diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 609e18f8fb..8fd4b994b7 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -99,7 +99,7 @@ server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen .RS 4 .nf trusted\-keys { - \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... + \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... }; .fi .RE @@ -108,7 +108,7 @@ trusted\-keys { .RS 4 .nf managed\-keys { - \fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... + \fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... }; .fi .RE @@ -265,9 +265,9 @@ options { dns64\-server \fIstring\fR; dns64\-contact \fIstring\fR; dns64 \fIprefix\fR { - clients { acl; }; - exclude { acl; }; - mapped { acl; }; + clients { \fIacl\fR; }; + exclude { \fIacl\fR; }; + mapped { \fIacl\fR; }; break\-dnssec \fIboolean\fR; recursive\-only \fIboolean\fR; suffix \fIipv6_address\fR; @@ -333,6 +333,11 @@ options { zero\-no\-soa\-ttl \fIboolean\fR; zero\-no\-soa\-ttl\-cache \fIboolean\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; + cookie\-algorithm ( \fIaes\fR | \fIsha1\fR | \fIsha256\fR ); + cookie\-secret \fIstring\fR; + require\-server\-cookie \fIboolean\fR; + send\-cookie \fIboolean\fR; + nocookie\-udp\-size \fIinteger\fR; deny\-answer\-addresses { \fIaddress_match_list\fR } [ except\-from { \fInamelist\fR } ]; @@ -436,9 +441,9 @@ view \fIstring\fR \fIoptional_class\fR { dns64\-server \fIstring\fR; dns64\-contact \fIstring\fR; dns64 \fIprefix\fR { - clients { acl; }; - exclude { acl; }; - mapped { acl; }; + clients { \fIacl\fR; }; + exclude { \fIacl\fR; }; + mapped { \fIacl\fR; }; break\-dnssec \fIboolean\fR; recursive\-only \fIboolean\fR; suffix \fIipv6_address\fR; @@ -498,6 +503,9 @@ view \fIstring\fR \fIoptional_class\fR { zero\-no\-soa\-ttl \fIboolean\fR; zero\-no\-soa\-ttl\-cache \fIboolean\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; + require\-server\-cookie \fIboolean\fR; + send\-cookie \fIboolean\fR; + nocookie\-udp\-size \fIinteger\fR; allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete fetch\-glue \fIboolean\fR; // obsolete maintain\-ixfr\-base \fIboolean\fR; // obsolete @@ -538,7 +546,7 @@ zone \fIstring\fR \fIoptional_class\fR { update\-policy \fIlocal\fR | \fI { ( grant | deny ) \fR\fI\fIstring\fR\fR\fI ( name | subdomain | wildcard | self | selfsub | selfwild | - krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain | + krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain | tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI \fR\fI\fIrrtypelist\fR\fR\fI; \fR\fI[...]\fR\fI diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index 44cb95c719..0b4ed223d3 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -101,7 +101,7 @@ server

TRUSTED-KEYS


trusted-keys {
- domain_name flags protocol algorithm key; ... 
+ domain_name flags protocol algorithm key; ...
};

@@ -109,7 +109,7 @@ trusted-keys

MANAGED-KEYS


managed-keys {
- domain_name initial-key flags protocol algorithm key; ... 
+ domain_name initial-key flags protocol algorithm key; ...
};

@@ -263,9 +263,9 @@ options dns64-server string;
dns64-contact string;
dns64 prefix {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
+ clients { acl; };
+ exclude { acl; };
+ mapped { acl; };
break-dnssec boolean;
recursive-only boolean;
suffix ipv6_address;
@@ -341,6 +341,13 @@ options zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
dnssec-secure-to-insecure boolean;
+
+ cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-secret string;
+ require-server-cookie boolean;
+ send-cookie boolean;
+ nocookie-udp-size integer;
+
deny-answer-addresses {
address_match_list
} [ except-from { namelist } ];
@@ -366,7 +373,7 @@ options

-

VIEW

+

VIEW


view string optional_class {
match-clients { address_match_element; ... };
@@ -451,9 +458,9 @@ view dns64-server string;
dns64-contact string;
dns64 prefix {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
+ clients { acl; };
+ exclude { acl; };
+ mapped { acl; };
break-dnssec boolean;
recursive-only boolean;
suffix ipv6_address;
@@ -522,6 +529,10 @@ view zero-no-soa-ttl boolean;
zero-no-soa-ttl-cache boolean;
dnssec-secure-to-insecure boolean;
+
+ require-server-cookie boolean;
+ send-cookie boolean;
+ nocookie-udp-size integer;

allow-v6-synthesis { address_match_element; ... }; // obsolete
fetch-glue boolean; // obsolete
@@ -531,7 +542,7 @@ view

-

ZONE

+

ZONE


zone string optional_class {
type ( master | slave | stub | hint | redirect |
@@ -565,7 +576,7 @@ zone update-policy local |  {
( grant | deny ) string
( name | subdomain | wildcard | self | selfsub | selfwild |
-                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
+   krb5-self | ms-self | krb5-subdomain | ms-subdomain |
  tcp-self | zonesub | 6to4-self ) string
rrtypelist;
[...]
@@ -628,12 +639,12 @@ zone

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), rndc(8), diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index ba9a9efe50..28a0833e9f 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,39 +70,39 @@

DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
-
Prerequisites
-
Native PKCS#11
-
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Native PKCS#11
+
OpenSSL-based PKCS#11
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -1080,7 +1080,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1142,7 +1142,7 @@ options {
 
While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.

 

-Fully automatic zone signing

+Fully automatic zone signing
 
To enable automatic signing, add the 
   auto-dnssec option to the zone statement in 
   named.conf. 
@@ -1205,7 +1205,7 @@ options {
   configuration. If this has not been done, the configuration will
   fail.

 

-Private-type records

+Private-type records
 
The state of the signing process is signaled by
   private-type records (with a default type value of 65534). When
   signing is complete, these records will have a nonzero value for
@@ -1246,12 +1246,12 @@ options {
 

   

 

-DNSKEY rollovers

+DNSKEY rollovers
 
As with insecure-to-secure conversions, rolling DNSSEC
   keys can be done in two ways: using a dynamic DNS update, or the 
   auto-dnssec zone option.

 

-Dynamic DNS update method

+Dynamic DNS update method
 
 To perform key rollovers via dynamic update, you need to add
   the K* files for the new keys so that 
   named can find them. You can then add the new
@@ -1273,7 +1273,7 @@ options {
   named will clean out any signatures generated
   by the old key after the update completes.

 

-Automatic key rollovers

+Automatic key rollovers
 
When a new key reaches its activation date (as set by
   dnssec-keygen or dnssec-settime),
   if the auto-dnssec zone option is set to 
@@ -1288,27 +1288,27 @@ options {
   completes in 30 days, after which it will be safe to remove the
   old key from the DNSKEY RRset.

 

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE
 
Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.

 

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3
 
To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.

 

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC
 
To do this, use nsupdate to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.

 

-Converting from secure to insecure

+Converting from secure to insecure
 
To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1323,14 +1323,14 @@ options {
   allow instead (or it will re-sign).
   

 

-Periodic re-signing

+Periodic re-signing
 
In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.

 

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT
 

   named only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
@@ -1352,7 +1352,7 @@ options {
   configuration files.

 

 

-Validating Resolver

+Validating Resolver

 
To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     managed-keys statement. Information about
@@ -1363,7 +1363,7 @@ options {
 
 

 

-Authoritative Server

+Authoritative Server

 
To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
@@ -1460,7 +1460,7 @@ $ dnssec-signzone -S -K keys example.net<
   

 

 

-Prerequisites

+Prerequisites

 

       See the documentation provided by your HSM vendor for
       information about installing, initializing, testing and
@@ -1469,7 +1469,7 @@ $ dnssec-signzone -S -K keys example.net<
 
 

 

-Native PKCS#11

+Native PKCS#11

 

       Native PKCS#11 mode will only work with an HSM capable of carrying
       out every cryptographic operation BIND 9 may
@@ -1502,7 +1502,7 @@ $ ./configure --enable-native-pkcs11 \
     

 

 

-Building SoftHSMv2

+Building SoftHSMv2

 

 	SoftHSMv2, the latest development version of SoftHSM, is available
 	from
@@ -1540,7 +1540,7 @@ $  /opt/pkcs11/usr/bin/softhsm-util --init-token
 
 

 

-OpenSSL-based PKCS#11

+OpenSSL-based PKCS#11

 

       OpenSSL-based PKCS#11 mode uses a modified version of the
       OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1598,7 +1598,7 @@ $  /opt/pkcs11/usr/bin/softhsm-util --init-token
     

 

 

-Patching OpenSSL

+Patching OpenSSL

 
 $ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
   

@@ -1631,7 +1631,7 @@ $ patch -p1 -d openssl-0.9.8zc \
 
 

 

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

 

 	The AEP Keyper is a highly secure key storage device,
 	but does not provide hardware cryptographic acceleration. It
@@ -1673,7 +1673,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
 
 

 

-Building OpenSSL for the SCA 6000 on Solaris

+Building OpenSSL for the SCA 6000 on Solaris

 

 	The SCA-6000 PKCS#11 provider is installed as a system
 	library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1702,7 +1702,7 @@ $ ./Configure solaris64-x86_64-cc \
 
 

 

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

 

 	SoftHSM (version 1) is a software library developed by the
 	OpenDNSSEC project
@@ -1777,7 +1777,7 @@ $ ./Configure linux-x86_64 -pthread \
     

 

 

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

 

 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
@@ -1797,7 +1797,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
 
 

 

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

 

 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
@@ -1819,7 +1819,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
 
 

 

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM

 
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1840,7 +1840,7 @@ $ ./configure --enable-threads \
 
 

 

-PKCS#11 Tools

+PKCS#11 Tools

 

       BIND 9 includes a minimal set of tools to operate the
       HSM, including 
@@ -1863,7 +1863,7 @@ $ ./configure --enable-threads \
 
 

 

-Using the HSM

+Using the HSM

 

       For OpenSSL-based PKCS#11, we must first set up the runtime
       environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1984,7 +1984,7 @@ example.net.signed
 
 

 

-Specifying the engine on the command line

+Specifying the engine on the command line

 

       When using OpenSSL-based PKCS#11, the "engine" to be used by
       OpenSSL can be specified in named and all of
@@ -2016,7 +2016,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

 

       If you want named to dynamically re-sign zones
       using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2103,7 +2103,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Configuring DLZ

+Configuring DLZ

 

       A DLZ database is configured with a dlz
       statement in named.conf:
@@ -2152,7 +2152,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Sample DLZ Driver

+Sample DLZ Driver

 

       For guidance in implementation of DLZ modules, the directory
       contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index fb46206ba4..473e1527b6 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -78,28 +78,28 @@
 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -2267,6 +2267,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ notify yes_or_no | explicit | master-only; ]
     [ recursion yes_or_no; ]
     [ send-cookie yes_or_no; ]
+    [ require-server-cookie yes_or_no; ]
     [ cookie-algorithm secret_string; ]
     [ cookie-secret secret_string; ]
     [ request-nsid yes_or_no; ]
@@ -3661,6 +3662,8 @@ options {
                 

 
request-sit

 

+
require-server-cookie

+

 
send-cookie

 

                   If yes, then a COOKIE EDNS
@@ -4218,7 +4221,7 @@ options {
 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -4262,7 +4265,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -4538,7 +4541,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -5015,7 +5018,7 @@ avoid-v6-udp-ports {};
 
 

 

-UDP Port Lists

+UDP Port Lists

 

             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -5057,7 +5060,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -5398,7 +5401,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -6441,7 +6444,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 

 

 

-Content Filtering

+Content Filtering

 

             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -6564,7 +6567,7 @@ deny-answer-aliases { "example.net"; };
 
 

 

-Response Policy Zone (RPZ) Rewriting

+Response Policy Zone (RPZ) Rewriting

 

             BIND 9 includes a limited
             mechanism to modify DNS responses for requests
@@ -6942,7 +6945,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 

 

-Response Rate Limiting

+Response Rate Limiting

 

             Excessive almost identical UDP responses
             can be controlled by configuring a
@@ -7505,7 +7508,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 

 

-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage

 

           The statistics-channels statement
@@ -7625,7 +7628,7 @@ example.com                 CNAME   rpz-tcp-only.
 

 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -7669,7 +7672,7 @@ example.com                 CNAME   rpz-tcp-only.
 

 

 

-managed-keys Statement Grammar

+managed-keys Statement Grammar

 
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7807,7 +7810,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -8129,10 +8132,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -8450,7 +8453,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -8472,7 +8475,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -9403,7 +9406,7 @@ example.com. NS ns2.example.net.
 

 

 

-Multiple views

+Multiple views

 

               When multiple views are in use, a zone may be
               referenced by more than one of them. Often, the views
@@ -9465,7 +9468,7 @@ view external {
 
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -9478,7 +9481,7 @@ view external {
           

 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -10215,7 +10218,7 @@ view external {
 
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -10418,7 +10421,7 @@ view external {
 
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -10673,7 +10676,7 @@ view external {
 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -10734,7 +10737,7 @@ view external {
 
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -10749,7 +10752,7 @@ view external {
           

 

 

-The @ (at-sign)

+The @ (at-sign)

 

               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -10760,7 +10763,7 @@ view external {
 
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -10789,7 +10792,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -10825,7 +10828,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -10844,7 +10847,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -11287,7 +11290,7 @@ HOST-127.EXAMPLE. MX 0 .
           

 

 

-Name Server Statistics Counters

+Name Server Statistics Counters

 

 
 

@@ -11910,7 +11913,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

 
 

 
 
@@ -12064,7 +12067,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Resolver Statistics Counters

+Resolver Statistics Counters

 
 

 
 
@@ -12447,7 +12450,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

               Socket I/O statistics counters are defined per socket
               types, which are
@@ -12602,7 +12605,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 652c1267b4..5c74824522 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
 
Table of Contents

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -245,7 +245,7 @@ allow-query { !{ !10/8; any; }; key example; };
 

 

-Chroot and Setuid
+Chroot and Setuid
 

 

           On UNIX servers, it is possible to run BIND
@@ -271,7 +271,7 @@ allow-query { !{ !10/8; any; }; key example; };
         

 

 

-The chroot Environment

+The chroot Environment

             In order for a chroot environment
             to
@@ -299,7 +299,7 @@ allow-query { !{ !10/8; any; }; key example; };
 
 

 

-Using the setuid Function

+Using the setuid Function

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index c98a543ca1..1807dac1cf 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

-Common Problems

+Common Problems

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 9c05c40c90..9fce18fa68 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -42,7 +42,674 @@
 

 

 Appendix A. Release Notes

-<xi:include></xi:include>
+

+
Table of Contents

+

+
Release Notes for BIND Version 9.11.0pre-alpha

+

+
Introduction

+
Download

+
Security Fixes

+
New Features

+
Feature Changes

+
Bug Fixes

+
End of Life

+
Thank You

+

+

+

+

+

+Release Notes for BIND Version 9.11.0pre-alpha

+

+

+Introduction

+

+      This document summarizes changes since the last production release
+      of BIND on the corresponding major release branch.
+    

+

+

+

+Download

+

+      The latest versions of BIND 9 software can always be found at
+      http://www.isc.org/downloads/.
+      There you will find additional information about each release,
+      source code, and pre-compiled versions for Microsoft Windows
+      operating systems.
+    

+

+

+

+Security Fixes

+
    
+
  • 
+	  An incorrect boundary check in the OPENPGPKEY rdatatype
+	  could trigger an assertion failure. [RT #40286]
+	
    • 
+
  • 
+
    
+	  A buffer accounting error could trigger an assertion failure
+	  when parsing certain malformed DNSSEC keys.
+	
    
+
    
+	  This flaw was discovered by Hanno Boeck of the Fuzzing
+	  Project, and is disclosed in CVE-2015-5722. [RT #40212]
+	
    
+
    • 
+
  • 
+
    
+	  A specially crafted query could trigger an assertion failure
+	  in message.c.
+	
    
+
    
+	  This flaw was discovered by Jonathan Foote, and is disclosed
+	  in CVE-2015-5477. [RT #39795]
+	
    
+
    • 
+
  • 
+
    
+	  On servers configured to perform DNSSEC validation, an
+	  assertion failure could be triggered on answers from
+	  a specially configured server.
+	
    
+
    
+	  This flaw was discovered by Breno Silveira Soares, and is
+	  disclosed in CVE-2015-4620. [RT #39795]
+	
    
+
    • 
+
  • 
+
    
+	  On servers configured to perform DNSSEC validation using
+	  managed trust anchors (i.e., keys configured explicitly
+	  via managed-keys, or implicitly 
+	  via dnssec-validation auto; or
+	  dnssec-lookaside auto;), revoking
+	  a trust anchor and sending a new untrusted replacement
+	  could cause named to crash with an
+	  assertion failure. This could occur in the event of a
+	  botched key rollover, or potentially as a result of a
+	  deliberate attack if the attacker was in position to
+	  monitor the victim's DNS traffic.
+	
    
+
    
+	  This flaw was discovered by Jan-Piet Mens, and is
+	  disclosed in CVE-2015-1349. [RT #38344]
+	
    
+
    • 
+
  • 
+
    
+	  A flaw in delegation handling could be exploited to put
+	  named into an infinite loop, in which
+	  each lookup of a name server triggered additional lookups
+	  of more name servers.  This has been addressed by placing
+	  limits on the number of levels of recursion
+	  named will allow (default 7), and
+	  on the number of queries that it will send before
+	  terminating a recursive query (default 50).
+	
    
+
    
+	  The recursion depth limit is configured via the
+	  max-recursion-depth option, and the query limit
+	  via the max-recursion-queries option.
+	
    
+
    
+	  The flaw was discovered by Florian Maury of ANSSI, and is
+	  disclosed in CVE-2014-8500. [RT #37580]
+	
    
+
    • 
+
  • 
+
    
+	  Two separate problems were identified in BIND's GeoIP code that
+	  could lead to an assertion failure. One was triggered by use of
+	  both IPv4 and IPv6 address families, the other by referencing
+	  a GeoIP database in named.conf which was
+	  not installed. Both are covered by CVE-2014-8680. [RT #37672]
+	  [RT #37679]
+	
    
+
    
+	  A less serious security flaw was also found in GeoIP: changes
+	  to the geoip-directory option in
+	  named.conf were ignored when running
+	  rndc reconfig. In theory, this could allow
+	  named to allow access to unintended clients.
+	
    
+
    • 
+

+

+

+

+New Features

+
    
+
  • 
+
    
+	  New quotas have been added to limit the queries that are
+	  sent by recursive resolvers to authoritative servers
+	  experiencing denial-of-service attacks. When configured,
+	  these options can both reduce the harm done to authoritative
+	  servers and also avoid the resource exhaustion that can be
+	  experienced by recursives when they are being used as a
+	  vehicle for such an attack.
+	
    
+
      
+
    • 
+	      fetches-per-server limits the number of
+	      simultaneous queries that can be sent to any single
+	      authoritative server.  The configured value is a starting
+	      point; it is automatically adjusted downward if the server is
+	      partially or completely non-responsive. The algorithm used to
+	      adjust the quota can be configured via the
+	      fetch-quota-params option.
+	    
      • 
+
    • 
+	      fetches-per-zone limits the number of
+	      simultaneous queries that can be sent for names within a
+	      single domain.  (Note: Unlike "fetches-per-server", this
+	      value is not self-tuning.)
+	    
      • 
+
    
+
    
+	  Statistics counters have also been added to track the number
+	  of queries affected by these quotas.
+	
    
+
    • 
+
  • 
+	  New statistics counters have been added to track traffic
+	  sizes, as specified in RSSAC002.  Query and response
+	  message sizes are broken up into ranges of histogram buckets:
+	  TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
+	  and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
+	  and 4096+.  These values can be accessed via the XML and JSON
+	  statistics channels at, for example,
+	  http://localhost:8888/xml/v3/traffic
+	  or
+	  http://localhost:8888/json/v1/traffic.
+	
    • 
+
  • 
+	  The serial number of a dynamically updatable zone can
+	  now be set using
+	  rndc signing -serial number zonename.
+	  This is particularly useful with inline-signing
+	  zones that have been reset.  Setting the serial number to a value
+	  larger than that on the slaves will trigger an AXFR-style
+	  transfer.
+	
    • 
+
  • 
+	  When answering recursive queries, SERVFAIL responses can now be
+	  cached by the server for a limited time; subsequent queries for
+	  the same query name and type will return another SERVFAIL until
+	  the cache times out.  This reduces the frequency of retries
+	  when a query is persistently failing, which can be a burden
+	  on recursive serviers.  The SERVFAIL cache timeout is controlled
+	  by servfail-ttl, which defaults to 10 seconds
+	  and has an upper limit of 30.
+	
    • 
+
  • 
+	  The new rndc nta command can now be used to
+	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
+	  a specific domain; this can be used when responses from a domain
+	  are known to be failing validation due to administrative error
+	  rather than because of a spoofing attack. NTAs are strictly
+	  temporary; by default they expire after one hour, but can be
+	  configured to last up to one week.  The default NTA lifetime
+	  can be changed by setting the nta-lifetime in
+	  named.conf. When added, NTAs are stored in a
+	  file (viewname.nta)
+	  in order to persist across restarts of the named server.
+	
    • 
+
  • 
+	  The EDNS Client Subnet (ECS) option is now supported for
+	  authoritative servers; if a query contains an ECS option then
+	  ACLs containing geoip or ecs
+	  elements can match against the the address encoded in the option.
+	  This can be used to select a view for a query, so that different
+	  answers can be provided depending on the client network.
+	
    • 
+
  • 
+	  The EDNS EXPIRE option has been implemented on the client
+	  side, allowing a slave server to set the expiration timer
+	  correctly when transferring zone data from another slave
+	  server.
+	
    • 
+
  • 
+	  A new masterfile-style zone option controls
+	  the formatting of text zone files:  When set to
+	  full, the zone file will dumped in
+	  single-line-per-record format.
+	
    • 
+
  • 
+	  dig +ednsopt can now be used to set
+	  arbitrary EDNS options in DNS requests.
+	
    • 
+
  • 
+	  dig +ednsflags can now be used to set
+	  yet-to-be-defined EDNS flags in DNS requests.
+	
    • 
+
  • 
+	  dig +[no]ednsnegotiation can now be used enable /
+	  disable EDNS version negotiation.
+	
    • 
+
  • 
+	  dig +header-only can now be used to send
+	  queries without a question section.
+	
    • 
+
  • 
+	  dig +ttlunits causes dig
+	  to print TTL values with time-unit suffixes: w, d, h, m, s for
+	  weeks, days, hours, minutes, and seconds.
+	
    • 
+
  • 
+	  dig +zflag can be used to set the last
+	  unassigned DNS header flag bit.  This bit in normally zero.
+	
    • 
+
  • 
+	  dig +dscp=value
+	  can now be used to set the DSCP code point in outgoing query
+	  packets.
+	
    • 
+
  • 
+	  serial-update-method can now be set to
+	  date. On update, the serial number will
+	  be set to the current date in YYYYMMDDNN format.
+	
    • 
+
  • 
+	  dnssec-signzone -N date also sets the serial
+	  number to YYYYMMDDNN.
+	
    • 
+
  • 
+	  named -L filename
+	  causes named to send log messages to the specified file by
+	  default instead of to the system log.
+	
    • 
+
  • 
+	  The rate limiter configured by the
+	  serial-query-rate option no longer covers
+	  NOTIFY messages; those are now separately controlled by
+	  notify-rate and
+	  startup-notify-rate (the latter of which
+	  controls the rate of NOTIFY messages sent when the server
+	  is first started up or reconfigured).
+	
    • 
+
  • 
+	  The default number of tasks and client objects available
+	  for serving lightweight resolver queries have been increased,
+	  and are now configurable via the new lwres-tasks
+	  and lwres-clients options in
+	  named.conf. [RT #35857]
+	
    • 
+
  • 
+	  Log output to files can now be buffered by specifying
+	  buffered yes; when creating a channel.
+	
    • 
+
  • 
+	  delv +tcp will exclusively use TCP when
+	  sending queries.
+	
    • 
+
  • 
+	  named will now check to see whether
+	  other name server processes are running before starting up.
+	  This is implemented in two ways: 1) by refusing to start
+	  if the configured network interfaces all return "address
+	  in use", and 2) by attempting to acquire a lock on a file
+	  specified by the lock-file option or
+	  the -X command line option.  The
+	  default lock file is
+	  /var/run/named/named.lock.
+	  Specifying none will disable the lock
+	  file check.
+	
    • 
+
  • 
+	  rndc delzone can now be applied to zones
+	  which were configured in named.conf;
+	  it is no longer restricted to zones which were added by
+	  rndc addzone.  (Note, however, that
+	  this does not edit named.conf; the zone
+	  must be removed from the configuration or it will return
+	  when named is restarted or reloaded.)
+	
    • 
+
  • 
+	  rndc modzone can be used to reconfigure
+	  a zone, using similar syntax to rndc addzone. 
+	
    • 
+
  • 
+	  rndc showzone displays the current
+	  configuration for a specified zone.
+	
    • 
+
  • 
+
    
+	  Added server-side support for pipelined TCP queries.  Clients
+	  may continue sending queries via TCP while previous queries are
+	  processed in parallel.  Responses are sent when they are
+	  ready, not necessarily in the order in which the queries were
+	  received.
+	
    
+
    
+	  To revert to the former behavior for a particular
+	  client address or range of addresses, specify the address prefix
+	  in the "keep-response-order" option.  To revert to the former
+	  behavior for all clients, use "keep-response-order { any; };".
+	
    
+
    • 
+
  • 
+	  The new mdig command is a version of
+	  dig that sends multiple pipelined
+	  queries and then waits for responses, instead of sending one
+	  query and waiting the response before sending the next. [RT #38261]
+	
    • 
+
  • 
+	  To enable better monitoring and troubleshooting of RFC 5011
+	  trust anchor management, the new rndc managed-keys
+	  can be used to check status of trust anchors or to force keys
+	  to be refreshed.  Also, the managed-keys data file now has
+	  easier-to-read comments. [RT #38458]
+	
    • 
+
  • 
+	  An --enable-querytrace configure switch is
+	  now available to enable very verbose query tracelogging. This
+	  option can only be set at compile time. This option has a
+	  negative performance impact and should be used only for
+	  debugging. [RT #37520]
+	
    • 
+
  • 
+	  A new tcp-only option can be specified
+	  in server statements to force
+	  named to connect to the specified
+	  server via TCP. [RT #37800]
+	
    • 
+
  • 
+	  The nxdomain-redirect option specifies
+	  a DNS namespace to use for NXDOMAIN redirection. When a 
+	  recursive lookup returns NXDOMAIN, a second lookup is
+	  initiated with the specified name appended to the query
+	  name. This allows NXDOMAIN redirection data to be supplied
+	  by multiple zones configured on the server or by recursive
+	  queries to other servers. (The older method, using
+	  a single type redirect zone, has
+	  better average performance but is less flexible.) [RT #37989]
+	
    • 
+

+

+

+

+Feature Changes

+
    
+
  • 
+	  ACLs containing geoip asnum elements were
+	  not correctly matched unless the full organization name was
+	  specified in the ACL (as in
+	  geoip asnum "AS1234 Example, Inc.";).
+	  They can now match against the AS number alone (as in
+	  geoip asnum "AS1234";).
+	
    • 
+
  • 
+	  When using native PKCS#11 cryptography (i.e.,
+	  configure --enable-native-pkcs11) HSM PINs
+	  of up to 256 characters can now be used.
+	
    • 
+
  • 
+	  NXDOMAIN responses to queries of type DS are now cached separately
+	  from those for other types. This helps when using "grafted" zones
+	  of type forward, for which the parent zone does not contain a
+	  delegation, such as local top-level domains.  Previously a query
+	  of type DS for such a zone could cause the zone apex to be cached
+	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
+	  change is only helpful when DNSSEC validation is not enabled.
+	  "Grafted" zones without a delegation in the parent are not a
+	  recommended configuration.)
+	
    • 
+
  • 
+	  Update forwarding performance has been improved by allowing
+	  a single TCP connection to be shared between multiple updates.
+	
    • 
+
  • 
+	  By default, nsupdate will now check
+	  the correctness of hostnames when adding records of type
+	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
+	  disabled with check-names no.
+	
    • 
+
  • 
+	  Added support for OPENPGPKEY type.
+	
    • 
+
  • 
+	  The names of the files used to store managed keys and added
+	  zones for each view are no longer based on the SHA256 hash
+	  of the view name, except when this is necessary because the
+	  view name contains characters that would be incompatible with use
+	  as a file name.  For views whose names do not contain forward
+	  slashes ('/'), backslashes ('\'), or capital letters - which
+	  could potentially cause namespace collision problems on
+	  case-insensitive filesystems - files will now be named
+	  after the view (for example, internal.mkeys
+	  or external.nzf).  However, to ensure
+	  consistent behavior when upgrading, if a file using the old
+	  name format is found to exist, it will continue to be used.
+	
    • 
+
  • 
+	  "rndc" can now return text output of arbitrary size to
+	  the caller. (Prior to this, certain commands such as
+	  "rndc tsig-list" and "rndc zonestatus" could return
+	  truncated output.)
+	
    • 
+
  • 
+	  Errors reported when running rndc addzone
+	  (e.g., when a zone file cannot be loaded) have been clarified
+	  to make it easier to diagnose problems.
+	
    • 
+
  • 
+	  When encountering an authoritative name server whose name is
+	  an alias pointing to another name, the resolver treats
+	  this as an error and skips to the next server. Previously
+	  this happened silently; now the error will be logged to
+	  the newly-created "cname" log category.
+	
    • 
+
  • 
+	  If named is not configured to validate the answer then
+	  allow fallback to plain DNS on timeout even when we know
+	  the server supports EDNS.  This will allow the server to
+	  potentially resolve signed queries when TCP is being
+	  blocked.
+	
    • 
+
  • 
+	  Large inline-signing changes should be less disruptive.
+	  Signature generation is now done incrementally; the number
+	  of signatures to be generated in each quantum is controlled
+	  by "sig-signing-signatures number;".
+	  [RT #37927]
+	
    • 
+
  • 
+
    
+	  The experimental SIT option (code point 65001) of BIND
+	  9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
+	  option (code point 10). It is no longer experimental, and
+	  is sent by default, by both named and
+	  dig.
+	
    
+
    
+	  The SIT-related named.conf options have been marked as
+	  obsolete, and are otherwise ignored.
+	
    
+
    • 
+
  • 
+	  When dig receives a truncated (TC=1)
+	  response or a BADCOOKIE response code from a server, it
+	  will automatically retry the query using the server COOKIE
+	  that was returned by the server in its initial response.
+	  [RT #39047]
+	
    • 
+
  • 
+	  A alternative NXDOMAIN redirect method (nxdomain-redirect)
+	  which allows the redirect information to be looked up from
+	  a namespace on the Internet rather than requiring a zone
+	  to be configured on the server is now available.
+	
    • 
+
  • 
+	  Retrieving the local port range from net.ipv4.ip_local_port_range
+	  on Linux is now supported.
+	
    • 
+
  • 
+	  Within the response-policy option, it is now
+	  possible to configure RPZ rewrite logging on a per-zone basis
+	  using the log clause.
+	
    • 
+

+

+

+

+Bug Fixes

+
    
+
  • 
+	  dig, host and
+	  nslookup aborted when encountering
+	  a name which, after appending search list elements,
+	  exceeded 255 bytes. Such names are now skipped, but
+	  processing of other names will continue. [RT #36892]
+	
    • 
+
  • 
+	  The error message generated when
+	  named-checkzone or
+	  named-checkconf -z encounters a
+	  $TTL directive without a value has
+	  been clarified. [RT #37138]
+	
    • 
+
  • 
+	  Semicolon characters (;) included in TXT records were
+	  incorrectly escaped with a backslash when the record was
+	  displayed as text. This is actually only necessary when there
+	  are no quotation marks. [RT #37159]
+	
    • 
+
  • 
+	  When files opened for writing by named,
+	  such as zone journal files, were referenced more than once
+	  in named.conf, it could lead to file
+	  corruption as multiple threads wrote to the same file. This
+	  is now detected when loading named.conf
+	  and reported as an error. [RT #37172]
+	
    • 
+
  • 
+	  When checking for updates to trust anchors listed in
+	  managed-keys, named
+	  now revalidates keys based on the current set of
+	  active trust anchors, without relying on any cached
+	  record of previous validation. [RT #37506]
+	
    • 
+
  • 
+	  Large-system tuning
+	  (configure --with-tuning=large) caused
+	  problems on some platforms by setting a socket receive
+	  buffer size that was too large.  This is now detected and
+	  corrected at run time. [RT #37187]
+	
    • 
+
  • 
+	  When NXDOMAIN redirection is in use, queries for a name
+	  that is present in the redirection zone but a type that
+	  is not present will now return NOERROR instead of NXDOMAIN.
+	
    • 
+
  • 
+	  Due to an inadvertent removal of code in the previous
+	  release, when named encountered an
+	  authoritative name server which dropped all EDNS queries,
+	  it did not always try plain DNS. This has been corrected.
+	  [RT #37965]
+	
    • 
+
  • 
+	  A regression caused nsupdate to use the default recursive servers
+	  rather than the SOA MNAME server when sending the UPDATE.
+	
    • 
+
  • 
+	  Adjusted max-recursion-queries to accommodate the smaller
+	  initial packet sizes used in BIND 9.10 and higher when
+	  contacting authoritative servers for the first time.
+	
    • 
+
  • 
+	  Built-in "empty" zones did not correctly inherit the
+	  "allow-transfer" ACL from the options or view. [RT #38310]
+	
    • 
+
  • 
+	  Two leaks were fixed that could cause named
+	  processes to grow to very large sizes. [RT #38454]
+	
    • 
+
  • 
+	  Fixed some bugs in RFC 5011 trust anchor management,
+	  including a memory leak and a possible loss of state
+	  information. [RT #38458]
+	
    • 
+
  • 
+	  Asynchronous zone loads were not handled correctly when the
+	  zone load was already in progress; this could trigger a crash
+	  in zt.c. [RT #37573]
+	
    • 
+
  • 
+	  A race during shutdown or reconfiguration could
+	  cause an assertion failure in mem.c. [RT #38979]
+	
    • 
+
  • 
+	  Some answer formatting options didn't work correctly with
+	  dig +short. [RT #39291]
+	
    • 
+
  • 
+
    
+	  Several bugs have been fixed in the RPZ implementation:
+	
    
+
      
+
    • 
+	      Policy zones that did not specifically require recursion
+	      could be treated as if they did; consequently, setting
+	      qname-wait-recurse no; was
+	      sometimes ineffective.  This has been corrected.
+	      In most configurations, behavioral changes due to this
+	      fix will not be noticeable. [RT #39229]
+	    
      • 
+
    • 
+	      The server could crash if policy zones were updated (e.g.
+	      via rndc reload or an incoming zone
+	      transfer) while RPZ processing was still ongoing for an
+	      active query. [RT #39415]
+	    
      • 
+
    • 
+	      On servers with one or more policy zones configured as
+	      slaves, if a policy zone updated during regular operation
+	      (rather than at startup) using a full zone reload, such as
+	      via AXFR, a bug could allow the RPZ summary data to fall out
+	      of sync, potentially leading to an assertion failure in
+	      rpz.c when further incremental updates were made to the
+	      zone, such as via IXFR. [RT #39567]
+	    
      • 
+
    • 
+	      The server could match a shorter prefix than what was
+	      available in CLIENT-IP policy triggers, and so, an
+	      unexpected action could be taken. This has been
+	      corrected. [RT #39481]
+	    
      • 
+
    • 
+	      The server could crash if a reload of an RPZ zone was
+	      initiated while another reload of the same zone was
+	      already in progress. [RT #39649]
+	    
      • 
+
    
+
    • 
+

+

+

+

+End of Life

+

+      The end of life for BIND 9.11 is yet to be determined but
+      will not be before BIND 9.13.0 has been released for 6 months.
+      https://www.isc.org/downloads/software-support-policy/
+    

+

+

+

+Thank You

+

+      Thank you to everyone who assisted us in making this release possible.
+      If you would like to contribute to ISC to assist us in continuing to
+      make quality open source software, please visit our donations page at
+      http://www.isc.org/donate/.
+    

+

+

 

 

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html
index 8e254ca601..c5c872f4e5 100644
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@@ -50,7 +50,7 @@
 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
 

@@ -140,17 +140,17 @@
           

 

-Bibliography

+Bibliography

 
Standards

 

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

+
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

 

 

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

+
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

 

 

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 

 

 

@@ -158,42 +158,42 @@
 

 Proposed Standards

 

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 

 

 

-
[RFC2308] M. Andrews. Negative Caching of DNS
+
[RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 

 

 

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 

 

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 

 

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

 

 

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 

 

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 

 

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 

 

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

 

 

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

 

 

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

 

 

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 

 

@@ -202,19 +202,19 @@
 

 DNS Security Proposed Standards

 

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

 

 

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

 

 

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

 

 

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

 

 

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 

 

 
@@ -222,146 +222,146 @@
 
Other Important RFCs About DNS
                 Implementation

 

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software. October 1993. 

 

 

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 

 

 

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

 

 

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 

 

 
 

 
Resource Record Types

 

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

 

 

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

 

 

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 

 

 

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 

 

 

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services. October 1996. 

 

 

-
[RFC2163] A. Allocchio. Using the Internet DNS to
+
[RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 

 

 

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

 

 

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

 

 

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

 

 

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

 

 

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

 

 

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

 

 

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 

 

 

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

 

 

 

 

 DNS and the Internet

 

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 

 

 

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 

 

 

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

 

 

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

 

 

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

 

 

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

 

 

 

 

 DNS Operations

 

-
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

+
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

 

 

-
[RFC1537] P. Beertema. Common DNS Data File
+
[RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 

 

 

-
[RFC1912] D. Barr. Common DNS Operational and
+
[RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 

 

 

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

 

 

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services. October 1997. 

 

 

 

 
Internationalized Domain Names

 

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 

 

 

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

 

 

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

 

 

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 

 

@@ -377,47 +377,47 @@
                 

 

 

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 

 

 

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

 

 

-
[RFC1794] T. Brisco. DNS Support for Load
+
[RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 

 

 

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

 

 

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

 

 

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

 

 

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

 

 

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 

 

 

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

 

 
 

 
Obsolete and Unimplemented Experimental RFC

 

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 

 

 

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

 

 

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 

 

 

@@ -431,39 +431,39 @@
                 

 
 

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

 

 

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

 

 

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

 

 

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 

 

 

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

 

 

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

 

 

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

 

 

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

 

 

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

 

 

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 

 

 

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

 

 
 
@@ -484,14 +484,14 @@
 
 

 

-Other Documents About BIND
+Other Documents About BIND
 

 

 

 

-Bibliography

+Bibliography

 

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 

 
 
diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html
index f0c7e98a47..8e03d53feb 100644
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@@ -47,13 +47,13 @@
 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
@@ -89,7 +89,7 @@
 
 

 

-Prerequisite

+Prerequisite

 
GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
@@ -98,7 +98,7 @@
 
 

 

-Compilation

+Compilation

 
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -113,7 +113,7 @@ $ make
 
 

 

-Installation

+Installation

 
 $ cd lib/export
 $ make install
@@ -135,7 +135,7 @@ $ make install
 
 

 

-Known Defects/Restrictions

+Known Defects/Restrictions

 
    
 
  • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -175,7 +175,7 @@ $ make
 

 

 

-The dns.conf File

+The dns.conf File

 
The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -193,14 +193,14 @@ $ make
 
 

 

-Sample Applications

+Sample Applications

 
Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   

 

 

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

 

   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -264,7 +264,7 @@ $ make
 
 

 

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

 

   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -305,7 +305,7 @@ $ make
 
 

 

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

 

   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -346,7 +346,7 @@ $ make
 
 

 

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

 

   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -363,7 +363,7 @@ $ make
 
 

 

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

 

   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -458,7 +458,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

 

   It checks a set
   of domains to see the name servers of the domains behave
@@ -515,7 +515,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-Library References

+Library References

 
As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 4528ed900d..7582523cb7 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -114,39 +114,39 @@
 
 
DNSSEC, Dynamic Zones, and Automatic Signing

 

-
Converting from insecure to secure

-
Dynamic DNS update method

-
Fully automatic zone signing

-
Private-type records

-
DNSKEY rollovers

-
Dynamic DNS update method

-
Automatic key rollovers

-
NSEC3PARAM rollovers via UPDATE

-
Converting from NSEC to NSEC3

-
Converting from NSEC3 to NSEC

-
Converting from secure to insecure

-
Periodic re-signing

-
NSEC3 and OPTOUT

+
Converting from insecure to secure

+
Dynamic DNS update method

+
Fully automatic zone signing

+
Private-type records

+
DNSKEY rollovers

+
Dynamic DNS update method

+
Automatic key rollovers

+
NSEC3PARAM rollovers via UPDATE

+
Converting from NSEC to NSEC3

+
Converting from NSEC3 to NSEC

+
Converting from secure to insecure

+
Periodic re-signing

+
NSEC3 and OPTOUT

 

 
Dynamic Trust Anchor Management

 

-
Validating Resolver

-
Authoritative Server

+
Validating Resolver

+
Authoritative Server

 

 
PKCS#11 (Cryptoki) support

 

-
Prerequisites

-
Native PKCS#11

-
OpenSSL-based PKCS#11

-
PKCS#11 Tools

-
Using the HSM

-
Specifying the engine on the command line

-
Running named with automatic zone re-signing

+
Prerequisites

+
Native PKCS#11

+
OpenSSL-based PKCS#11

+
PKCS#11 Tools

+
Using the HSM

+
Specifying the engine on the command line

+
Running named with automatic zone re-signing

 

 
DLZ (Dynamically Loadable Zones)

 

-
Configuring DLZ

-
Sample DLZ Driver

+
Configuring DLZ

+
Sample DLZ Driver

 

 
IPv6 Support in BIND 9

 

@@ -194,28 +194,28 @@
 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -224,21 +224,34 @@
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Release Notes

+

+
Release Notes for BIND Version 9.11.0pre-alpha

+

+
Introduction

+
Download

+
Security Fixes

+
New Features

+
Feature Changes

+
Bug Fixes

+
End of Life

+
Thank You

+

+

 
B. A Brief History of the DNS and BIND

 

 
C. General DNS Reference Information

@@ -248,20 +261,20 @@
 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
 
D. BIND 9 DNS Library Support

 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
I. Manual pages

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index a612f9756f..8a54e41188 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 
arpaname  {ipaddress ...}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 1d975d9aab..e652f0daa7 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name  |   -z zone ]

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       tsig-keygen and ddns-confgen
       are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -159,7 +159,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -167,7 +167,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index 151273b56a..dd82e60255 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@
 
delv  [queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
delv
       (Domain Entity Lookup & Validation) is a tool for sending
       DNS queries and validating the results, using the same internal
@@ -96,7 +96,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of delv looks like:
       

@@ -151,7 +151,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a anchor-file

 

@@ -285,7 +285,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
delv
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
@@ -471,12 +471,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/bind.keys

 
/etc/resolv.conf

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8),
       RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index d8889d5484..c9dec21eb0 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -152,7 +152,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -280,7 +280,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -735,7 +735,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -781,7 +781,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -795,14 +795,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -810,7 +810,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 53d0708164..c7923f8bc2 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
 
dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f file

 

@@ -88,14 +88,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index a3acd5b4a7..cada916dc6 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
 
dnssec-coverage  [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-K directory

 

@@ -192,7 +192,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -201,7 +201,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 5ad36ff9fe..a550799413 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
 
dnssec-dsfromkey  [-h] [-V]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -150,7 +150,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -165,7 +165,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -179,13 +179,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -195,7 +195,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index f4793d652e..448fadb5db 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@
 
dnssec-importkey  {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-importkey
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f filename

 

@@ -114,7 +114,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
 

 
 

-
FILES

+
FILES

 

       A keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 2a43764eb9..f90d5f213e 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -243,7 +243,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
 

 
 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -354,7 +354,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 5fddad7938..aa6f9140f6 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -287,7 +287,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -361,7 +361,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -407,7 +407,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -428,7 +428,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -437,7 +437,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 14464959ec..7c7142f7ff 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -109,14 +109,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index e24ac62302..550f9fe62f 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 
dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -133,7 +133,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -212,7 +212,7 @@
 

 
 

-
PRINTING OPTIONS

+
PRINTING OPTIONS

 

       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -238,7 +238,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -246,7 +246,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 074471343d..e4d29b7356 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -512,7 +512,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
 %

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033, RFC 4641.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 6b7319c4d2..d5185d9af2 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 
dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-c class

 

@@ -138,7 +138,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -146,7 +146,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 1f90325bfc..957188315d 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 
genrandom  [-n number] {size} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
-n number

 

@@ -77,14 +77,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       rand(3),
       arc4random(3)
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index fb9b7153ab..ccb7af9ee6 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -228,12 +228,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index e0bfb4858e..f1a7c385d4 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 
isc-hmac-fixup  {algorithm} {secret}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     

 

 

-
SECURITY CONSIDERATIONS

+
SECURITY CONSIDERATIONS

 

       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 2104.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 1f5345c783..b9a07bf6a8 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -119,21 +119,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 4d5b2b7fbb..fd39e53a39 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -305,14 +305,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -320,7 +320,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 52a6ae8b6e..358fbd2cdc 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 
named-journalprint  {journal}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 367f1c5974..184de35480 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -50,7 +50,7 @@
 
named-rrchecker  [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-rrchecker
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
@@ -78,7 +78,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 1034,
       RFC 1035,
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index bafaf4fb5d..ae9cb325d8 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -299,7 +299,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -320,7 +320,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -337,7 +337,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -350,7 +350,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -363,7 +363,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index fd7ef6059a..2f78a0fb0d 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 
nsec3hash  {salt} {algorithm} {iterations} {domain}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
salt

 

@@ -80,14 +80,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 5155.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index eb39d9f317..eb9f37a943 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [-L level] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -108,7 +108,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -242,7 +242,7 @@
 

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -555,7 +555,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -609,7 +609,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -632,7 +632,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 2136,
       RFC 3007,
@@ -647,7 +647,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index b1ee390f83..753fdb24e0 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -180,7 +180,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -197,7 +197,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -205,7 +205,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 1562ee869c..065af15de9 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -228,7 +228,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index a8ba0cd1bc..58576fe616 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-r] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -81,7 +81,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -158,7 +158,7 @@
 

 

 

-
COMMANDS

+
COMMANDS

 

       A list of commands supported by rndc can
       be seen by running rndc without arguments.
@@ -744,7 +744,7 @@
 

 
 

-
LIMITATIONS

+
LIMITATIONS

 

       There is currently no way to provide the shared secret for a
       key_id without using the configuration file.
@@ -754,7 +754,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -764,7 +764,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index c2670d314e..d6d8ff91d8 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -19,5 +19,656 @@
 
 
 
-
<xi:include></xi:include>

+

+

+Release Notes for BIND Version 9.11.0pre-alpha

+

+

+Introduction

+

+      This document summarizes changes since the last production release
+      of BIND on the corresponding major release branch.
+    

+

+

+

+Download

+

+      The latest versions of BIND 9 software can always be found at
+      http://www.isc.org/downloads/.
+      There you will find additional information about each release,
+      source code, and pre-compiled versions for Microsoft Windows
+      operating systems.
+    

+

+

+

+Security Fixes

+
    
+
  • 
+	  An incorrect boundary check in the OPENPGPKEY rdatatype
+	  could trigger an assertion failure. [RT #40286]
+	
    • 
+
  • 
+
    
+	  A buffer accounting error could trigger an assertion failure
+	  when parsing certain malformed DNSSEC keys.
+	
    
+
    
+	  This flaw was discovered by Hanno Boeck of the Fuzzing
+	  Project, and is disclosed in CVE-2015-5722. [RT #40212]
+	
    
+
    • 
+
  • 
+
    
+	  A specially crafted query could trigger an assertion failure
+	  in message.c.
+	
    
+
    
+	  This flaw was discovered by Jonathan Foote, and is disclosed
+	  in CVE-2015-5477. [RT #39795]
+	
    
+
    • 
+
  • 
+
    
+	  On servers configured to perform DNSSEC validation, an
+	  assertion failure could be triggered on answers from
+	  a specially configured server.
+	
    
+
    
+	  This flaw was discovered by Breno Silveira Soares, and is
+	  disclosed in CVE-2015-4620. [RT #39795]
+	
    
+
    • 
+
  • 
+
    
+	  On servers configured to perform DNSSEC validation using
+	  managed trust anchors (i.e., keys configured explicitly
+	  via managed-keys, or implicitly 
+	  via dnssec-validation auto; or
+	  dnssec-lookaside auto;), revoking
+	  a trust anchor and sending a new untrusted replacement
+	  could cause named to crash with an
+	  assertion failure. This could occur in the event of a
+	  botched key rollover, or potentially as a result of a
+	  deliberate attack if the attacker was in position to
+	  monitor the victim's DNS traffic.
+	
    
+
    
+	  This flaw was discovered by Jan-Piet Mens, and is
+	  disclosed in CVE-2015-1349. [RT #38344]
+	
    
+
    • 
+
  • 
+
    
+	  A flaw in delegation handling could be exploited to put
+	  named into an infinite loop, in which
+	  each lookup of a name server triggered additional lookups
+	  of more name servers.  This has been addressed by placing
+	  limits on the number of levels of recursion
+	  named will allow (default 7), and
+	  on the number of queries that it will send before
+	  terminating a recursive query (default 50).
+	
    
+
    
+	  The recursion depth limit is configured via the
+	  max-recursion-depth option, and the query limit
+	  via the max-recursion-queries option.
+	
    
+
    
+	  The flaw was discovered by Florian Maury of ANSSI, and is
+	  disclosed in CVE-2014-8500. [RT #37580]
+	
    
+
    • 
+
  • 
+
    
+	  Two separate problems were identified in BIND's GeoIP code that
+	  could lead to an assertion failure. One was triggered by use of
+	  both IPv4 and IPv6 address families, the other by referencing
+	  a GeoIP database in named.conf which was
+	  not installed. Both are covered by CVE-2014-8680. [RT #37672]
+	  [RT #37679]
+	
    
+
    
+	  A less serious security flaw was also found in GeoIP: changes
+	  to the geoip-directory option in
+	  named.conf were ignored when running
+	  rndc reconfig. In theory, this could allow
+	  named to allow access to unintended clients.
+	
    
+
    • 
+

+

+

+

+New Features

+
    
+
  • 
+
    
+	  New quotas have been added to limit the queries that are
+	  sent by recursive resolvers to authoritative servers
+	  experiencing denial-of-service attacks. When configured,
+	  these options can both reduce the harm done to authoritative
+	  servers and also avoid the resource exhaustion that can be
+	  experienced by recursives when they are being used as a
+	  vehicle for such an attack.
+	
    
+
      
+
    • 
+	      fetches-per-server limits the number of
+	      simultaneous queries that can be sent to any single
+	      authoritative server.  The configured value is a starting
+	      point; it is automatically adjusted downward if the server is
+	      partially or completely non-responsive. The algorithm used to
+	      adjust the quota can be configured via the
+	      fetch-quota-params option.
+	    
      • 
+
    • 
+	      fetches-per-zone limits the number of
+	      simultaneous queries that can be sent for names within a
+	      single domain.  (Note: Unlike "fetches-per-server", this
+	      value is not self-tuning.)
+	    
      • 
+
    
+
    
+	  Statistics counters have also been added to track the number
+	  of queries affected by these quotas.
+	
    
+
    • 
+
  • 
+	  New statistics counters have been added to track traffic
+	  sizes, as specified in RSSAC002.  Query and response
+	  message sizes are broken up into ranges of histogram buckets:
+	  TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
+	  and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
+	  and 4096+.  These values can be accessed via the XML and JSON
+	  statistics channels at, for example,
+	  http://localhost:8888/xml/v3/traffic
+	  or
+	  http://localhost:8888/json/v1/traffic.
+	
    • 
+
  • 
+	  The serial number of a dynamically updatable zone can
+	  now be set using
+	  rndc signing -serial number zonename.
+	  This is particularly useful with inline-signing
+	  zones that have been reset.  Setting the serial number to a value
+	  larger than that on the slaves will trigger an AXFR-style
+	  transfer.
+	
    • 
+
  • 
+	  When answering recursive queries, SERVFAIL responses can now be
+	  cached by the server for a limited time; subsequent queries for
+	  the same query name and type will return another SERVFAIL until
+	  the cache times out.  This reduces the frequency of retries
+	  when a query is persistently failing, which can be a burden
+	  on recursive serviers.  The SERVFAIL cache timeout is controlled
+	  by servfail-ttl, which defaults to 10 seconds
+	  and has an upper limit of 30.
+	
    • 
+
  • 
+	  The new rndc nta command can now be used to
+	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
+	  a specific domain; this can be used when responses from a domain
+	  are known to be failing validation due to administrative error
+	  rather than because of a spoofing attack. NTAs are strictly
+	  temporary; by default they expire after one hour, but can be
+	  configured to last up to one week.  The default NTA lifetime
+	  can be changed by setting the nta-lifetime in
+	  named.conf. When added, NTAs are stored in a
+	  file (viewname.nta)
+	  in order to persist across restarts of the named server.
+	
    • 
+
  • 
+	  The EDNS Client Subnet (ECS) option is now supported for
+	  authoritative servers; if a query contains an ECS option then
+	  ACLs containing geoip or ecs
+	  elements can match against the the address encoded in the option.
+	  This can be used to select a view for a query, so that different
+	  answers can be provided depending on the client network.
+	
    • 
+
  • 
+	  The EDNS EXPIRE option has been implemented on the client
+	  side, allowing a slave server to set the expiration timer
+	  correctly when transferring zone data from another slave
+	  server.
+	
    • 
+
  • 
+	  A new masterfile-style zone option controls
+	  the formatting of text zone files:  When set to
+	  full, the zone file will dumped in
+	  single-line-per-record format.
+	
    • 
+
  • 
+	  dig +ednsopt can now be used to set
+	  arbitrary EDNS options in DNS requests.
+	
    • 
+
  • 
+	  dig +ednsflags can now be used to set
+	  yet-to-be-defined EDNS flags in DNS requests.
+	
    • 
+
  • 
+	  dig +[no]ednsnegotiation can now be used enable /
+	  disable EDNS version negotiation.
+	
    • 
+
  • 
+	  dig +header-only can now be used to send
+	  queries without a question section.
+	
    • 
+
  • 
+	  dig +ttlunits causes dig
+	  to print TTL values with time-unit suffixes: w, d, h, m, s for
+	  weeks, days, hours, minutes, and seconds.
+	
    • 
+
  • 
+	  dig +zflag can be used to set the last
+	  unassigned DNS header flag bit.  This bit in normally zero.
+	
    • 
+
  • 
+	  dig +dscp=value
+	  can now be used to set the DSCP code point in outgoing query
+	  packets.
+	
    • 
+
  • 
+	  serial-update-method can now be set to
+	  date. On update, the serial number will
+	  be set to the current date in YYYYMMDDNN format.
+	
    • 
+
  • 
+	  dnssec-signzone -N date also sets the serial
+	  number to YYYYMMDDNN.
+	
    • 
+
  • 
+	  named -L filename
+	  causes named to send log messages to the specified file by
+	  default instead of to the system log.
+	
    • 
+
  • 
+	  The rate limiter configured by the
+	  serial-query-rate option no longer covers
+	  NOTIFY messages; those are now separately controlled by
+	  notify-rate and
+	  startup-notify-rate (the latter of which
+	  controls the rate of NOTIFY messages sent when the server
+	  is first started up or reconfigured).
+	
    • 
+
  • 
+	  The default number of tasks and client objects available
+	  for serving lightweight resolver queries have been increased,
+	  and are now configurable via the new lwres-tasks
+	  and lwres-clients options in
+	  named.conf. [RT #35857]
+	
    • 
+
  • 
+	  Log output to files can now be buffered by specifying
+	  buffered yes; when creating a channel.
+	
    • 
+
  • 
+	  delv +tcp will exclusively use TCP when
+	  sending queries.
+	
    • 
+
  • 
+	  named will now check to see whether
+	  other name server processes are running before starting up.
+	  This is implemented in two ways: 1) by refusing to start
+	  if the configured network interfaces all return "address
+	  in use", and 2) by attempting to acquire a lock on a file
+	  specified by the lock-file option or
+	  the -X command line option.  The
+	  default lock file is
+	  /var/run/named/named.lock.
+	  Specifying none will disable the lock
+	  file check.
+	
    • 
+
  • 
+	  rndc delzone can now be applied to zones
+	  which were configured in named.conf;
+	  it is no longer restricted to zones which were added by
+	  rndc addzone.  (Note, however, that
+	  this does not edit named.conf; the zone
+	  must be removed from the configuration or it will return
+	  when named is restarted or reloaded.)
+	
    • 
+
  • 
+	  rndc modzone can be used to reconfigure
+	  a zone, using similar syntax to rndc addzone. 
+	
    • 
+
  • 
+	  rndc showzone displays the current
+	  configuration for a specified zone.
+	
    • 
+
  • 
+
    
+	  Added server-side support for pipelined TCP queries.  Clients
+	  may continue sending queries via TCP while previous queries are
+	  processed in parallel.  Responses are sent when they are
+	  ready, not necessarily in the order in which the queries were
+	  received.
+	
    
+
    
+	  To revert to the former behavior for a particular
+	  client address or range of addresses, specify the address prefix
+	  in the "keep-response-order" option.  To revert to the former
+	  behavior for all clients, use "keep-response-order { any; };".
+	
    
+
    • 
+
  • 
+	  The new mdig command is a version of
+	  dig that sends multiple pipelined
+	  queries and then waits for responses, instead of sending one
+	  query and waiting the response before sending the next. [RT #38261]
+	
    • 
+
  • 
+	  To enable better monitoring and troubleshooting of RFC 5011
+	  trust anchor management, the new rndc managed-keys
+	  can be used to check status of trust anchors or to force keys
+	  to be refreshed.  Also, the managed-keys data file now has
+	  easier-to-read comments. [RT #38458]
+	
    • 
+
  • 
+	  An --enable-querytrace configure switch is
+	  now available to enable very verbose query tracelogging. This
+	  option can only be set at compile time. This option has a
+	  negative performance impact and should be used only for
+	  debugging. [RT #37520]
+	
    • 
+
  • 
+	  A new tcp-only option can be specified
+	  in server statements to force
+	  named to connect to the specified
+	  server via TCP. [RT #37800]
+	
    • 
+
  • 
+	  The nxdomain-redirect option specifies
+	  a DNS namespace to use for NXDOMAIN redirection. When a 
+	  recursive lookup returns NXDOMAIN, a second lookup is
+	  initiated with the specified name appended to the query
+	  name. This allows NXDOMAIN redirection data to be supplied
+	  by multiple zones configured on the server or by recursive
+	  queries to other servers. (The older method, using
+	  a single type redirect zone, has
+	  better average performance but is less flexible.) [RT #37989]
+	
    • 
+

+

+

+

+Feature Changes

+
    
+
  • 
+	  ACLs containing geoip asnum elements were
+	  not correctly matched unless the full organization name was
+	  specified in the ACL (as in
+	  geoip asnum "AS1234 Example, Inc.";).
+	  They can now match against the AS number alone (as in
+	  geoip asnum "AS1234";).
+	
    • 
+
  • 
+	  When using native PKCS#11 cryptography (i.e.,
+	  configure --enable-native-pkcs11) HSM PINs
+	  of up to 256 characters can now be used.
+	
    • 
+
  • 
+	  NXDOMAIN responses to queries of type DS are now cached separately
+	  from those for other types. This helps when using "grafted" zones
+	  of type forward, for which the parent zone does not contain a
+	  delegation, such as local top-level domains.  Previously a query
+	  of type DS for such a zone could cause the zone apex to be cached
+	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
+	  change is only helpful when DNSSEC validation is not enabled.
+	  "Grafted" zones without a delegation in the parent are not a
+	  recommended configuration.)
+	
    • 
+
  • 
+	  Update forwarding performance has been improved by allowing
+	  a single TCP connection to be shared between multiple updates.
+	
    • 
+
  • 
+	  By default, nsupdate will now check
+	  the correctness of hostnames when adding records of type
+	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
+	  disabled with check-names no.
+	
    • 
+
  • 
+	  Added support for OPENPGPKEY type.
+	
    • 
+
  • 
+	  The names of the files used to store managed keys and added
+	  zones for each view are no longer based on the SHA256 hash
+	  of the view name, except when this is necessary because the
+	  view name contains characters that would be incompatible with use
+	  as a file name.  For views whose names do not contain forward
+	  slashes ('/'), backslashes ('\'), or capital letters - which
+	  could potentially cause namespace collision problems on
+	  case-insensitive filesystems - files will now be named
+	  after the view (for example, internal.mkeys
+	  or external.nzf).  However, to ensure
+	  consistent behavior when upgrading, if a file using the old
+	  name format is found to exist, it will continue to be used.
+	
    • 
+
  • 
+	  "rndc" can now return text output of arbitrary size to
+	  the caller. (Prior to this, certain commands such as
+	  "rndc tsig-list" and "rndc zonestatus" could return
+	  truncated output.)
+	
    • 
+
  • 
+	  Errors reported when running rndc addzone
+	  (e.g., when a zone file cannot be loaded) have been clarified
+	  to make it easier to diagnose problems.
+	
    • 
+
  • 
+	  When encountering an authoritative name server whose name is
+	  an alias pointing to another name, the resolver treats
+	  this as an error and skips to the next server. Previously
+	  this happened silently; now the error will be logged to
+	  the newly-created "cname" log category.
+	
    • 
+
  • 
+	  If named is not configured to validate the answer then
+	  allow fallback to plain DNS on timeout even when we know
+	  the server supports EDNS.  This will allow the server to
+	  potentially resolve signed queries when TCP is being
+	  blocked.
+	
    • 
+
  • 
+	  Large inline-signing changes should be less disruptive.
+	  Signature generation is now done incrementally; the number
+	  of signatures to be generated in each quantum is controlled
+	  by "sig-signing-signatures number;".
+	  [RT #37927]
+	
    • 
+
  • 
+
    
+	  The experimental SIT option (code point 65001) of BIND
+	  9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
+	  option (code point 10). It is no longer experimental, and
+	  is sent by default, by both named and
+	  dig.
+	
    
+
    
+	  The SIT-related named.conf options have been marked as
+	  obsolete, and are otherwise ignored.
+	
    
+
    • 
+
  • 
+	  When dig receives a truncated (TC=1)
+	  response or a BADCOOKIE response code from a server, it
+	  will automatically retry the query using the server COOKIE
+	  that was returned by the server in its initial response.
+	  [RT #39047]
+	
    • 
+
  • 
+	  A alternative NXDOMAIN redirect method (nxdomain-redirect)
+	  which allows the redirect information to be looked up from
+	  a namespace on the Internet rather than requiring a zone
+	  to be configured on the server is now available.
+	
    • 
+
  • 
+	  Retrieving the local port range from net.ipv4.ip_local_port_range
+	  on Linux is now supported.
+	
    • 
+
  • 
+	  Within the response-policy option, it is now
+	  possible to configure RPZ rewrite logging on a per-zone basis
+	  using the log clause.
+	
    • 
+

+

+

+

+Bug Fixes

+
    
+
  • 
+	  dig, host and
+	  nslookup aborted when encountering
+	  a name which, after appending search list elements,
+	  exceeded 255 bytes. Such names are now skipped, but
+	  processing of other names will continue. [RT #36892]
+	
    • 
+
  • 
+	  The error message generated when
+	  named-checkzone or
+	  named-checkconf -z encounters a
+	  $TTL directive without a value has
+	  been clarified. [RT #37138]
+	
    • 
+
  • 
+	  Semicolon characters (;) included in TXT records were
+	  incorrectly escaped with a backslash when the record was
+	  displayed as text. This is actually only necessary when there
+	  are no quotation marks. [RT #37159]
+	
    • 
+
  • 
+	  When files opened for writing by named,
+	  such as zone journal files, were referenced more than once
+	  in named.conf, it could lead to file
+	  corruption as multiple threads wrote to the same file. This
+	  is now detected when loading named.conf
+	  and reported as an error. [RT #37172]
+	
    • 
+
  • 
+	  When checking for updates to trust anchors listed in
+	  managed-keys, named
+	  now revalidates keys based on the current set of
+	  active trust anchors, without relying on any cached
+	  record of previous validation. [RT #37506]
+	
    • 
+
  • 
+	  Large-system tuning
+	  (configure --with-tuning=large) caused
+	  problems on some platforms by setting a socket receive
+	  buffer size that was too large.  This is now detected and
+	  corrected at run time. [RT #37187]
+	
    • 
+
  • 
+	  When NXDOMAIN redirection is in use, queries for a name
+	  that is present in the redirection zone but a type that
+	  is not present will now return NOERROR instead of NXDOMAIN.
+	
    • 
+
  • 
+	  Due to an inadvertent removal of code in the previous
+	  release, when named encountered an
+	  authoritative name server which dropped all EDNS queries,
+	  it did not always try plain DNS. This has been corrected.
+	  [RT #37965]
+	
    • 
+
  • 
+	  A regression caused nsupdate to use the default recursive servers
+	  rather than the SOA MNAME server when sending the UPDATE.
+	
    • 
+
  • 
+	  Adjusted max-recursion-queries to accommodate the smaller
+	  initial packet sizes used in BIND 9.10 and higher when
+	  contacting authoritative servers for the first time.
+	
    • 
+
  • 
+	  Built-in "empty" zones did not correctly inherit the
+	  "allow-transfer" ACL from the options or view. [RT #38310]
+	
    • 
+
  • 
+	  Two leaks were fixed that could cause named
+	  processes to grow to very large sizes. [RT #38454]
+	
    • 
+
  • 
+	  Fixed some bugs in RFC 5011 trust anchor management,
+	  including a memory leak and a possible loss of state
+	  information. [RT #38458]
+	
    • 
+
  • 
+	  Asynchronous zone loads were not handled correctly when the
+	  zone load was already in progress; this could trigger a crash
+	  in zt.c. [RT #37573]
+	
    • 
+
  • 
+	  A race during shutdown or reconfiguration could
+	  cause an assertion failure in mem.c. [RT #38979]
+	
    • 
+
  • 
+	  Some answer formatting options didn't work correctly with
+	  dig +short. [RT #39291]
+	
    • 
+
  • 
+
    
+	  Several bugs have been fixed in the RPZ implementation:
+	
    
+
      
+
    • 
+	      Policy zones that did not specifically require recursion
+	      could be treated as if they did; consequently, setting
+	      qname-wait-recurse no; was
+	      sometimes ineffective.  This has been corrected.
+	      In most configurations, behavioral changes due to this
+	      fix will not be noticeable. [RT #39229]
+	    
      • 
+
    • 
+	      The server could crash if policy zones were updated (e.g.
+	      via rndc reload or an incoming zone
+	      transfer) while RPZ processing was still ongoing for an
+	      active query. [RT #39415]
+	    
      • 
+
    • 
+	      On servers with one or more policy zones configured as
+	      slaves, if a policy zone updated during regular operation
+	      (rather than at startup) using a full zone reload, such as
+	      via AXFR, a bug could allow the RPZ summary data to fall out
+	      of sync, potentially leading to an assertion failure in
+	      rpz.c when further incremental updates were made to the
+	      zone, such as via IXFR. [RT #39567]
+	    
      • 
+
    • 
+	      The server could match a shorter prefix than what was
+	      available in CLIENT-IP policy triggers, and so, an
+	      unexpected action could be taken. This has been
+	      corrected. [RT #39481]
+	    
      • 
+
    • 
+	      The server could crash if a reload of an RPZ zone was
+	      initiated while another reload of the same zone was
+	      already in progress. [RT #39649]
+	    
      • 
+
    
+
    • 
+

+

+

+

+End of Life

+

+      The end of life for BIND 9.11 is yet to be determined but
+      will not be before BIND 9.13.0 has been released for 6 months.
+      https://www.isc.org/downloads/software-support-policy/
+    

+

+

+

+Thank You

+

+      Thank you to everyone who assisted us in making this release possible.
+      If you would like to contribute to ISC to assist us in continuing to
+      make quality open source software, please visit our donations page at
+      http://www.isc.org/donate/.
+    

+

+

 
diff --git a/doc/misc/options b/doc/misc/options
index 95e2c321a7..26e409e975 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -255,6 +255,7 @@ options {
         request-ixfr ;
         request-nsid ;
         request-sit ; // obsolete
+        require-server-cookie ;
         reserved-sockets ;
         resolver-query-timeout ;
         response-policy { zone  [ policy ( given | disabled
@@ -524,6 +525,7 @@ view   {
         request-ixfr ;
         request-nsid ;
         request-sit ; // obsolete
+        require-server-cookie ;
         resolver-query-timeout ;
         response-policy { zone  [ policy ( given | disabled
             | passthru | no-op | drop | tcp-only | nxdomain | nodata |