From a55b90421b36855a01cbccc787acb1ff4bd5f40b Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Thu, 26 Feb 2015 01:08:27 +0000 Subject: [PATCH] regen v9_10 --- bin/dig/dig.1 | 186 +++++++++++--------- bin/dig/dig.html | 238 ++++++++++++++------------ bin/named/named.8 | 8 +- bin/named/named.html | 24 ++- doc/arm/Bv9ARM.ch09.html | 7 +- doc/arm/Bv9ARM.ch12.html | 40 ++--- doc/arm/Bv9ARM.html | 14 +- doc/arm/man.arpaname.html | 6 +- doc/arm/man.ddns-confgen.html | 8 +- doc/arm/man.delv.html | 12 +- doc/arm/man.dig.html | 244 +++++++++++++++------------ doc/arm/man.dnssec-checkds.html | 8 +- doc/arm/man.dnssec-coverage.html | 8 +- doc/arm/man.dnssec-dsfromkey.html | 14 +- doc/arm/man.dnssec-importkey.html | 12 +- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 14 +- doc/arm/man.dnssec-revoke.html | 8 +- doc/arm/man.dnssec-settime.html | 12 +- doc/arm/man.dnssec-signzone.html | 10 +- doc/arm/man.dnssec-verify.html | 8 +- doc/arm/man.genrandom.html | 8 +- doc/arm/man.host.html | 8 +- doc/arm/man.isc-hmac-fixup.html | 8 +- doc/arm/man.named-checkconf.html | 10 +- doc/arm/man.named-checkzone.html | 10 +- doc/arm/man.named-journalprint.html | 6 +- doc/arm/man.named-rrchecker.html | 4 +- doc/arm/man.named.html | 24 ++- doc/arm/man.nsec3hash.html | 8 +- doc/arm/man.nsupdate.html | 12 +- doc/arm/man.rndc-confgen.html | 10 +- doc/arm/man.rndc.conf.html | 10 +- doc/arm/man.rndc.html | 12 +- doc/arm/notes.html | 7 +- 35 files changed, 564 insertions(+), 466 deletions(-) diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 25793ea657..f685dc993a 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -130,77 +130,97 @@ will perform a lookup for an A record. .RE .SH "OPTIONS" .PP -The -\fB\-b\fR -option sets the source IP address of the query to -\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#" +\-4 +.RS 4 +Use IPv4 only. +.RE .PP -The default query class (IN for internet) is overridden by the -\fB\-c\fR -option. +\-6 +.RS 4 +Use IPv6 only. +.RE +.PP +\-b \fIaddress\fR\fI[#port]\fR +.RS 4 +Set the source IP address of the query. The +\fIaddress\fR +must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending "#" +.RE +.PP +\-c \fIclass\fR +.RS 4 +Set the query class. The default \fIclass\fR -is any valid class, such as HS for Hesiod records or CH for Chaosnet records. +is IN; other classes are HS for Hesiod records or CH for Chaosnet records. +.RE .PP -The -\fB\-f\fR -option makes -\fBdig \fR -operate in batch mode by reading a list of lookup requests to process from the file -\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to +\-f \fIfile\fR +.RS 4 +Batch mode: +\fBdig\fR +reads a list of lookup requests to process from the given +\fIfile\fR. Each line in the file should be organized in the same way they would be presented as queries to \fBdig\fR using the command\-line interface. +.RE .PP -The -\fB\-m\fR -option enables memory usage debugging. +\-i +.RS 4 +Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT domain, which is no longer in use. Obsolete bit string label queries (RFC2874) are not attempted. +.RE .PP -If a non\-standard port number is to be queried, the -\fB\-p\fR -option is used. -\fIport#\fR -is the port number that -\fBdig\fR -will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number. +\-k \fIkeyfile\fR +.RS 4 +Sign queries using TSIG using a key read from the given file. Key files can be generated using +\fBtsig\-keygen\fR(8). When using TSIG authentication with +\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate +\fBkey\fR +and +\fBserver\fR +statements in +\fInamed.conf\fR. +.RE .PP -The -\fB\-4\fR -option forces -\fBdig\fR -to only use IPv4 query transport. The -\fB\-6\fR -option forces -\fBdig\fR -to only use IPv6 query transport. +\-m +.RS 4 +Enable memory usage debugging. +.RE .PP -The -\fB\-t\fR -option sets the query type to -\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the -\fB\-x\fR -option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, -\fItype\fR -is set to -ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was -\fIN\fR. +\-p \fIport\fR +.RS 4 +Send the query to a non\-standard port on the server, instead of the defaut port 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number. +.RE .PP -The -\fB\-q\fR -option sets the query name to -\fIname\fR. This is useful to distinguish the +\-q \fIname\fR +.RS 4 +The domain name to query. This is useful to distinguish the \fIname\fR from other arguments. +.RE .PP -The -\fB\-v\fR -causes -\fBdig\fR -to print the version number and exit. -.PP -Reverse lookups \(em mapping addresses to names \(em are simplified by the +\-t \fItype\fR +.RS 4 +The resource record type to query. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the \fB\-x\fR -option. +option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, set the +\fItype\fR +to +ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was +\fIN\fR. +.RE +.PP +\-v +.RS 4 +Print the version number and exit. +.RE +.PP +\-x \fIaddr\fR +.RS 4 +Simplified reverse lookups, for mapping addresses to names. The \fIaddr\fR -is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the +is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When the +\fB\-x\fR +is used, there is no need to provide the \fIname\fR, \fIclass\fR and @@ -208,35 +228,41 @@ and arguments. \fBdig\fR automatically performs a lookup for a name like -11.12.13.10.in\-addr.arpa -and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the +94.2.0.192.in\-addr.arpa +and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain (but see also the \fB\-i\fR -option. Bit string labels (RFC2874) are now experimental and are not attempted. +option). +.RE .PP -To sign the DNS queries sent by -\fBdig\fR -and their responses using transaction signatures (TSIG), specify a TSIG key file using the -\fB\-k\fR -option. You can also specify the TSIG key itself on the command line using the -\fB\-y\fR -option; +\-y \fI[hmac:]\fR\fIkeyname:secret\fR +.RS 4 +Sign queries using TSIG with the given authentication key. +\fIkeyname\fR +is the name of the key, and +\fIsecret\fR +is the base64 encoded shared secret. \fIhmac\fR -is the type of the TSIG, default HMAC\-MD5, -\fIname\fR -is the name of the TSIG key and -\fIkey\fR -is the actual key. The key is a base\-64 encoded string, typically generated by -\fBdnssec\-keygen\fR(8). Caution should be taken when using the +is the name of the key algorithm; valid choices are +hmac\-md5, +hmac\-sha1, +hmac\-sha224, +hmac\-sha256, +hmac\-sha384, or +hmac\-sha512. If +\fIhmac\fR +is not specified, the default is +hmac\-md5. +.sp +NOTE: You should use the +\fB\-k\fR +option and avoid the \fB\-y\fR -option on multi\-user systems as the key can be visible in the output from +option, because with +\fB\-y\fR +the shared secret is supplied as a command line argument in clear text. This may be visible in the output from \fBps\fR(1) -or in the shell's history file. When using TSIG authentication with -\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate -\fBkey\fR -and -\fBserver\fR -statements in -\fInamed.conf\fR. +or in a history file maintained by the user's shell. +.RE .SH "QUERY OPTIONS" .PP \fBdig\fR diff --git a/bin/dig/dig.html b/bin/dig/dig.html index 9016f4bc44..a645162cf1 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -135,114 +135,134 @@

OPTIONS

+
+
-4
+

+ Use IPv4 only. +

+
-6
+

+ Use IPv6 only. +

+
-b address[#port]
+

+ Set the source IP address of the query. + The address must be a valid address on + one of the host's network interfaces, or "0.0.0.0" or "::". An + optional port may be specified by appending "#<port>" +

+
-c class
+

+ Set the query class. The + default class is IN; other classes + are HS for Hesiod records or CH for Chaosnet records. +

+
-f file
+

+ Batch mode: dig reads a list of lookup + requests to process from the + given file. Each line in the file + should be organized in the same way they would be + presented as queries to + dig using the command-line interface. +

+
-i
+

+ Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT + domain, which is no longer in use. Obsolete bit string + label queries (RFC2874) are not attempted. +

+
-k keyfile
+

+ Sign queries using TSIG using a key read from the given file. + Key files can be generated using + tsig-keygen(8). + When using TSIG authentication with dig, + the name server that is queried needs to know the key and + algorithm that is being used. In BIND, this is done by + providing appropriate key + and server statements in + named.conf. +

+
-m
+

+ Enable memory usage debugging. + +

+
-p port
+

+ Send the query to a non-standard port on the server, + instead of the defaut port 53. This option would be used + to test a name server that has been configured to listen + for queries on a non-standard port number. +

+
-q name
+

+ The domain name to query. This is useful to distinguish + the name from other arguments. +

+
-t type
+

+ The resource record type to query. It can be any valid query type + which is + supported in BIND 9. The default query type is "A", unless the + -x option is supplied to indicate a reverse lookup. + A zone transfer can be requested by specifying a type of AXFR. When + an incremental zone transfer (IXFR) is required, set the + type to ixfr=N. + The incremental zone transfer will contain the changes + made to the zone since the serial number in the zone's SOA + record was + N. +

+
-v
+

+ Print the version number and exit. +

+
-x addr
+

+ Simplified reverse lookups, for mapping addresses to + names. The addr is an IPv4 address + in dotted-decimal notation, or a colon-delimited IPv6 + address. When the -x is used, there is no + need to provide + the name, class + and type + arguments. dig automatically performs a + lookup for a name like + 94.2.0.192.in-addr.arpa and sets the + query type and class to PTR and IN respectively. IPv6 + addresses are looked up using nibble format under the + IP6.ARPA domain (but see also the -i + option). +

+
-y [hmac:]keyname:secret
+

- The -b option sets the source IP address of the query - to address. This must be a valid - address on - one of the host's network interfaces or "0.0.0.0" or "::". An optional - port - may be specified by appending "#<port>" -

+ Sign queries using TSIG with the given authentication key. + keyname is the name of the key, and + secret is the base64 encoded shared secret. + hmac is the name of the key algorithm; + valid choices are hmac-md5, + hmac-sha1, hmac-sha224, + hmac-sha256, hmac-sha384, or + hmac-sha512. If hmac + is not specified, the default is hmac-md5. +

- The default query class (IN for internet) is overridden by the - -c option. class is - any valid - class, such as HS for Hesiod records or CH for Chaosnet records. -

-

- The -f option makes dig - operate - in batch mode by reading a list of lookup requests to process from the - file filename. The file contains a - number of - queries, one per line. Each entry in the file should be organized in - the same way they would be presented as queries to - dig using the command-line interface. -

-

- The -m option enables memory usage debugging. - -

-

- If a non-standard port number is to be queried, the - -p option is used. port# is - the port number that dig will send its - queries - instead of the standard DNS port number 53. This option would be used - to test a name server that has been configured to listen for queries - on a non-standard port number. -

-

- The -4 option forces dig - to only - use IPv4 query transport. The -6 option forces - dig to only use IPv6 query transport. -

-

- The -t option sets the query type to - type. It can be any valid query type - which is - supported in BIND 9. The default query type is "A", unless the - -x option is supplied to indicate a reverse lookup. - A zone transfer can be requested by specifying a type of AXFR. When - an incremental zone transfer (IXFR) is required, - type is set to ixfr=N. - The incremental zone transfer will contain the changes made to the zone - since the serial number in the zone's SOA record was - N. -

-

- The -q option sets the query name to - name. This is useful to distinguish the - name from other arguments. -

-

- The -v causes dig to - print the version number and exit. -

-

- Reverse lookups — mapping addresses to names — are simplified by the - -x option. addr is - an IPv4 - address in dotted-decimal notation, or a colon-delimited IPv6 address. - When this option is used, there is no need to provide the - name, class and - type arguments. dig - automatically performs a lookup for a name like - 11.12.13.10.in-addr.arpa and sets the - query type and - class to PTR and IN respectively. By default, IPv6 addresses are - looked up using nibble format under the IP6.ARPA domain. - To use the older RFC1886 method using the IP6.INT domain - specify the -i option. Bit string labels (RFC2874) - are now experimental and are not attempted. -

-

- To sign the DNS queries sent by dig and - their - responses using transaction signatures (TSIG), specify a TSIG key file - using the -k option. You can also specify the TSIG - key itself on the command line using the -y option; - hmac is the type of the TSIG, default HMAC-MD5, - name is the name of the TSIG key and - key is the actual key. The key is a - base-64 - encoded string, typically generated by - dnssec-keygen(8). - - Caution should be taken when using the -y option on - multi-user systems as the key can be visible in the output from - ps(1) - or in the shell's history file. When - using TSIG authentication with dig, the name - server that is queried needs to know the key and algorithm that is - being used. In BIND, this is done by providing appropriate - key and server statements in - named.conf. -

+ NOTE: You should use the -k option and + avoid the -y option, because + with -y the shared secret is supplied as + a command line argument in clear text. This may be visible + in the output from + ps(1) + or in a history file maintained by the user's shell. +

+
+
-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -628,7 +648,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -674,7 +694,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -688,14 +708,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -703,7 +723,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/bin/named/named.8 b/bin/named/named.8 index d2239f0c79..a8d8d3d69f 100644 --- a/bin/named/named.8 +++ b/bin/named/named.8 @@ -33,7 +33,7 @@ named \- Internet domain name server .SH "SYNOPSIS" .HP 6 -\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-D\ \fR\fB\fIstring\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR] +\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-D\ \fR\fB\fIstring\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-M\ \fR\fB\fIoption\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR] .SH "DESCRIPTION" .PP \fBnamed\fR @@ -110,6 +110,12 @@ Run the server in the foreground and force all logging to \fIstderr\fR. .RE .PP +\-M \fIoption\fR +.RS 4 +Sets the default memory context options. Currently the only supported option is +\fIexternal\fR, which causes the internal memory manager to be bypassed in favor of system\-provided memory allocation functions. +.RE +.PP \-m \fIflag\fR .RS 4 Turn on memory usage debugging flags. Possible flags are diff --git a/bin/named/named.html b/bin/named/named.html index d311847fa0..deedab8c44 100644 --- a/bin/named/named.html +++ b/bin/named/named.html @@ -29,10 +29,10 @@

Synopsis

-

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

+

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -47,7 +47,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -111,6 +111,14 @@ Run the server in the foreground and force all logging to stderr.

+
-M option
+

+ Sets the default memory context options. Currently + the only supported option is + external, + which causes the internal memory manager to be bypassed + in favor of system-provided memory allocation functions. +

-m flag

Turn on memory usage debugging flags. Possible flags are @@ -258,7 +266,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -279,7 +287,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -296,7 +304,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -309,7 +317,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -322,7 +330,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index d620c592dc..a4ff26bf14 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -306,7 +306,12 @@

  • Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state - information.[RT #38458] + information. [RT #38458] +

    • +

  • + Asynchronous zone loads were not handled correctly when the + zone load was already in progress; this could trigger a crash + in zt.c. [RT #37573]

    • diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index a5d2f092bd..5374076c94 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -47,13 +47,13 @@
    BIND 9 DNS Library Support
    -
    Prerequisite
    -
    Compilation
    -
    Installation
    -
    Known Defects/Restrictions
    -
    The dns.conf File
    -
    Sample Applications
    -
    Library References
    +
    Prerequisite
    +
    Compilation
    +
    Installation
    +
    Known Defects/Restrictions
    +
    The dns.conf File
    +
    Sample Applications
    +
    Library References
    @@ -89,7 +89,7 @@

    -Prerequisite

    +Prerequisite

    GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@

    -Compilation

    +Compilation
     $ ./configure --enable-exportlib [other flags]
 $ make
@@ -113,7 +113,7 @@ $ make
 
 
    
 
    
-Installation
    
+Installation
    
 
     $ cd lib/export
 $ make install
@@ -135,7 +135,7 @@ $ make install
 
 
    
 
    
-Known Defects/Restrictions
    
+Known Defects/Restrictions
    
 
      
 
    • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -175,7 +175,7 @@ $ make
 
    
 
    
 
    
-The dns.conf File
    
+The dns.conf File
    
 
    The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -193,14 +193,14 @@ $ make
 
 
    
 
    
-Sample Applications
    
+Sample Applications
    
 
    Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   
    
 
    
 
    
-sample: a simple stub resolver utility
    
+sample: a simple stub resolver utility
    
 
    
   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -264,7 +264,7 @@ $ make
 
 
    
 
    
-sample-async: a simple stub resolver, working asynchronously
    
+sample-async: a simple stub resolver, working asynchronously
    
 
    
   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -305,7 +305,7 @@ $ make
 
 
    
 
    
-sample-request: a simple DNS transaction client
    
+sample-request: a simple DNS transaction client
    
 
    
   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -346,7 +346,7 @@ $ make
 
 
    
 
    
-sample-gai: getaddrinfo() and getnameinfo() test code
    
+sample-gai: getaddrinfo() and getnameinfo() test code
    
 
    
   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -363,7 +363,7 @@ $ make
 
 
    
 
    
-sample-update: a simple dynamic update client program
    
+sample-update: a simple dynamic update client program
    
 
    
   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -458,7 +458,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 
    
 
    
-nsprobe: domain/name server checker in terms of RFC 4074
    
+nsprobe: domain/name server checker in terms of RFC 4074
    
 
    
   It checks a set
   of domains to see the name servers of the domains behave
@@ -515,7 +515,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 
    
 
    
-Library References
    
+Library References
    
 
    As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index b0bb853d23..4deb47945d 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -268,13 +268,13 @@
 
    
 
    BIND 9 DNS Library Support
    
 
    
-
    Prerequisite
    
-
    Compilation
    
-
    Installation
    
-
    Known Defects/Restrictions
    
-
    The dns.conf File
    
-
    Sample Applications
    
-
    Library References
    
+
    Prerequisite
    
+
    Compilation
    
+
    Installation
    
+
    Known Defects/Restrictions
    
+
    The dns.conf File
    
+
    Sample Applications
    
+
    Library References
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 73ccaaae26..9cd490d170 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 
    arpaname  {ipaddress ...}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index b8825c4009..f2e76a84f7 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name  |   -z zone ]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       tsig-keygen and ddns-confgen
       are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -159,7 +159,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -167,7 +167,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index c629cb7830..deadfc27ef 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@
 
    delv  [queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    delv
       (Domain Entity Lookup & Validation) is a tool for sending
       DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of delv looks like:
       
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a anchor-file
    
 
    
@@ -285,7 +285,7 @@
 
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    delv
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
@@ -465,12 +465,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/bind.keys
    
 
    /etc/resolv.conf
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8),
       RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4ca5ec5e4b..0428752789 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -152,115 +152,135 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
+
    
+
    -4
    
+
    
+	    Use IPv4 only.
+	  
    
+
    -6
    
+
    
+	    Use IPv6 only.
+	  
    
+
    -b address[#port]
    
+
    
+	    Set the source IP address of the query.
+	    The address must be a valid address on
+	    one of the host's network interfaces, or "0.0.0.0" or "::". An
+	    optional port may be specified by appending "#<port>"
+	  
    
+
    -c class
    
+
    
+	    Set the query class. The
+	    default class is IN; other classes
+	    are HS for Hesiod records or CH for Chaosnet records.
+	  
    
+
    -f file
    
+
    
+	    Batch mode: dig reads a list of lookup
+	    requests to process from the
+	    given file. Each line in the file
+	    should be organized in the same way they would be
+	    presented as queries to
+	    dig using the command-line interface.
+	  
    
+
    -i
    
+
    
+	    Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC2874) are not attempted.
+	  
    
+
    -k keyfile
    
+
    
+	    Sign queries using TSIG using a key read from the given file.
+	    Key files can be generated using
+	    tsig-keygen(8).
+	    When using TSIG authentication with dig,
+	    the name server that is queried needs to know the key and
+	    algorithm that is being used. In BIND, this is done by
+	    providing appropriate key
+	    and server statements in
+	    named.conf.
+	  
    
+
    -m
    
+
    
+	    Enable memory usage debugging.
+	    
+	  
    
+
    -p port
    
+
    
+	    Send the query to a non-standard port on the server,
+	    instead of the defaut port 53. This option would be used
+	    to test a name server that has been configured to listen
+	    for queries on a non-standard port number.
+	  
    
+
    -q name
    
+
    
+	    The domain name to query. This is useful to distinguish
+	    the name from other arguments.
+	  
    
+
    -t type
    
+
    
+	    The resource record type to query. It can be any valid query type
+	    which is
+	    supported in BIND 9.  The default query type is "A", unless the
+	    -x option is supplied to indicate a reverse lookup.
+	    A zone transfer can be requested by specifying a type of AXFR.  When
+	    an incremental zone transfer (IXFR) is required, set the
+	    type to ixfr=N.
+	    The incremental zone transfer will contain the changes
+	    made to the zone since the serial number in the zone's SOA
+	    record was
+	    N.
+	  
    
+
    -v
    
+
    
+	    Print the version number and exit.
+	  
    
+
    -x addr
    
+
    
+	    Simplified reverse lookups, for mapping addresses to
+	    names. The addr is an IPv4 address
+	    in dotted-decimal notation, or a colon-delimited IPv6
+	    address. When the -x is used, there is no
+	    need to provide
+	    the name, class
+	    and type
+	    arguments. dig automatically performs a
+	    lookup for a name like
+	    94.2.0.192.in-addr.arpa and sets the
+	    query type and class to PTR and IN respectively. IPv6
+	    addresses are looked up using nibble format under the
+	    IP6.ARPA domain (but see also the -i
+	    option).
+	  
    
+
    -y [hmac:]keyname:secret
    
+
    
 
    
-      The -b option sets the source IP address of the query
-      to address.  This must be a valid
-      address on
-      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
-      port
-      may be specified by appending "#<port>"
-    
    
+	    Sign queries using TSIG with the given authentication key.
+	    keyname is the name of the key, and
+	    secret is the base64 encoded shared secret.
+	    hmac is the name of the key algorithm;
+	    valid choices are hmac-md5,
+	    hmac-sha1, hmac-sha224,
+	    hmac-sha256, hmac-sha384, or
+	    hmac-sha512.  If hmac
+	    is not specified, the default is hmac-md5.
+	  
    
 
    
-      The default query class (IN for internet) is overridden by the
-      -c option.  class is
-      any valid
-      class, such as HS for Hesiod records or CH for Chaosnet records.
-    
    
-
    
-      The -f option makes dig 
-      operate
-      in batch mode by reading a list of lookup requests to process from the
-      file filename.  The file contains a
-      number of
-      queries, one per line.  Each entry in the file should be organized in
-      the same way they would be presented as queries to
-      dig using the command-line interface.
-    
    
-
    
-      The -m option enables memory usage debugging.
-      
-    
    
-
    
-      If a non-standard port number is to be queried, the
-      -p option is used.  port# is
-      the port number that dig will send its
-      queries
-      instead of the standard DNS port number 53.  This option would be used
-      to test a name server that has been configured to listen for queries
-      on a non-standard port number.
-    
    
-
    
-      The -4 option forces dig
-      to only
-      use IPv4 query transport.  The -6 option forces
-      dig to only use IPv6 query transport.
-    
    
-
    
-      The -t option sets the query type to
-      type.  It can be any valid query type
-      which is
-      supported in BIND 9.  The default query type is "A", unless the
-      -x option is supplied to indicate a reverse lookup.
-      A zone transfer can be requested by specifying a type of AXFR.  When
-      an incremental zone transfer (IXFR) is required,
-      type is set to ixfr=N.
-      The incremental zone transfer will contain the changes made to the zone
-      since the serial number in the zone's SOA record was
-      N.
-    
    
-
    
-      The -q option sets the query name to 
-      name.  This is useful to distinguish the
-      name from other arguments.
-    
    
-
    
-      The -v causes dig to
-      print the version number and exit.
-    
    
-
    
-      Reverse lookups — mapping addresses to names — are simplified by the
-      -x option.  addr is
-      an IPv4
-      address in dotted-decimal notation, or a colon-delimited IPv6 address.
-      When this option is used, there is no need to provide the
-      name, class and
-      type arguments.  dig
-      automatically performs a lookup for a name like
-      11.12.13.10.in-addr.arpa and sets the
-      query type and
-      class to PTR and IN respectively.  By default, IPv6 addresses are
-      looked up using nibble format under the IP6.ARPA domain.
-      To use the older RFC1886 method using the IP6.INT domain
-      specify the -i option.  Bit string labels (RFC2874)
-      are now experimental and are not attempted.
-    
    
-
    
-      To sign the DNS queries sent by dig and
-      their
-      responses using transaction signatures (TSIG), specify a TSIG key file
-      using the -k option.  You can also specify the TSIG
-      key itself on the command line using the -y option;
-      hmac is the type of the TSIG, default HMAC-MD5,
-      name is the name of the TSIG key and
-      key is the actual key.  The key is a
-      base-64
-      encoded string, typically generated by
-      dnssec-keygen(8).
-
-      Caution should be taken when using the -y option on
-      multi-user systems as the key can be visible in the output from
-      ps(1)
-      or in the shell's history file.  When
-      using TSIG authentication with dig, the name
-      server that is queried needs to know the key and algorithm that is
-      being used.  In BIND, this is done by providing appropriate
-      key and server statements in
-      named.conf.
-    
    
+	    NOTE: You should use the -k option and
+	    avoid the -y option, because
+	    with -y the shared secret is supplied as
+	    a command line argument in clear text. This may be visible
+	    in the output from
+	    ps(1)
+	    or in a history file maintained by the user's shell.
+	  
    
+
    
+
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -646,7 +666,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -692,7 +712,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -706,14 +726,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -721,7 +741,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 03429b0252..45097b7e88 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
 
    dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f file
    
 
    
@@ -88,14 +88,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 6dcae070b8..f9d6cc8248 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
 
    dnssec-coverage  [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -K directory
    
 
    
@@ -192,7 +192,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -201,7 +201,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 6e5fee8534..dd6b3a3c7e 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
 
    dnssec-dsfromkey  [-h] [-V]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -144,7 +144,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -159,7 +159,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index 158a5bb410..c90a6e602c 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@
 
    dnssec-importkey  {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-importkey
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f filename
    
 
    
@@ -114,7 +114,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
 
    
 
 
    
-
    FILES
    
+
    FILES
    
 
    
       A keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 0d36ef25d8..7270a2cfd4 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -243,7 +243,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -354,7 +354,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 52963c84cb..15bfa0afc3 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -287,7 +287,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -361,7 +361,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -407,7 +407,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -428,7 +428,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -437,7 +437,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 2a61541778..ddc5e2fd71 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -109,14 +109,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index df5835f091..c8f201164f 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -133,7 +133,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -212,7 +212,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -238,7 +238,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -246,7 +246,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index ed1afb6553..06f1fa4647 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -509,7 +509,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -539,14 +539,14 @@ db.example.com.signed
 %
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033, RFC 4641.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 9003673f8f..a9545c4dc5 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 
    dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -c class
    
 
    
@@ -138,7 +138,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -146,7 +146,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index e4f610dfec..ec5f9f4fc1 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 
    genrandom  [-n number] {size} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     
    
 
    
 
    
-
    ARGUMENTS
    
+
    ARGUMENTS
    
 
    
 
    -n number
    
 
    
@@ -77,14 +77,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       rand(3),
       arc4random(3)
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index aaf00d51fc..78756cf765 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -206,7 +206,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -220,12 +220,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index c73867bfbe..457a4e82c9 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 
    isc-hmac-fixup  {algorithm} {secret}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     
    
 
    
 
    
-
    SECURITY CONSIDERATIONS
    
+
    SECURITY CONSIDERATIONS
    
 
    
       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       BIND 9 Administrator Reference Manual,
       RFC 2104.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 56148e98ea..e6a9299c72 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -119,21 +119,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index b139e66484..7669998971 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -305,14 +305,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -320,7 +320,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 1494228e19..7aadb2c6e2 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 
    named-journalprint  {journal}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 9b39443288..68254fe350 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -50,7 +50,7 @@
 
    named-rrchecker  [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-rrchecker
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
@@ -78,7 +78,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       RFC 1034,
       RFC 1035,
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 1903a9724e..1257510d1b 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -47,10 +47,10 @@
 
    
 
    
 
    Synopsis
    
-
    named  [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]
    
+
    named  [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -129,6 +129,14 @@
             Run the server in the foreground and force all logging
             to stderr.
           
    
+
    -M option
    
+
    
+	    Sets the default memory context options.  Currently
+	    the only supported option is
+	    external,
+	    which causes the internal memory manager to be bypassed
+	    in favor of system-provided memory allocation functions.
+          
    
 
    -m flag
    
 
    
 	    Turn on memory usage debugging flags.  Possible flags are
@@ -276,7 +284,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -297,7 +305,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -314,7 +322,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -327,7 +335,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -340,7 +348,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 96955bb962..b539f8ce7d 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 
    nsec3hash  {salt} {algorithm} {iterations} {domain}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     
    
 
    
 
    
-
    ARGUMENTS
    
+
    ARGUMENTS
    
 
    
 
    salt
    
 
    
@@ -80,14 +80,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       BIND 9 Administrator Reference Manual,
       RFC 5155.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 1501ad7cee..1c9ae0b8b1 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -236,7 +236,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -538,7 +538,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -592,7 +592,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -615,7 +615,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       RFC 2136,
       RFC 3007,
@@ -630,7 +630,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index dacda17283..781fbf1e87 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -180,7 +180,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -197,7 +197,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 5108b457a7..1073e79bf2 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -228,7 +228,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index c61c9c3f0f..501d1431c1 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -81,7 +81,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -152,7 +152,7 @@
 
    
 
    
 
    
-
    COMMANDS
    
+
    COMMANDS
    
 
    
       A list of commands supported by rndc can
       be seen by running rndc without arguments.
@@ -537,7 +537,7 @@
 
    
 
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    
       There is currently no way to provide the shared secret for a
       key_id without using the configuration file.
@@ -547,7 +547,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -557,7 +557,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 4bf52808e7..82c50fb6da 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -267,7 +267,12 @@
 
  • 
 	  Fixed some bugs in RFC 5011 trust anchor management,
 	  including a memory leak and a possible loss of state
-	  information.[RT #38458]
+	  information. [RT #38458]
+	
    • 
+
  • 
+	  Asynchronous zone loads were not handled correctly when the
+	  zone load was already in progress; this could trigger a crash
+	  in zt.c. [RT #37573]
 	
    •