diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index 8f6cf11719..0edb89f5e2 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -336,7 +336,7 @@ to be effective. It defaults to enabled. .RS 4 Sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fR, with a lifetime of -\fBlifetime\fR. The default lifetime is configured in +\fBduration\fR. The default lifetime is configured in \fInamed.conf\fR via the \fBnta\-lifetime\fR @@ -344,7 +344,12 @@ option, and defaults to one hour. The lifetime cannot exceed one week. .sp A negative trust anchor selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors), \fBnamed\fR -will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the NTA's lifetime is elapsed, or until the server is restarted (NTAs do not persist across restarts). +will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the NTA's lifetime is elapsed. +.sp +NTAs persist across restarts of the named server. The NTAs for a view are saved in a file called +\fI\fIname\fR\fR\fI.nta\fR, where +\fIname\fR +is the name of the view, or if it contains characters that are incompatible with use as a file name, a cryptographic hash generated from the name of the view. .sp An existing NTA can be removed by using the \fB\-remove\fR diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index f2fd2c826c..2bc520d990 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -394,7 +394,7 @@

Sets a DNSSEC negative trust anchor (NTA) for domain, with a lifetime of - lifetime. The default lifetime is + duration. The default lifetime is configured in named.conf via the nta-lifetime option, and defaults to one hour. The lifetime cannot exceed one week. @@ -408,8 +408,17 @@ configured trust anchors), named will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the - NTA's lifetime is elapsed, or until the server is - restarted (NTAs do not persist across restarts). + NTA's lifetime is elapsed. +

+

+ NTAs persist across restarts of the named server. + The NTAs for a view are saved in a file called + name.nta, + where name is the + name of the view, or if it contains characters + that are incompatible with use as a file name, a + cryptographic hash generated from the name + of the view.

An existing NTA can be removed by using the @@ -602,7 +611,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -612,7 +621,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -622,7 +631,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 82b343dc54..ab41eb639b 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,39 +70,39 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
-
Prerequisites
-
Native PKCS#11
-
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Native PKCS#11
+
OpenSSL-based PKCS#11
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -1080,7 +1080,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1142,7 +1142,7 @@ options {
 
While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.

 

-Fully automatic zone signing

+Fully automatic zone signing
 
To enable automatic signing, add the 
   auto-dnssec option to the zone statement in 
   named.conf. 
@@ -1198,7 +1198,7 @@ options {
   configuration. If this has not been done, the configuration will
   fail.

 

-Private-type records

+Private-type records
 
The state of the signing process is signaled by
   private-type records (with a default type value of 65534). When
   signing is complete, these records will have a nonzero value for
@@ -1239,12 +1239,12 @@ options {
 

   

 

-DNSKEY rollovers

+DNSKEY rollovers
 
As with insecure-to-secure conversions, rolling DNSSEC
   keys can be done in two ways: using a dynamic DNS update, or the 
   auto-dnssec zone option.

 

-Dynamic DNS update method

+Dynamic DNS update method
 
 To perform key rollovers via dynamic update, you need to add
   the K* files for the new keys so that 
   named can find them. You can then add the new
@@ -1266,7 +1266,7 @@ options {
   named will clean out any signatures generated
   by the old key after the update completes.

 

-Automatic key rollovers

+Automatic key rollovers
 
When a new key reaches its activation date (as set by
   dnssec-keygen or dnssec-settime),
   if the auto-dnssec zone option is set to 
@@ -1281,27 +1281,27 @@ options {
   completes in 30 days, after which it will be safe to remove the
   old key from the DNSKEY RRset.

 

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE
 
Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.

 

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3
 
To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.

 

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC
 
To do this, use nsupdate to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.

 

-Converting from secure to insecure

+Converting from secure to insecure
 
To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1316,14 +1316,14 @@ options {
   allow instead (or it will re-sign).
   

 

-Periodic re-signing

+Periodic re-signing
 
In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.

 

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT
 

   named only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
@@ -1345,7 +1345,7 @@ options {
   configuration files.

 

 

-Validating Resolver

+Validating Resolver

 
To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     managed-keys statement. Information about
@@ -1356,7 +1356,7 @@ options {
 
 

 

-Authoritative Server

+Authoritative Server

 
To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
@@ -1453,7 +1453,7 @@ $ dnssec-signzone -S -K keys example.net<
   

 

 

-Prerequisites

+Prerequisites

 

       See the documentation provided by your HSM vendor for
       information about installing, initializing, testing and
@@ -1462,7 +1462,7 @@ $ dnssec-signzone -S -K keys example.net<
 
 

 

-Native PKCS#11

+Native PKCS#11

 

       Native PKCS#11 mode will only work with an HSM capable of carrying
       out every cryptographic operation BIND 9 may
@@ -1495,7 +1495,7 @@ $ ./configure --enable-native-pkcs11 \
     

 

 

-Building SoftHSMv2

+Building SoftHSMv2

 

 	SoftHSMv2, the latest development version of SoftHSM, is available
 	from
@@ -1533,7 +1533,7 @@ $  /opt/pkcs11/usr/bin/softhsm-util --init-token
 
 

 

-OpenSSL-based PKCS#11

+OpenSSL-based PKCS#11

 

       OpenSSL-based PKCS#11 mode uses a modified version of the
       OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1591,7 +1591,7 @@ $  /opt/pkcs11/usr/bin/softhsm-util --init-token
     

 

 

-Patching OpenSSL

+Patching OpenSSL

 
 $ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
   

@@ -1624,7 +1624,7 @@ $ patch -p1 -d openssl-0.9.8zc \
 
 

 

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

 

 	The AEP Keyper is a highly secure key storage device,
 	but does not provide hardware cryptographic acceleration. It
@@ -1666,7 +1666,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
 
 

 

-Building OpenSSL for the SCA 6000 on Solaris

+Building OpenSSL for the SCA 6000 on Solaris

 

 	The SCA-6000 PKCS#11 provider is installed as a system
 	library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1695,7 +1695,7 @@ $ ./Configure solaris64-x86_64-cc \
 
 

 

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

 

 	SoftHSM (version 1) is a software library developed by the
 	OpenDNSSEC project
@@ -1770,7 +1770,7 @@ $ ./Configure linux-x86_64 -pthread \
     

 

 

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

 

 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
@@ -1790,7 +1790,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
 
 

 

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

 

 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
@@ -1812,7 +1812,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
 
 

 

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM

 
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1833,7 +1833,7 @@ $ ./configure --enable-threads \
 
 

 

-PKCS#11 Tools

+PKCS#11 Tools

 

       BIND 9 includes a minimal set of tools to operate the
       HSM, including 
@@ -1856,7 +1856,7 @@ $ ./configure --enable-threads \
 
 

 

-Using the HSM

+Using the HSM

 

       For OpenSSL-based PKCS#11, we must first set up the runtime
       environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1977,7 +1977,7 @@ example.net.signed
 
 

 

-Specifying the engine on the command line

+Specifying the engine on the command line

 

       When using OpenSSL-based PKCS#11, the "engine" to be used by
       OpenSSL can be specified in named and all of
@@ -2009,7 +2009,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

 

       If you want named to dynamically re-sign zones
       using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2096,7 +2096,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Configuring DLZ

+Configuring DLZ

 

       A DLZ database is configured with a dlz
       statement in named.conf:
@@ -2145,7 +2145,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Sample DLZ Driver

+Sample DLZ Driver

 

       For guidance in implementation of DLZ modules, the directory
       contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index d419b92325..1196f8c75b 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -78,28 +78,28 @@
 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -3097,8 +3097,8 @@ options { configured trust anchors), named will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the - NTA's lifetime is elapsed, or until the server is - restarted (NTAs do not persist across restarts). + NTA's lifetime is elapsed. NTAs persist + across named restarts.

For convenience, TTL-style time unit suffixes can be @@ -4164,7 +4164,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -4208,7 +4208,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -4476,7 +4476,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4953,7 +4953,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -4995,7 +4995,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -5156,7 +5156,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Periodic Task Intervals

+Periodic Task Intervals
cleaning-interval

@@ -6233,7 +6233,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6356,7 +6356,7 @@ deny-answer-aliases { "example.net"; };

-Response Policy Zone (RPZ) Rewriting

+Response Policy Zone (RPZ) Rewriting

BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -6727,7 +6727,7 @@ example.com CNAME rpz-tcp-only.

-Response Rate Limiting

+Response Rate Limiting

Excessive almost identical UDP responses can be controlled by configuring a @@ -7241,7 +7241,7 @@ example.com CNAME rpz-tcp-only.

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -7357,7 +7357,7 @@ example.com CNAME rpz-tcp-only.

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -7401,7 +7401,7 @@ example.com CNAME rpz-tcp-only.

-managed-keys Statement Grammar

+managed-keys Statement Grammar
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7539,7 +7539,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -7861,10 +7861,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -8182,7 +8182,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -8204,7 +8204,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -9135,7 +9135,7 @@ example.com. NS ns2.example.net.
 

 

 

-Multiple views

+Multiple views

 

               When multiple views are in use, a zone may be
               referenced by more than one of them. Often, the views
@@ -9186,7 +9186,7 @@ view external {
 
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -9199,7 +9199,7 @@ view external {
           

 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -9936,7 +9936,7 @@ view external {
 
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -10139,7 +10139,7 @@ view external {
 
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -10394,7 +10394,7 @@ view external {
 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -10455,7 +10455,7 @@ view external {
 
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -10470,7 +10470,7 @@ view external {
           

 

 

-The @ (at-sign)

+The @ (at-sign)

 

               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -10481,7 +10481,7 @@ view external {
 
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -10510,7 +10510,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -10546,7 +10546,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -10565,7 +10565,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -11008,7 +11008,7 @@ HOST-127.EXAMPLE. MX 0 .
           

 

 

-Name Server Statistics Counters

+Name Server Statistics Counters

 

 
 

@@ -11604,7 +11604,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

 
 

 
 
@@ -11758,7 +11758,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Resolver Statistics Counters

+Resolver Statistics Counters

 
 

 
 
@@ -12141,7 +12141,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

               Socket I/O statistics counters are defined per socket
               types, which are
@@ -12296,7 +12296,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 08a585e326..b99fb8df74 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
 
Table of Contents

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -245,7 +245,7 @@ allow-query { !{ !10/8; any; }; key example; };
 

 

-Chroot and Setuid
+Chroot and Setuid
 

 

           On UNIX servers, it is possible to run BIND
@@ -271,7 +271,7 @@ allow-query { !{ !10/8; any; }; key example; };
         

 

 

-The chroot Environment

+The chroot Environment

             In order for a chroot environment
             to
@@ -299,7 +299,7 @@ allow-query { !{ !10/8; any; }; key example; };
 
 

 

-Using the setuid Function

+Using the setuid Function

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index bb712e818c..5e83a76a67 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

-Common Problems

+Common Problems

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index f074b4e80b..cdbada0f39 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -45,7 +45,7 @@
 

 
Table of Contents

 

-
Release Notes for BIND Version 9.11.0pre-alpha

+
Release Notes for BIND Version 9.11.0pre-alpha

 

 
Introduction

 
Download

@@ -60,7 +60,7 @@
 

 

-Release Notes for BIND Version 9.11.0pre-alpha

+Release Notes for BIND Version 9.11.0pre-alpha

 

 Introduction

@@ -129,42 +129,44 @@
 New Features
    
 
  • 
-          The serial number of a dynamically updatable zone can
-          now be set using
-          rndc signing -serial number zonename.
-          This is particularly useful with inline-signing
-          zones that have been reset.  Setting the serial number to a value
-          larger than that on the slaves will trigger an AXFR-style
+	  The serial number of a dynamically updatable zone can
+	  now be set using
+	  rndc signing -serial number zonename.
+	  This is particularly useful with inline-signing
+	  zones that have been reset.  Setting the serial number to a value
+	  larger than that on the slaves will trigger an AXFR-style
 	  transfer.
 	
    • 
 
  • 
-          When answering recursive queries, SERVFAIL responses can now be
-          cached by the server for a limited time; subsequent queries for
-          the same query name and type will return another SERVFAIL until
-          the cache times out.  This reduces the frequency of retries
-          when a query is persistently failing, which can be a burden
-          on recursive serviers.  The SERVFAIL cache timeout is controlled
-          by servfail-ttl, which defaults to 10 seconds
-          and has an upper limit of 30.
+	  When answering recursive queries, SERVFAIL responses can now be
+	  cached by the server for a limited time; subsequent queries for
+	  the same query name and type will return another SERVFAIL until
+	  the cache times out.  This reduces the frequency of retries
+	  when a query is persistently failing, which can be a burden
+	  on recursive serviers.  The SERVFAIL cache timeout is controlled
+	  by servfail-ttl, which defaults to 10 seconds
+	  and has an upper limit of 30.
 	
    • 
 
  • 
-          The new rndc nta command can now be used to
-          set a "negative trust anchor" (NTA), disabling DNSSEC validation for
-          a specific domain; this can be used when responses from a domain
-          are known to be failing validation due to administrative error
-          rather than because of a spoofing attack. NTAs are strictly
-          temporary; by default they expire after one hour, but can be
-          configured to last up to one week.  The default NTA lifetime
-          can be changed by setting the nta-lifetime in
-          named.conf.
+	  The new rndc nta command can now be used to
+	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
+	  a specific domain; this can be used when responses from a domain
+	  are known to be failing validation due to administrative error
+	  rather than because of a spoofing attack. NTAs are strictly
+	  temporary; by default they expire after one hour, but can be
+	  configured to last up to one week.  The default NTA lifetime
+	  can be changed by setting the nta-lifetime in
+	  named.conf. When added, NTAs are stored in a
+	  file (viewname.nta)
+	  in order to persist across restarts of the named server.
 	
    • 
 
  • 
 	  The EDNS Client Subnet (ECS) option is now supported for
-          authoritative servers; if a query contains an ECS option then
-          ACLs containing geoip or ecs
-          elements can match against the the address encoded in the option.
-          This can be used to select a view for a query, so that different
-          answers can be provided depending on the client network.
+	  authoritative servers; if a query contains an ECS option then
+	  ACLs containing geoip or ecs
+	  elements can match against the the address encoded in the option.
+	  This can be used to select a view for a query, so that different
+	  answers can be provided depending on the client network.
 	
    • 
 
  • 
 	  The EDNS EXPIRE option has been implemented on the client
@@ -173,63 +175,63 @@
 	  server.
 	
    • 
 
  • 
-          A new masterfile-style zone option controls
-          the formatting of text zone files:  When set to
-          full, the zone file will dumped in
-          single-line-per-record format.
+	  A new masterfile-style zone option controls
+	  the formatting of text zone files:  When set to
+	  full, the zone file will dumped in
+	  single-line-per-record format.
 	
    • 
 
  • 
-          dig +ednsopt can now be used to set
-          arbitrary EDNS options in DNS requests.
+	  dig +ednsopt can now be used to set
+	  arbitrary EDNS options in DNS requests.
 	
    • 
 
  • 
-          dig +ednsflags can now be used to set
-          yet-to-be-defined EDNS flags in DNS requests.
+	  dig +ednsflags can now be used to set
+	  yet-to-be-defined EDNS flags in DNS requests.
 	
    • 
 
  • 
 	  dig +[no]ednsnegotiation can now be used enable /
 	  disable EDNS version negotiation.
 	
    • 
 
  • 
-          dig +header-only can now be used to send
+	  dig +header-only can now be used to send
 	  queries without a question section.
 	
    • 
 
  • 
-          dig +ttlunits causes dig
-          to print TTL values with time-unit suffixes: w, d, h, m, s for
-          weeks, days, hours, minutes, and seconds.
+	  dig +ttlunits causes dig
+	  to print TTL values with time-unit suffixes: w, d, h, m, s for
+	  weeks, days, hours, minutes, and seconds.
 	
    • 
 
  • 
-          dig +zflag can be used to set the last
+	  dig +zflag can be used to set the last
 	  unassigned DNS header flag bit.  This bit in normally zero.
 	
    • 
 
  • 
-          dig +dscp=value
-          can now be used to set the DSCP code point in outgoing query
-          packets.
+	  dig +dscp=value
+	  can now be used to set the DSCP code point in outgoing query
+	  packets.
 	
    • 
 
  • 
-          serial-update-method can now be set to
-          date. On update, the serial number will
-          be set to the current date in YYYYMMDDNN format.
+	  serial-update-method can now be set to
+	  date. On update, the serial number will
+	  be set to the current date in YYYYMMDDNN format.
 	
    • 
 
  • 
-          dnssec-signzone -N date also sets the serial
-          number to YYYYMMDDNN.
+	  dnssec-signzone -N date also sets the serial
+	  number to YYYYMMDDNN.
 	
    • 
 
  • 
-          named -L filename
-          causes named to send log messages to the specified file by
-          default instead of to the system log.
+	  named -L filename
+	  causes named to send log messages to the specified file by
+	  default instead of to the system log.
 	
    • 
 
  • 
-          The rate limiter configured by the
-          serial-query-rate option no longer covers
-          NOTIFY messages; those are now separately controlled by
-          notify-rate and
-          startup-notify-rate (the latter of which
-          controls the rate of NOTIFY messages sent when the server
-          is first started up or reconfigured).
+	  The rate limiter configured by the
+	  serial-query-rate option no longer covers
+	  NOTIFY messages; those are now separately controlled by
+	  notify-rate and
+	  startup-notify-rate (the latter of which
+	  controls the rate of NOTIFY messages sent when the server
+	  is first started up or reconfigured).
 	
    • 
 
  • 
 	  The default number of tasks and client objects available
@@ -282,32 +284,32 @@
 	  geoip asnum "AS1234 Example, Inc.";).
 	  They can now match against the AS number alone (as in
 	  geoip asnum "AS1234";).
-        
    • 
+	
    
 
  • 
-          When using native PKCS#11 cryptography (i.e.,
-          configure --enable-native-pkcs11) HSM PINs
-          of up to 256 characters can now be used.
-        
    • 
+	  When using native PKCS#11 cryptography (i.e.,
+	  configure --enable-native-pkcs11) HSM PINs
+	  of up to 256 characters can now be used.
+	
    
 
  • 
-          NXDOMAIN responses to queries of type DS are now cached separately
-          from those for other types. This helps when using "grafted" zones
-          of type forward, for which the parent zone does not contain a
-          delegation, such as local top-level domains.  Previously a query
-          of type DS for such a zone could cause the zone apex to be cached
-          as NXDOMAIN, blocking all subsequent queries.  (Note: This
-          change is only helpful when DNSSEC validation is not enabled.
-          "Grafted" zones without a delegation in the parent are not a
-          recommended configuration.)
-        
    • 
+	  NXDOMAIN responses to queries of type DS are now cached separately
+	  from those for other types. This helps when using "grafted" zones
+	  of type forward, for which the parent zone does not contain a
+	  delegation, such as local top-level domains.  Previously a query
+	  of type DS for such a zone could cause the zone apex to be cached
+	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
+	  change is only helpful when DNSSEC validation is not enabled.
+	  "Grafted" zones without a delegation in the parent are not a
+	  recommended configuration.)
+	
    
 
  • 
 	  Update forwarding performance has been improved by allowing
 	  a single TCP connection to be shared between multiple updates.
 	
    • 
 
  • 
-          By default, nsupdate will now check
-          the correctness of hostnames when adding records of type
-          A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
-          disabled with check-names no.
+	  By default, nsupdate will now check
+	  the correctness of hostnames when adding records of type
+	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
+	  disabled with check-names no.
 	
    • 
 
  • 
 	  Added support for OPENPGPKEY type.
@@ -333,10 +335,10 @@
 	  truncated output.)
 	
    • 
 
  • 
-          Errors reported when running rndc addzone
-          (e.g., when a zone file cannot be loaded) have been clarified
-          to make it easier to diagnose problems.
-        
    • 
+	  Errors reported when running rndc addzone
+	  (e.g., when a zone file cannot be loaded) have been clarified
+	  to make it easier to diagnose problems.
+	
    
 
  • 
 	  When encountering an authoritative name server whose name is
 	  an alias pointing to another name, the resolver treats
@@ -363,20 +365,20 @@
 	  a name which, after appending search list elements,
 	  exceeded 255 bytes. Such names are now skipped, but
 	  processing of other names will continue. [RT #36892]
-        
    • 
+	
    
 
  • 
 	  The error message generated when
 	  named-checkzone or
 	  named-checkconf -z encounters a
 	  $TTL directive without a value has
 	  been clarified. [RT #37138]
-        
    • 
+	
    
 
  • 
 	  Semicolon characters (;) included in TXT records were
 	  incorrectly escaped with a backslash when the record was
 	  displayed as text. This is actually only necessary when there
 	  are no quotation marks. [RT #37159]
-        
    • 
+	
    
 
  • 
 	  When files opened for writing by named,
 	  such as zone journal files, were referenced more than once
@@ -384,42 +386,42 @@
 	  corruption as multiple threads wrote to the same file. This
 	  is now detected when loading named.conf
 	  and reported as an error. [RT #37172]
-        
    • 
+	
    
 
  • 
-          When checking for updates to trust anchors listed in
-          managed-keys, named
-          now revalidates keys based on the current set of
-          active trust anchors, without relying on any cached
-          record of previous validation. [RT #37506]
-        
    • 
+	  When checking for updates to trust anchors listed in
+	  managed-keys, named
+	  now revalidates keys based on the current set of
+	  active trust anchors, without relying on any cached
+	  record of previous validation. [RT #37506]
+	
    
 
  • 
 	  Large-system tuning
 	  (configure --with-tuning=large) caused
 	  problems on some platforms by setting a socket receive
 	  buffer size that was too large.  This is now detected and
 	  corrected at run time. [RT #37187]
-        
    • 
+	
    
 
  • 
 	  When NXDOMAIN redirection is in use, queries for a name
 	  that is present in the redirection zone but a type that
 	  is not present will now return NOERROR instead of NXDOMAIN.
-        
    • 
+	
    
 
  • 
 	  Due to an inadvertent removal of code in the previous
 	  release, when named encountered an
 	  authoritative name server which dropped all EDNS queries,
 	  it did not always try plain DNS. This has been corrected.
 	  [RT #37965]
-        
    • 
+	
    
 
  • 
 	  A regression caused nsupdate to use the default recursive servers
 	  rather than the SOA MNAME server when sending the UPDATE.
-        
    • 
+	
    
 
  • 
 	  Adjusted max-recursion-queries to accommodate the smaller
 	  initial packet sizes used in BIND 9.10 and higher when
 	  contacting authoritative servers for the first time.
-        
    • 
+	
    
 
  • 
 	  Built-in "empty" zones did not correctly inherit the
 	  "allow-transfer" ACL from the options or view. [RT #38310]
diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html
index f021e2d709..cc504a6b5f 100644
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@@ -50,7 +50,7 @@
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
 

@@ -140,17 +140,17 @@
           

 

-Bibliography

+Bibliography

 
Standards

 

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

+
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

 

 

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

+
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

 

 

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 

 

 

@@ -158,42 +158,42 @@
 

 Proposed Standards

 

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 

 

 

-
[RFC2308] M. Andrews. Negative Caching of DNS
+
[RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 

 

 

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 

 

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 

 

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

 

 

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 

 

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 

 

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 

 

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

 

 

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

 

 

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

 

 

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 

 

@@ -202,19 +202,19 @@
 

 DNS Security Proposed Standards

 

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

 

 

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

 

 

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

 

 

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

 

 

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 

 

 
@@ -222,146 +222,146 @@
 
Other Important RFCs About DNS
                 Implementation

 

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software. October 1993. 

 

 

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 

 

 

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

 

 

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 

 

 
 

 
Resource Record Types

 

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

 

 

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

 

 

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 

 

 

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 

 

 

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services. October 1996. 

 

 

-
[RFC2163] A. Allocchio. Using the Internet DNS to
+
[RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 

 

 

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

 

 

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

 

 

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

 

 

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

 

 

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

 

 

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

 

 

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 

 

 

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

 

 

 

 

 DNS and the Internet

 

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 

 

 

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 

 

 

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

 

 

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

 

 

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

 

 

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

 

 

 

 

 DNS Operations

 

-
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

+
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

 

 

-
[RFC1537] P. Beertema. Common DNS Data File
+
[RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 

 

 

-
[RFC1912] D. Barr. Common DNS Operational and
+
[RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 

 

 

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

 

 

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services. October 1997. 

 

 

 

 
Internationalized Domain Names

 

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 

 

 

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

 

 

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

 

 

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 

 

@@ -377,47 +377,47 @@
                 

 

 

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 

 

 

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

 

 

-
[RFC1794] T. Brisco. DNS Support for Load
+
[RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 

 

 

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

 

 

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

 

 

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

 

 

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

 

 

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 

 

 

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

 

 
 

 
Obsolete and Unimplemented Experimental RFC

 

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 

 

 

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

 

 

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 

 

 

@@ -431,39 +431,39 @@
                 

 
 

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

 

 

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

 

 

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

 

 

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 

 

 

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

 

 

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

 

 

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

 

 

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

 

 

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

 

 

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 

 

 

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

 

 
 
@@ -484,14 +484,14 @@
 
 

 

-Other Documents About BIND
+Other Documents About BIND
 

 

 

 

-Bibliography

+Bibliography

 

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 

 
 
diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html
index 06d20e521d..54f0ba4f5a 100644
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@@ -47,13 +47,13 @@
 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
@@ -89,7 +89,7 @@
 
 

 

-Prerequisite

+Prerequisite

 
GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
@@ -98,7 +98,7 @@
 
 

 

-Compilation

+Compilation

 
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -113,7 +113,7 @@ $ make
 
 

 

-Installation

+Installation

 
 $ cd lib/export
 $ make install
@@ -135,7 +135,7 @@ $ make install
 
 

 

-Known Defects/Restrictions

+Known Defects/Restrictions

 
    
 
  • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -175,7 +175,7 @@ $ make
 

 

 

-The dns.conf File

+The dns.conf File

 
The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -193,14 +193,14 @@ $ make
 
 

 

-Sample Applications

+Sample Applications

 
Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   

 

 

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

 

   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -264,7 +264,7 @@ $ make
 
 

 

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

 

   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -305,7 +305,7 @@ $ make
 
 

 

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

 

   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -346,7 +346,7 @@ $ make
 
 

 

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

 

   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -363,7 +363,7 @@ $ make
 
 

 

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

 

   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -458,7 +458,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

 

   It checks a set
   of domains to see the name servers of the domains behave
@@ -515,7 +515,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-Library References

+Library References

 
As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index cce11a244f..9b2bb8eeee 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -114,39 +114,39 @@
 
 
DNSSEC, Dynamic Zones, and Automatic Signing

 

-
Converting from insecure to secure

-
Dynamic DNS update method

-
Fully automatic zone signing

-
Private-type records

-
DNSKEY rollovers

-
Dynamic DNS update method

-
Automatic key rollovers

-
NSEC3PARAM rollovers via UPDATE

-
Converting from NSEC to NSEC3

-
Converting from NSEC3 to NSEC

-
Converting from secure to insecure

-
Periodic re-signing

-
NSEC3 and OPTOUT

+
Converting from insecure to secure

+
Dynamic DNS update method

+
Fully automatic zone signing

+
Private-type records

+
DNSKEY rollovers

+
Dynamic DNS update method

+
Automatic key rollovers

+
NSEC3PARAM rollovers via UPDATE

+
Converting from NSEC to NSEC3

+
Converting from NSEC3 to NSEC

+
Converting from secure to insecure

+
Periodic re-signing

+
NSEC3 and OPTOUT

 

 
Dynamic Trust Anchor Management

 

-
Validating Resolver

-
Authoritative Server

+
Validating Resolver

+
Authoritative Server

 

 
PKCS#11 (Cryptoki) support

 

-
Prerequisites

-
Native PKCS#11

-
OpenSSL-based PKCS#11

-
PKCS#11 Tools

-
Using the HSM

-
Specifying the engine on the command line

-
Running named with automatic zone re-signing

+
Prerequisites

+
Native PKCS#11

+
OpenSSL-based PKCS#11

+
PKCS#11 Tools

+
Using the HSM

+
Specifying the engine on the command line

+
Running named with automatic zone re-signing

 

 
DLZ (Dynamically Loadable Zones)

 

-
Configuring DLZ

-
Sample DLZ Driver

+
Configuring DLZ

+
Sample DLZ Driver

 

 
IPv6 Support in BIND 9

 

@@ -194,28 +194,28 @@
 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -224,23 +224,23 @@
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Release Notes

 

-
Release Notes for BIND Version 9.11.0pre-alpha

+
Release Notes for BIND Version 9.11.0pre-alpha

 

 
Introduction

 
Download

@@ -261,20 +261,20 @@
 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
D. BIND 9 DNS Library Support

 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
I. Manual pages

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 12a654a1d8..5e5f561e33 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 
arpaname  {ipaddress ...}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 034d54c116..5ceb628b77 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name  |   -z zone ]

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       tsig-keygen and ddns-confgen
       are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -159,7 +159,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -167,7 +167,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index 7942d370c4..120f330679 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@
 
delv  [queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
delv
       (Domain Entity Lookup & Validation) is a tool for sending
       DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of delv looks like:
       

@@ -151,7 +151,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a anchor-file

 

@@ -285,7 +285,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
delv
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
@@ -471,12 +471,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/bind.keys

 
/etc/resolv.conf

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8),
       RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 8c32b57a05..5ab1a19514 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -152,7 +152,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -260,7 +260,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -688,7 +688,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -734,7 +734,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -748,14 +748,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -763,7 +763,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index dc9aa3a070..b8d2283c83 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
 
dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f file

 

@@ -88,14 +88,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 51f856c7e9..07c19a6084 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
 
dnssec-coverage  [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-K directory

 

@@ -192,7 +192,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -201,7 +201,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 57b50c53c9..87184b333a 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
 
dnssec-dsfromkey  [-h] [-V]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -144,7 +144,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -159,7 +159,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index 7b7ffdb52d..2664e56a78 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@
 
dnssec-importkey  {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-importkey
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f filename

 

@@ -114,7 +114,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
 

 
 

-
FILES

+
FILES

 

       A keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index c6272c0686..9d6203d199 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -243,7 +243,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
 

 
 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -354,7 +354,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 330a4448e0..f4280bf80d 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -285,7 +285,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -359,7 +359,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -405,7 +405,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -426,7 +426,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -435,7 +435,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 5ca84dfe59..f26d5788eb 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -109,14 +109,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 7a7e2f5f36..1b311990c4 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 
dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -131,7 +131,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
 

 
 

-
PRINTING OPTIONS

+
PRINTING OPTIONS

 

       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -236,7 +236,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -244,7 +244,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 0bf4a08575..78f3b842d3 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -512,7 +512,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
 %

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033, RFC 4641.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 2ee7718e8f..02c61a3c85 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 
dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-c class

 

@@ -138,7 +138,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -146,7 +146,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index bdb0e66a21..86cd8e662d 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 
genrandom  [-n number] {size} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
-n number

 

@@ -77,14 +77,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       rand(3),
       arc4random(3)
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 92cfc48521..d438217513 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -228,12 +228,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index f097f9ac47..42749df41c 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 
isc-hmac-fixup  {algorithm} {secret}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     

 

 

-
SECURITY CONSIDERATIONS

+
SECURITY CONSIDERATIONS

 

       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 2104.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 9dd4d05726..2ca4a38628 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -119,21 +119,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 58052b0050..967f022d0c 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -305,14 +305,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -320,7 +320,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 9cd0264331..141e4a5187 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 
named-journalprint  {journal}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 67c2ffc043..94e67905d5 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -50,7 +50,7 @@
 
named-rrchecker  [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-rrchecker
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
@@ -78,7 +78,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 1034,
       RFC 1035,
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 7304d6fd7f..90739a9e1d 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -288,7 +288,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -309,7 +309,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -326,7 +326,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -339,7 +339,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -352,7 +352,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 063df70f77..b09b1bc06d 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 
nsec3hash  {salt} {algorithm} {iterations} {domain}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
salt

 

@@ -80,14 +80,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 5155.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 60bcaed6b1..d6404077b9 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -236,7 +236,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -549,7 +549,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -603,7 +603,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -626,7 +626,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 2136,
       RFC 3007,
@@ -641,7 +641,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 729e217841..8b17c9519c 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -180,7 +180,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -197,7 +197,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -205,7 +205,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index f69f6764b4..f78c16a337 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -228,7 +228,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 73099b2cc2..1c94809fdc 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -81,7 +81,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
 

 

 

-
COMMANDS

+
COMMANDS

 

       A list of commands supported by rndc can
       be seen by running rndc without arguments.
@@ -412,7 +412,7 @@
 

             Sets a DNSSEC negative trust anchor (NTA)
             for domain, with a lifetime of
-            lifetime.  The default lifetime is
+            duration.  The default lifetime is
             configured in named.conf via the
             nta-lifetime option, and defaults to
             one hour.  The lifetime cannot exceed one week.
@@ -426,8 +426,17 @@
             configured trust anchors), named will
             abort the DNSSEC validation process and treat the data as
             insecure rather than bogus.  This continues until the
-            NTA's lifetime is elapsed, or until the server is
-            restarted (NTAs do not persist across restarts).
+            NTA's lifetime is elapsed.
+          

+

+            NTAs persist across restarts of the named server.
+            The NTAs for a view are saved in a file called
+            name.nta,
+            where name is the
+            name of the view, or if it contains characters
+            that are incompatible with use as a file name, a
+            cryptographic hash generated from the name
+            of the view.
           

 

             An existing NTA can be removed by using the
@@ -620,7 +629,7 @@
 

 
 

-
LIMITATIONS

+
LIMITATIONS

 

       There is currently no way to provide the shared secret for a
       key_id without using the configuration file.
@@ -630,7 +639,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -640,7 +649,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 0dbbc1fc2d..1d1960319c 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -90,42 +90,44 @@
 New Features
 
    
 
  • 
-          The serial number of a dynamically updatable zone can
-          now be set using
-          rndc signing -serial number zonename.
-          This is particularly useful with inline-signing
-          zones that have been reset.  Setting the serial number to a value
-          larger than that on the slaves will trigger an AXFR-style
+	  The serial number of a dynamically updatable zone can
+	  now be set using
+	  rndc signing -serial number zonename.
+	  This is particularly useful with inline-signing
+	  zones that have been reset.  Setting the serial number to a value
+	  larger than that on the slaves will trigger an AXFR-style
 	  transfer.
 	
    • 
 
  • 
-          When answering recursive queries, SERVFAIL responses can now be
-          cached by the server for a limited time; subsequent queries for
-          the same query name and type will return another SERVFAIL until
-          the cache times out.  This reduces the frequency of retries
-          when a query is persistently failing, which can be a burden
-          on recursive serviers.  The SERVFAIL cache timeout is controlled
-          by servfail-ttl, which defaults to 10 seconds
-          and has an upper limit of 30.
+	  When answering recursive queries, SERVFAIL responses can now be
+	  cached by the server for a limited time; subsequent queries for
+	  the same query name and type will return another SERVFAIL until
+	  the cache times out.  This reduces the frequency of retries
+	  when a query is persistently failing, which can be a burden
+	  on recursive serviers.  The SERVFAIL cache timeout is controlled
+	  by servfail-ttl, which defaults to 10 seconds
+	  and has an upper limit of 30.
 	
    • 
 
  • 
-          The new rndc nta command can now be used to
-          set a "negative trust anchor" (NTA), disabling DNSSEC validation for
-          a specific domain; this can be used when responses from a domain
-          are known to be failing validation due to administrative error
-          rather than because of a spoofing attack. NTAs are strictly
-          temporary; by default they expire after one hour, but can be
-          configured to last up to one week.  The default NTA lifetime
-          can be changed by setting the nta-lifetime in
-          named.conf.
+	  The new rndc nta command can now be used to
+	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
+	  a specific domain; this can be used when responses from a domain
+	  are known to be failing validation due to administrative error
+	  rather than because of a spoofing attack. NTAs are strictly
+	  temporary; by default they expire after one hour, but can be
+	  configured to last up to one week.  The default NTA lifetime
+	  can be changed by setting the nta-lifetime in
+	  named.conf. When added, NTAs are stored in a
+	  file (viewname.nta)
+	  in order to persist across restarts of the named server.
 	
    • 
 
  • 
 	  The EDNS Client Subnet (ECS) option is now supported for
-          authoritative servers; if a query contains an ECS option then
-          ACLs containing geoip or ecs
-          elements can match against the the address encoded in the option.
-          This can be used to select a view for a query, so that different
-          answers can be provided depending on the client network.
+	  authoritative servers; if a query contains an ECS option then
+	  ACLs containing geoip or ecs
+	  elements can match against the the address encoded in the option.
+	  This can be used to select a view for a query, so that different
+	  answers can be provided depending on the client network.
 	
    • 
 
  • 
 	  The EDNS EXPIRE option has been implemented on the client
@@ -134,63 +136,63 @@
 	  server.
 	
    • 
 
  • 
-          A new masterfile-style zone option controls
-          the formatting of text zone files:  When set to
-          full, the zone file will dumped in
-          single-line-per-record format.
+	  A new masterfile-style zone option controls
+	  the formatting of text zone files:  When set to
+	  full, the zone file will dumped in
+	  single-line-per-record format.
 	
    • 
 
  • 
-          dig +ednsopt can now be used to set
-          arbitrary EDNS options in DNS requests.
+	  dig +ednsopt can now be used to set
+	  arbitrary EDNS options in DNS requests.
 	
    • 
 
  • 
-          dig +ednsflags can now be used to set
-          yet-to-be-defined EDNS flags in DNS requests.
+	  dig +ednsflags can now be used to set
+	  yet-to-be-defined EDNS flags in DNS requests.
 	
    • 
 
  • 
 	  dig +[no]ednsnegotiation can now be used enable /
 	  disable EDNS version negotiation.
 	
    • 
 
  • 
-          dig +header-only can now be used to send
+	  dig +header-only can now be used to send
 	  queries without a question section.
 	
    • 
 
  • 
-          dig +ttlunits causes dig
-          to print TTL values with time-unit suffixes: w, d, h, m, s for
-          weeks, days, hours, minutes, and seconds.
+	  dig +ttlunits causes dig
+	  to print TTL values with time-unit suffixes: w, d, h, m, s for
+	  weeks, days, hours, minutes, and seconds.
 	
    • 
 
  • 
-          dig +zflag can be used to set the last
+	  dig +zflag can be used to set the last
 	  unassigned DNS header flag bit.  This bit in normally zero.
 	
    • 
 
  • 
-          dig +dscp=value
-          can now be used to set the DSCP code point in outgoing query
-          packets.
+	  dig +dscp=value
+	  can now be used to set the DSCP code point in outgoing query
+	  packets.
 	
    • 
 
  • 
-          serial-update-method can now be set to
-          date. On update, the serial number will
-          be set to the current date in YYYYMMDDNN format.
+	  serial-update-method can now be set to
+	  date. On update, the serial number will
+	  be set to the current date in YYYYMMDDNN format.
 	
    • 
 
  • 
-          dnssec-signzone -N date also sets the serial
-          number to YYYYMMDDNN.
+	  dnssec-signzone -N date also sets the serial
+	  number to YYYYMMDDNN.
 	
    • 
 
  • 
-          named -L filename
-          causes named to send log messages to the specified file by
-          default instead of to the system log.
+	  named -L filename
+	  causes named to send log messages to the specified file by
+	  default instead of to the system log.
 	
    • 
 
  • 
-          The rate limiter configured by the
-          serial-query-rate option no longer covers
-          NOTIFY messages; those are now separately controlled by
-          notify-rate and
-          startup-notify-rate (the latter of which
-          controls the rate of NOTIFY messages sent when the server
-          is first started up or reconfigured).
+	  The rate limiter configured by the
+	  serial-query-rate option no longer covers
+	  NOTIFY messages; those are now separately controlled by
+	  notify-rate and
+	  startup-notify-rate (the latter of which
+	  controls the rate of NOTIFY messages sent when the server
+	  is first started up or reconfigured).
 	
    • 
 
  • 
 	  The default number of tasks and client objects available
@@ -243,32 +245,32 @@
 	  geoip asnum "AS1234 Example, Inc.";).
 	  They can now match against the AS number alone (as in
 	  geoip asnum "AS1234";).
-        
    • 
+	
    
 
  • 
-          When using native PKCS#11 cryptography (i.e.,
-          configure --enable-native-pkcs11) HSM PINs
-          of up to 256 characters can now be used.
-        
    • 
+	  When using native PKCS#11 cryptography (i.e.,
+	  configure --enable-native-pkcs11) HSM PINs
+	  of up to 256 characters can now be used.
+	
    
 
  • 
-          NXDOMAIN responses to queries of type DS are now cached separately
-          from those for other types. This helps when using "grafted" zones
-          of type forward, for which the parent zone does not contain a
-          delegation, such as local top-level domains.  Previously a query
-          of type DS for such a zone could cause the zone apex to be cached
-          as NXDOMAIN, blocking all subsequent queries.  (Note: This
-          change is only helpful when DNSSEC validation is not enabled.
-          "Grafted" zones without a delegation in the parent are not a
-          recommended configuration.)
-        
    • 
+	  NXDOMAIN responses to queries of type DS are now cached separately
+	  from those for other types. This helps when using "grafted" zones
+	  of type forward, for which the parent zone does not contain a
+	  delegation, such as local top-level domains.  Previously a query
+	  of type DS for such a zone could cause the zone apex to be cached
+	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
+	  change is only helpful when DNSSEC validation is not enabled.
+	  "Grafted" zones without a delegation in the parent are not a
+	  recommended configuration.)
+	
    
 
  • 
 	  Update forwarding performance has been improved by allowing
 	  a single TCP connection to be shared between multiple updates.
 	
    • 
 
  • 
-          By default, nsupdate will now check
-          the correctness of hostnames when adding records of type
-          A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
-          disabled with check-names no.
+	  By default, nsupdate will now check
+	  the correctness of hostnames when adding records of type
+	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
+	  disabled with check-names no.
 	
    • 
 
  • 
 	  Added support for OPENPGPKEY type.
@@ -294,10 +296,10 @@
 	  truncated output.)
 	
    • 
 
  • 
-          Errors reported when running rndc addzone
-          (e.g., when a zone file cannot be loaded) have been clarified
-          to make it easier to diagnose problems.
-        
    • 
+	  Errors reported when running rndc addzone
+	  (e.g., when a zone file cannot be loaded) have been clarified
+	  to make it easier to diagnose problems.
+	
    
 
  • 
 	  When encountering an authoritative name server whose name is
 	  an alias pointing to another name, the resolver treats
@@ -324,20 +326,20 @@
 	  a name which, after appending search list elements,
 	  exceeded 255 bytes. Such names are now skipped, but
 	  processing of other names will continue. [RT #36892]
-        
    • 
+	
    
 
  • 
 	  The error message generated when
 	  named-checkzone or
 	  named-checkconf -z encounters a
 	  $TTL directive without a value has
 	  been clarified. [RT #37138]
-        
    • 
+	
    
 
  • 
 	  Semicolon characters (;) included in TXT records were
 	  incorrectly escaped with a backslash when the record was
 	  displayed as text. This is actually only necessary when there
 	  are no quotation marks. [RT #37159]
-        
    • 
+	
    
 
  • 
 	  When files opened for writing by named,
 	  such as zone journal files, were referenced more than once
@@ -345,42 +347,42 @@
 	  corruption as multiple threads wrote to the same file. This
 	  is now detected when loading named.conf
 	  and reported as an error. [RT #37172]
-        
    • 
+	
    
 
  • 
-          When checking for updates to trust anchors listed in
-          managed-keys, named
-          now revalidates keys based on the current set of
-          active trust anchors, without relying on any cached
-          record of previous validation. [RT #37506]
-        
    • 
+	  When checking for updates to trust anchors listed in
+	  managed-keys, named
+	  now revalidates keys based on the current set of
+	  active trust anchors, without relying on any cached
+	  record of previous validation. [RT #37506]
+	
    
 
  • 
 	  Large-system tuning
 	  (configure --with-tuning=large) caused
 	  problems on some platforms by setting a socket receive
 	  buffer size that was too large.  This is now detected and
 	  corrected at run time. [RT #37187]
-        
    • 
+	
    
 
  • 
 	  When NXDOMAIN redirection is in use, queries for a name
 	  that is present in the redirection zone but a type that
 	  is not present will now return NOERROR instead of NXDOMAIN.
-        
    • 
+	
    
 
  • 
 	  Due to an inadvertent removal of code in the previous
 	  release, when named encountered an
 	  authoritative name server which dropped all EDNS queries,
 	  it did not always try plain DNS. This has been corrected.
 	  [RT #37965]
-        
    • 
+	
    
 
  • 
 	  A regression caused nsupdate to use the default recursive servers
 	  rather than the SOA MNAME server when sending the UPDATE.
-        
    • 
+	
    
 
  • 
 	  Adjusted max-recursion-queries to accommodate the smaller
 	  initial packet sizes used in BIND 9.10 and higher when
 	  contacting authoritative servers for the first time.
-        
    • 
+	
    
 
  • 
 	  Built-in "empty" zones did not correctly inherit the
 	  "allow-transfer" ACL from the options or view. [RT #38310]