static-key |
<quoted_string>; ... }; // may occur multiple times
dnssec-policy <string> {
dnskey-ttl <ttlval>;
keys { ( csk | ksk | zsk ) key-directory lifetime <duration> algorithm <integer>
[ <integer> ]; ... };
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>;
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
algorithm <integer> [ <integer> ]; ... };
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>;
publish-safety <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
zone-max-ttl <duration>;
zone-propagation-delay <duration>;
zone-propagation-delay <duration>;
}; // may occur multiple times
dyndb <string> <quoted_string> {
@ -116,7 +116,7 @@ options {
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
@ -167,6 +167,7 @@ options {
trust-anchor <string> |
auto | no ); // obsolete, may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
@ -209,8 +210,8 @@ options {
fstrm-set-output-notify-threshold <integer>; // not configured
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none );
fstrm-set-reopen-interval <duration>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
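Review bot: the `// not configured` annotation newly attached to `geoip-directory` in this hunk (and the `// non-operational` annotation on `lmdb-mapsize` in the following hunk and again in the view section) reflects the build options of the machine that regenerated this grammar dump, not a change to named. In a reference grammar these markers tell readers that GeoIP and LMDB are unavailable, which is only true of that particular build; suggest regenerating from a build with GeoIP and LMDB enabled, or confirming that these flags are meant to appear in the shipped documentation.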
@ -219,19 +220,19 @@ options {
host-statistics-max <integer>; // ancient
hostname ( <quoted_string> | none );
inline-signing <boolean>;
interface-interval <ttlval>;
interface-interval <duration>;
ixfr-from-differences ( primary | master | secondary | slave |
<boolean> );
keep-response-order { <address_match_element>; ... };
key-directory <quoted_string>;
lame-ttl <ttlval>;
lame-ttl <duration>;
listen-on [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
@ -240,29 +241,29 @@ options {
match-mapped-addresses <boolean>;
max-acache-size ( unlimited | <sizeval> ); // obsolete
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <ttlval>;
max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <ttlval>;
max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-rsa-exponent-size <integer>;
max-stale-ttl <ttlval>;
max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
memstatistics <boolean>;
memstatistics-file <quoted_string>;
message-compression <boolean>;
min-cache-ttl <ttlval>;
min-ncache-ttl <ttlval>;
min-cache-ttl <duration>;
min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
min-roots <integer>; // ancient
@ -284,8 +285,8 @@ options {
[ dscp <integer> ];
notify-to-soa <boolean>;
nsec3-test-zone <boolean>; // test only
nta-lifetime <ttlval>;
nta-recheck <ttlval>;
nta-lifetime <duration>;
nta-recheck <duration>;
nxdomain-redirect <string>;
pid-file ( <quoted_string> | none );
port <integer>;
@ -335,13 +336,13 @@ options {
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
<boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
<ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
<boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
<duration> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
@ -357,7 +358,7 @@ options {
serial-query-rate <integer>;
serial-update-method ( date | increment | unixtime );
server-id ( <quoted_string> | none | hostname );
servfail-ttl <ttlval>;
servfail-ttl <duration>;
session-keyalg <string>;
session-keyfile ( <quoted_string> | none );
session-keyname <string>;
@ -369,7 +370,7 @@ options {
sortlist { <address_match_element>; ... };
stacksize ( default | unlimited | <sizeval> );
stale-answer-enable <boolean>;
stale-answer-ttl <ttlval>;
stale-answer-ttl <duration>;
startup-notify-rate <integer>;
statistics-file <quoted_string>;
statistics-interval <integer>; // ancient
@ -494,7 +495,7 @@ view <string> [ <class> ] {
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
@ -547,6 +548,7 @@ view <string> [ <class> ] {
trust-anchor <string> |
auto | no ); // obsolete, may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
@ -582,8 +584,8 @@ view <string> [ <class> ] {
secret <string>;
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
lame-ttl <duration>;
lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key
@ -598,26 +600,26 @@ view <string> [ <class> ] {
match-recursive-only <boolean>;
max-acache-size ( unlimited | <sizeval> ); // obsolete
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <ttlval>;
max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <ttlval>;
max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-stale-ttl <ttlval>;
max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
message-compression <boolean>;
min-cache-ttl <ttlval>;
min-ncache-ttl <ttlval>;
min-cache-ttl <duration>;
min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
min-roots <integer>; // ancient
@ -636,8 +638,8 @@ view <string> [ <class> ] {
[ dscp <integer> ];
notify-to-soa <boolean>;
nsec3-test-zone <boolean>; // test only
nta-lifetime <ttlval>;
nta-recheck <ttlval>;
nta-lifetime <duration>;
nta-recheck <duration>;
nxdomain-redirect <string>;
plugin ( query ) <string> [ {
<unspecified-text> } ]; // may occur multiple times
@ -682,13 +684,13 @@ view <string> [ <class> ] {
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
<boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
<ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
<boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
<duration> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
@ -736,14 +738,14 @@ view <string> [ <class> ] {
<integer> | * ) ] [ dscp <integer> ];
transfers <integer>;
}; // may occur multiple times
servfail-ttl <ttlval>;
servfail-ttl <duration>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
sortlist { <address_match_element>; ... };
stale-answer-enable <boolean>;
stale-answer-ttl <ttlval>;
stale-answer-ttl <duration>;
suppress-initial-notify <boolean>; // not yet implemented
synth-from-dnssec <boolean>;
topology { <address_match_element>; ... }; // ancient
@ -798,6 +800,7 @@ view <string> [ <class> ] {
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
@ -828,7 +831,7 @@ view <string> [ <class> ] {
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
@ -903,6 +906,7 @@ zone <string> [ <class> ] {
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
@ -931,7 +935,7 @@ zone <string> [ <class> ] {
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;

View file

@ -26,6 +26,22 @@ dnssec-keys { <string> ( static-key |
<integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
algorithm <integer> [ <integer> ]; ... };
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>;
publish-safety <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
zone-max-ttl <duration>;
zone-propagation-delay <duration>;
}; // may occur multiple times
dyndb <string> <quoted_string> {
<unspecified-text> }; // may occur multiple times
@ -93,7 +109,7 @@ options {
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
@ -138,6 +154,7 @@ options {
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
@ -175,53 +192,53 @@ options {
fstrm-set-output-notify-threshold <integer>; // not configured
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none );
fstrm-set-reopen-interval <duration>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
glue-cache <boolean>;
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
inline-signing <boolean>;
interface-interval <ttlval>;
interface-interval <duration>;
ixfr-from-differences ( primary | master | secondary | slave |
<boolean> );
keep-response-order { <address_match_element>; ... };
key-directory <quoted_string>;
lame-ttl <ttlval>;
lame-ttl <duration>;
listen-on [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
managed-keys-directory <quoted_string>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-mapped-addresses <boolean>;
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <ttlval>;
max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <ttlval>;
max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-rsa-exponent-size <integer>;
max-stale-ttl <ttlval>;
max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
memstatistics <boolean>;
memstatistics-file <quoted_string>;
message-compression <boolean>;
min-cache-ttl <ttlval>;
min-ncache-ttl <ttlval>;
min-cache-ttl <duration>;
min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
minimal-any <boolean>;
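Review bot: the new `// not configured` annotation on `geoip-directory` and `// non-operational` on `lmdb-mapsize` in this hunk indicate the grammar was regenerated from a build without GeoIP and LMDB support, not that those options changed; shipping the file this way documents two supported options as unavailable. Regenerate from a build with all optional features enabled (the existing `fstrm-*` lines in the context show the same marker for dnstap, so this build was missing that too), or the option reference in the release will be wrong for packagers who do enable them.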
@ -238,8 +255,8 @@ options {
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
notify-to-soa <boolean>;
nta-lifetime <ttlval>;
nta-recheck <ttlval>;
nta-lifetime <duration>;
nta-recheck <duration>;
nxdomain-redirect <string>;
pid-file ( <quoted_string> | none );
port <integer>;
@ -286,13 +303,13 @@ options {
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
<boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
<ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
<boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
<duration> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
@ -306,7 +323,7 @@ options {
serial-query-rate <integer>;
serial-update-method ( date | increment | unixtime );
server-id ( <quoted_string> | none | hostname );
servfail-ttl <ttlval>;
servfail-ttl <duration>;
session-keyalg <string>;
session-keyfile ( <quoted_string> | none );
session-keyname <string>;
@ -317,7 +334,7 @@ options {
sortlist { <address_match_element>; ... };
stacksize ( default | unlimited | <sizeval> );
stale-answer-enable <boolean>;
stale-answer-ttl <ttlval>;
stale-answer-ttl <duration>;
startup-notify-rate <integer>;
statistics-file <quoted_string>;
synth-from-dnssec <boolean>;
@ -428,7 +445,7 @@ view <string> [ <class> ] {
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
@ -476,6 +493,7 @@ view <string> [ <class> ] {
<quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
@ -507,8 +525,8 @@ view <string> [ <class> ] {
secret <string>;
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
lame-ttl <duration>;
lmdb-mapsize <sizeval>; // non-operational
managed-keys { <string> (
static-key | initial-key
| static-ds | initial-ds
@ -521,25 +539,25 @@ view <string> [ <class> ] {
match-destinations { <address_match_element>; ... };
match-recursive-only <boolean>;
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <ttlval>;
max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <ttlval>;
max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-stale-ttl <ttlval>;
max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
message-compression <boolean>;
min-cache-ttl <ttlval>;
min-ncache-ttl <ttlval>;
min-cache-ttl <duration>;
min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
minimal-any <boolean>;
@ -555,8 +573,8 @@ view <string> [ <class> ] {
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
notify-to-soa <boolean>;
nta-lifetime <ttlval>;
nta-recheck <ttlval>;
nta-lifetime <duration>;
nta-recheck <duration>;
nxdomain-redirect <string>;
plugin ( query ) <string> [ {
<unspecified-text> } ]; // may occur multiple times
@ -598,13 +616,13 @@ view <string> [ <class> ] {
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
<boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
<ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
<boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
<duration> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
@ -649,14 +667,14 @@ view <string> [ <class> ] {
<integer> | * ) ] [ dscp <integer> ];
transfers <integer>;
}; // may occur multiple times
servfail-ttl <ttlval>;
servfail-ttl <duration>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
sortlist { <address_match_element>; ... };
stale-answer-enable <boolean>;
stale-answer-ttl <ttlval>;
stale-answer-ttl <duration>;
synth-from-dnssec <boolean>;
transfer-format ( many-answers | one-answer );
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
@ -708,6 +726,7 @@ view <string> [ <class> ] {
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
@ -733,7 +752,7 @@ view <string> [ <class> ] {
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
@ -805,6 +824,7 @@ zone <string> [ <class> ] {
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
@ -829,7 +849,7 @@ zone <string> [ <class> ] {
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;

View file

@ -8,6 +8,6 @@ zone <string> [ <class> ] {
masterfile-style ( full | relative );
masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
max-records <integer>;
max-zone-ttl ( unlimited | <ttlval> );
max-zone-ttl ( unlimited | <duration> );
zone-statistics ( full | terse | none | <boolean> );
};

View file

@ -11,5 +11,5 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1501
LIBREVISION = 0
LIBREVISION = 1
LIBAGE = 0

View file

@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1504
LIBINTERFACE = 1505
LIBREVISION = 0
LIBAGE = 1
LIBAGE = 0
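Review bot: `LIBINTERFACE = 1504` to `1505` together with `LIBAGE = 1` to `0` declares an incompatible ABI change under libtool current:revision:age semantics, which forces every consumer of this library to relink. Confirm that an exported interface really was removed or changed in this release; if the change was purely additive, the correct bump is interface +1, revision 0 and age +1 (that is, `LIBAGE = 2`), which keeps the existing SONAME compatibility for callers.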

View file

@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1503
LIBINTERFACE = 1504
LIBREVISION = 0
LIBAGE = 0

View file

@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1501
LIBREVISION = 1
LIBINTERFACE = 1502
LIBREVISION = 0
LIBAGE = 0
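Review bot: `LIBINTERFACE = 1501` to `1502` with `LIBREVISION` reset to `0` and `LIBAGE` left at `0` also advertises an ABI break for this library. If the only change here is new interfaces (for example, the new configuration types for `dnssec-policy`), `LIBAGE` should become `1` so that binaries built against the old interface still load; leaving age at 0 on every bump means each BIND point release invalidates all dependents, which should be a deliberate choice and recorded in the release notes rather than a side effect of the bump script.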

View file

@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1501
LIBREVISION = 1
LIBINTERFACE = 1502
LIBREVISION = 0
LIBAGE = 0

View file

@ -5,7 +5,7 @@ PRODUCT=BIND
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
PATCHVER=5
PATCHVER=6
RELEASETYPE=
RELEASEVER=
EXTENSIONS=