diff --git a/bin/confgen/ddns-confgen.8 b/bin/confgen/ddns-confgen.8
index 4330e0ff94..d6fdaa4d63 100644
--- a/bin/confgen/ddns-confgen.8
+++ b/bin/confgen/ddns-confgen.8
@@ -13,64 +13,109 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: ddns-confgen.8,v 1.2 2009/06/10 00:27:21 each Exp $
+.\" $Id: ddns-confgen.8,v 1.3 2009/06/10 01:12:50 tbox Exp $
.\"
.hy 0
.ad l
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "DDNS-CONFGEN" 8 "Jan 29, 2009" "" ""
-.SH NAME
-ddns-confgen \- ddns key generation tool
+.\" Title: ddns\-confgen
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1
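
Review bot: The regenerated header of ddns-confgen.8 leaves the "Author:" comment empty and drops the old "Don't modify this, modify the source." line, so the file names its generator but no longer tells an editor that hand changes will be overwritten. Consider filling in the author in the DocBook source and having the build emit a do-not-edit comment, so fixes to this page are made in the source rather than in the generated .8 file.
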
ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -59,7 +59,7 @@
rndc-confgen [-a] [-b ] [keysize-c ] [keyfile-h] [-k ] [keyname-p ] [port-r ] [randomfile-s ] [address-t ] [chrootdir-u ]user
rndc-confgen generates configuration files for rndc. It can be used as a @@ -48,7 +48,7 @@
rndc.key
in /etc (or whatever
sysconfdir
- was specified as when BIND was
+ was specified as when BIND was
built)
that is read by both rndc
and named on startup. The
@@ -155,7 +155,7 @@
nsupdate [-d] [-D] [[-g] | [-o] | [-y ] | [[hmac:]keyname:secret-k ]] [keyfile-t ] [timeout-u ] [udptimeout-r ] [udpretries-R ] [randomdev-v] [filename]
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -187,7 +187,7 @@
nsupdate
reads input from
filename
@@ -385,7 +385,7 @@
{domain-name}
[ttl]
[class]
- [type [data...]]
+ [type [data...]]
Deletes any resource records named @@ -451,7 +451,7 @@
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index 1012ce3474..4654dd7a1b 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,38 +13,33 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.conf.5,v 1.39 2009/06/10 00:27:21 each Exp $
+.\" $Id: rndc.conf.5,v 1.40 2009/06/10 01:12:50 tbox Exp $
.\"
.hy 0
.ad l
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "RNDC.CONF" 5 "June 30, 2000" "" ""
-.SH NAME
+.\" Title: \fIrndc.conf\fR
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1
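
Review bot: The generated "Title:" comment in rndc.conf.5 carries raw font escapes ("\fIrndc.conf\fR"), whereas the ddns-confgen.8 header in this same commit has a plain title ("ddns\-confgen"). That suggests the title in the rndc.conf DocBook source is wrapped in inline markup which the stylesheet copies into the comment. It does not affect rendering, but normalising it in the source would give anything that reads the Title comment a clean name.
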
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -117,7 +117,7 @@
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -201,7 +201,7 @@
Dynamic update is enabled by including an
- allow-update or update-policy
- clause in the zone statement. The
- tkey-gssapi-credential and
+ allow-update, update-policy
+ clause in the zone statement, or by setting the
+ dynamic option to yes
+ and creating a ddns.key file (see
+ ddns-confgen.)
+
+ If the zone's dynamic option is set to
+ yes, and if a ddns.key
+ file exists and contains a valid TSIG key, and if no other dynamic
+ update policy has been set for the zone, then updates to the zone
+ will be permitted for the key ddns.key.
+
+ The tkey-gssapi-credential and tkey-domain clauses in the - options statement enable the + options statement enable the server to negotiate keys that can be matched against those in update-policy or allow-update. @@ -210,7 +222,7 @@
Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -240,7 +252,7 @@
Let's say a company named Example, Inc.
(example.com)
@@ -497,7 +509,7 @@ nameserver 172.16.72.4
A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must @@ -505,7 +517,7 @@ nameserver 172.16.72.4
The following command will generate a 128-bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys @@ -530,7 +542,7 @@ nameserver 172.16.72.4
The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming @@ -545,7 +557,7 @@ nameserver 172.16.72.4
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. @@ -553,7 +565,7 @@ nameserver 172.16.72.4
Imagine host1 and host 2 are @@ -582,7 +594,7 @@ key host1-host2. {
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the named.conf file
@@ -614,7 +626,7 @@ server 10.1.2.3 {
BIND allows IP addresses and ranges to be specified in ACL @@ -642,7 +654,7 @@ allow-update { key host1-host2. ;};
The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware @@ -668,7 +680,7 @@ allow-update { key host1-host2. ;};
TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of @@ -704,7 +716,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -765,7 +777,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to generate keys. @@ -821,7 +833,7 @@ allow-update { key host1-host2. ;};
The dnssec-signzone program is used to sign a zone. @@ -863,7 +875,7 @@ allow-update { key host1-host2. ;};
To enable named to respond appropriately to DNS requests from DNSSEC aware clients, @@ -1001,7 +1013,7 @@ options {
BIND 9 fully supports all currently defined forms of IPv6 name to address and address to name @@ -1039,7 +1051,7 @@ options {
The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire @@ -1058,7 +1070,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index f4edcbbc73..1afba738be 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,13 +45,13 @@Table of Contents
Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 40125647c8..cc8f243d9a 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -48,55 +48,55 @@address_match_list= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element= [ ! ] (ip_address [/length] | @@ -483,7 +483,7 @@Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -567,7 +567,7 @@
The BIND 9 comment syntax allows for comments to appear @@ -577,7 +577,7 @@
/* This is a BIND comment as in C */@@ -593,7 +593,7 @@Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -834,7 +834,7 @@
acl acl-name { address_match_list }; @@ -916,7 +916,7 @@controls { [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} @@ -1040,12 +1040,12 @@includefilename;The include statement inserts the @@ -1060,7 +1060,7 @@
keykey_id{ algorithmstring; secretstring; @@ -1069,7 +1069,7 @@The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1116,7 +1116,7 @@
logging { [ channelchannel_name{ ( filepath_name@@ -1140,7 +1140,7 @@The logging statement configures a @@ -1174,7 +1174,7 @@
All log output goes to one or more channels; you can make as many of them as you want. @@ -1738,7 +1738,7 @@ category notify { null; };
The query-errors category is specifically intended for debugging purposes: To identify @@ -1966,7 +1966,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the lwres statement in the
named.conffile: @@ -1982,7 +1982,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]The lwres statement configures the name @@ -2033,7 +2033,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
mastersname[portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; @@ -2041,7 +2041,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]masters lists allow for a common set of masters to be easily used by @@ -2050,7 +2050,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options statement in the
named.conffile: @@ -3311,7 +3311,7 @@ options {The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3355,7 +3355,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -3552,7 +3552,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4004,7 +4004,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports, avoid-v4-udp-ports, @@ -4046,7 +4046,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4208,7 +4208,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -4988,7 +4988,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5318,7 +5318,7 @@ deny-answer-aliases { "example.net"; };
The statistics-channels statement @@ -5369,7 +5369,7 @@ deny-answer-aliases { "example.net"; };
trusted-keys {stringnumbernumbernumberstring; [stringnumbernumbernumberstring; [...]] @@ -5378,7 +5378,7 @@ deny-answer-aliases { "example.net"; };The trusted-keys statement defines @@ -5437,7 +5437,7 @@ deny-answer-aliases { "example.net"; };
The view statement is a powerful feature @@ -5714,10 +5714,10 @@ zone
zone_name[
@@ -5928,7 +5928,7 @@ zone zone_name[The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), @@ -5950,7 +5950,7 @@ zonezone_name[
- allow-notify
- +
@@ -6093,6 +6093,15 @@ zone
zone_name[root-delegation-only.- dynamic
++ If this flag is set to
yesin + a master zone, named will + automatically generate a TSIG session key for use + by nsupdate -l on the local system, + and the zone will be marked to allow dynamic updates + using this key. +- forward
Only meaningful if the zone has a forwarders @@ -6318,7 +6327,7 @@ zone
zone_name[-( grant | deny )identitynametypename[types] +( grant | deny )identitynametype[name] [types]Each rule grants or denies privileges. Once a message has @@ -6362,7 +6371,8 @@ zone
zone_name[krb5-self,ms-self,krb5-subdomain,ms-subdomain, -tcp-selfand6to4-self. +tcp-self,6to4-self, + andzonesub.
@@ -6401,6 +6411,29 @@ zone zone_name[+ ++ ++
+zonesub++ ++ This rule is similar to subdomain, except that + it matches when the name being updated is a + subdomain of the zone in which the + update-policy statement + appears. This obviates the need to type the zone + name twice, and enables the use of a standard + update-policy statement in + multiple zones without modification. +
++ When this rule is used, the +
+namefield is omitted. +
wildcard@@ -6529,7 +6562,7 @@ zonezone_name[@@ -6542,7 +6575,7 @@ zonezone_name[A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7279,7 +7312,7 @@ zone
zone_name[RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7482,7 +7515,7 @@ zone
zone_name[As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -7738,7 +7771,7 @@ zone
zone_name[Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -7799,7 +7832,7 @@ zone
zone_name[The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -7814,7 +7847,7 @@ zone
zone_name[When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -7825,7 +7858,7 @@ zone
zone_name[Syntax: $ORIGIN
domain-name@@ -7854,7 +7887,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename@@ -7890,7 +7923,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl@@ -7909,7 +7942,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range@@ -8333,7 +8366,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -8890,7 +8923,7 @@ HOST-127.EXAMPLE. MX 0 . diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 2028a1cedf..155f73bc52 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
@@ -9044,7 +9077,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9427,7 +9460,7 @@ HOST-127.EXAMPLE. MX 0 . Socket I/O statistics counters are defined per socket types, which are @@ -9582,7 +9615,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 0d1aed2a4d..bba83d055a 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -46,10 +46,10 @@Table of Contents
@@ -122,7 +122,7 @@ zone "example.com" {On UNIX servers, it is possible to run BIND @@ -148,7 +148,7 @@ zone "example.com" {
In order for a chroot environment to @@ -176,7 +176,7 @@ zone "example.com" {
Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 0b7501bde9..c6577e3314 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,18 +45,18 @@Table of Contents
The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@
The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index c1a4d5fd7d..c90cd300ec 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,21 +45,21 @@Table of Contents
@@ -268,42 +268,42 @@Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-@@ -312,19 +312,19 @@[RFC3645] Generic Security Service Algorithm for Secret +
[RFC3645] Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-@@ -332,146 +332,146 @@[RFC4035] Protocol Modifications for the DNS +
[RFC4035] Protocol Modifications for the DNS Security Extensions. March 2005.
Other Important RFCs About DNS Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely +
[RFC1535] A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.
-[RFC1536] Common DNS Implementation +
[RFC1536] Common DNS Implementation Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS +
[RFC4074] Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using +
[RFC2168] Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the +
[RFC1876] A Means for Expressing Location Information in the Domain Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the +
[RFC2052] A DNS RR for Specifying the Location of Services.. October 1996.
-[RFC2163] Using the Internet DNS to +
[RFC2163] Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names +
[RFC1101] DNS Encoding of Network Names and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and +
[RFC1123] Requirements for Internet Hosts - Application and Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide.. November 1987.
-[RFC1912] Common DNS Operational and +
[RFC1912] Common DNS Operational and Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names, +
[RFC2825] A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.
-@@ -487,47 +487,47 @@[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
-[RFC1464] Using the Domain Name System To Store Arbitrary String +
[RFC1464] Using the Domain Name System To Store Arbitrary String Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via +
[RFC3258] Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
@@ -541,39 +541,39 @@Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical +
[RFC1712] DNS Encoding of Geographical Location. November 1994.
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC) +
[RFC3008] Domain Name System Security (DNSSEC) Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record +
[RFC3757] Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.
-@@ -594,14 +594,14 @@[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
-diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 7475bce86b..bb3e100aba 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -84,11 +84,9 @@DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
- -
rndc.conf— rndc configuration file- -rndc-confgen — rndc key generation tool -
+<xi:include></xi:include> diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 177164df7b..f7359f9076 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@
-OPTIONS
+OPTIONS
The
-boption sets the source IP address of the query toaddress. This must be a valid @@ -248,7 +248,7 @@-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 87b639a38d..f36575b8db 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@
dnssec-dsfromkey{-s} [-v] [level-1] [-2] [-a] [alg-c] [class-d] {dnsname}dir-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -128,13 +128,13 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index a8567cecc9..b2fdd9c962 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -143,7 +143,7 @@
dnssec-keyfromlabel{-aalgorithm} {-llabel} [-c] [class-f] [flag-k] [-n] [nametype-p] [protocol-t] [type-v] {name}level-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -172,7 +172,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 7c925cb6b4..c5c61dc358 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -182,7 +182,7 @@
dnssec-keygen{-aalgorithm} {-bkeysize} {-nnametype} [-c] [class-e] [-f] [flag-g] [generator-h] [-k] [-p] [protocol-r] [randomdev-s] [strength-t] [type-v] {name}level-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -233,7 +233,7 @@-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 369b123773..292969ad68 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -242,7 +242,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-e] [end-time-f] [output-file-g] [-h] [-k] [key-l] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-p] [-P] [-r] [randomdev-s] [start-time-t] [-v] [level-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 04cc05a008..c4f6f3675c 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -318,14 +318,14 @@ db.example.com.signed %
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 943247726e..f4f1a97afe 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file.
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 623237f9ef..fe47c02819 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-i] [mode-k] [mode-m] [mode-n] [mode-o] [filename-s] [style-t] [directory-w] [directory-D] [-W] {zonename} {filename}mode-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index c9fc0b6694..0c237b347b 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named[-4] [-6] [-c] [config-file-d] [debug-level-f] [-g] [-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@
-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 14a0e26ae1..ca24fde382 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -276,7 +276,7 @@
nsupdate[-d] [-D] [[-g] | [-o] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -87,6 +87,10 @@ The
+-Doption makes nsupdate report additional debugging information to-d.+ The
-Loption with an integer argument of zero or + higher sets the logging debug level. If zero, logging is disabled. +Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described @@ -114,38 +118,48 @@ uses the
-yor-koption to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type - HMAC-MD5. These options are mutually exclusive. With the --koption, nsupdate reads - the shared secret from the filekeyfile, - whose name is of the form -K{name}.+157.+{random}.private. For - historical reasons, the file -K{name}.+157.+{random}.keymust also be - present. When the-yoption is used, a - signature is generated from - [hmac:]keyname:secret.-keynameis the name of the key, and -secretis the base64 encoded shared - secret. Use of the-yoption is discouraged - because the shared secret is supplied as a command line - argument in clear text. This may be visible in the output - from - ps(1) or in a history file maintained by the user's - shell. + HMAC-MD5. These options are mutually exclusive.+ When the
+-yoption is used, a signature is + generated from + [hmac:]keyname:secret.+keynameis the name of the key, and +secretis the base64 encoded shared secret. + Use of the-yoption is discouraged because the + shared secret is supplied as a command line argument in clear text. + This may be visible in the output from + ps(1) + or in a history file maintained by the user's shell. ++ With the +
-koption, nsupdate reads + the shared secret from the filekeyfile. + Keyfiles may be in two formats: a single file containing + anamed.conf-format key + statement, which may be generated automatically by + ddns-confgen, or a pair of files whose names are + of the formatK{name}.+157.+{random}.keyand +K{name}.+157.+{random}.private, which can be + generated by dnssec-keygen. The-kmay also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key.- The
-gand-ospecify that - GSS-TSIG is to be used. The-oshould only - be used with old Microsoft Windows 2000 servers. + nsupdate can be run in a local-host only mode + using the-lflag. This sets the server address to + localhost (disabling the server so that the server + address cannot be overridden). Connections to the local server will + use a TSIG key found in/var/run/named/ddns.key, + which is automatically generated by named if any + local master zone has the dynamic zone option set + to yes. The location of this key file can be overridden with + the-koption.- By default, - nsupdate + By default, nsupdate uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The @@ -155,6 +169,10 @@ use a TCP connection. This may be preferable when a batch of update requests is made.
++ The
-psets the default port number to use for + connections to a name server. The default is 53. +The
-toption sets the maximum time an update request can @@ -187,7 +205,7 @@-FILES
+FILES
/etc/resolv.conf- +
used to identify default name server
- +
/var/run/named/ddns.key+ sets the default TSIG key for use in local-only mode +
K{name}.+157.+{random}.keybase-64 encoding of HMAC-MD5 key created by @@ -524,7 +546,7 @@
-SEE ALSO
+SEE ALSO
RFC2136, RFC3007, RFC2104, @@ -533,11 +555,12 @@ RFC2535, RFC2931, named(8), + ddns-confgen(8), dnssec-keygen(8).
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 172fd0f208..b30b410482 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -23,7 +23,6 @@ -
@@ -50,7 +48,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +133,7 @@-@@ -239,15 +237,13 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -219,7 +217,7 @@Prev Up -Next - +rndc Home -rndc-confgen - +
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-V] [-y] {command}key_id-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@
-OPTIONS
+OPTIONS
- -b
source-address@@ -151,7 +151,7 @@
-diff --git a/doc/misc/options b/doc/misc/options index 7ccfe7f363..c3f2f84c27 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -2,72 +2,16 @@ This is a summary of the named.conf options supported by this version of BIND 9. -aclLIMITATIONS
+LIMITATIONS
rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@
{ ; ... }; - -controls { - inet ( | | * ) [ port ( | * - ) ] allow { ; ... } [ keys { ; - ... } ]; - unix perm owner group - [ keys { ; ... } ]; -}; - -dlz { - database ; -}; - -key { - algorithm ; - secret ; -}; - -logging { - category { ; ... }; - channel { - file [ versions ( "unlimited" | ) - ] [ size ]; - null; - print-category ; - print-severity ; - print-time ; - severity ; - stderr; - syslog ; - }; -}; - -lwres { - listen-on [ port ] { ( | ) - [ port ]; ... }; - ndots ; - search { ; ... }; - view ; -}; - -masters [ port ] { ( | [ port - ] | [ port ] ) [ key ]; ... }; - options { acache-cleaning-interval ; acache-enable ; additional-from-auth ; additional-from-cache ; - allow-notify { ; ... }; - allow-query { ; ... }; allow-query-cache { ; ... }; allow-query-cache-on { ; ... }; - allow-query-on { ; ... }; allow-recursion { ; ... }; allow-recursion-on { ; ... }; - allow-transfer { ; ... }; - allow-update { ; ... }; - allow-update-forwarding { ; ... }; allow-v6-synthesis { ; ... }; // obsolete - also-notify [ port ] { ( | - ) [ port ]; ... }; - alt-transfer-source ( | * ) [ port ( | * ) ]; - alt-transfer-source-v6 ( | * ) [ port ( | - * ) ]; attach-cache ; auth-nxdomain ; // default changed avoid-v4-udp-ports { ; ... }; @@ -75,23 +19,19 @@ options { bindkeys-file ; blackhole { ; ... }; cache-file ; - check-integrity ; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); check-names ( master | slave | response ) ( fail | warn | ignore ); - check-sibling ; - check-srv-cname ( fail | warn | ignore ); - check-wildcard ; cleaning-interval ; clients-per-query ; coresize ; datasize ; + ddns-keyalg ; + ddns-keyfile ( | none ); + ddns-keyname ; deallocate-on-exit ; // obsolete deny-answer-addresses { ; ... } [ except-from { ; ... } ]; deny-answer-aliases { ; ... } [ except-from { ; ... } ]; - dialup ; directory ; disable-algorithms { ; ... }; disable-empty-zone ; 
@@ -112,9 +52,6 @@ options { fetch-glue ; // obsolete files ; flush-zones-on-shutdown ; - forward ( first | only ); - forwarders [ port ] { ( | ) - [ port ]; ... }; has-old-clients ; // obsolete heartbeat-interval ; host-statistics ; // not implemented @@ -122,42 +59,22 @@ options { hostname ( | none ); interface-interval ; ixfr-from-differences ; - key-directory ; lame-ttl ; listen-on [ port ] { ; ... }; listen-on-v6 [ port ] { ; ... }; - maintain-ixfr-base ; // obsolete - masterfile-format ( text | raw ); match-mapped-addresses ; max-acache-size ; max-cache-size ; max-cache-ttl ; max-clients-per-query ; - max-ixfr-log-size ; // obsolete - max-journal-size ; max-ncache-ttl ; - max-refresh-time ; - max-retry-time ; - max-transfer-idle-in ; - max-transfer-idle-out ; - max-transfer-time-in ; - max-transfer-time-out ; max-udp-size ; memstatistics ; memstatistics-file ; - min-refresh-time ; - min-retry-time ; min-roots ; // not implemented minimal-responses ; - multi-master ; multiple-cnames ; // obsolete named-xfer ; // obsolete - notify ; - notify-delay ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; - notify-to-soa ; - nsec3-test-zone ; // test only pid-file ( | none ); port ; preferred-glue ; 
@@ -176,373 +93,26 @@ options { reserved-sockets ; rfc2308-type1 ; // not yet implemented root-delegation-only [ exclude { ; ... } ]; - rrset-order { [ class ] [ type ] [ name - ] ; ... }; - serial-queries ; // obsolete + rrset-order { [ class ] [ type ] [ + name ] ; ... }; + serial-queries ; // obsolete serial-query-rate ; server-id ( | none |; - sig-signing-nodes ; - sig-signing-signatures ; - sig-signing-type ; - sig-validity-interval [ ]; - sortlist { ; ... }; stacksize ; statistics-file ; statistics-interval ; // not yet implemented - suppress-initial-notify ; // not yet implemented tcp-clients ; tcp-listen-queue ; tkey-dhkey ; tkey-domain ; tkey-gssapi-credential ; - topology { ; ... }; // not implemented - transfer-format ( many-answers | one-answer ); - transfer-source ( | * ) [ port ( | * ) ]; - transfer-source-v6 ( | * ) [ port ( | * ) ]; transfers-in ; transfers-out ; transfers-per-ns ; treat-cr-as-space ; // obsolete - try-tcp-refresh ; - update-check-ksk ; - use-alt-transfer-source ; use-id-pool ; // obsolete use-ixfr ; - use-queryport-pool ; // obsolete use-v4-udp-ports { ; ... }; use-v6-udp-ports { ; ... }; version ( | none ); - zero-no-soa-ttl ; - zero-no-soa-ttl-cache ; - zone-statistics ; -}; - -server { - bogus ; - edns ; - edns-udp-size ; - keys ; - max-udp-size ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port (
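Review bot: The nsupdate synopsis is left unchanged in man.nsupdate.html while the hunks at @@ -87,6 +87,10 @@ and @@ -155,6 +169,10 @@ document new -L and -p options and the -k hunk documents -l, so the synopsis and the description now disagree. Add the three options to the synopsis in the DocBook source so the generated man page and HTML both pick them up. The -L paragraph should also say where the log output goes, since "If zero, logging is disabled" does not tell the reader what is logged at level 1 and above.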
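Review bot: In the nsupdate hunk at @@ -114,38 +118,48 @@ the paragraph describing -g and -o (GSS-TSIG, with -o only for old Microsoft Windows 2000 servers) is deleted and replaced by the new -l paragraph, but the synopsis still offers [-g] and [-o], which leaves those options undocumented. Keep the GSS-TSIG paragraph and add the local-host mode text as a separate paragraph. In the same hunk, "The -k may also be used" is missing "option", and the parenthetical "disabling the server so that the server address cannot be overridden" reads as if the name server itself were disabled; say that the server command is disabled.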
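Review bot: The FILES entry added at @@ -187,7 +205,7 @@ and the -l paragraph both state /var/run/named/ddns.key as a fixed path, yet the doc/misc/options hunk in this same patch adds "ddns-keyfile ( | none );", so the file can be moved or turned off in named.conf. Say here that the path follows ddns-keyfile, and that with a non-default location -l needs -k to find the key. Because this file holds the TSIG shared secret that authorizes updates to every dynamic local master zone, the page should also state the ownership and mode named creates it with, so an operator can check that only the intended local users can read it.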
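Review bot: The BUGS text kept as context at @@ -533,11 +555,12 @@, "The TSIG key is redundantly stored in two separate files", now contradicts the rewritten -k paragraph, which introduces a single-file named.conf-format key generated by ddns-confgen. Qualify the BUGS sentence so it applies only to the K{name}.+157.+{random}.key and .private pair produced by dnssec-keygen. The FILES entries further up have the same gap: they still describe only the two-file format.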
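Review bot: The doc/misc/options hunks, starting at @@ -2,72 +2,16 @@, delete the acl, controls, dlz, key, logging, lwres and masters statements and a long run of options (allow-query, allow-transfer, allow-update, allow-update-forwarding, notify, transfer-source, the sig-signing-* options and more) from a file whose first line is "This is a summary of the named.conf options supported by this version of BIND 9", while the only additions are ddns-keyalg, ddns-keyfile and ddns-keyname. Nothing in this change removes those features, so this looks like the summary was regenerated with a generator that dropped everything outside a subset of the options block. Regenerate the file and check that the diff is limited to the three ddns-key* lines; as committed, the summary no longer lists the access-control options that operators look up here.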