From 1559511adae0b5c710d9cb13f8c1058f4e867a67 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 4 Mar 2009 05:48:32 +0000 Subject: [PATCH 01/60] don't use a implied source in a direct rule --- bin/named/Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index 9dfe4f3484..c7ba054035 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.102 2009/03/04 02:42:30 each Exp $ +# $Id: Makefile.in,v 1.103 2009/03/04 05:48:32 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -112,7 +112,7 @@ main.@O@: main.c -DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c bind.keys.h: ${top_srcdir}/bind.keys - ${PERL} ${srcdir}/bindkeys.pl < $< > $@ + ${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@ config.@O@: config.c bind.keys.h ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ From e61db954bfbbf0555038f36b35680d77c7e07049 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 4 Mar 2009 23:48:02 +0000 Subject: [PATCH 02/60] update copyright notice --- bin/named/server.c | 10 +++++----- lib/bind9/check.c | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 4dba2bff54..04a25361c1 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.529 2009/03/04 02:42:30 each Exp $ */ +/* $Id: server.c,v 1.530 2009/03/04 23:48:01 tbox Exp $ */ /*! \file */ 
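Review bot: The rewritten `bind.keys.h` recipe still redirects straight into `$@`, so if `bindkeys.pl` fails or is interrupted a truncated `bind.keys.h` is left behind with a fresh timestamp and the next make treats it as up to date; because this header carries the built-in DLV trust anchor, a silently empty or partial file is worth guarding against. Write to a temporary and rename only on success, `${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@.tmp && mv $@.tmp $@`, or at least append `|| (rm -f $@; exit 1)` to the existing line.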
@@ -494,7 +494,7 @@ configure_view_dnsseckeylist(const cfg_obj_t *keys, const cfg_obj_t *vconfig, * from 'vconfig' and 'config'. The variable to be configured is '*target'. */ static isc_result_t -configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config, +configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config, const cfg_obj_t *bindkeys, isc_boolean_t auto_dlv, isc_mem_t *mctx, dns_keytable_t **target) { @@ -1105,8 +1105,8 @@ cache_sharable(dns_view_t *originview, dns_view_t *view, static isc_result_t configure_view(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *vconfig, ns_cachelist_t *cachelist, - const cfg_obj_t *bindkeys, isc_mem_t *mctx, - cfg_aclconfctx_t *actx, isc_boolean_t need_hints) + const cfg_obj_t *bindkeys, isc_mem_t *mctx, + cfg_aclconfctx_t *actx, isc_boolean_t need_hints) { const cfg_obj_t *maps[4]; const cfg_obj_t *cfgmaps[3]; @@ -1923,7 +1923,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dlvobj = cfg_listelt_value(cfg_list_first(obj)); if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")), "auto") && - cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) { + cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) { auto_dlv = ISC_TRUE; obj = NULL; result = cfg_map_get(ns_g_defaults, diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 931dd017e2..bbc138847c 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.99 2009/03/04 02:42:31 each Exp $ */ +/* $Id: check.c,v 1.100 2009/03/04 23:48:02 tbox Exp $ */ /*! \file */ @@ -671,9 +671,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { anchor = cfg_tuple_get(obj, "trust-anchor"); /* - * If domain is "auto" and trust anchor is missing, - * skip remaining tests - */ + * If domain is "auto" and trust anchor is missing, + * skip remaining tests + */ if (!strcmp(dlv, "auto") && cfg_obj_isvoid(anchor)) continue; 
From 3d3088c228153b21af8c278c46294217c545dc45 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 4 Mar 2009 23:59:32 +0000 Subject: [PATCH 03/60] add bind.keys --- util/copyrights | 1 + 1 file changed, 1 insertion(+) diff --git a/util/copyrights b/util/copyrights index 260516d633..ae7f38a8d5 100644 --- a/util/copyrights +++ b/util/copyrights @@ -918,6 +918,7 @@ ./bin/win32/BINDInstall/res/BINDInstall.ico X 2001 ./bin/win32/BINDInstall/res/BINDInstall.rc2 X 2001 ./bin/win32/BINDInstall/resource.h X 2001,2005 +./bind.keys X 2009 ./config.guess X 1998,1999,2000,2001,2004,2009 ./config.h.in X 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./config.h.win32 C 1999,2000,2001,2004,2006,2007,2008 From 0072e4bb3c2298e85ebee8cee1b642bfd70373b0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 5 Mar 2009 02:09:40 +0000 Subject: [PATCH 04/60] unbalanced tag --- doc/arm/Bv9ARM-book.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 091b79853a..c93c954cbc 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -5287,7 +5287,7 @@ options { NOTE: Since the built-in key may expire, it can be overridden without recompiling named by placing a new key - in the file bind.keys. + in the file bind.keys. From f605647060939871d5f219b998d8e5a2cd6c0afb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 5 Mar 2009 03:13:55 +0000 Subject: [PATCH 05/60] Undocumented firewall test hook. [RT #19398] --- bin/named/main.c | 10 ++++++++-- lib/isc/include/isc/socket.h | 8 +++++++- lib/isc/unix/socket.c | 17 ++++++++++++++++- lib/isc/win32/libisc.def | 1 + lib/isc/win32/socket.c | 9 ++++++++- 5 files changed, 40 insertions(+), 5 deletions(-) diff --git a/bin/named/main.c b/bin/named/main.c index 12cc84cf2e..8cb54ab02d 100644 --- a/bin/named/main.c +++ b/bin/named/main.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.169 2009/03/04 02:42:30 each Exp $ */ +/* $Id: main.c,v 1.170 2009/03/05 03:13:55 marka Exp $ */ /*! \file */ @@ -87,6 +87,7 @@ static char absolute_conffile[ISC_DIR_PATHMAX]; static char saved_command_line[512]; static char version[512]; static unsigned int maxsocks = 0; +static int maxudp = 0; void ns_main_earlywarning(const char *format, ...) { @@ -451,8 +452,12 @@ parse_command_line(int argc, char *argv[]) { * clienttest: make clients single shot with their * own memory context. */ - if (strcmp(isc_commandline_argument, "clienttest") == 0) + if (!strcmp(isc_commandline_argument, "clienttest")) ns_g_clienttest = ISC_TRUE; + else if (!strcmp(isc_commandline_argument, "maxudp512")) + maxudp = 512; + else if (!strcmp(isc_commandline_argument, "maxudp1460")) + maxudp = 1460; else fprintf(stderr, "unknown -T flag '%s\n", isc_commandline_argument); @@ -525,6 +530,7 @@ create_managers(void) { isc_result_totext(result)); return (ISC_R_UNEXPECTED); } + isc__socketmgr_maxudp(ns_g_socketmgr, maxudp); result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &socks); if (result == ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h index 90f6565e27..4f654a2967 100644 --- a/lib/isc/include/isc/socket.h +++ b/lib/isc/include/isc/socket.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.h,v 1.88 2009/01/27 22:29:59 jinmei Exp $ */ +/* $Id: socket.h,v 1.89 2009/03/05 03:13:55 marka Exp $ */ #ifndef ISC_SOCKET_H #define ISC_SOCKET_H 1 @@ -992,6 +992,12 @@ isc__socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t); * Temporary. For use by named only. */ +void +isc__socketmgr_maxudp(isc_socketmgr_t *mgr, int maxudp); +/*%< + * Test interface. Drop UDP packet > 'maxudp'. + */ + #ifdef HAVE_LIBXML2 void diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 5dd4cdc392..8062e9b980 100644 
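Review bot: The new `-T maxudp512` and `-T maxudp1460` branches in parse_command_line are undocumented, while the comment just above them explains only `clienttest`; since these options make named silently discard large UDP replies, that comment should gain a line such as `* maxudp512, maxudp1460: drop received UDP datagrams larger than 512/1460 bytes to simulate a filtering firewall (test only).` The hunk also rewrites the existing `strcmp(...) == 0` into `!strcmp(...)`, which is churn on a line the commit did not need to touch and the less readable form; keeping `== 0` for all three comparisons would match the line it replaces. While here, the unknown-flag message `"unknown -T flag '%s\n"` is missing its closing quote and should read `"unknown -T flag '%s'\n"`. parse_command_line begins and ends outside the hunk.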
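Review bot: The comment on the new `isc__socketmgr_maxudp` declaration, `Test interface. Drop UDP packet > 'maxudp'.`, does not say what 0 means, although the unix implementation in this series applies the limit only when `maxudp != 0` and creates the manager with it zeroed; suggest `Test interface: drop received UDP datagrams larger than 'maxudp' bytes; 0 (the default) disables the check. Not implemented on win32.` Stating the disabled value in the public header matters because this hook discards traffic without logging, so a caller passing a stray value would get no indication. The `isc__socketmgr_setreserved` declaration directly above carries a `Temporary. For use by named only.` restriction; the new hook should state the same.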
--- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.316 2009/01/27 22:30:00 jinmei Exp $ */ +/* $Id: socket.c,v 1.317 2009/03/05 03:13:55 marka Exp $ */ /*! \file */ @@ -388,6 +388,7 @@ struct isc_socketmgr { #else /* ISC_PLATFORM_USETHREADS */ unsigned int refs; #endif /* ISC_PLATFORM_USETHREADS */ + int maxudp; }; #ifndef ISC_PLATFORM_USETHREADS @@ -1538,6 +1539,12 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) { } return (DOIO_SOFT); } + /* + * Simulate a firewall blocking UDP responses bigger than + * 512 bytes. + */ + if (sock->manager->maxudp != 0 && cc > sock->manager->maxudp) + return (DOIO_SOFT); } socket_log(sock, &dev->address, IOEVENT, @@ -3556,6 +3563,13 @@ isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) { manager->reserved = reserved; } +void +isc__socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) { + REQUIRE(VALID_MANAGER(manager)); + + manager->maxudp = maxudp; +} + /* * Create a new socket manager. */ @@ -3811,6 +3825,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp, memset(manager, 0, sizeof(*manager)); manager->maxsocks = maxsocks; manager->reserved = 0; + manager->maxudp = 0; manager->fds = isc_mem_get(mctx, manager->maxsocks * sizeof(isc_socket_t *)); if (manager->fds == NULL) { diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def index 19a2fef661..ad24ecb5ed 100644 --- a/lib/isc/win32/libisc.def +++ b/lib/isc/win32/libisc.def @@ -35,6 +35,7 @@ isc__mem_reallocate isc__mem_strdup isc__mempool_get isc__mempool_put +isc__socketmgr_maxudp isc__socketmgr_setreserved isc__strerror isc_app_block diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c index ac9503c7a3..96c469a98d 100644 --- a/lib/isc/win32/socket.c +++ b/lib/isc/win32/socket.c 
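Review bot: The comment added in doio_recv says the simulated firewall blocks responses bigger than 512 bytes, but the threshold is whatever `manager->maxudp` holds (512 or 1460 from main.c in this series), so the comment is already stale; suggest `/* Test hook: simulate a firewall dropping UDP datagrams larger than manager->maxudp bytes (0 disables). */`. The check keys only on the size of the read and not on the socket type, so if this part of doio_recv is also reached for TCP sockets the drop should be gated on the socket being UDP; I cannot tell from the hunk because doio_recv begins and ends outside it. Returning DOIO_SOFT also discards the datagram without a trace, so a socket_log() call like the one that follows the new block would make a misconfigured test run visible.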
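Review bot: `isc__socketmgr_maxudp` stores any int, including negative values, and with a negative limit every datagram of non-negative length satisfies `cc > sock->manager->maxudp` in doio_recv, so all UDP input would be discarded; add `REQUIRE(maxudp >= 0);` beside the existing `REQUIRE(VALID_MANAGER(manager));`. The store is also made without taking the manager lock, which is presumably acceptable only because named calls it once from create_managers before any socket exists; that assumption deserves a one-line comment on the function so a later caller does not rely on it at runtime.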
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.74 2009/01/27 22:30:00 jinmei Exp $ */ +/* $Id: socket.c,v 1.75 2009/03/05 03:13:55 marka Exp $ */ /* This code uses functions which are only available on Server 2003 and * higher, and Windows XP and higher. @@ -3672,3 +3672,10 @@ isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) { UNUSED(manager); UNUSED(reserved); } + +void +isc__socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) { + + UNUSED(manager); + UNUSED(maxudp); +} From 29bc980c421bbc8801bd703c8808dfc35a145485 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 5 Mar 2009 04:32:34 +0000 Subject: [PATCH 06/60] side -> string --- doc/arm/Bv9ARM-book.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index c93c954cbc..f8e4f4b2e4 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -11485,7 +11485,7 @@ HOST-127.EXAMPLE. MX 0 . describes the owner name of the resource records to be created. Any single $ (dollar sign) - symbols within the lhs side + symbols within the lhs string are replaced by the iterator value. To get a $ in the output, you need to escape the From e422b84c737d6bb4cf09657777992a30903e187a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 5 Mar 2009 04:54:33 +0000 Subject: [PATCH 07/60] 2573. [bug] Replacing a non-CNAME record with a CNAME record in a single transaction in a signed zone failed. [RT #19397] --- CHANGES | 3 +++ lib/dns/rbtdb.c | 18 +++++++----------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index 7b14d6788d..7951fbd2cb 100644 --- a/CHANGES +++ b/CHANGES 
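Review bot: The win32 `isc__socketmgr_maxudp` stub accepts the value and does nothing, so `named -T maxudp512` on Windows runs with no size limit and no indication that the hook is unsupported, while the `-T` parsing in bin/named/main.c appears to be shared by both platforms. A comment in the stub should say so, e.g. `/* The UDP size test hook is not implemented on win32; the limit is ignored. */`, and having the caller log or reject a non-zero value on this platform would keep test runs honest.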
@@ -1,3 +1,6 @@ +2573. [bug] Replacing a non-CNAME record with a CNAME record in a + single transaction in a signed zone failed. [RT #19397] + 2572. [func] Simplify DLV configuration, with a new option "dnssec-lookaside auto;" This is the equivalent of "dnssec-lookaside . trust-anchor dlv.isc.org;" diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 02c1c47849..5b5882611a 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.273 2009/01/28 23:20:23 jinmei Exp $ */ +/* $Id: rbtdb.c,v 1.274 2009/03/05 04:54:33 marka Exp $ */ /*! \file */ @@ -5235,19 +5235,15 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) { * Look for active extant "other data". * * "Other data" is any rdataset whose type is not - * KEY, RRSIG KEY, NSEC, RRSIG NSEC or RRSIG CNAME. + * KEY, NSEC, SIG or RRSIG. */ rdtype = RBTDB_RDATATYPE_BASE(header->type); - if (rdtype == dns_rdatatype_rrsig || - rdtype == dns_rdatatype_sig) - rdtype = RBTDB_RDATATYPE_EXT(header->type); - if (rdtype != dns_rdatatype_nsec && - rdtype != dns_rdatatype_key && - rdtype != dns_rdatatype_cname) { + if (rdtype != dns_rdatatype_key && + rdtype != dns_rdatatype_sig && + rdtype != dns_rdatatype_nsec && + rdtype != dns_rdatatype_rrsig) { /* - * We've found a type that isn't - * NSEC, KEY, CNAME, or one of their - * signatures. Is it active and extant? + * Is it active and extant? */ do { if (header->serial <= serial && From f3627d12970d41a51e5c9d6af55575d08e608d02 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 5 Mar 2009 23:18:00 +0000 Subject: [PATCH 08/60] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 805b6d97fd..b18a719064 100644 --- a/doc/private/branches +++ b/doc/private/branches 
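Review bot: The rewritten exclusion in cname_and_other_data now ignores every SIG/RRSIG rdataset regardless of the type it covers, where the old code disregarded only signatures over KEY, NSEC and CNAME, and the new comment `KEY, NSEC, SIG or RRSIG` records the what but not the why; since this implements the RFC 1034 CNAME-and-other-data rule, the relaxation deserves a sentence such as `Signatures are ignored regardless of the type they cover: when a non-CNAME type is replaced by a CNAME in one transaction, its stale RRSIG may still be present and is removed separately.` I infer that rationale from the CHANGES entry (RT #19397) in this commit rather than from the hunk, so please confirm it before adopting the wording. The enclosing loop begins outside the hunk, so I could not check that CNAME itself is handled on another branch now that `dns_rdatatype_cname` has left this exclusion list.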
@@ -204,6 +204,7 @@ rt19310 new marka // 2009-02-11 09:42 +0000 rt19360 new fdupont // 2009-02-17 09:10 +0000 rt19369 new jinmei // 2009-02-19 00:40 +0000 rt19384 new marka // 2009-02-23 03:32 +0000 +rt19387 new jinmei // 2009-03-05 19:37 +0000 rt19495 new marka // 2009-01-19 01:19 +0000 shane_dbbackend open skan open explorer From 0df8ead472f207020f8da22a185fe4b945248ab8 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 5 Mar 2009 23:30:30 +0000 Subject: [PATCH 09/60] newcopyrights --- util/copyrights | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/util/copyrights b/util/copyrights index ae7f38a8d5..fed7d1bcee 100644 --- a/util/copyrights +++ b/util/copyrights @@ -96,12 +96,14 @@ ./bin/dnssec/win32/signzone.dsw X 2001 ./bin/dnssec/win32/signzone.mak X 2001,2004,2005,2006 ./bin/named/.cvsignore X 1999,2000,2001,2007,2008 -./bin/named/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008 +./bin/named/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 +./bin/named/bind.keys.h C 2009 ./bin/named/bind9.xsl SGML 2006,2007,2008,2009 ./bin/named/bind9.xsl.h X 2007,2008,2009 +./bin/named/bindkeys.pl PERL 2009 ./bin/named/builtin.c C 2001,2002,2003,2004,2005,2007,2009 ./bin/named/client.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 -./bin/named/config.c C 2001,2002,2003,2004,2005,2006,2007,2008 +./bin/named/config.c C 2001,2002,2003,2004,2005,2006,2007,2008,2009 ./bin/named/control.c C 2001,2002,2003,2004,2005,2006,2007 ./bin/named/controlconf.c C 2001,2002,2003,2004,2005,2006,2007,2008 ./bin/named/convertxsl.pl PERL 2006,2007,2008 
@@ -109,7 +111,7 @@ ./bin/named/include/named/client.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./bin/named/include/named/config.h C 2001,2002,2004,2005,2006,2007 ./bin/named/include/named/control.h C 2001,2002,2003,2004,2005,2006,2007 -./bin/named/include/named/globals.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 +./bin/named/include/named/globals.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./bin/named/include/named/interfacemgr.h C 1999,2000,2001,2002,2004,2005,2007 ./bin/named/include/named/listenlist.h C 2000,2001,2004,2005,2007 ./bin/named/include/named/log.h C 1999,2000,2001,2002,2004,2005,2007,2009 @@ -886,7 +888,12 @@ ./bin/tests/wire_test.data3 X 1999,2000,2001 ./bin/tests/wire_test.data4 X 1999,2000,2001 ./bin/tests/zone_test.c C 1999,2000,2001,2002,2004,2005,2007 +./bin/tools/.cvsignore X 2009 ./bin/tools/Makefile.in MAKE 2009 +./bin/tools/arpaname.1 MAN 2009 +./bin/tools/arpaname.c C 2009 +./bin/tools/arpaname.docbook SGML 2009 +./bin/tools/arpaname.html HTML 2009 ./bin/tools/genrandom.8 MAN 2009 ./bin/tools/genrandom.c C 2009 ./bin/tools/genrandom.docbook SGML 2009 @@ -2241,7 +2248,7 @@ ./lib/isccfg/include/isccfg/cfg.h C 2000,2001,2002,2004,2005,2006,2007 ./lib/isccfg/include/isccfg/grammar.h C 2002,2003,2004,2005,2006,2007,2008 ./lib/isccfg/include/isccfg/log.h C 2001,2004,2005,2006,2007,2009 -./lib/isccfg/include/isccfg/namedconf.h C 2002,2004,2005,2006,2007 +./lib/isccfg/include/isccfg/namedconf.h C 2002,2004,2005,2006,2007,2009 ./lib/isccfg/include/isccfg/version.h C 2001,2004,2005,2006,2007 ./lib/isccfg/log.c C 2001,2004,2005,2006,2007 ./lib/isccfg/namedconf.c C 2002,2003,2004,2005,2006,2007,2008,2009 From 2464bd58eb0b2e8564557fbad43778f03a958418 Mon Sep 17 00:00:00 2001 
From: Automatic Updater Date: Thu, 5 Mar 2009 23:47:36 +0000 Subject: [PATCH 10/60] update copyright notice --- bin/named/Makefile.in | 4 ++-- bin/named/bind.keys.h | 22 ++++++++++++++++++++-- bin/named/config.c | 4 ++-- bin/named/include/named/globals.h | 4 ++-- bin/tools/arpaname.1 | 12 ++++++------ bin/tools/arpaname.html | 13 +++++++------ lib/isccfg/include/isccfg/namedconf.h | 4 ++-- 7 files changed, 41 insertions(+), 22 deletions(-) diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index c7ba054035..69438e2f04 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.103 2009/03/04 05:48:32 marka Exp $ +# $Id: Makefile.in,v 1.104 2009/03/05 23:47:35 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h index 1b287a5184..3486fc1fd9 100644 --- a/bin/named/bind.keys.h +++ b/bin/named/bind.keys.h 
@@ -1,7 +1,25 @@ +/* + * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: bind.keys.h,v 1.3 2009/03/05 23:47:35 tbox Exp $ */ + #define TRUSTED_KEYS "\ trusted-keys {\n\ - # NOTE: This key expires September 2009 \n\ - # Go to https://www.isc.org/solutions/dlv to download a replacement\n\ + # NOTE: This key expires September 2009 \n\ + # Go to https://www.isc.org/solutions/dlv to download a replacement\n\ dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\ };\n\ " diff --git a/bin/named/config.c b/bin/named/config.c index 543fb53a2a..532b0f944a 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
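Review bot: This adds a license block and `$Id` to `bin/named/bind.keys.h` by hand, yet the first commit in this series rewrites the `bind.keys.h: ${top_srcdir}/bind.keys` rule that regenerates it with `bindkeys.pl`, so the header and the re-indented comment lines will be overwritten the next time `bind.keys` is newer than the header. Either have `bindkeys.pl` emit the license block or stop tracking the generated file; a hand-edited copy of the built-in DLV trust anchor is otherwise an easy place for the committed and generated contents to drift apart, and the embedded `NOTE: This key expires September 2009` text is the only expiry signal a reader gets. I infer the regeneration from the Makefile rule in this series rather than from this file.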
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.94 2009/03/04 02:42:30 each Exp $ */ +/* $Id: config.c,v 1.95 2009/03/05 23:47:35 tbox Exp $ */ /*! \file */ diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 5aa57f759b..ef0416cb3a 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: globals.h,v 1.81 2009/03/04 02:42:30 each Exp $ */ +/* $Id: globals.h,v 1.82 2009/03/05 23:47:35 tbox Exp $ */ #ifndef NAMED_GLOBALS_H #define NAMED_GLOBALS_H 1 diff --git a/bin/tools/arpaname.1 b/bin/tools/arpaname.1 index 0f911d0bb1..8daef948ff 100644 --- a/bin/tools/arpaname.1 +++ b/bin/tools/arpaname.1 
@@ -1,18 +1,18 @@ -.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") -.\" -.\" Permission to use, copy, modify, and distribute this software for any +.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: arpaname.1,v 1.1 2009/03/04 01:30:27 marka Exp $ +.\" $Id: arpaname.1,v 1.2 2009/03/05 23:47:36 tbox Exp $ .\" .hy 0 .ad l diff --git a/bin/tools/arpaname.html b/bin/tools/arpaname.html index 96e377b72d..b5b57f834f 100644 --- a/bin/tools/arpaname.html +++ b/bin/tools/arpaname.html @@ -1,19 +1,20 @@ - + + diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h index af424298bb..cd9c083144 100644 --- a/lib/isccfg/include/isccfg/namedconf.h +++ b/lib/isccfg/include/isccfg/namedconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.h,v 1.10 2009/03/04 02:42:31 each Exp $ */ +/* $Id: namedconf.h,v 1.11 2009/03/05 23:47:36 tbox Exp $ */ #ifndef ISCCFG_NAMEDCONF_H #define ISCCFG_NAMEDCONF_H 1 From 62ac086e8978d5103707fedb452b9d31db0a7340 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 6 Mar 2009 00:08:46 +0000 Subject: [PATCH 11/60] genrandom.c journalprint.c nsec3hash.c --- util/copyrights | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/util/copyrights b/util/copyrights index fed7d1bcee..59e3af7203 100644 --- a/util/copyrights +++ b/util/copyrights @@ -303,13 +303,11 @@ ./bin/tests/entropy2_test.c C 2000,2001,2004,2005,2007 ./bin/tests/entropy_test.c C 2000,2001,2004,2005,2007 ./bin/tests/fsaccess_test.c C 2000,2001,2004,2005,2007 -./bin/tests/genrandom.c C 2000,2001,2002,2003,2004,2005,2007 ./bin/tests/gxba_test.c C 2000,2001,2004,2005,2007 ./bin/tests/gxbn_test.c C 2000,2001,2004,2005,2007 ./bin/tests/hash_test.c C 2000,2001,2004,2005,2006,2007 ./bin/tests/headerdep_test.sh.in SH 2000,2001,2004,2007 ./bin/tests/inter_test.c C 2000,2001,2003,2004,2005,2007,2008 -./bin/tests/journalprint.c C 2000,2001,2004,2005,2006,2007,2008 ./bin/tests/keyboard_test.c C 2000,2001,2004,2005,2007 ./bin/tests/lex_test.c C 1998,1999,2000,2001,2004,2005,2007 ./bin/tests/lfsr_test.c C 1999,2000,2001,2004,2005,2007 @@ -392,7 +390,6 @@ ./bin/tests/net/netaddr_multicast.c C 2000,2001,2004,2007 ./bin/tests/net/sockaddr_multicast.c C 2000,2001,2004,2007 ./bin/tests/net/testsuite.h C 2000,2001,2004,2007 -./bin/tests/nsec3hash.c C 2006,2008 ./bin/tests/nsecify.c C 1999,2000,2001,2003,2004,2007,2008 ./bin/tests/printmsg.c C 1998,1999,2000,2001,2004,2007 ./bin/tests/printmsg.h C 1998,1999,2000,2001,2004,2007 
@@ -895,15 +892,15 @@ ./bin/tools/arpaname.docbook SGML 2009 ./bin/tools/arpaname.html HTML 2009 ./bin/tools/genrandom.8 MAN 2009 -./bin/tools/genrandom.c C 2009 +./bin/tests/genrandom.c C 2000,2001,2002,2003,2004,2005,2007,2009 ./bin/tools/genrandom.docbook SGML 2009 ./bin/tools/genrandom.html HTML 2009 ./bin/tools/journalprint.8 MAN 2009 -./bin/tools/journalprint.c C 2009 +./bin/tests/journalprint.c C 2000,2001,2004,2005,2006,2007,2008,2009 ./bin/tools/journalprint.docbook SGML 2009 ./bin/tools/journalprint.html HTML 2009 ./bin/tools/nsec3hash.8 MAN 2009 -./bin/tools/nsec3hash.c C 2009 +./bin/tests/nsec3hash.c C 2006,2008 ./bin/tools/nsec3hash.docbook SGML 2009 ./bin/tools/nsec3hash.html HTML 2009 ./bin/win32/BINDInstall/AccountInfo.cpp C.PORTION 2001,2002,2004,2007 From 7a7a44400d49122d4cc207b43922a7b9c5afe443 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 6 Mar 2009 01:12:33 +0000 Subject: [PATCH 12/60] regen --- bin/tools/arpaname.1 | 173 ++----------------------- bin/tools/arpaname.html | 12 +- doc/arm/Bv9ARM.ch06.html | 169 ++++++++++++++----------- doc/arm/Bv9ARM.ch07.html | 14 +-- doc/arm/Bv9ARM.ch08.html | 18 +-- doc/arm/Bv9ARM.ch09.html | 180 +++++++++++++-------------- doc/arm/Bv9ARM.html | 42 +++---- doc/arm/man.dig.html | 20 +-- doc/arm/man.dnssec-dsfromkey.html | 16 +-- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 14 +-- doc/arm/man.dnssec-signzone.html | 12 +- doc/arm/man.host.html | 10 +- doc/arm/man.named-checkconf.html | 12 +- doc/arm/man.named-checkzone.html | 12 +- doc/arm/man.named.html | 16 +-- doc/arm/man.nsupdate.html | 14 +-- doc/arm/man.rndc-confgen.html | 12 +- doc/arm/man.rndc.conf.html | 12 +- doc/arm/man.rndc.html | 12 +- doc/misc/options | 1 + 21 files changed, 327 insertions(+), 456 deletions(-) diff --git a/bin/tools/arpaname.1 b/bin/tools/arpaname.1 index 8daef948ff..f35f994aee 100644 --- a/bin/tools/arpaname.1 +++ b/bin/tools/arpaname.1 
@@ -12,194 +12,37 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: arpaname.1,v 1.2 2009/03/05 23:47:36 tbox Exp $ +.\" $Id: arpaname.1,v 1.3 2009/03/06 01:12:32 tbox Exp $ .\" .hy 0 .ad l .\" Title: arpaname -.\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.74.0 +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: March 4, 2009 .\" Manual: BIND9 .\" Source: BIND9 -.\" Language: English .\" .TH "ARPANAME" "1" "March 4, 2009" "BIND9" "BIND9" -.\" ----------------------------------------------------------------- -.\" * (re)Define some macros -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" toupper - uppercase a string (locale-aware) -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de toupper -.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -\\$* -.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH-xref - format a cross-reference to an SH section -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de SH-xref -.ie n \{\ -.\} -.toupper \\$* -.el \{\ -\\$* -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH - level-one heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SH -.\" put an extra blank line of space above the head in non-TTY output -.if t \{\ -.sp 1 -.\} -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[an-margin]u -.ti 0 -.HTML-TAG ".NH \\n[an-level]" -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -\." 
make the size of the head bigger -.ps +3 -.ft B -.ne (2v + 1u) -.ie n \{\ -.\" if n (TTY output), use uppercase -.toupper \\$* -.\} -.el \{\ -.nr an-break-flag 0 -.\" if not n (not TTY), use normal case (not uppercase) -\\$1 -.in \\n[an-margin]u -.ti 0 -.\" if not n (not TTY), put a border/line under subheading -.sp -.6 -\l'\n(.lu' -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SS - level-two heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SS -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[IN]u -.ti \\n[SN]u -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -.ps \\n[PS-SS]u -\." make the size of the head bigger -.ps +2 -.ft B -.ne (2v + 1u) -.if \\n[.$] \&\\$* -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BB/BE - put background/screen (filled box) around block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BB -.if t \{\ -.sp -.5 -.br -.in +2n -.ll -2n -.gcolor red -.di BX -.\} -.. -.de EB -.if t \{\ -.if "\\$2"adjust-for-leading-newline" \{\ -.sp -1 -.\} -.br -.di -.in -.ll -.gcolor -.nr BW \\n(.lu-\\n(.i -.nr BH \\n(dn+.5v -.ne \\n(BHu+.5v -.ie "\\$2"adjust-for-leading-newline" \{\ -\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.el \{\ -\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.in 0 -.sp -.5v -.nf -.BX -.in -.sp .5v -.fi -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BM/EM - put colored marker in margin next to block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BM -.if t \{\ -.br -.ll -2n -.gcolor red -.di BX -.\} -.. 
-.de EM -.if t \{\ -.br -.di -.ll -.gcolor -.nr BH \\n(dn -.ne \\n(BHu -\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -.in 0 -.nf -.BX -.in -.fi -.\} -.. -.\" ----------------------------------------------------------------- -.\" * set default formatting -.\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l -.\" ----------------------------------------------------------------- -.\" * MAIN CONTENT STARTS HERE * -.\" ----------------------------------------------------------------- -.SH "Name" +.SH "NAME" arpaname \- translate IP addresses to the corresponding ARPA names -.SH "Synopsis" +.SH "SYNOPSIS" .HP 9 \fBarpaname\fR {\fIipaddress\ \fR...} .SH "DESCRIPTION" .PP \fBarpaname\fR -translates IP addresses (IPv4 and IPv6) to the corresponding IN\-ADDR\&.ARPA or IP6\&.ARPA names\&. +translates IP addresses (IPv4 and IPv6) to the corresponding IN\-ADDR.ARPA or IP6.ARPA names. .SH "SEE ALSO" .PP -BIND 9 Administrator Reference Manual\&. +BIND 9 Administrator Reference Manual. .SH "AUTHOR" .PP Internet Systems Consortium -.SH "Copyright" -.br +.SH "COPYRIGHT" Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/tools/arpaname.html b/bin/tools/arpaname.html index b5b57f834f..e5f898b263 100644 --- a/bin/tools/arpaname.html +++ b/bin/tools/arpaname.html @@ -14,12 +14,12 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + arpaname - +
@@ -32,20 +32,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

- arpaname translates IP addresses (IPv4 and + arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 58f783dc16..5ab9621e1e 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -78,25 +78,25 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -2045,6 +2045,7 @@ category notify { null; }; [ tkey-dhkey key_name key_tag; ] [ cache-file path_name; ] [ dump-file path_name; ] + [ bindkeys-file path_name; ] [ memstatistics yes_or_no; ] [ memstatistics-file path_name; ] [ pid-file path_name; ] @@ -2070,7 +2071,7 @@ category notify { null; }; [ ixfr-from-differences (yes_or_no | master | slave); ] [ dnssec-enable yes_or_no; ] [ dnssec-validation yes_or_no; ] - [ dnssec-lookaside domain trust-anchor domain; ] + [ dnssec-lookaside ( auto | domain trust-anchor domain ); ] [ dnssec-must-be-secure domain yes_or_no; ] [ dnssec-accept-expired yes_or_no; ] [ forward ( only | first ); ] @@ -2418,6 +2419,14 @@ category notify { null; }; described in the section called “The Statistics File”.

+
bindkeys-file
+

+ The pathname of a file to override the built-in trusted + keys provided by named. See the discussion of + dnssec-lookaside for details. + If not specified, the default is + /etc/bind.keys. +

port

The UDP/TCP port number the server uses for @@ -2480,36 +2489,41 @@ options { Only the most specific will be applied.

dnssec-lookaside
-

- When set, dnssec-lookaside - provides the - validator with an alternate method to validate DNSKEY records - at the - top of a zone. When a DNSKEY is at or below a domain - specified by the - deepest dnssec-lookaside, and - the normal DNSSEC validation - has left the key untrusted, the trust-anchor will be append to - the key - name and a DLV record will be looked up to see if it can - validate the - key. If the DLV record validates a DNSKEY (similarly to the - way a DS - record does) the DNSKEY RRset is deemed to be trusted. -

+
+

+ When set, dnssec-lookaside provides the + validator with an alternate method to validate DNSKEY + records at the top of a zone. When a DNSKEY is at or + below a domain specified by the deepest + dnssec-lookaside, and the normal dnssec + validation has left the key untrusted, the trust-anchor + will be append to the key name and a DLV record will be + looked up to see if it can validate the key. If the DLV + record validates a DNSKEY (similarly to the way a DS record + does) the DNSKEY RRset is deemed to be trusted. +

+

+ If dnssec-lookaside is set to + "auto", then built-in default values for + the domain and trust anchor will be used, along + with a built-in key for validation. +

+

+ NOTE: Since the built-in key may expire, it can be + overridden without recompiling named by placing a new key + in the file bind.keys. +

+
dnssec-must-be-secure

- Specify hierarchies which must be or may not be secure (signed and - validated). - If yes, then named will only accept - answers if they - are secure. - If no, then normal DNSSEC validation - applies - allowing for insecure answers to be accepted. - The specified domain must be under a trusted-key or - dnssec-lookaside must be - active. + Specify hierarchies which must be or may not be secure + (signed and validated). If yes, + then named will only accept answers if + they are secure. If no, then normal + DNSSEC validation applies allowing for insecure answers to + be accepted. The specified domain must be under a + trusted-key or + dnssec-lookaside must be active.

@@ -3238,7 +3252,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3282,7 +3296,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -3479,7 +3493,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -3931,7 +3945,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -3973,7 +3987,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4135,7 +4149,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Periodic Task Intervals

+Periodic Task Intervals
cleaning-interval

@@ -5113,7 +5127,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -5164,7 +5178,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5173,7 +5187,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -5203,6 +5217,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; in the key data, so the configuration may be split up into multiple lines.

+

+ trusted-keys may be set at the top level + of named.conf or within a view. If it is + set in both places, they are additive: keys defined at the top + level are inherited by all views, but keys defined in a view + are only used within that view. +

+

+ In addition to keys specified in + trusted-keys statements, if the + dnssec-lookaside option is set to "auto", + named will also load a built-in trusted key for dlv.isc.org. +

@@ -5219,7 +5246,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-view Statement Definition and Usage

+view Statement Definition and Usage

The view statement is a powerful feature @@ -5485,10 +5512,10 @@ zone zone_name [

-zone Statement Definition and Usage

+zone Statement Definition and Usage

-Zone Types

+Zone Types
@@ -5697,7 +5724,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -5719,7 +5746,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -6294,7 +6321,7 @@ zone zone_name [

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -6307,7 +6334,7 @@ zone zone_name [

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7044,7 +7071,7 @@ zone zone_name [

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7247,7 +7274,7 @@ zone zone_name [

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -7503,7 +7530,7 @@ zone zone_name [

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -7564,7 +7591,7 @@ zone zone_name [

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -7579,7 +7606,7 @@ zone zone_name [

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -7590,7 +7617,7 @@ zone zone_name [

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -7619,7 +7646,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -7655,7 +7682,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -7674,7 +7701,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -7756,7 +7783,7 @@ HOST-127.EXAMPLE. MX 0 . describes the owner name of the resource records to be created. Any single $ (dollar sign) - symbols within the lhs side + symbols within the lhs string are replaced by the iterator value. To get a $ in the output, you need to escape the @@ -8098,7 +8125,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
@@ -8639,7 +8666,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters
@@ -8793,7 +8820,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -9169,7 +9196,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -9324,7 +9351,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index bc2b48d422..881d076fc7 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -119,7 +119,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -145,7 +145,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -173,7 +173,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 3d1d68cce1..6f21f57f0b 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,18 +45,18 @@

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 5eba707f3e..a34b9cb726 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,21 +45,21 @@

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -162,7 +162,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -268,42 +268,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -312,19 +312,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -332,146 +332,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -487,47 +487,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -541,39 +541,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -594,14 +594,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 67256a4ad6..1a40109122 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -157,25 +157,25 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -184,31 +184,31 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
I. Manual pages
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 32304da995..b63ac1d871 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -144,7 +144,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -248,7 +248,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index b01036bc10..42f56fd585 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -51,14 +51,14 @@

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -99,7 +99,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -114,7 +114,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -128,13 +128,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -143,7 +143,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 93afe189b6..d37c245aea 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -131,7 +131,7 @@
-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -172,7 +172,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -182,7 +182,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 0a2aa2562c..5a67b3ae63 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -166,7 +166,7 @@
-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -212,7 +212,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -233,7 +233,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -242,7 +242,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index eac59b8dcc..53eebb62b2 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -276,7 +276,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -305,14 +305,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index f24a365370..8afa9d396f 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 2efd4b4a14..bf0d1adca3 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,14 +50,14 @@

named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-

OPTIONS

+

OPTIONS

-h

@@ -92,21 +92,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index b8bf8545e4..2e40e30830 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} (unknown)

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -257,14 +257,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index fb194c7e1d..71fdb1caa6 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -238,7 +238,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -268,7 +268,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -281,7 +281,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -294,7 +294,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index d33c25a314..1940bb3074 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -186,7 +186,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -450,7 +450,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -504,7 +504,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -523,7 +523,7 @@

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -536,7 +536,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 6e6c12a508..c9eaa344fd 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -48,7 +48,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -171,7 +171,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 877ed7af7d..8475ad0709 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index c1ec56b231..5f4d424854 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/misc/options b/doc/misc/options
index bd74cc640b..e76d3bd6f9 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -72,6 +72,7 @@ options {
 auth-nxdomain ; // default changed
 avoid-v4-udp-ports { ; ... };
 avoid-v6-udp-ports { ; ... };
+ bindkeys-file ;
 blackhole { ; ... };
 cache-file ;
 check-integrity ;
From 8ba94ff0c459327b577ce2284a74b427dd749ad4 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Fri, 6 Mar 2009 23:30:30 +0000
Subject: [PATCH 13/60] newcopyrights
---
 util/copyrights | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/util/copyrights b/util/copyrights
index 59e3af7203..7b070b85a2 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -303,11 +303,13 @@
 ./bin/tests/entropy2_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/entropy_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/fsaccess_test.c C 2000,2001,2004,2005,2007
+./bin/tests/genrandom.c C 2000,2001,2002,2003,2004,2005,2007,2009
 ./bin/tests/gxba_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/gxbn_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/hash_test.c C 2000,2001,2004,2005,2006,2007
 ./bin/tests/headerdep_test.sh.in SH 2000,2001,2004,2007
 ./bin/tests/inter_test.c C 2000,2001,2003,2004,2005,2007,2008
+./bin/tests/journalprint.c C 2000,2001,2004,2005,2006,2007,2008,2009
 ./bin/tests/keyboard_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/lex_test.c C 1998,1999,2000,2001,2004,2005,2007
 ./bin/tests/lfsr_test.c C 1999,2000,2001,2004,2005,2007
@@ -390,6 +392,7 @@
 ./bin/tests/net/netaddr_multicast.c C 2000,2001,2004,2007
 ./bin/tests/net/sockaddr_multicast.c C 2000,2001,2004,2007
 ./bin/tests/net/testsuite.h C 2000,2001,2004,2007
+./bin/tests/nsec3hash.c C 2006,2008
 ./bin/tests/nsecify.c C 1999,2000,2001,2003,2004,2007,2008
 ./bin/tests/printmsg.c C 1998,1999,2000,2001,2004,2007
 ./bin/tests/printmsg.h C 1998,1999,2000,2001,2004,2007
@@ -892,15 +895,15 @@
 ./bin/tools/arpaname.docbook SGML 2009
 ./bin/tools/arpaname.html HTML 2009
 ./bin/tools/genrandom.8 MAN 2009
-./bin/tests/genrandom.c C 2000,2001,2002,2003,2004,2005,2007,2009
+./bin/tools/genrandom.c C 2009
 ./bin/tools/genrandom.docbook SGML 2009
 ./bin/tools/genrandom.html HTML 2009
 ./bin/tools/journalprint.8 MAN 2009
-./bin/tests/journalprint.c C 2000,2001,2004,2005,2006,2007,2008,2009
+./bin/tools/journalprint.c C 2009
 ./bin/tools/journalprint.docbook SGML 2009
 ./bin/tools/journalprint.html HTML 2009
 ./bin/tools/nsec3hash.8 MAN 2009
-./bin/tests/nsec3hash.c C 2006,2008
+./bin/tools/nsec3hash.c C 2009
 ./bin/tools/nsec3hash.docbook SGML 2009
 ./bin/tools/nsec3hash.html HTML 2009
 ./bin/win32/BINDInstall/AccountInfo.cpp C.PORTION 2001,2002,2004,2007
From cab3e375b77a980a5d4b7e5e4ee90167439e7934 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Sat, 7 Mar 2009 00:39:35 +0000
Subject: [PATCH 14/60] nsec3hash journalprint genrandom
---
 util/copyrights | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/util/copyrights b/util/copyrights
index 7b070b85a2..c53de77180 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -303,13 +303,11 @@
 ./bin/tests/entropy2_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/entropy_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/fsaccess_test.c C 2000,2001,2004,2005,2007
-./bin/tests/genrandom.c C 2000,2001,2002,2003,2004,2005,2007,2009
 ./bin/tests/gxba_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/gxbn_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/hash_test.c C 2000,2001,2004,2005,2006,2007
 ./bin/tests/headerdep_test.sh.in SH 2000,2001,2004,2007
 ./bin/tests/inter_test.c C 2000,2001,2003,2004,2005,2007,2008
-./bin/tests/journalprint.c C 2000,2001,2004,2005,2006,2007,2008,2009
 ./bin/tests/keyboard_test.c C 2000,2001,2004,2005,2007
 ./bin/tests/lex_test.c C 1998,1999,2000,2001,2004,2005,2007
 ./bin/tests/lfsr_test.c C 1999,2000,2001,2004,2005,2007
@@ -392,7 +390,6 @@
 ./bin/tests/net/netaddr_multicast.c C 2000,2001,2004,2007
 ./bin/tests/net/sockaddr_multicast.c C 2000,2001,2004,2007
 ./bin/tests/net/testsuite.h C 2000,2001,2004,2007
-./bin/tests/nsec3hash.c C 2006,2008
 ./bin/tests/nsecify.c C 1999,2000,2001,2003,2004,2007,2008
 ./bin/tests/printmsg.c C 1998,1999,2000,2001,2004,2007
 ./bin/tests/printmsg.h C 1998,1999,2000,2001,2004,2007
@@ -895,15 +892,15 @@
 ./bin/tools/arpaname.docbook SGML 2009
 ./bin/tools/arpaname.html HTML 2009
 ./bin/tools/genrandom.8 MAN 2009
-./bin/tools/genrandom.c C 2009
+./bin/tools/genrandom.c C 2000,2001,2002,2003,2004,2005,2007,2009
 ./bin/tools/genrandom.docbook SGML 2009
 ./bin/tools/genrandom.html HTML 2009
 ./bin/tools/journalprint.8 MAN 2009
-./bin/tools/journalprint.c C 2009
+./bin/tools/journalprint.c C 2000,2001,2004,2005,2006,2007,2008,2009
 ./bin/tools/journalprint.docbook SGML 2009
 ./bin/tools/journalprint.html HTML 2009
 ./bin/tools/nsec3hash.8 MAN 2009
-./bin/tools/nsec3hash.c C 2009
+./bin/tools/nsec3hash.c C 2006,2008
 ./bin/tools/nsec3hash.docbook SGML 2009
 ./bin/tools/nsec3hash.html HTML 2009
 ./bin/win32/BINDInstall/AccountInfo.cpp C.PORTION 2001,2002,2004,2007
From 510f19039bcd402dff28c85114551179670f482a Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Sat, 7 Mar 2009 23:30:32 +0000
Subject: [PATCH 15/60] newcopyrights
---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/copyrights b/util/copyrights
index c53de77180..5fc2e5d52f 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -900,7 +900,7 @@
 ./bin/tools/journalprint.docbook SGML 2009
 ./bin/tools/journalprint.html HTML 2009
 ./bin/tools/nsec3hash.8 MAN 2009
-./bin/tools/nsec3hash.c C 2006,2008
+./bin/tools/nsec3hash.c C 2006,2008,2009
 ./bin/tools/nsec3hash.docbook SGML 2009
 ./bin/tools/nsec3hash.html HTML 2009
 ./bin/win32/BINDInstall/AccountInfo.cpp C.PORTION 2001,2002,2004,2007
From 2919fef5d11189211097174dc136e5fe3848b20b Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Sat, 7 Mar 2009 23:47:45 +0000
Subject: [PATCH 16/60] update copyright notice
---
 bin/tools/genrandom.c | 5 +++--
 bin/tools/journalprint.c | 5 +++--
 bin/tools/nsec3hash.c | 4 ++--
 3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/bin/tools/genrandom.c b/bin/tools/genrandom.c
index 35ae8696ea..b34416e7d0 100644
--- a/bin/tools/genrandom.c
+++ b/bin/tools/genrandom.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: genrandom.c,v 1.3 2009/03/02 23:47:43 tbox Exp $ */
+/* $Id: genrandom.c,v 1.4 2009/03/07 23:47:45 tbox Exp $ */
 /*! \file */
 #include
diff --git a/bin/tools/journalprint.c b/bin/tools/journalprint.c
index 3d648bb200..41ee176391 100644
--- a/bin/tools/journalprint.c
+++ b/bin/tools/journalprint.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: journalprint.c,v 1.3 2009/03/02 23:47:43 tbox Exp $ */
+/* $Id: journalprint.c,v 1.4 2009/03/07 23:47:45 tbox Exp $ */
 /*! \file */
 #include
diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c
index 5245742ab5..65bddf6fec 100644
--- a/bin/tools/nsec3hash.c
+++ b/bin/tools/nsec3hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: nsec3hash.c,v 1.3 2009/03/02 23:47:43 tbox Exp $ */
+/* $Id: nsec3hash.c,v 1.4 2009/03/07 23:47:45 tbox Exp $ */
 #include
From b98225ff8a5721a998ccb440df4d261488fef163 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 9 Mar 2009 04:18:51 +0000
Subject: [PATCH 17/60] 2574. [doc] Document nsupdate -g and -o. [RT #19351]
---
 CHANGES | 2 ++
 bin/nsupdate/nsupdate.docbook | 53 ++++++++++++++++++-----------------
 2 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/CHANGES b/CHANGES
index 7951fbd2cb..e4217d85ba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2574. [doc] Document nsupdate -g and -o. [RT #19351]
+
 2573. [bug] Replacing a non-CNAME record with a CNAME record in a single transaction in a signed zone failed. [RT #19397]
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index 969d25883d..013bb5da34 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + Jun 30, 2000
@@ -58,6 +58,8 @@ + +
@@ -109,31 +111,27 @@
 report additional debugging information to .
- Transaction signatures can be used to authenticate the Dynamic DNS
- updates.
- These use the TSIG resource record type described in RFC2845 or the
- SIG(0) record described in RFC3535 and RFC2931.
- TSIG relies on a shared secret that should only be known to
- nsupdate and the name server.
- Currently, the only supported encryption algorithm for TSIG is
- HMAC-MD5, which is defined in RFC 2104.
- Once other algorithms are defined for TSIG, applications will need to
- ensure they select the appropriate algorithm as well as the key when
- authenticating each other.
- For instance, suitable
- key
- and
- server
- statements would be added to
- /etc/named.conf
- so that the name server can associate the appropriate secret key
- and algorithm with the IP address of the
- client application that will be using TSIG authentication.
- SIG(0) uses public key cryptography. To use a SIG(0) key, the public
- key must be stored in a KEY record in a zone served by the name server.
- nsupdate
- does not read
+ Transaction signatures can be used to authenticate the Dynamic
+ DNS updates. These use the TSIG resource record type described
+ in RFC2845 or the SIG(0) record described in RFC3535 and
+ RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ a shared secret that should only be known to
+ nsupdate and the name server. Currently,
+ the only supported encryption algorithm for TSIG is HMAC-MD5,
+ which is defined in RFC 2104. Once other algorithms are
+ defined for TSIG, applications will need to ensure they select
+ the appropriate algorithm as well as the key when authenticating
+ each other. For instance, suitable key and
+ server statements would be added to
+ /etc/named.conf so that the name server
+ can associate the appropriate secret key and algorithm with
+ the IP address of the client application that will be using
+ TSIG authentication. SIG(0) uses public key cryptography.
+ To use a SIG(0) key, the public key must be stored in a KEY
+ record in a zone served by the name server.
+ nsupdate does not read /etc/named.conf.
+ GSS-TSIG uses Kerberos credentials.
 nsupdate uses the or option
@@ -165,6 +163,11 @@
 to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key.
+
+ The and specify that
+ GSS-TSIG is to be used. The should only
+ be used with old Microsoft Windows 2000 servers.
+
 By default, nsupdate
From ed4475f3f583f6137b4ff7fea775c5363a4fdb29 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Tue, 10 Mar 2009 01:12:31 +0000
Subject: [PATCH 18/60] regen
---
 bin/nsupdate/nsupdate.1 | 16 ++++++---
 bin/nsupdate/nsupdate.html | 65 ++++++++++++++++++-----------------
 doc/arm/man.nsupdate.html | 65 ++++++++++++++++++-----------------
 doc/arm/man.rndc-confgen.html | 12 +++----
 doc/arm/man.rndc.conf.html | 12 +++----
 doc/arm/man.rndc.html | 12 +++----
 6 files changed, 96 insertions(+), 86 deletions(-)
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index c7fef2ba87..3184ba4fb6 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.1,v 1.4 2009/01/21 01:12:08 tbox Exp $
+.\" $Id: nsupdate.1,v 1.5 2009/03/10 01:12:31 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -60,7 +60,7 @@ option makes
 report additional debugging information to
 \fB\-d\fR.
 .PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to
+Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
 \fBnsupdate\fR
 and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
 \fBkey\fR
@@ -71,7 +71,7 @@ statements would be added to
 so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
 \fBnsupdate\fR
 does not read
-\fI/etc/named.conf\fR.
+\fI/etc/named.conf\fR. GSS\-TSIG uses Kerberos credentials.
 .PP
 \fBnsupdate\fR
 uses the
@@ -103,6 +103,14 @@ The
 \fB\-k\fR
 may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
 .PP
+The
+\fB\-g\fR
+and
+\fB\-o\fR
+specify that GSS\-TSIG is to be used. The
+\fB\-o\fR
+should only be used with old Microsoft Windows 2000 servers.
+.PP
 By default,
 \fBnsupdate\fR
 uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 98138e0b0f..2f9c180b60 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -29,10 +29,10 @@

Synopsis

-

nsupdate [-d] [-D] [[-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

+

nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -70,31 +70,27 @@ report additional debugging information to -d.

- Transaction signatures can be used to authenticate the Dynamic DNS
- updates.
- These use the TSIG resource record type described in RFC2845 or the
- SIG(0) record described in RFC3535 and RFC2931.
- TSIG relies on a shared secret that should only be known to
- nsupdate and the name server.
- Currently, the only supported encryption algorithm for TSIG is
- HMAC-MD5, which is defined in RFC 2104.
- Once other algorithms are defined for TSIG, applications will need to
- ensure they select the appropriate algorithm as well as the key when
- authenticating each other.
- For instance, suitable
- key
- and
- server
- statements would be added to
- /etc/named.conf
- so that the name server can associate the appropriate secret key
- and algorithm with the IP address of the
- client application that will be using TSIG authentication.
- SIG(0) uses public key cryptography. To use a SIG(0) key, the public
- key must be stored in a KEY record in a zone served by the name server.
- nsupdate
- does not read
+ Transaction signatures can be used to authenticate the Dynamic
+ DNS updates. These use the TSIG resource record type described
+ in RFC2845 or the SIG(0) record described in RFC3535 and
+ RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ a shared secret that should only be known to
+ nsupdate and the name server. Currently,
+ the only supported encryption algorithm for TSIG is HMAC-MD5,
+ which is defined in RFC 2104. Once other algorithms are
+ defined for TSIG, applications will need to ensure they select
+ the appropriate algorithm as well as the key when authenticating
+ each other. For instance, suitable key and
+ server statements would be added to
+ /etc/named.conf so that the name server
+ can associate the appropriate secret key and algorithm with
+ the IP address of the client application that will be using
+ TSIG authentication. SIG(0) uses public key cryptography.
+ To use a SIG(0) key, the public key must be stored in a KEY
+ record in a zone served by the name server.
+ nsupdate does not read /etc/named.conf.
+ GSS-TSIG uses Kerberos credentials.

nsupdate uses the -y or -k option @@ -124,6 +120,11 @@ to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key.

+

+ The -g and -o specify that
+ GSS-TSIG is to be used. The -o should only
+ be used with old Microsoft Windows 2000 servers.
+

By default, nsupdate @@ -168,7 +169,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -432,7 +433,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -486,7 +487,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -505,7 +506,7 @@

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -518,7 +519,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 1940bb3074..9841b5a302 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -47,10 +47,10 @@

Synopsis

-

nsupdate [-d] [-D] [[-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

+

nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -88,31 +88,27 @@ report additional debugging information to -d.

- Transaction signatures can be used to authenticate the Dynamic DNS - updates. - These use the TSIG resource record type described in RFC2845 or the - SIG(0) record described in RFC3535 and RFC2931. - TSIG relies on a shared secret that should only be known to - nsupdate and the name server. - Currently, the only supported encryption algorithm for TSIG is - HMAC-MD5, which is defined in RFC 2104. - Once other algorithms are defined for TSIG, applications will need to - ensure they select the appropriate algorithm as well as the key when - authenticating each other. - For instance, suitable - key - and - server - statements would be added to - /etc/named.conf - so that the name server can associate the appropriate secret key - and algorithm with the IP address of the - client application that will be using TSIG authentication. - SIG(0) uses public key cryptography. To use a SIG(0) key, the public - key must be stored in a KEY record in a zone served by the name server. - nsupdate - does not read + Transaction signatures can be used to authenticate the Dynamic + DNS updates. These use the TSIG resource record type described + in RFC2845 or the SIG(0) record described in RFC3535 and + RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on + a shared secret that should only be known to + nsupdate and the name server. Currently, + the only supported encryption algorithm for TSIG is HMAC-MD5, + which is defined in RFC 2104. Once other algorithms are + defined for TSIG, applications will need to ensure they select + the appropriate algorithm as well as the key when authenticating + each other. For instance, suitable key and + server statements would be added to + /etc/named.conf so that the name server + can associate the appropriate secret key and algorithm with + the IP address of the client application that will be using + TSIG authentication. SIG(0) uses public key cryptography. 
+ To use a SIG(0) key, the public key must be stored in a KEY + record in a zone served by the name server. + nsupdate does not read /etc/named.conf. + GSS-TSIG uses Kerberos credentials.

nsupdate uses the -y or -k option @@ -142,6 +138,11 @@ to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key.

+

+ The -g and -o specify that + GSS-TSIG is to be used. The -o should only + be used with old Microsoft Windows 2000 servers. +

By default, nsupdate @@ -186,7 +187,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -450,7 +451,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -504,7 +505,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -523,7 +524,7 @@

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -536,7 +537,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index c9eaa344fd..603c8a7b10 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -171,7 +171,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 8475ad0709..7c761e9b02 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 5f4d424854..eb487955cb 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From 3f8be559f0871022c78a229bad0eb09560b90909 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 11 Mar 2009 07:02:34 +0000 Subject: [PATCH 19/60] 2575. [func] New functions dns_name_fromstring() and dns_name_tostring(), to simplify conversion of a string to a dns_name structure and vice versa. [RT #19451] --- CHANGES | 5 ++++ lib/dns/include/dns/name.h | 38 +++++++++++++++++++++++++- lib/dns/name.c | 55 +++++++++++++++++++++++++++++++++++++- 3 files changed, 96 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index e4217d85ba..4d556dcba2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2575. [func] New functions dns_name_fromstring() and + dns_name_tostring(), to simplify conversion + of a string to a dns_name structure and vice + versa. [RT #19451] + 2574. [doc] Document nsupdate -g and -o. [RT #19351] 2573. [bug] Replacing a non-CNAME record with a CNAME record in a diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h index 5bbb602777..f42fcbb23c 100644 --- a/lib/dns/include/dns/name.h +++ b/lib/dns/include/dns/name.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name.h,v 1.128 2009/01/17 23:47:43 tbox Exp $ */ +/* $Id: name.h,v 1.129 2009/03/11 07:02:34 each Exp $ */ #ifndef DNS_NAME_H #define DNS_NAME_H 1 
@@ -1129,6 +1129,42 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size); * */ +isc_result_t +dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx); +/*%< + * Convert 'name' to string format, allocating sufficient memory to + * hold it (free with isc_mem_free()). + * + * Differs from dns_name_format in that it allocates its own memory. + * + * Requires: + * + *\li 'name' is a valid name. + *\li 'target' is not NULL. + *\li '*target' is NULL. + * + * Returns: + * + *\li ISC_R_SUCCESS + * + *\li Any error that dns_name_totext() can return. + */ + +isc_result_t +dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx); +/*%< + * Convert a string to a name and place it in target, allocating memory + * as necessary. + * + * Returns: + * + *\li #ISC_R_SUCCESS + * + *\li Any error that dns_name_fromtext() can return. + * + *\li Any error that dns_name_dup() can return. + */ + isc_result_t dns_name_settotextfilter(dns_name_totextfilter_t proc); /*%< diff --git a/lib/dns/name.c b/lib/dns/name.c index f4ea3e9113..baf9cdb824 100644 --- a/lib/dns/name.c +++ b/lib/dns/name.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name.c,v 1.165 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: name.c,v 1.166 2009/03/11 07:02:34 each Exp $ */ /*! \file */ @@ -34,6 +34,7 @@ #include #include +#include #include #include 
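Review bot: The new dns_name_tostring() prototype names its first parameter `source`, but the comment block beneath it documents 'name' (and the definition in name.c calls it `name`); rename it `dns_name_t *name` so the Requires list refers to the real parameter. The dns_name_fromstring() block has no Requires section even though the implementation dereferences src unconditionally and duplicates into target, so add `*\li 'target' is a valid name.` and `*\li 'src' is not NULL.` in the style of the neighbouring entries. Since both functions allocate from mctx, the Returns lists should also mention `#ISC_R_NOMEMORY` so callers know to handle it.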
@@ -2340,6 +2341,58 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size) { snprintf(cp, size, ""); } +/* + * dns_name_tostring() -- similar to dns_name_format() but allocates its own + * memory. + */ +isc_result_t +dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) { + isc_result_t result; + isc_buffer_t buf; + isc_region_t reg; + char *p, txt[DNS_NAME_FORMATSIZE]; + + REQUIRE(VALID_NAME(name)); + REQUIRE(target != NULL && *target == NULL); + + isc_buffer_init(&buf, txt, sizeof(txt)); + result = dns_name_totext(name, ISC_FALSE, &buf); + if (result != ISC_R_SUCCESS) + return (result); + + isc_buffer_usedregion(&buf, ®); + p = isc_mem_allocate(mctx, reg.length + 1); + memcpy(p, (char *) reg.base, (int) reg.length); + p[reg.length] = '\0'; + + *target = p; + return (ISC_R_SUCCESS); +} + +/* + * dns_name_fromstring() -- convert directly from a string to a name, + * allocating memory as needed + */ +isc_result_t +dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx) { + isc_result_t result; + isc_buffer_t buf; + dns_fixedname_t fn; + dns_name_t *name; + + isc_buffer_init(&buf, src, strlen(src)); + isc_buffer_add(&buf, strlen(src)); + dns_fixedname_init(&fn); + name = dns_fixedname_name(&fn); + + result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL); + if (result != ISC_R_SUCCESS) + return (result); + + result = dns_name_dup(name, mctx, target); + return (result); +} + isc_result_t dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) { unsigned char *ndata; From b1dc6282fe2d34975c8cb0435b4583071b6d1158 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 11 Mar 2009 23:30:33 +0000 Subject: [PATCH 20/60] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 5fc2e5d52f..8b5e888687 100644 --- a/util/copyrights +++ b/util/copyrights 
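Review bot: In dns_name_tostring() the result of `isc_mem_allocate(mctx, reg.length + 1)` is written to by memcpy() without a NULL check, so an allocation failure dereferences NULL instead of being reported; add `if (p == NULL) return (ISC_R_NOMEMORY);` right after the allocation (and document that return in name.h). The `(int) reg.length` cast in the memcpy() call is unnecessary for a size_t parameter and silently narrows; pass `reg.length` directly. In dns_name_fromstring() `strlen(src)` is computed twice — hoist it into a local — and passing the `const char *src` to isc_buffer_init() presumably discards the qualifier if that routine takes a non-const base, which deserves either a const-taking variant, if one exists, or a short comment that the buffer is only read.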
@@ -1703,7 +1703,7 @@ ./lib/dns/master.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/masterdump.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/message.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 -./lib/dns/name.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 +./lib/dns/name.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/ncache.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008 ./lib/dns/nsec.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009 ./lib/dns/nsec3.c C 2006,2008 From 74f4bfde4abb36524e62bed2bbc27d775e67c0a9 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 11 Mar 2009 23:47:35 +0000 Subject: [PATCH 21/60] update copyright notice --- lib/dns/name.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/dns/name.c b/lib/dns/name.c index baf9cdb824..c5c374042d 100644 --- a/lib/dns/name.c +++ b/lib/dns/name.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name.c,v 1.166 2009/03/11 07:02:34 each Exp $ */ +/* $Id: name.c,v 1.167 2009/03/11 23:47:35 tbox Exp $ */ /*! \file */ @@ -2353,7 +2353,7 @@ dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) { char *p, txt[DNS_NAME_FORMATSIZE]; REQUIRE(VALID_NAME(name)); - REQUIRE(target != NULL && *target == NULL); + REQUIRE(target != NULL && *target == NULL); isc_buffer_init(&buf, txt, sizeof(txt)); result = dns_name_totext(name, ISC_FALSE, &buf); From 56708c6fb441402e0568f8947cdf0ddda40532b1 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Fri, 13 Mar 2009 01:35:18 +0000 Subject: [PATCH 22/60] 2576. [bug] NSEC record were not being correctly signed when a zone transitions from insecure to secure. Handle such incorrectly signed zones. [RET #19114] --- CHANGES | 4 ++++ bin/named/query.c | 6 +++++- lib/dns/zone.c | 6 ++++-- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 4d556dcba2..4b74fe17ef 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2576. [bug] NSEC record were not being correctly signed when + a zone transitions from insecure to secure. + Handle such incorrectly signed zones. [RET #19114] + 2575. [func] New functions dns_name_fromstring() and dns_name_tostring(), to simplify conversion of a string to a dns_name structure and vice diff --git a/bin/named/query.c b/bin/named/query.c index 2d6cfd9319..b0c74d3401 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.321 2009/03/03 01:36:17 marka Exp $ */ +/* $Id: query.c,v 1.322 2009/03/13 01:35:18 marka Exp $ */ /*! \file */ @@ -2741,6 +2741,10 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node, goto cleanup; fname = query_newname(client, dbuf, &b); dns_fixedname_init(&fixed); + if (dns_rdataset_isassociated(rdataset)) + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); query_findclosestnsec3(name, db, version, client, rdataset, sigrdataset, fname, ISC_TRUE, dns_fixedname_name(&fixed)); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 2b90b9e787..12ad3f0f56 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.487 2009/02/16 02:01:15 marka Exp $ */ +/* $Id: zone.c,v 1.488 2009/03/13 01:35:18 marka Exp $ */ /*! \file */ 
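Review bot: The two new dns_rdataset_disassociate() calls in query_addds() are not explained in the code: nothing in the hunk says which earlier lookup may have left rdataset and sigrdataset associated before query_findclosestnsec3() reuses them, so a reader cannot tell whether this is a leak fix or a correctness requirement; I'd add `/* Drop any leftover lookup results: query_findclosestnsec3() requires unassociated rdatasets. */` above the first check. If sigrdataset can be NULL on any path into query_addds(), the added `dns_rdataset_isassociated(sigrdataset)` needs a NULL guard — confirm against the function's contract, which is outside the hunk. query_addds() starts and ends outside the hunk.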
@@ -4250,7 +4250,9 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node, goto next_rdataset; if (is_ksk && rdataset.type != dns_rdatatype_dnskey) goto next_rdataset; - if (*delegation && !dns_rdatatype_atparent(rdataset.type)) + if (*delegation && + rdataset.type != dns_rdatatype_ds && + rdataset.type != dns_rdatatype_nsec) goto next_rdataset; if (signed_with_key(db, node, version, rdataset.type, key)) goto next_rdataset; From d0e7c8712f25fff65f10d70dba519e9cacc4cc8f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 13 Mar 2009 01:36:07 +0000 Subject: [PATCH 23/60] RET -> RT --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 4b74fe17ef..7e346ffbc2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,6 @@ 2576. [bug] NSEC record were not being correctly signed when a zone transitions from insecure to secure. - Handle such incorrectly signed zones. [RET #19114] + Handle such incorrectly signed zones. [RT #19114] 2575. [func] New functions dns_name_fromstring() and dns_name_tostring(), to simplify conversion From a142972ea9697b4ecaa5587fb6d9057e821d5339 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Fri, 13 Mar 2009 01:51:50 +0000 Subject: [PATCH 24/60] 2577. [doc] Clarified some statistics counters. [RT #19454] --- CHANGES | 2 ++ doc/arm/Bv9ARM-book.xml | 22 +++++++++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 7e346ffbc2..e368be02b2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2577. [doc] Clarified some statistics counters. [RT #19454] + 2576. [bug] NSEC record were not being correctly signed when a zone transitions from insecure to secure. Handle such incorrectly signed zones. [RT #19114] diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index f8e4f4b2e4..0c5215bbc7 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
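Review bot: The explicit `dns_rdatatype_ds` / `dns_rdatatype_nsec` test in sign_a_node() encodes a protocol rule that the replaced dns_rdatatype_atparent() call presumably did not cover for NSEC, but the code gives no reason; add `/* At a delegation only the DS and NSEC RRsets are signed by this zone (RFC 4035 section 2.2); NS and glue are not. */` above the condition so the next maintainer does not "simplify" it back. The condition is also the kind of list that will grow if further delegation-signed types appear, so a small static helper such as `signed_at_delegation(type)` would keep the rule in one place. sign_a_node() starts and ends outside the hunk.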
@@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -7966,7 +7966,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; - + clients-per-query max-clients-per-query @@ -12262,10 +12262,18 @@ HOST-127.EXAMPLE. MX 0 . - Queries for which the server + Recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped. + This is the number of dropped queries due to + the reason explained with the + clients-per-query + and + max-clients-per-query + options + (see the description about + .) This corresponds to the dropped counter of previous versions of @@ -12287,6 +12295,14 @@ HOST-127.EXAMPLE. MX 0 . failure counter of previous versions of BIND 9. + Note: this counter is provided mainly for + backward compatibility with the previous versions. + Normally a more fine-grained counters such as + AuthQryRej and + RecQryRej + that would also fall into this counter are provided, + and so this counter would not be of much + interest in practice. From ea21c734ff027f23f289f8c6507a4e79984e4830 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 14 Mar 2009 01:12:26 +0000 Subject: [PATCH 25/60] regen --- doc/arm/Bv9ARM.ch06.html | 90 ++++++++------ doc/arm/Bv9ARM.ch07.html | 14 +-- doc/arm/Bv9ARM.ch08.html | 18 +-- doc/arm/Bv9ARM.ch09.html | 180 +++++++++++++-------------- doc/arm/Bv9ARM.html | 42 +++---- doc/arm/man.dig.html | 20 +-- doc/arm/man.dnssec-dsfromkey.html | 16 +-- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 14 +-- doc/arm/man.dnssec-signzone.html | 12 +- doc/arm/man.host.html | 10 +- doc/arm/man.named-checkconf.html | 12 +- doc/arm/man.named-checkzone.html | 12 +- doc/arm/man.named.html | 16 +-- doc/arm/man.nsupdate.html | 14 +-- doc/arm/man.rndc-confgen.html | 12 +- doc/arm/man.rndc.conf.html | 12 +- doc/arm/man.rndc.html | 12 +- 18 files changed, 267 insertions(+), 251 deletions(-) 
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 5ab9621e1e..f5322bb72a 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -78,25 +78,25 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -4638,7 +4638,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; file.

-clients-per-query, max-clients-per-query +clients-per-query, max-clients-per-query

These set the @@ -5127,7 +5127,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -5178,7 +5178,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5187,7 +5187,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -5246,7 +5246,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-view Statement Definition and Usage

+view Statement Definition and Usage

The view statement is a powerful feature @@ -5512,10 +5512,10 @@ zone zone_name [

-zone Statement Definition and Usage

+zone Statement Definition and Usage

-Zone Types

+Zone Types
@@ -5724,7 +5724,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -5746,7 +5746,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -6321,7 +6321,7 @@ zone zone_name [

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -6334,7 +6334,7 @@ zone zone_name [

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7071,7 +7071,7 @@ zone zone_name [

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7274,7 +7274,7 @@ zone zone_name [

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -7530,7 +7530,7 @@ zone zone_name [

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -7591,7 +7591,7 @@ zone zone_name [

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -7606,7 +7606,7 @@ zone zone_name [

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -7617,7 +7617,7 @@ zone zone_name [

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -7646,7 +7646,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -7682,7 +7682,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -7701,7 +7701,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -8125,7 +8125,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
@@ -8542,10 +8542,18 @@ HOST-127.EXAMPLE. MX 0 . @@ -8666,7 +8682,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

- Queries for which the server + Recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped. + This is the number of dropped queries due to + the reason explained with the + clients-per-query + and + max-clients-per-query + options + (see the description about + clients-per-query.) This corresponds to the dropped counter of previous versions of @@ -8567,6 +8575,14 @@ HOST-127.EXAMPLE. MX 0 . failure counter of previous versions of BIND 9. + Note: this counter is provided mainly for + backward compatibility with the previous versions. + Normally a more fine-grained counters such as + AuthQryRej and + RecQryRej + that would also fall into this counter are provided, + and so this counter would not be of much + interest in practice.

@@ -8820,7 +8836,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -9196,7 +9212,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -9351,7 +9367,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 881d076fc7..1f7f4e3663 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -119,7 +119,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -145,7 +145,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -173,7 +173,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 6f21f57f0b..4d2c6a5955 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,18 +45,18 @@

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a34b9cb726..ed67cb5474 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,21 +45,21 @@

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -162,7 +162,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -268,42 +268,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -312,19 +312,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -332,146 +332,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -487,47 +487,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -541,39 +541,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -594,14 +594,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 1a40109122..4b1476c106 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -157,25 +157,25 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -184,31 +184,31 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
I. Manual pages
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index b63ac1d871..f7fd5ca15d 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -144,7 +144,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -248,7 +248,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 42f56fd585..07bf300115 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -99,7 +99,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -114,7 +114,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -128,13 +128,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -143,7 +143,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index d37c245aea..81890d3275 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -131,7 +131,7 @@
-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -172,7 +172,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -182,7 +182,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 5a67b3ae63..16e0a15d2f 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -166,7 +166,7 @@
-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -212,7 +212,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -233,7 +233,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -242,7 +242,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 53eebb62b2..c048690c17 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -276,7 +276,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -305,14 +305,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 8afa9d396f..4a2b808a50 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index bf0d1adca3..2015f13e8e 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@

named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-

OPTIONS

+

OPTIONS

-h

@@ -92,21 +92,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2e40e30830..f46b38e9a7 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} (unknown)

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -257,14 +257,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 71fdb1caa6..e0680fec09 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -238,7 +238,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -268,7 +268,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -281,7 +281,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -294,7 +294,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 9841b5a302..f7feae0beb 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -187,7 +187,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -451,7 +451,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -505,7 +505,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -524,7 +524,7 @@

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -537,7 +537,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 603c8a7b10..bc12fb2650 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -171,7 +171,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 7c761e9b02..ce0db08abc 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index eb487955cb..4662c60b6a 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From ca23cf7e28b9799436c9950ea269953e29dfde16 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 16 Mar 2009 23:41:21 +0000 Subject: [PATCH 26/60] 2578. [bug] Changed default sig-signing-type to 65534, because 65535 turns out to be reserved. [RT #19477] --- CHANGES | 3 +++ bin/named/config.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index e368be02b2..24a79b384c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2578. [bug] Changed default sig-signing-type to 65534, because + 65535 turns out to be reserved. [RT #19477] + 2577. [doc] Clarified some statistics counters. [RT #19454] 2576. [bug] NSEC record were not being correctly signed when diff --git a/bin/named/config.c b/bin/named/config.c index 532b0f944a..a5d70bee0c 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.95 2009/03/05 23:47:35 tbox Exp $ */ +/* $Id: config.c,v 1.96 2009/03/16 23:41:21 each Exp $ */ /*! \file */ @@ -183,7 +183,7 @@ options {\n\ sig-validity-interval 30; /* days */\n\ sig-signing-nodes 100;\n\ sig-signing-signatures 10;\n\ - sig-signing-type 65535;\n\ + sig-signing-type 65534;\n\ zone-statistics false;\n\ max-journal-size unlimited;\n\ ixfr-from-differences false;\n\ From 72dbc7216aae3626a66e6154443be219f5edcaf0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Mar 2009 01:34:28 +0000 Subject: [PATCH 27/60] 2579. [bug] DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479] --- CHANGES | 3 ++ lib/dns/validator.c | 79 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 70 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 24a79b384c..c043775db6 100644 --- a/CHANGES +++ b/CHANGES 
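Review bot: The new default `sig-signing-type 65534;\n\` carries no hint of why 65535 was abandoned, so a later tidy-up of this defaults block could put it back; the reason currently lives only in the CHANGES entry. A trailing comment in the style already used on the `sig-validity-interval 30; /* days */\n\` line above would keep the reason next to the value, e.g. `sig-signing-type 65534; /* 65535 is a reserved type */\n\`. Whether the configuration checker also rejects an explicit 65535 is outside this hunk.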
@@ -1,4 +1,7 @@ 2578. [bug] Changed default sig-signing-type to 65534, because +2579. [bug] DNSSEC lookaside validation failed to handle unknown + algorithms. [RT #19479] + 65535 turns out to be reserved. [RT #19477] 2577. [doc] Clarified some statistics counters. [RT #19454] diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 0c9477de7d..de3ae35c9a 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.170 2009/03/01 02:45:38 each Exp $ */ +/* $Id: validator.c,v 1.171 2009/03/17 01:34:28 marka Exp $ */ #include @@ -218,6 +218,37 @@ exit_check(dns_validator_t *val) { return (ISC_TRUE); } +/* + * Check that we have atleast one supported algorithm in the DLV RRset. + */ +static inline isc_boolean_t +dlv_algorithm_supported(dns_validator_t *val) { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_dlv_t dlv; + isc_result_t result; + + for (result = dns_rdataset_first(&val->dlv); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&val->dlv)) { + dns_rdata_reset(&rdata); + dns_rdataset_current(&val->dlv, &rdata); + result = dns_rdata_tostruct(&rdata, &dlv, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + if (!dns_resolver_algorithm_supported(val->view->resolver, + val->event->name, + dlv.algorithm)) + continue; + + if (dlv.digest_type != DNS_DSDIGEST_SHA256 && + dlv.digest_type != DNS_DSDIGEST_SHA1) + continue; + + return (ISC_TRUE); + } + return (ISC_FALSE); +} + /*% * Look in the NSEC record returned from a DS query to see if there is * a NS RRset at this name. If it is found we are at a delegation point. 
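Review bot: In `dlv_algorithm_supported` the variable `result` does double duty as the loop control returned by `dns_rdataset_first`/`dns_rdataset_next` and as the status of `dns_rdata_tostruct`, and only the `RUNTIME_CHECK` that follows keeps the loop condition meaningful; a dedicated variable makes that independence explicit: `isc_result_t tresult = dns_rdata_tostruct(&rdata, &dlv, NULL);` followed by `RUNTIME_CHECK(tresult == ISC_R_SUCCESS);`. The header comment should also say what the function decides, not just that it checks something, e.g. `/* Return ISC_TRUE if at least one DLV record in val->dlv uses a signing algorithm the resolver supports and a SHA-1 or SHA-256 digest; the caller treats ISC_FALSE as "no usable DLV" */`, and "atleast" is a typo. The accepted digest types are hard-coded here as a two-entry list; if a second digest list exists elsewhere in the file it should be the single source, which I cannot confirm from this hunk.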
@@ -2963,19 +2994,36 @@ dlvfetched(isc_task_t *task, isc_event_t *event) { sizeof(namebuf)); dns_rdataset_clone(&val->frdataset, &val->dlv); val->havedlvsep = ISC_TRUE; - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); - dlv_validator_start(val); + if (dlv_algorithm_supported(val)) { + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", + namebuf); + dlv_validator_start(val); + } else { + validator_log(val, ISC_LOG_DEBUG(3), + "DLV %s found with no supported algorithms", + namebuf); + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + } } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NXDOMAIN || eresult == DNS_R_NCACHENXRRSET || eresult == DNS_R_NCACHENXDOMAIN) { - result = finddlvsep(val, ISC_TRUE); + result = finddlvsep(val, ISC_TRUE); if (result == ISC_R_SUCCESS) { - dns_name_format(dns_fixedname_name(&val->dlvsep), - namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", - namebuf); - dlv_validator_start(val); + if (dlv_algorithm_supported(val)) { + dns_name_format(dns_fixedname_name(&val->dlvsep), + namebuf, sizeof(namebuf)); + validator_log(val, ISC_LOG_DEBUG(3), + "DLV %s found", namebuf); + dlv_validator_start(val); + } else { + validator_log(val, ISC_LOG_DEBUG(3), + "DLV %s found with no supported " + "algorithms", namebuf); + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + } } else if (result == ISC_R_NOTFOUND) { validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); markanswer(val); 
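Review bot: In the `finddlvsep` branch the `dns_name_format` call was placed inside the `if (dlv_algorithm_supported(val))` arm, so the new else arm logs `namebuf` for a name that was never formatted on this path; from the visible lines nothing earlier in this branch fills `namebuf` (the format call in the `eresult == ISC_R_SUCCESS` branch runs only there), so the "DLV %s found with no supported algorithms" message would print stale or uninitialized buffer contents. Hoist the two lines `dns_name_format(dns_fixedname_name(&val->dlvsep),` / `namebuf, sizeof(namebuf));` to just after `if (result == ISC_R_SUCCESS) {` so both arms share them. dlvfetched's body begins and continues outside the hunk.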
@@ -3038,9 +3086,16 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) { } dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); - dlv_validator_start(val); - return (DNS_R_WAIT); + if (dlv_algorithm_supported(val)) { + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); + dlv_validator_start(val); + return (DNS_R_WAIT); + } + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported " + "algorithms", namebuf); + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } /*% From f2e6839b8afaf5ba545f1f978c770fba304bcd0a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Mar 2009 02:09:44 +0000 Subject: [PATCH 28/60] mis-aplied hunk --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index c043775db6..eaac2ef29d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,7 @@ -2578. [bug] Changed default sig-signing-type to 65534, because 2579. [bug] DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479] +2578. [bug] Changed default sig-signing-type to 65534, because 65535 turns out to be reserved. [RT #19477] 2577. [doc] Clarified some statistics counters. [RT #19454] From 8e3d340655954c2331abc46c444986d5c93d98be Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 17 Mar 2009 23:48:02 +0000 Subject: [PATCH 29/60] update copyright notice --- lib/dns/validator.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/validator.c b/lib/dns/validator.c index de3ae35c9a..26aa60c3b9 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.171 2009/03/17 01:34:28 marka Exp $ */ +/* $Id: validator.c,v 1.172 2009/03/17 23:48:02 tbox Exp $ */ #include 
@@ -3090,7 +3090,7 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) { validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); dlv_validator_start(val); return (DNS_R_WAIT); - } + } validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported " "algorithms", namebuf); markanswer(val); From 3af7cd2661b84f1a27bfc78e55e2ab09d2133ac8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Wed, 18 Mar 2009 22:17:24 +0000 Subject: [PATCH 30/60] 2580. [bug] UpdateRej statistics counter could be incremented twice for one rejection. [RT #19476] --- CHANGES | 3 +++ bin/named/update.c | 5 +---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index eaac2ef29d..92f58b6194 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2580. [bug] UpdateRej statistics counter could be incremented twice + for one rejection. [RT #19476] + 2579. [bug] DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479] diff --git a/bin/named/update.c b/bin/named/update.c index f5aa6f50e2..50268e9737 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.155 2009/01/27 22:29:58 jinmei Exp $ */ +/* $Id: update.c,v 1.156 2009/03/18 22:17:24 jinmei Exp $ */ #include @@ -4126,9 +4126,6 @@ update_action(isc_task_t *task, isc_event_t *event) { goto common; failure: - if (result == DNS_R_REFUSED) - inc_stats(zone, dns_nsstatscounter_updaterej); - /* * The reason for failure should have been logged at this point. */ From a2b615f7e8e356138389c97577e552e4bd843b66 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 23 Mar 2009 14:45:35 +0000 Subject: [PATCH 31/60] new draft --- ...draft-ietf-dnsext-dnssec-rsasha256-12.txt} | 68 +++++++++---------- 1 file changed, 34 insertions(+), 34 deletions(-) rename doc/draft/{draft-ietf-dnsext-dnssec-rsasha256-11.txt => draft-ietf-dnsext-dnssec-rsasha256-12.txt} (86%) 
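Review bot: The `failure:` label in update_action now drops the `inc_stats(zone, dns_nsstatscounter_updaterej)` call, and nothing in the hunk shows where the remaining increment lives; the commit message says there was a second one, which I cannot confirm from here. A short comment at the label, `/* UpdateRej is counted where the update is refused, not here (RT #19476). */`, would keep the next reader from re-adding it. Because operators rely on this counter to notice rejected update attempts, a regression test that sends one refused update and checks the counter advances by exactly one would pin the fix in both directions. update_action's body starts and continues outside the hunk.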
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-11.txt b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-12.txt similarity index 86% rename from doc/draft/draft-ietf-dnsext-dnssec-rsasha256-11.txt rename to doc/draft/draft-ietf-dnsext-dnssec-rsasha256-12.txt index 2abe832363..bda1bcce5a 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-11.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-12.txt @@ -3,13 +3,13 @@ DNS Extensions working group J. Jansen Internet-Draft NLnet Labs -Intended status: Standards Track February 27, 2009 -Expires: August 31, 2009 +Intended status: Standards Track March 23, 2009 +Expires: September 24, 2009 Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC - draft-ietf-dnsext-dnssec-rsasha256-11 + draft-ietf-dnsext-dnssec-rsasha256-12 Status of this Memo @@ -32,7 +32,7 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 31, 2009. + This Internet-Draft will expire on September 24, 2009. Copyright Notice @@ -52,9 +52,9 @@ Abstract -Jansen Expires August 31, 2009 [Page 1] +Jansen Expires September 24, 2009 [Page 1] -Internet-Draft DNSSEC RSA/SHA-2 February 2009 +Internet-Draft DNSSEC RSA/SHA-2 March 2009 Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). @@ -108,9 +108,9 @@ Table of Contents -Jansen Expires August 31, 2009 [Page 2] +Jansen Expires September 24, 2009 [Page 2] -Internet-Draft DNSSEC RSA/SHA-2 February 2009 +Internet-Draft DNSSEC RSA/SHA-2 March 2009 1. Introduction @@ -164,9 +164,9 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 -Jansen Expires August 31, 2009 [Page 3] +Jansen Expires September 24, 2009 [Page 3] -Internet-Draft DNSSEC RSA/SHA-2 February 2009 +Internet-Draft DNSSEC RSA/SHA-2 March 2009 2.2. RSA/SHA-512 DNSKEY Resource Records 
@@ -220,9 +220,9 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 -Jansen Expires August 31, 2009 [Page 4] +Jansen Expires September 24, 2009 [Page 4] -Internet-Draft DNSSEC RSA/SHA-2 February 2009 +Internet-Draft DNSSEC RSA/SHA-2 March 2009 3.2. RSA/SHA-512 RRSIG Resource Records @@ -250,8 +250,8 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 In this family of signing algorithms, the size of signatures is related to the size of the key, and not the hashing algorithm used in the signing process. Therefore, RRSIG resource records produced with - RSA/SHA256 or RSA/SHA512 will have the same size as those produced - with RSA/SHA1, if the keys have the same length. + RSA/SHA-256 or RSA/SHA-512 will have the same size as those produced + with RSA/SHA-1, if the keys have the same length. 5. Implementation Considerations @@ -264,10 +264,10 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 5.2. Support for NSEC3 Denial of Existence - RFC5155 [RFC5155] defines new algorithm identifiers for existing + RFC 5155 [RFC5155] defines new algorithm identifiers for existing signing algorithms, to indicate that zones signed with these - algorithm identifiers use NSEC3 instead of NSEC records to provide - denial of existence. That mechanism was chosen to protect + algorithm identifiers can use NSEC3 as well as NSEC records to + provide denial of existence. That mechanism was chosen to protect implementations predating RFC5155 from encountering resource records they could not know about. This document does not define such algorithm aliases, and support for NSEC3 denial of existence is 
@@ -276,22 +276,22 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 -Jansen Expires August 31, 2009 [Page 5] +Jansen Expires September 24, 2009 [Page 5] -Internet-Draft DNSSEC RSA/SHA-2 February 2009 +Internet-Draft DNSSEC RSA/SHA-2 March 2009 5.2.1. NSEC3 in Authoritative servers An authoritative server that does not implement NSEC3 MAY still serve - zones that use RSA/SHA2 with NSEC denial of existence. + zones that use RSA/SHA-2 with NSEC denial of existence. 5.2.2. NSEC3 in Validators - A DNSSEC validator that implements RSA/SHA2 MUST be able to handle + A DNSSEC validator that implements RSA/SHA-2 MUST be able to handle both NSEC and NSEC3 [RFC5155] negative answers. If this is not the - case, the validator MUST treat a zone signed with RSA/SHA256 or RSA/ - SHA512 as signed with an unknown algorithm, and thus as insecure. + case, the validator MUST treat a zone signed with RSA/SHA-256 or RSA/ + SHA-512 as signed with an unknown algorithm, and thus as insecure. 6. IANA Considerations @@ -301,11 +301,13 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 (http://www.iana.org/assignments/dns-sec-alg-numbers). The following entries are added to the registry: - Zone - Value Algorithm Mnemonic Signing References - {TBA1} RSA/SHA-256 RSASHA256 y {this memo} - {TBA2} RSA/SHA-512 RSASHA512 y {this memo} + Zone Trans. + Value Description Mnemonic Signing Sec. References + {TBA1} RSA/SHA-256 RSASHA256 y * {this memo} + {TBA2} RSA/SHA-512 RSASHA512 y * {this memo} + * There has been no determination of standardization of the use of this + algorithm with Transaction Security. 7. Security Considerations @@ -330,11 +332,9 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 - - -Jansen Expires August 31, 2009 [Page 6] +Jansen Expires September 24, 2009 [Page 6] -Internet-Draft DNSSEC RSA/SHA-2 February 2009 +Internet-Draft DNSSEC RSA/SHA-2 March 2009 7.2. Signature Type Downgrade Attacks 
@@ -388,9 +388,9 @@ Internet-Draft DNSSEC RSA/SHA-2 February 2009 -Jansen Expires August 31, 2009 [Page 7] +Jansen Expires September 24, 2009 [Page 7] -Internet-Draft DNSSEC RSA/SHA-2 February 2009 +Internet-Draft DNSSEC RSA/SHA-2 March 2009 9.2. Informative References @@ -444,5 +444,5 @@ Author's Address -Jansen Expires August 31, 2009 [Page 8] +Jansen Expires September 24, 2009 [Page 8] From 8c5482b3ea502276bff2ce66b3de7265c81e8b37 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 23 Mar 2009 21:59:56 +0000 Subject: [PATCH 32/60] Corrected install rule to install arpaname.1 not arpaname.8 --- bin/tools/Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in index fa82cd8df4..e47fd0f197 100644 --- a/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in @@ -12,7 +12,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.4 2009/03/04 01:30:27 marka Exp $ +# $Id: Makefile.in,v 1.5 2009/03/23 21:59:56 each Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -78,7 +78,7 @@ install:: journalprint@EXEEXT@ nsec3hash@EXEEXT@ installdirs ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} journalprint@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir} - ${INSTALL_DATA} ${srcdir}/arpaname.8 ${DESTDIR}${mandir}/man1 + ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1 ${INSTALL_DATA} ${srcdir}/journalprint.8 ${DESTDIR}${mandir}/man8 ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8 ${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8 From 6b9728dde7c7ca15b19ea65ae35d9425c0d340ca Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Mon, 23 Mar 2009 22:30:57 +0000 Subject: [PATCH 33/60] ARM and log message changes to clarify "insecure response". [rt19400] --- doc/arm/Bv9ARM-book.xml | 58 +++++++++++++++++++++++++++++++++-------- lib/dns/validator.c | 4 +-- 2 files changed, 49 insertions(+), 13 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 0c5215bbc7..de2e3650bf 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -2445,14 +2445,17 @@ allow-update { key host1-host2. ;}; To enable named to respond appropriately to DNS requests from DNSSEC aware clients, dnssec-enable must be set to yes. + (This is the default setting.) To enable named to validate answers from - other servers both dnssec-enable and - dnssec-validation must be set and some - trusted-keys must be configured - into named.conf. + other servers, the dnssec-enable and + dnssec-validation options must both be + set to yes (the default setting in BIND 9.5 + and later), and at least one trust anchor must be configured + with a trusted-keys statement in + named.conf. 
@@ -2531,6 +2534,41 @@ options { the root key is not valid. + + When DNSSEC validation is enabled and properly configured, + the resolver will reject any answers from signed, secure zones + which fail to validate, and will return SERVFAIL to the client. + + + + Responses may fail to validate for any of several reasons, + including missing, expired, or invalid signatures, a key which + does not match the DS RRset in the parent zone, or an insecure + response from a zone which, according to its parent, should have + been secure. + + + + + When the validator receives a response from an unsigned zone + that has a signed parent, it must confirm with the parent + that the zone was intentionally left unsigned. It does + this by verifying, via signed and validated NSEC/NSEC3 records, + that the parent zone contains no DS records for the child. + + + If the validator can prove that the zone + is insecure, then the response is accepted. However, if it + cannot, then it must assume an insecure response to be a + forgery; it rejects the response and logs an error. + + + The logged error reads "insecurity proof failed" and + "got insecure response; parent indicates it should be secure". + (Prior to BIND 9.7, the logged error was "not insecure". + This referred to the zone, not the response.) + + @@ -2539,10 +2577,9 @@ options { BIND 9 fully supports all currently - defined forms of IPv6 - name to address and address to name lookups. It will also use - IPv6 addresses to make queries when running on an IPv6 capable - system. + defined forms of IPv6 name to address and address to name + lookups. It will also use IPv6 addresses to make queries when + running on an IPv6 capable system. @@ -4325,8 +4362,7 @@ category notify { null; }; Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to - query - those servers during resolution. + query those servers during resolution. 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 26aa60c3b9..62cc7246f6 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.172 2009/03/17 23:48:02 tbox Exp $ */ +/* $Id: validator.c,v 1.173 2009/03/23 22:30:57 each Exp $ */ #include @@ -3558,7 +3558,7 @@ validator_start(isc_task_t *task, isc_event_t *event) { if (result != DNS_R_NOTINSECURE) validator_log(val, ISC_LOG_INFO, "got insecure response; " - "could not prove it was valid"); + "parent indicates it should be secure"); } else if (val->event->rdataset == NULL && val->event->sigrdataset == NULL) { From cbf7f1435f332b31f51a98611ccbfcd07c42c032 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 24 Mar 2009 01:12:41 +0000 Subject: [PATCH 34/60] regen --- doc/arm/Bv9ARM.ch04.html | 66 +++++++--- doc/arm/Bv9ARM.ch05.html | 6 +- doc/arm/Bv9ARM.ch06.html | 153 +++++++++++------------ doc/arm/Bv9ARM.ch07.html | 14 +-- doc/arm/Bv9ARM.ch08.html | 18 +-- doc/arm/Bv9ARM.ch09.html | 180 +++++++++++++-------------- doc/arm/Bv9ARM.html | 78 ++++++------ doc/arm/man.dig.html | 20 +-- doc/arm/man.dnssec-dsfromkey.html | 16 +-- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 14 +-- doc/arm/man.dnssec-signzone.html | 12 +- doc/arm/man.host.html | 10 +- doc/arm/man.named-checkconf.html | 12 +- doc/arm/man.named-checkzone.html | 12 +- doc/arm/man.named.html | 16 +-- doc/arm/man.nsupdate.html | 14 +-- doc/arm/man.rndc-confgen.html | 12 +- doc/arm/man.rndc.conf.html | 12 +- doc/arm/man.rndc.html | 12 +- 20 files changed, 362 insertions(+), 327 deletions(-) diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index bbd3d22160..9408b9f565 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -68,10 +68,10 @@
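Review bot: The new text "parent indicates it should be secure" is logged for every `result` other than DNS_R_NOTINSECURE, and the hunk does not show which results can reach this branch; if anything besides a failed insecurity proof (a resolver or memory failure, say) lands here, the message would assert a cause the code has not established. Including the result in the message, e.g. a `(%s)` in the format with `isc_result_totext(result)` as the extra argument, lets whoever is triaging the log tell the two apart; the ARM text in this commit quotes the message verbatim, so it would need the same edit. validator_start starts and continues outside the hunk.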
Signing the Zone
Configuring Servers
-
IPv6 Support in BIND 9
+
IPv6 Support in BIND 9
-
Address Lookups Using AAAA Records
-
Address to Name Lookups Using Nibble Format
+
Address Lookups Using AAAA Records
+
Address to Name Lookups Using Nibble Format
@@ -857,13 +857,16 @@ allow-update { key host1-host2. ;}; To enable named to respond appropriately to DNS requests from DNSSEC aware clients, dnssec-enable must be set to yes. + (This is the default setting.)

To enable named to validate answers from - other servers both dnssec-enable and - dnssec-validation must be set and some - trusted-keys must be configured - into named.conf. + other servers, the dnssec-enable and + dnssec-validation options must both be + set to yes (the default setting in BIND 9.5 + and later), and at least one trust anchor must be configured + with a trusted-keys statement in + named.conf.

trusted-keys are copies of DNSKEY RRs @@ -936,17 +939,50 @@ options { None of the keys listed in this example are valid. In particular, the root key is not valid. +

+ When DNSSEC validation is enabled and properly configured, + the resolver will reject any answers from signed, secure zones + which fail to validate, and will return SERVFAIL to the client. +

+

+ Responses may fail to validate for any of several reasons, + including missing, expired, or invalid signatures, a key which + does not match the DS RRset in the parent zone, or an insecure + response from a zone which, according to its parent, should have + been secure. +

+
+

Note

+

+ When the validator receives a response from an unsigned zone + that has a signed parent, it must confirm with the parent + that the zone was intentionally left unsigned. It does + this by verifying, via signed and validated NSEC/NSEC3 records, + that the parent zone contains no DS records for the child. +

+

+ If the validator can prove that the zone + is insecure, then the response is accepted. However, if it + cannot, then it must assume an insecure response to be a + forgery; it rejects the response and logs an error. +

+

+ The logged error reads "insecurity proof failed" and + "got insecure response; parent indicates it should be secure". + (Prior to BIND 9.7, the logged error was "not insecure". + This referred to the zone, not the response.) +

+

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

BIND 9 fully supports all currently - defined forms of IPv6 - name to address and address to name lookups. It will also use - IPv6 addresses to make queries when running on an IPv6 capable - system. + defined forms of IPv6 name to address and address to name + lookups. It will also use IPv6 addresses to make queries when + running on an IPv6 capable system.

For forward lookups, BIND 9 supports @@ -979,7 +1015,7 @@ options {

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire @@ -998,7 +1034,7 @@ host 3600 IN AAAA 2001:db8::1

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 1a91b33f3c..f4edcbbc73 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,13 +45,13 @@

-The Lightweight Resolver Library

+The Lightweight Resolver Library

Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index f5322bb72a..16ead48b74 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,55 +48,55 @@

Configuration File Elements
Address Match Lists
-
Comment Syntax
+
Comment Syntax
Configuration File Grammar
-
acl Statement Grammar
+
acl Statement Grammar
acl Statement Definition and Usage
-
controls Statement Grammar
+
controls Statement Grammar
controls Statement Definition and Usage
-
include Statement Grammar
-
include Statement Definition and +
include Statement Grammar
+
include Statement Definition and Usage
-
key Statement Grammar
-
key Statement Definition and Usage
-
logging Statement Grammar
-
logging Statement Definition and +
key Statement Grammar
+
key Statement Definition and Usage
+
logging Statement Grammar
+
logging Statement Definition and Usage
-
lwres Statement Grammar
-
lwres Statement Definition and Usage
-
masters Statement Grammar
-
masters Statement Definition and +
lwres Statement Grammar
+
lwres Statement Definition and Usage
+
masters Statement Grammar
+
masters Statement Definition and Usage
-
options Statement Grammar
+
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -461,7 +461,7 @@ Address Match Lists

-Syntax

+Syntax
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -470,7 +470,7 @@
 
 

-Definition and Usage

+Definition and Usage

Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -554,7 +554,7 @@

-Comment Syntax

+Comment Syntax

The BIND 9 comment syntax allows for comments to appear @@ -564,7 +564,7 @@

-Syntax

+Syntax

/* This is a BIND comment as in C */
@@ -579,7 +579,7 @@

-Definition and Usage

+Definition and Usage

Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -820,7 +820,7 @@

-acl Statement Grammar

+acl Statement Grammar
acl acl-name {
     address_match_list
 };
@@ -902,7 +902,7 @@
 
 

-controls Statement Grammar

+controls Statement Grammar
controls {
    [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys { key_list }; ]
@@ -1024,12 +1024,12 @@
 
 

-include Statement Grammar

+include Statement Grammar
include filename;

-include Statement Definition and +include Statement Definition and Usage

The include statement inserts the @@ -1044,7 +1044,7 @@

-key Statement Grammar

+key Statement Grammar
key key_id {
     algorithm string;
     secret string;
@@ -1053,7 +1053,7 @@
 
 

-key Statement Definition and Usage

+key Statement Definition and Usage

The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1100,7 +1100,7 @@

-logging Statement Grammar

+logging Statement Grammar
logging {
    [ channel channel_name {
      ( file path_name
@@ -1124,7 +1124,7 @@
 
 

-logging Statement Definition and +logging Statement Definition and Usage

The logging statement configures a @@ -1158,7 +1158,7 @@

-The channel Phrase

+The channel Phrase

All log output goes to one or more channels; you can make as many of them as you want. @@ -1667,8 +1667,7 @@ category notify { null; };

Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to - query - those servers during resolution. + query those servers during resolution.

@@ -1725,7 +1724,7 @@ category notify { null; };

-The query-errors Category

+The query-errors Category

The query-errors category is specifically intended for debugging purposes: To identify @@ -1945,7 +1944,7 @@ category notify { null; };

-lwres Statement Grammar

+lwres Statement Grammar

This is the grammar of the lwres statement in the named.conf file: @@ -1960,7 +1959,7 @@ category notify { null; };

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

The lwres statement configures the name @@ -2011,14 +2010,14 @@ category notify { null; };

-masters Statement Grammar

+masters Statement Grammar
 masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] };
 

-masters Statement Definition and +masters Statement Definition and Usage

masters lists allow for a common set of masters to be easily used by @@ -2027,7 +2026,7 @@ category notify { null; };

-options Statement Grammar

+options Statement Grammar

This is the grammar of the options statement in the named.conf file: @@ -3252,7 +3251,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3296,7 +3295,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -3493,7 +3492,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -3945,7 +3944,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -3987,7 +3986,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4149,7 +4148,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Periodic Task Intervals

+Periodic Task Intervals
cleaning-interval

@@ -5127,7 +5126,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -5178,7 +5177,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5187,7 +5186,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -5246,7 +5245,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-view Statement Definition and Usage

+view Statement Definition and Usage

The view statement is a powerful feature @@ -5512,10 +5511,10 @@ zone zone_name [

-zone Statement Definition and Usage

+zone Statement Definition and Usage

-Zone Types

+Zone Types
@@ -5724,7 +5723,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -5746,7 +5745,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -6321,7 +6320,7 @@ zone zone_name [

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -6334,7 +6333,7 @@ zone zone_name [

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7071,7 +7070,7 @@ zone zone_name [

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7274,7 +7273,7 @@ zone zone_name [

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -7530,7 +7529,7 @@ zone zone_name [

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -7591,7 +7590,7 @@ zone zone_name [

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -7606,7 +7605,7 @@ zone zone_name [

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -7617,7 +7616,7 @@ zone zone_name [

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -7646,7 +7645,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -7682,7 +7681,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -7701,7 +7700,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -8125,7 +8124,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
@@ -8682,7 +8681,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters
@@ -8836,7 +8835,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -9212,7 +9211,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -9367,7 +9366,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 1f7f4e3663..05f6b4495a 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -119,7 +119,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -145,7 +145,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -173,7 +173,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 4d2c6a5955..459a1b1ac2 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,18 +45,18 @@

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index ed67cb5474..b645b77cd2 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,21 +45,21 @@

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -162,7 +162,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -268,42 +268,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -312,19 +312,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -332,146 +332,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -487,47 +487,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -541,39 +541,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -594,14 +594,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 4b1476c106..73d490bb7f 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -111,15 +111,15 @@
Signing the Zone
Configuring Servers
-
IPv6 Support in BIND 9
+
IPv6 Support in BIND 9
-
Address Lookups Using AAAA Records
-
Address to Name Lookups Using Nibble Format
+
Address Lookups Using AAAA Records
+
Address to Name Lookups Using Nibble Format
5. The BIND 9 Lightweight Resolver
-
The Lightweight Resolver Library
+
The Lightweight Resolver Library
Running a Resolver Daemon
6. BIND 9 Configuration Reference
@@ -127,55 +127,55 @@
Configuration File Elements
Address Match Lists
-
Comment Syntax
+
Comment Syntax
Configuration File Grammar
-
acl Statement Grammar
+
acl Statement Grammar
acl Statement Definition and Usage
-
controls Statement Grammar
+
controls Statement Grammar
controls Statement Definition and Usage
-
include Statement Grammar
-
include Statement Definition and +
include Statement Grammar
+
include Statement Definition and Usage
-
key Statement Grammar
-
key Statement Definition and Usage
-
logging Statement Grammar
-
logging Statement Definition and +
key Statement Grammar
+
key Statement Definition and Usage
+
logging Statement Grammar
+
logging Statement Definition and Usage
-
lwres Statement Grammar
-
lwres Statement Definition and Usage
-
masters Statement Grammar
-
masters Statement Definition and +
lwres Statement Grammar
+
lwres Statement Definition and Usage
+
masters Statement Grammar
+
masters Statement Definition and Usage
-
options Statement Grammar
+
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -184,31 +184,31 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
I. Manual pages
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index f7fd5ca15d..51c1bd19ec 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -144,7 +144,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -248,7 +248,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 07bf300115..917a1e697c 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -99,7 +99,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -114,7 +114,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -128,13 +128,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -143,7 +143,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 81890d3275..01432ce472 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -131,7 +131,7 @@
-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -172,7 +172,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -182,7 +182,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 16e0a15d2f..fd5e8fa6d0 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -166,7 +166,7 @@
-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -212,7 +212,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -233,7 +233,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -242,7 +242,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index c048690c17..3fc0df4fa0 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -276,7 +276,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -305,14 +305,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 4a2b808a50..7f0cf0e515 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 2015f13e8e..076b908505 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@

named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-

OPTIONS

+

OPTIONS

-h

@@ -92,21 +92,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index f46b38e9a7..be326ed682 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} (unknown)

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -257,14 +257,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index e0680fec09..ab306026e3 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -238,7 +238,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -268,7 +268,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -281,7 +281,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -294,7 +294,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index f7feae0beb..91e0a323d5 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -187,7 +187,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -451,7 +451,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -505,7 +505,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -524,7 +524,7 @@

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -537,7 +537,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index bc12fb2650..9b72438eef 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -171,7 +171,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index ce0db08abc..787c7dc895 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 4662c60b6a..139b2e6aec 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From 9384dc16a1f2c3022f50f2e1ce18a28204baaef7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 26 Mar 2009 17:40:15 +0000 Subject: [PATCH 35/60] 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. Requires MySQL 5.0.19 or later. [RT #19084] --- CHANGES | 3 +++ contrib/dlz/drivers/dlz_mysql_driver.c | 14 ++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/CHANGES b/CHANGES index 92f58b6194..ecbe7988fe 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. + Requires MySQL 5.0.19 or later. [RT #19084] + 2580. [bug] UpdateRej statistics counter could be incremented twice for one rejection. [RT #19476] diff --git a/contrib/dlz/drivers/dlz_mysql_driver.c b/contrib/dlz/drivers/dlz_mysql_driver.c index ea32d39ec6..5d2739b1dd 100644 --- a/contrib/dlz/drivers/dlz_mysql_driver.c +++ b/contrib/dlz/drivers/dlz_mysql_driver.c @@ -792,6 +792,9 @@ mysql_create(const char *dlzname, unsigned int argc, char *argv[], char *endp; int j; unsigned int flags = 0; +#ifdef MYSQL_OPT_RECONNECT + my_bool auto_reconnect = 1; +#endif UNUSED(driverarg); UNUSED(dlzname); @@ -923,6 +926,17 @@ mysql_create(const char *dlzname, unsigned int argc, char *argv[], pass = getParameterValue(argv[1], "pass="); socket = getParameterValue(argv[1], "socket="); +#ifdef MYSQL_OPT_RECONNECT + /* enable automatic reconnection. */ + if (mysql_options((MYSQL *) dbi->dbconn, MYSQL_OPT_RECONNECT, + &auto_reconnect) != 0) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, + DNS_LOGMODULE_DLZ, ISC_LOG_WARNING, + "mysql driver failed to set " + "MYSQL_OPT_RECONNECT option, continuing"); + } +#endif + for (j=0; dbc == NULL && j < 4; j++) dbc = mysql_real_connect((MYSQL *) dbi->dbconn, host, user, pass, dbname, port, socket, From 64e161a7f7f7f1692ccdf2400a81b471cf6ac508 Mon Sep 17 00:00:00 2001 
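Review bot: The `#ifdef MYSQL_OPT_RECONNECT` guard used in both dlz_mysql_driver.c hunks only tests that the option constant is defined, while the commit message states the feature requires MySQL 5.0.19 or later; if earlier 5.0.x client headers also define the constant, those builds would take the new path without the stated guarantee, so a guard such as `#if defined(MYSQL_OPT_RECONNECT) && MYSQL_VERSION_ID >= 50019` would tie the code to the requirement the commit actually documents. As far as I know an automatic reconnect also starts a fresh server session, so anything set per-session on the connection (character set, session variables, an open transaction) would not survive it; a comment at the mysql_options() call, `/* NOTE: a reconnect yields a fresh session; per-session state on dbconn is not preserved. */`, would make that visible to the next maintainer. The warn-and-continue fallback is reasonable, but it means a client library that rejects the option silently runs without reconnection, which operators reading the log at WARNING level should expect. mysql_create begins and ends outside both hunks.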
From: Mark Andrews Date: Thu, 26 Mar 2009 22:51:54 +0000 Subject: [PATCH 36/60] 2582. [bug] Don't emit warning log message when we attempt to remove non-existant journal. [RT #19516] --- CHANGES | 3 +++ lib/dns/zone.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index ecbe7988fe..05e0a1f48f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2582. [bug] Don't emit warning log message when we attempt to + remove non-existant journal. [RT #19516] + 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. Requires MySQL 5.0.19 or later. [RT #19084] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 12ad3f0f56..f8f44939fc 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.488 2009/03/13 01:35:18 marka Exp $ */ +/* $Id: zone.c,v 1.489 2009/03/26 22:51:54 marka Exp $ */ /*! \file */ @@ -9560,7 +9560,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3), "removing journal file"); - if (remove(zone->journal) < 0) { + if (remove(zone->journal) < 0 && errno != ENOENT) { char strbuf[ISC_STRERRORSIZE]; isc__strerror(errno, strbuf, sizeof(strbuf)); isc_log_write(dns_lctx, From f36bdaf5a7cbb029a8fe035fa9ade140bae98087 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 26 Mar 2009 23:30:36 +0000 Subject: [PATCH 37/60] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 8b5e888687..d1ae72b925 100644 --- a/util/copyrights +++ b/util/copyrights 
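Review bot: The ENOENT exemption at `if (remove(zone->journal) < 0 && errno != ENOENT) {` in zone.c is the right fix but carries no explanation, and the `removing journal file` debug message logged just above it is still emitted when there is no journal to remove. A one-line comment above the condition, `/* A journal that does not exist needs no removal; only report other failures. */`, would record the intent for the next reader. The enclosing function zone_replacedb starts and ends outside the hunk.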
@@ -960,7 +960,7 @@ ./contrib/dlz/drivers/dlz_drivers.c X 2005 ./contrib/dlz/drivers/dlz_filesystem_driver.c X 2005 ./contrib/dlz/drivers/dlz_ldap_driver.c X 2005 -./contrib/dlz/drivers/dlz_mysql_driver.c X 2005,2007 +./contrib/dlz/drivers/dlz_mysql_driver.c X 2005,2007,2009 ./contrib/dlz/drivers/dlz_odbc_driver.c X 2005 ./contrib/dlz/drivers/dlz_postgres_driver.c X 2005,2007 ./contrib/dlz/drivers/dlz_stub_driver.c X 2005 From 784d4017da5de015b18329630ac61d80fe472606 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 30 Mar 2009 21:41:19 +0000 Subject: [PATCH 38/60] new draft --- ... => draft-ietf-dnsext-axfr-clarify-11.txt} | 396 ++++++++++-------- 1 file changed, 216 insertions(+), 180 deletions(-) rename doc/draft/{draft-ietf-dnsext-axfr-clarify-10.txt => draft-ietf-dnsext-axfr-clarify-11.txt} (76%) diff --git a/doc/draft/draft-ietf-dnsext-axfr-clarify-10.txt b/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt similarity index 76% rename from doc/draft/draft-ietf-dnsext-axfr-clarify-10.txt rename to doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt index 59f7c65435..5278587ddb 100644 --- a/doc/draft/draft-ietf-dnsext-axfr-clarify-10.txt +++ b/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt 
@@ -1,36 +1,38 @@ -DNS Extensions Working Group Edward Lewis -INTERNET-DRAFT NeuStar, Inc. -Expires: July 1, 2009 January 2009 +DNS Extensions Working Group Edward Lewis +INTERNET-DRAFT NeuStar, Inc. +Expires: Octopber 1, 2009 April 2009 Updates: 1034, 1035 (if approved) Intended status: Standards Track DNS Zone Transfer Protocol (AXFR) - draft-ietf-dnsext-axfr-clarify-10.txt + draft-ietf-dnsext-axfr-clarify-11.txt Status of this Memo - This Internet-Draft is submitted to IETF in full conformance with the - provisions of BCP 78 and BCP 79. + This Internet-Draft is submitted to IETF in full conformance with the + provisions of BCP 78 and BCP 79. - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." 
- The list of current Internet-Drafts can be accessed at - http://www.ietf.org/1id-abstracts.html + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/1id-abstracts.html - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html + + This Internet-Draft will expire on October 1, 2009. Copyright Notice - Copyright (c) 2008 IETF Trust and the persons identified as the + Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal @@ -127,16 +129,6 @@ appeared on the access to an entire zone's contents. In this document, the basic mechanisms will be discussed separately from the permission to use these mechanisms. -1.4 Coverage - -This document concentrates on just the definition of AXFR. Any effort -to update the IXFR or NOTIFY mechanisms would be done in different -documents. This is not strictly a clarification of the definition in -RFC 1034 and RFC 1035. This document will update those sections, and -invalidate at least one part of that definition. The goal of this -document is to define AXFR as it exists, or is supposed to exist, -currently. - 1.4 Coverage and Relationship to Original AXFR Specification This document concentrates on just the definition of AXFR. Any effort 
@@ -149,13 +141,14 @@ depicts the scenario for which AXFR has been designed. Section 4.3.5 of RFC 1034 describes the zone synchronization strategies in general and rules for the invocation of a full zone transfer via AXFR; the fifth paragraph of that section contains a very short sketch of the -AXFR protocol. Section 3.2.3 of RFC 1035 has assigned the code point -for the AXFR QTYPE (see section 2.1.2 below for more details). -Section 4.2 of RFC 1035 discusses the transport layer use of DNS and -shortly explains why UDP transport is deemed inappropriate for AXFR; -the last paragraph of Section 4.2.2 gives details for the TCP -connection management with AXFR. Finally, the second paragraph of -Section 6.3 in RFC 1035 mandates server behavior when zone data +AXFR protocol; Section 5.5 of RFC 2181 has corrected a significant +flaw in that specification. Section 3.2.3 of RFC 1035 has assigned +the code point for the AXFR QTYPE (see section 2.1.2 below for more +details). Section 4.2 of RFC 1035 discusses the transport layer use +of DNS and shortly explains why UDP transport is deemed inappropriate +for AXFR; the last paragraph of Section 4.2.2 gives details for the +TCP connection management with AXFR. Finally, the second paragraph +of Section 6.3 in RFC 1035 mandates server behavior when zone data changes occur during an ongoing zone transfer using AXFR. This document will update the specification of AXFR in fully 
@@ -169,12 +162,12 @@ define AXFR as it exists, or is supposed to exist, currently. 2 AXFR Messages -An AXFR session consists of an exchange of a AXFR query message and a -set of AXFR response messages. In this document, the AXFR client is -the sender of the AXFR query and the AXFR server is the responder. -(Use of terms such as master, slave, primary, secondary are not -important to defining AXFR.) The use of the word "session" without -qualification refers to an AXFR session. +An AXFR session consists of an AXFR query message and the sequence of +AXFR response messages returned for it. In this document, the AXFR +client is the sender of the AXFR query and the AXFR server is the +responder. (Use of terms such as master, slave, primary, secondary +are not important to defining AXFR.) The use of the word "session" +without qualification refers to an AXFR session. An important aspect to keep in mind is that the definition of AXFR is restricted to TCP [RFC0793]. The design of the AXFR process has 
@@ -185,13 +178,26 @@ RFC 1035, Section 4 ("MESSAGES") [RFC1035], updated by the following: - "A Mechanism for Prompt Notification of Zone Changes (...)" [RFC1996] - "Domain Name System (DNS) IANA Considerations" [RFC5395] - "Dynamic Updates in the Domain Name System (DNS UPDATE)" [RFC2136] +- "Clarifications to the DNS Specification" [RFC2181] - "Extension Mechanisms for DNS (EDNS0)" [RFC2671] - "Secret Key Transaction Authentication for DNS (TSIG)" [RFC2845] - "Secret Key Establishment for DNS (TKEY RR)" [RFC2930] - "Obsoleting IQUERY" [RFC3425] - "Handling of Unknown DNS Resource Record (RR) Types" [RFC3597] +- "Resource Records for the DNS Security Extensions" [RFC4034] - "Protocol Modifications for the DNS Security Extensions" [RFC4035] +- "Use of SHA-256 in DNSSEC ... (DS) ... (RRs)" [RFC4509] - "HMAC SHA TSIG Algorithm Identifiers" [RFC4635] +- "... (DNSSEC) Hashed Authenticated Denial of Existence" [RFC5155] + +For completeness, the following, in process, documents contain +information about the DNS message. These documents ought not interfere +with AXFR but these documents are helpful in understanding what will +be carried via AXFR. + +- "Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource + Records for DNSSEC" [DRAFT1] +- "Clarifications and Implementation Notes for DNSSECbis" [DRAFT2] The upper limit on the permissible size of a DNS message over TCP is only restricted by the TCP framing defined in RFC 1035, section 4.2.2 @@ -199,6 +205,8 @@ which specifies a two-octet message length field, understood to be unsigned, and thus causing a limit of 65535 octets. Unlike DNS messages over UDP, this limit is not changed by EDNS0. +Note that the TC (truncation) bit is never set by an AXFR server nor +considered/read by an AXFR client. Field names used in this document will correspond to the names as they appear in the IANA registry for DNS Header Flags [DNSFLGS]. 
@@ -209,6 +217,12 @@ An AXFR query is sent by a client whenever there is a reason to ask. This might be because of zone maintenance activities or as a result of a command line request, say for debugging. +An AXFR query is sent by a client whenever there is a reason to ask. +This might be because of scheduled or triggered zone maintenance +activities (see section 4.3.5 of RFC 1034 and DNS NOTIFY [RFC1996], +respectively) or as a result of a command line request, say for +debugging. + 2.1.1 Header Values These are the DNS message header values for an AXFR query. @@ -324,16 +338,14 @@ message's query section. Subsequent messages MAY do the same. An AXFR response that is indicating an error MUST consist of a single DNS message with the return code set to the appropriate value for the -condition encountered - once the error condition is detected. Such -a message MUST copy the AXFR query Query Section into its Query -Section. The inclusion of the terminating SOA resource record is not -necessary. +condition encountered - once the error condition is detected. Such +a message MUST terminate the AXFR session; it MUST copy the Query +Section from the AXFR query into its Query Section, but the inclusion +of the terminating SOA resource record is not necessary. An AXFR client might receive a number of AXFR response messages free of an error condition before the message indicating an error -is received. But once an error is reported, the AXFR client can -assume that the error reporting message is the last message sent by -the AXFR server in the current AXFR session. +is received. 2.2.1 "0 Message" Response 
@@ -415,6 +427,14 @@ documents: - "DNS Security Introduction and Requirements" [RFC4033] - "Resource Records for the DNS Security Extensions" [RFC4034] - "Protocol Modifications for the DNS Security Extensions" [RFC4035] +- "Use of SHA-256 in DNSSEC Delegation Signer RRs" [RFC4509] +- "DNS Security Hashed Authenticated Denial of Existence" [RFC5155] + +as well pending documents, such as these: + +- "Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource + Records for DNSSEC" [DRAFT1] +- "Clarifications and Implementation Notes for DNSSECbis" [DRAFT2] Note 2.2.2.f In the absence of an error, the server MUST set the value of this field to NoError. If a server is not authoritative for the @@ -423,8 +443,8 @@ consult the appropriate IANA registry [DNSVALS].) If a client receives any other value in response, it MUST act according to the error. For example, a malformed AXFR query or the presence of an EDNS0 OPT resource record sent to an old server will garner a FormErr value. -This value is not set as part of the AXFR response processing. The -same is true for other error-indicating values. +This value is not set as part of the AXFR-specific response processing. +The same is true for other error-indicating values. Note 2.2.2.g The count of answer records MUST equal the number of resource records in the AXFR Answer Section. When a server is aware @@ -433,8 +453,9 @@ message, then the value MUST be 1. A server MAY be made aware of a client's limitations via configuration data. Note 2.2.2.h The client MUST set this field to be the number of -resource records appearing in the additional section. See Section -2.1.5 "Additional Section" for details. +resource records appearing in the additional section. The +considerations in Note 2.1.1.d above apply equally; see Section +2.2.6 "Additional Section" below for more details. 2.2.3 Query Section 
@@ -444,9 +465,6 @@ query or it MAY be empty. The content of this section MAY be used to determine the context of the message, that is, the name of the zone being transferred. ->| [...]. In subsequent messages, this section MAY be copied from the ->| query, or it MAY be empty. [...] - 2.2.4 Answer Section MUST be populated with the zone contents. See later section on @@ -462,13 +480,6 @@ The contents of this section MUST follow the guidelines for EDNS0, TSIG, SIG(0), or what ever other future record is possible here. The contents of section 2.1.5 apply here as well. -Note that TSIG and SIG(0), if in use, will treat each individual -AXFR response message within a session as a unit of data. That is, -each message will have a TSIG or SIG(0) (if in use) and the -cryptographic check will cover just that message. The same rule -will apply to future alternatives and documents covering them ought -to consider the impact on AXFR response messages. - 2.3 TCP Connection Aborts If an AXFR client sends a query on a TCP connection and the connection 
@@ -491,32 +502,32 @@ that the AXFR client is attempting abusive behavior. 3 Zone Contents The objective of the AXFR session is to request and transfer the -contents of a zone. The objective is to permit the client to +contents of a zone. The objective is to permit the AXFR client to reconstruct the zone as it exists at the server for the given zone -serial number. Over time the definition of a zone has evolved from a -static set of records to a dynamically updated set of records to a -continually regenerated set of records. +serial number. Over time the definition of a zone has evolved from +denoting a static set of records to also cover a dynamically updated +set of records, and then a potentially continually regenerated set of +records as well. 3.1 Records to Include In the answer section of AXFR response messages the resource records within a zone for the given serial number MUST appear. The definition of what belongs in a zone is described in RFC 1034, Section 4.2, "How -the database is divided into zones", and in particular, section 4.2.1, -"Technical considerations". +the database is divided into zones", in particular, section 4.2.1, +"Technical considerations", and it has been clarified in Section 6 of +RFC 2181. -Unless the AXFR server knows that the AXFR client expects just one -resource record per AXFR response message, an AXFR server SHOULD -populate an AXFR response message with as many complete resource -records as will fit within a DNS message. +Unless the AXFR server knows that the AXFR client is old and expects +just one resource record per AXFR response message, an AXFR server +SHOULD populate an AXFR response message with as many complete +resource record sets as will fit within a DNS message. Zones for which it is impractical to list the entire zones for a serial -number (because changes happen too quickly) are not suitable for AXFR -retrieval. 
A typical (but not limiting) description of such a zone -is a zone consisting of responses generated via other database lookups -and/or computed based upon ever changing data. In essence, if the -zone changes (on average) more frequently than and AXFR session can be -finished, the zone is not a good candidate for AXFR. +number are not suitable for AXFR retrieval. A typical (but not +limiting) description of such a zone is a zone consisting of responses +generated via other database lookups and/or computed based upon ever +changing data. 3.2 Delegation Records 
@@ -528,14 +539,38 @@ over this statement and the impact on which NS resource records are included in a zone transfer. The phrase "that describe cuts" is a reference to the NS set and -applicable glue records. It does not mean that the cut points and the -apex resource records are identical. For example, the SOA resource -record is only found at the apex, as well as DNSSEC resource records. -The is even a DNSSEC resource record found only at the zone cut and not -at the corresponding apex. There are also some DNSSEC resource record -sets that are explicitly different between the cut point and the apex. -The discussion here is restricted to just the NS resource record set -and glue as these "describe cuts." +applicable glue records. It does not mean that the cut point and apex +resource records are identical. For example, the SOA resource record +is only found at the apex. The discussion here is restricted to just +the NS resource record set and glue as these "describe cuts". + +DNSSEC resource records have special specifications regarding their +occurrence at a zone cut and the apex of a zone. This has for the +first time been described in Sections 5.3 ff. and 6.2 of RFC 2181 +(for the initial specification of DNSSEC), which now is historical. +The current DNSSEC core document set (see Note 2.2.2.e above) gives +the full details for DNSSEC(bis) resource record placement, and +Section 3.1.5 of RFC 4035 normatively specifies their treatment during +AXFR; the alternate NSEC3 resource record defined later in RFC 5155 +behaves identically as the NSEC RR, for the purpose of AXFR. + +Informally: +o The DS RRSet only occurs at the parental side of a zone cut and is + authoritative data in the parent zone, not the secure child zone. +o The DNSKEY RRSet only occurs at the APEX of a signed zone and is + authoritative part of the zone it serves. 
+o Independent RRSIG RRSets occur at the signed parent side and of a + zone cut and at the apex of a signed zone; they are authoritative + part of the respective zone; simple queries for RRSIG resource + records may return bth RRSets at once if the same server is + authoritative for the parent zone and the child zone (Section + 3.1.5 of RFC 4035 describes how to distinguish these RRs); this + seeming ambiguity does not occur for AXFR, since each such RRSIG + RRset belongs to a single zone. +o Different NSEC [RFC4034] or NSEC3 [RFC5155] resource records + equally may occur at the parental siede of a zone cut and at the + apex of a zone; each such resource record belongs to exactly one + of these zones and is to be included in the AXFR of that zone. The issue is that in operations there are times when the NS resource records for a zone might be different at a cut point in the parent and 
@@ -585,16 +620,26 @@ authoritative set, concealing the error.) 3) The inconsistent NS resource record set might indicate a problem in a registration database. -4) Beginning with an error state of two servers for a zone having -inconsistent zone contents for a given zone serial number, if a client -requests and receives an IXFR transfer from one server followed by -another IXFR transfer from the other server, the client can encounter -an IXFR protocol error state where an attempt is made to incrementally -add a record that already exists or to delete a record that does not -exist. +4) This requirement is necessary to ensure that retrieving a given +(zone,serial) pair by AXFR yields the exact same set of resource +records no matter which of the zone's authoritative servers is +chosen as the source of the transfer. -(Editorial note, the 4th reason was suggested, but I don't see how -it relates. A nudge for updated text on this.) +If an AXFR server were allowed to respond with the authoritative +NS RRset of a child zone instead of a glue NS RRset in the zone +being transferred, the set of records returned could vary depending +on whether or not the server happens to also be authoritative for +the child zone. + +The property that a given (zone,serial) pair corresponds to a +single, well-defined set of records is necessary for the correct +operation of incremental transfer protocols such as IXFR +[RFC1995]. For example, a client may retrieve a zone by AXFR from +one server, and then apply an incremental change obtained by IXFR +from a different server. If the two servers have different ideas +of the zone contents, the client can end up attempting to +incrementally add records that already exist or to delete records +that do not exist. 3.3 Glue Records 
@@ -635,12 +680,13 @@ Compression." 3.5 Occluded Names -Dynamic Update [RFC2136] (and including DNAME [RFC2672]) operations can -have a side effect of occluding names in a zone. The addition of a -delegation point via dynamic update will render all subordinate domain -names to be in a limbo, still part of the zone but not available -to the lookup process. The addition of a DNAME resource record has the -same impact. The subordinate names are said to be "occluded." +Dynamic Update [RFC2136] operations, and in particular its interaction +with DNAME [RFC2672], can have a side effect of occluding names in a +zone. The addition of a delegation point via dynamic update will +render all subordinate domain names to be in a limbo, still part of +the zone but not available to the lookup process. The addition of a +DNAME resource record has the same impact. The subordinate names are +said to be "occluded." Occluded names MUST be included in AXFR responses. An AXFR client MUST be able to identify and handle occluded names. The rationale for this @@ -662,7 +708,7 @@ query for the zone's SOA resource record first, and so on. Note that this is documented as a most common scenario. The assumption that a TCP connection is dedicated to the single AXFR -session is incorrect, this as has led to implementation choices that +session is incorrect, this has led to implementation choices that prevent either multiple concurrent zone transfers or the use of the open connection for other queries. 
@@ -680,8 +726,8 @@ multiple concurrent AXFR sessions. With the addition of EDNS0 and applications which require many small zones such as in web hosting and some ENUM scenarios, AXFR -sessions on UDP are now possible and desirable. However, there -are still some aspects of the AXFR session that are not easily +sessions on UDP would now be possible and seem desirable. However, +there are still some aspects of the AXFR session that are not easily translated to UDP. This document leaves AXFR over UDP undefined. 4.1 TCP @@ -698,14 +744,14 @@ The guidance given here is intended to enable better performance of the AXFR exchange as well as guidelines on interactions with older software. Better performance includes being able to multiplex DNS message exchanges including zone transfer sessions. Guidelines for -interacting with older software are generally applicable to AXFR -clients as reversing the situation, older AXFR client and newer -AXFR server ought to induce the server to operate within the -specification for an older server. +interacting with older software are generally applicable to new AXFR +clients. In the reverse situation, older AXFR client and newer AXFR +server ought to induce the server to operate within the specification +for an older server. 4.1.1 AXFR client TCP -An AXFR client MAY request an connection to an AXFR server for any +An AXFR client MAY request a connection to an AXFR server for any reason. An AXFR client SHOULD close the connection when there is no apparent need to use the connection for some time period. The AXFR server ought not have to maintain idle connections, the burden 
@@ -723,16 +769,17 @@ an AXFR response can be cancelled. When a TCP connection is closed remotely (relative to the client), whether by the AXFR server or due to a network event, the AXFR client -MUST cancel all outstanding sessions. Recovery from this situation -is not straightforward. If the disruption was a spurious event, -attempting to restart the connection would be proper. If the -disruption was caused by a medium or long term disruption, the AXFR -client would be wise to not spend too many resources trying to rebuild -the connection. Finally, if the connection was dropped because of a -policy at the AXFR server (as can be the case with older AXFR servers), -the AXFR client would be wise to not retry the connection. -Unfortunately, knowing which of the three cases above applies is not -clear (momentary disruption, failure, policy). +MUST cancel all outstanding sessions and non-AXFR transactions. +Recovery from this situation is not straightforward. If the disruption +was a spurious event, attempting to restart the connection would be +proper. If the disruption was caused by a medium or long term +disruption, the AXFR client would be wise to not spend too many +resources trying to rebuild the connection. Finally, if the connection +was dropped because of a policy at the AXFR server (as can be the case +with older AXFR servers), the AXFR client would be wise to not retry +the connection. Unfortunately, knowing which of the three cases above +(momentary disruption, failure, policy) applies is not possible with +certainty, and can only be assessed by heuristics. An AXFR client MAY use an already opened TCP connection to start an AXFR session. Using an existing open connection is RECOMMENDED over 
@@ -748,14 +795,15 @@ protocol). 4.1.2 AXFR server TCP An AXFR server MUST be able to handle multiple AXFR sessions on a -single TCP connection, as well as handle other query/response sessions. +single TCP connection, as well as handle other query/response +transactions. If a TCP connection is closed remotely, the AXFR server MUST cancel -all AXFR sessions in place. No retry activity is necessary, that is +all AXFR sessions in place. No retry activity is necessary; that is initiated by the AXFR client. Local policy MAY dictate that a TCP connection is to be closed. Such -as action SHOULD be in reaction to limits such as those placed on +an action SHOULD be in reaction to limits such as those placed on the number of outstanding open connections. Closing a connection in response to a suspected security event SHOULD be done only in extreme cases, when the server is certain the action is warranted. An @@ -798,7 +846,8 @@ AXFR query to be granted. A general purpose implementation SHOULD NOT have a default policy for AXFR requests to be "open to all." For example, a default could -be to restrict transfers to loopback address(es) and such. +be to restrict transfers to addresses selected by the DNS +administrator(s) for zones on the server. 6 Zone Integrity 
@@ -820,8 +869,11 @@ if it did before. The externally visible behavior of an AXFR client implementation MUST be equivalent to that of this two-stage model. If a server rejects data contained in an AXFR session, the server -SHOULD remember the serial number and not attempt to retrieve the -same zone version again. +SHOULD remember the serial number and MAY attempt to retrieve the +same zone version again. The reason the same retrieval could make +sense is that the reason for the rejection could be rooted in an +implementation detail of one AXFR server used for the zone and not +in another AXFR server used for the zone. Ensuring that an AXFR client does not accept a forged copy of a zone is important to the security of a zone. If a zone operator has the 
@@ -830,49 +882,22 @@ or virtual via a VPN among the authoritative servers. But there are instances in which zone operators have no choice but to run AXFR sessions over the global public Internet. -Besides best attempts at securing TCP sessions, DNS implementations +Besides best attempts at securing TCP connections, DNS implementations SHOULD provide means to make use of "Secret Key Transaction Authentication for DNS" [RFC2845] and/or "DNS Request and Transaction Signatures ( SIG(0)s )" [RFC2931] to allow AXFR clients to verify the contents. These techniques MAY also be used for authorization. -7 Zone Expiry Timer - -Section 4.3.5 of RFC 1034 contains the following paragraph: - -"The periodic polling of the secondary servers is controlled by -parameters in the SOA RR for the zone, which set the minimum acceptable -polling intervals. The parameters are called REFRESH, RETRY, and -EXPIRE. Whenever a new zone is loaded in a secondary, the secondary -waits REFRESH seconds before checking with the primary for a new serial. -If this check cannot be completed, new checks are started every RETRY -seconds. The check is a simple query to the primary for the SOA RR of -the zone. If the serial field in the secondary's zone copy is equal to -the serial returned by the primary, then no changes have occurred, and -the REFRESH interval wait is restarted. If the secondary finds it -impossible to perform a serial check for the EXPIRE interval, it must -assume that its copy of the zone is obsolete an discard it." - -Perhaps what is not clear in the paragraph regarding the EXPIRE -interval timer is that it is only reset to the EXPIRE parameter when -a new zone is loaded. A new zone means a zone with a higher serial -number than the most recently loaded zone. The EXPIRE interval timer -is not reset automatically as a result of a zone transfer as a zone -could be (mistakenly) transferred with the same or lower serial number. 
- -I.e., successively transferring a zone from server to server does not -permit the zone to avoid expiration. - -8 Backwards Compatibility +7 Backwards Compatibility Describing backwards compatibility is difficult because of the lack of specifics in the original definition. In this section some hints at building in backwards compatibility are given, mostly repeated from the earlier sections. -Backwards compatibility is not necessary, but the greater extent of an -implementation's compatibility increases it's interoperability. For -turnkey implementations this is not usually a concern. For general +Backwards compatibility is not necessary, but the greater the extent of +an implementation's compatibility the greater it's interoperability. +For turnkey implementations this is not usually a concern. For general purpose implementations this takes on varying levels of importance depending on the implementer's desire to maintain interoperability. @@ -882,7 +907,7 @@ implementation SHOULD, in it's documentation, encourage operators to periodically review AXFR clients and servers it has made notes about as old software periodically gets updated. -8.1 Server +7.1 Server An AXFR server has the luxury of being able to react to an AXFR client's abilities with the exception of knowing if the client can 
@@ -890,38 +915,41 @@ accept multiple resource records per AXFR response message. The knowledge that a client is so restricted apparently cannot be discovered, hence it has to be set by configuration. -An implementation of an AXFR server SHOULD permit configuring, on a per +An implementation of an AXFR server MAY permit configuring, on a per AXFR client basis, a need to revert to single resource record per -message. The default SHOULD be to use multiple records per message. +message; in that case, the default SHOULD be to use multiple records -8.2 Client +7.2 Client -An AXFR client has the opportunity to try extensions when querying -an AXFR server. +An AXFR client has the opportunity to try other features (i.e., those +not defined by this document) when querying an AXFR server. Attempting to issue multiple DNS queries over a TCP transport for an -AXFR session SHOULD be aborted if it interrupts the original request +AXFR session SHOULD be aborted if it interrupts the original request, and SHOULD take into consideration whether the AXFR server intends to close the connection immediately upon completion of the original (connection-causing) zone transfer. -9 Security Considerations +8 Security Considerations Concerns regarding authorization, traffic flooding, and message integrity are mentioned in "Authorization" (section 5), "TCP" (section 4.2) and "Zone Integrity" (section 6). -10 IANA Considerations +9 IANA Considerations No new registries or new registrations are included in this document. -11 Internationalization Considerations +10 Internationalization Considerations -It is assumed that supporting of international domain names has been +The AXFR protocol is transparent to the parts of DNS zone content that +can possibly be subject to Internationalization considerations. +It is assumed that for DNS labels and domain names, the issue has been solved via "Internationalizing Domain Names in Applications (IDNA)" [RFC3490]. 
-12 Acknowledgements + +11 Acknowledgements Earlier editions of this document have been edited by Andreas Gustafsson. In his latest version, this acknowledgement appeared. @@ -935,9 +963,9 @@ and Brian Wellington." Comments since the -05 version have come from these individuals: Alfred Hoenes, Mark Andrews, Paul Vixie, Wouter Wijngaards, Iain Calder, Tony Finch, Ian Jackson, Andreas Gustafsson, Brian Wellington, -... +and other participants of the DNSEXT working group. -13 References +12 References All references prefixed by "RFC" can be obtained from the RFC Editor web site at the URLs: http://rfc-editor.org/rfc.html @@ -945,7 +973,7 @@ or http://rfc-editor.org/rfcsearch.html ; information regarding this organization can be found at the following URL: http://rfc-editor.org/ -13.1 Normative +12.1 Normative [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, September 1981. @@ -964,6 +992,8 @@ URL: http://rfc-editor.org/ [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997. +[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August 1999. [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC 2672, @@ -986,6 +1016,11 @@ URL: http://rfc-editor.org/ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005. +[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer + (DS) Resource Records (RRs)", RFC 4509, May 2006 +[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS + Security (DNSSEC) Hashed Authenticated Denial of Existence", + RFC 5155, March 2008 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. 
@@ -995,7 +1030,7 @@ URL: http://rfc-editor.org/ [DNSFLGS] http://www.iana.org/assignments/dns-header-flags [DNSVALS] http://www.iana.org/assignments/dns-parameters -13.2 Informative +12.2 Informative [BCP14] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. @@ -1007,16 +1042,17 @@ URL: http://rfc-editor.org/ [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003. +[DRAFT1] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and + RRSIG Resource Records for DNSSEC", + draft-ietf-dnsext-dnssec-rsasha256-12, work in progress. +[DRAFT2] Weiler, S., and D. Blacka, "Clarifications and Implementation + Notes for DNSSECbis", + draft-ietf-dnsext-dnssec-bis-updates-08, work in progress. -14 Editor's Address +13 Editor's Address Edward Lewis 46000 Center Oak Plaza Sterling, VA, 22033, US +1-571-434-5468 ed.lewis@neustar.biz - -Acknowledgment - -Funding for the RFC Editor function is provided by the IETF -Administrative Support Activity (IASA). From 00c8156b24a3a80edf855190eabb8ac14ce9cc9c Mon Sep 17 00:00:00 2001 From: Jeremy Reed Date: Thu, 2 Apr 2009 15:44:20 +0000 Subject: [PATCH 39/60] Update my 2562 doc ARM entry. --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 05e0a1f48f..309b597f44 100644 --- a/CHANGES +++ b/CHANGES @@ -75,7 +75,7 @@ 2563. [bug] Dig could leak a socket causing it to wait forever to exit. [RT #19359] -2562. [doc] ARM: miscellaneous improvements and reorganization +2562. [doc] ARM: miscellaneous improvements, reorganization, and some new content. 2561. [doc] Add isc-config.sh(1) man page. [RT #16378] From b9636a8e43f791e093baa0fcbd7797f4ad2979de Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Fri, 3 Apr 2009 19:55:59 +0000 Subject: [PATCH 40/60] 2583. [port] netbsd: provide a control to not add the compile date to the version string, -DNO_VERSION_DATE. --- CHANGES | 3 +++ bin/named/main.c | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 309b597f44..68da028c2e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2583. [port] netbsd: provide a control to not add the compile + date to the version string, -DNO_VERSION_DATE. + 2582. [bug] Don't emit warning log message when we attempt to remove non-existant journal. [RT #19516] diff --git a/bin/named/main.c b/bin/named/main.c index 8cb54ab02d..8256282212 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.170 2009/03/05 03:13:55 marka Exp $ */ +/* $Id: main.c,v 1.171 2009/04/03 19:55:59 marka Exp $ */ /*! \file */ @@ -885,10 +885,10 @@ main(int argc, char *argv[]) { * strings named.core | grep "named version:" */ strlcat(version, -#ifdef __DATE__ - "named version: BIND " VERSION " (" __DATE__ ")", -#else +#if defined(NO_VERSION_DATE) || !defined(__DATE__) "named version: BIND " VERSION, +#else + "named version: BIND " VERSION " (" __DATE__ ")", #endif sizeof(version)); result = isc_file_progname(*argv, program_name, sizeof(program_name)); From 3dc1cb7e96eaa0dc4590d45663937c9f6b195554 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Tue, 7 Apr 2009 02:49:37 +0000 Subject: [PATCH 41/60] wording fix for cpp error message (rt #19569) --- lib/dns/rbtdb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 5b5882611a..c6d7f66fed 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c 
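Review bot: The new `#if defined(NO_VERSION_DATE) || !defined(__DATE__)` directive in the main.c hunk carries no comment saying what NO_VERSION_DATE is for, so the next reader has to find the CHANGES entry to learn that it suppresses the compile date in the version string. A one-line comment above the directive would do, e.g. `/* -DNO_VERSION_DATE omits __DATE__ so the version string is identical across rebuilds of the same source. */`. Since `__DATE__` is predefined by standard C compilers, the `!defined(__DATE__)` arm is effectively never taken; it is harmless to keep, but the comment could say it is only a fallback. main() begins and ends outside the hunk.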
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.274 2009/03/05 04:54:33 marka Exp $ */ +/* $Id: rbtdb.c,v 1.275 2009/04/07 02:49:37 jinmei Exp $ */ /*! \file */ @@ -344,7 +344,7 @@ struct acachectl { */ #ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT #if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1 -#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger 1" +#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger than 1" #else #define DEFAULT_CACHE_NODE_LOCK_COUNT DNS_RBTDB_CACHE_NODE_LOCK_COUNT #endif From af2e2f5ed750530aaf479f5ab24e1fa8a8d0a482 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Wed, 8 Apr 2009 05:46:22 +0000 Subject: [PATCH 42/60] 2584. [bug] alpha: gcc optimization could break atomic operations. [RT #19227] --- CHANGES | 3 +++ lib/isc/alpha/include/isc/atomic.h | 34 +++++++++++++++++++++--------- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 68da028c2e..c7845ba319 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2584. [bug] alpha: gcc optimization could break atomic operations. + [RT #19227] + 2583. [port] netbsd: provide a control to not add the compile date to the version string, -DNO_VERSION_DATE. diff --git a/lib/isc/alpha/include/isc/atomic.h b/lib/isc/alpha/include/isc/atomic.h index 056d5fc314..2da2c7f97b 100644 --- a/lib/isc/alpha/include/isc/atomic.h +++ b/lib/isc/alpha/include/isc/atomic.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: atomic.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */ +/* $Id: atomic.h,v 1.6 2009/04/08 05:46:22 jinmei Exp $ */ /* * This code was written based on FreeBSD's kernel source whose copyright 
@@ -62,16 +62,20 @@ /* * This routine atomically increments the value stored in 'p' by 'val', and - * returns the previous value. + * returns the previous value. Memory access ordering around this function + * can be critical, so we add explicit memory block instructions at the + * beginning and the end of it (same for other functions). */ static inline isc_int32_t isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) { - return (asm("1:" + return (asm("mb;" + "1:" "ldl_l %t0, 0(%a0);" /* load old value */ "mov %t0, %v0;" /* copy the old value */ "addl %t0, %a1, %t0;" /* calculate new value */ "stl_c %t0, 0(%a0);" /* attempt to store */ - "beq %t0, 1b;", /* spin if failed */ + "beq %t0, 1b;" /* spin if failed */ + "mb;", p, val)); } @@ -80,11 +84,13 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) { */ static inline void isc_atomic_store(isc_int32_t *p, isc_int32_t val) { - (void)asm("1:" + (void)asm("mb;" + "1:" "ldl_l %t0, 0(%a0);" /* load old value */ "mov %a1, %t0;" /* value to store */ "stl_c %t0, 0(%a0);" /* attempt to store */ - "beq %t0, 1b;", /* spin if failed */ + "beq %t0, 1b;" /* spin if failed */ + "mb;", p, val); } @@ -96,7 +102,8 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) { static inline isc_int32_t isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) { - return(asm("1:" + return(asm("mb;" + "1:" "ldl_l %t0, 0(%a0);" /* load old value */ "mov %t0, %v0;" /* copy the old value */ "cmpeq %t0, %a1, %t0;" /* compare */ @@ -104,7 +111,8 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) { "mov %a2, %t0;" /* value to store */ "stl_c %t0, 0(%a0);" /* attempt to store */ "beq %t0, 1b;" /* if it failed, spin */ - "2:", + "2:" + "mb;", p, cmpval, val)); } #elif defined (ISC_PLATFORM_USEGCCASM) 
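Review bot: The comment added at the top of the isc_atomic_xadd hunk describes the new `mb` instructions as "memory block instructions"; on Alpha `mb` is the memory barrier instruction, so the sentence should read `explicit memory barrier instructions` or a reader will look for something that does not exist. Because that sentence also covers the other functions ("same for other functions"), the isc_atomic_store and isc_atomic_cmpxchg hunks that follow inherit the same wording, so one fix covers all three. The `#if` that selects this compiler-specific branch lies outside the hunk.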
@@ -113,13 +121,15 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) { isc_int32_t temp, prev; __asm__ volatile( + "mb;" "1:" "ldl_l %0, %1;" /* load old value */ "mov %0, %2;" /* copy the old value */ "addl %0, %3, %0;" /* calculate new value */ "stl_c %0, %1;" /* attempt to store */ "beq %0, 1b;" /* spin if failed */ - : "=&r"(temp), "+m"(*p), "=r"(prev) + "mb;" + : "=&r"(temp), "+m"(*p), "=&r"(prev) : "r"(val) : "memory"); @@ -131,11 +141,13 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) { isc_int32_t temp; __asm__ volatile( + "mb;" "1:" "ldl_l %0, %1;" /* load old value */ "mov %2, %0;" /* value to store */ "stl_c %0, %1;" /* attempt to store */ "beq %0, 1b;" /* if it failed, spin */ + "mb;" : "=&r"(temp), "+m"(*p) : "r"(val) : "memory"); @@ -146,6 +158,7 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) { isc_int32_t temp, prev; __asm__ volatile( + "mb;" "1:" "ldl_l %0, %1;" /* load old value */ "mov %0, %2;" /* copy the old value */ @@ -155,7 +168,8 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) { "stl_c %0, %1;" /* attempt to store */ "beq %0, 1b;" /* if it failed, spin */ "2:" - : "=&r"(temp), "+m"(*p), "=r"(prev) + "mb;" + : "=&r"(temp), "+m"(*p), "=&r"(prev) : "r"(cmpval), "r"(val) : "memory"); From 603cf17f33da24d460616389ec40d6f2a6e110a0 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 8 Apr 2009 06:44:48 +0000 Subject: [PATCH 43/60] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index d1ae72b925..aa1e278546 100644 --- a/util/copyrights +++ b/util/copyrights 
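Review bot: The change of `prev` from `"=r"` to `"=&r"` in the isc_atomic_xadd hunk (and again in the last isc_atomic_cmpxchg hunk) is the substantive fix, but nothing in the code says why, and an earlyclobber marker is easy for a later cleanup to drop. In xadd `prev` is written by `mov %0, %2` before `addl %0, %3, %0` reads the `val` input, so without `&` the compiler may legally place `prev` and `val` in the same register and the input is clobbered; the cmpxchg sequence appears to follow the same write-before-read order, though its compare line is outside the shown hunk. A short comment on the constraint line would pin that down, e.g. `/* "=&r": prev is written before the inputs are consumed, so it must not share their register. */`. Each function's return and closing brace lie outside its hunk.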
@@ -1884,7 +1884,7 @@ ./lib/isc/alpha/include/Makefile.in MAKE 2007 ./lib/isc/alpha/include/isc/.cvsignore X 2007 ./lib/isc/alpha/include/isc/Makefile.in MAKE 2007 -./lib/isc/alpha/include/isc/atomic.h C 2005,2007 +./lib/isc/alpha/include/isc/atomic.h C 2005,2007,2009 ./lib/isc/api X 1999,2000,2001,2006,2008 ./lib/isc/assertions.c C 1997,1998,1999,2000,2001,2004,2005,2007,2008 ./lib/isc/base32.c C 2008,2009 From cc0f37ba1766199e715677a1a4abdf5c678c36af Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 8 Apr 2009 06:48:23 +0000 Subject: [PATCH 44/60] update copyright notice --- lib/isc/alpha/include/isc/atomic.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/isc/alpha/include/isc/atomic.h b/lib/isc/alpha/include/isc/atomic.h index 2da2c7f97b..a6232ada6f 100644 --- a/lib/isc/alpha/include/isc/atomic.h +++ b/lib/isc/alpha/include/isc/atomic.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: atomic.h,v 1.6 2009/04/08 05:46:22 jinmei Exp $ */ +/* $Id: atomic.h,v 1.7 2009/04/08 06:48:23 tbox Exp $ */ /* * This code was written based on FreeBSD's kernel source whose copyright @@ -66,7 +66,7 @@ * can be critical, so we add explicit memory block instructions at the * beginning and the end of it (same for other functions). */ -static inline isc_int32_t +static inline isc_int32_t isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) { return (asm("mb;" "1:" 
@@ -116,7 +116,7 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) { p, cmpval, val)); } #elif defined (ISC_PLATFORM_USEGCCASM) -static inline isc_int32_t +static inline isc_int32_t isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) { isc_int32_t temp, prev; From a9f215a87e31c7c95acddfdc577b91a7d862dabd Mon Sep 17 00:00:00 2001 From: Jeremy Reed Date: Wed, 8 Apr 2009 20:06:06 +0000 Subject: [PATCH 45/60] Replace some tabs with spaces within a output. No change in our generated files, but makes a difference with dblatex. --- doc/arm/Bv9ARM-book.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index de2e3650bf..4b0bded1bd 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4816,12 +4816,12 @@ category notify { null; }; listen-on-v6 port ip_port { address_match_list }; query-source ( ( ip4_addr | * ) port ( ip_port | * ) | - address ( ip4_addr | * ) - port ( ip_port | * ) ) ; + address ( ip4_addr | * ) + port ( ip_port | * ) ) ; query-source-v6 ( ( ip6_addr | * ) - port ( ip_port | * ) | - address ( ip6_addr | * ) - port ( ip_port | * ) ) ; + port ( ip_port | * ) | + address ( ip6_addr | * ) + port ( ip_port | * ) ) ; use-queryport-pool yes_or_no; queryport-pool-ports number; queryport-pool-interval number; From 8ee776c51b1c7e77bdde29dedd2b50ff48a0d002 Mon Sep 17 00:00:00 2001 
From: Automatic Updater Date: Thu, 9 Apr 2009 01:12:31 +0000 Subject: [PATCH 46/60] regen --- doc/arm/Bv9ARM.ch06.html | 14 +-- doc/arm/Bv9ARM.ch07.html | 6 +- doc/arm/Bv9ARM.ch09.html | 172 +++++++++++++++---------------- doc/arm/Bv9ARM.html | 8 +- doc/arm/man.dig.html | 4 +- doc/arm/man.dnssec-keygen.html | 14 +-- doc/arm/man.dnssec-signzone.html | 12 +-- doc/arm/man.host.html | 10 +- doc/arm/man.named-checkzone.html | 8 +- doc/arm/man.named.html | 16 +-- doc/arm/man.nsupdate.html | 14 +-- doc/arm/man.rndc-confgen.html | 12 +-- doc/arm/man.rndc.conf.html | 12 +-- doc/arm/man.rndc.html | 12 +-- 14 files changed, 157 insertions(+), 157 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 16ead48b74..24b0dad59b 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -92,7 +92,7 @@
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
Inverse Mapping in IPv4
Other Zone File Directives
@@ -7273,7 +7273,7 @@ zone zone_name [

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -8681,7 +8681,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters
@@ -8835,7 +8835,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -9211,7 +9211,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -9366,7 +9366,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 05f6b4495a..4148334715 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -46,7 +46,7 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
The chroot Environment
Using the setuid Function
@@ -119,7 +119,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index b645b77cd2..54dfab1f6b 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -53,7 +53,7 @@

Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
@@ -250,17 +250,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -268,42 +268,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -312,19 +312,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -332,146 +332,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -487,47 +487,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -541,39 +541,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -594,14 +594,14 @@

-Other Documents About BIND
+Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 73d490bb7f..29e9fc5eb0 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -171,7 +171,7 @@
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
Inverse Mapping in IPv4
Other Zone File Directives
@@ -184,7 +184,7 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
The chroot Environment
Using the setuid Function
@@ -208,7 +208,7 @@
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
I. Manual pages
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 51c1bd19ec..78aec2a5a1 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index fd5e8fa6d0..26bfc61f32 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -166,7 +166,7 @@
-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -212,7 +212,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -233,7 +233,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -242,7 +242,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 3fc0df4fa0..b02938fbac 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -276,7 +276,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -305,14 +305,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 7f0cf0e515..2e6c632a07 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index be326ed682..e2f9f51e93 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -257,14 +257,14 @@
-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index ab306026e3..9f03d11015 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -238,7 +238,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -268,7 +268,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -281,7 +281,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -294,7 +294,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 91e0a323d5..9c25ced00a 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -187,7 +187,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -451,7 +451,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -505,7 +505,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -524,7 +524,7 @@

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -537,7 +537,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 9b72438eef..6677f5cc21 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -171,7 +171,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 787c7dc895..ca4b0b04a0 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 139b2e6aec..5eae8b469c 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From b5c626626364def4a66413c617ebd24914f10f57 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 9 Apr 2009 06:37:10 +0000
Subject: [PATCH 47/60] new draft
---
.../draft-dolmatov-dnsext-dnssec-gost-00.txt | 370 ++++++++++++++++++
1 file changed, 370 insertions(+)
create mode 100644 doc/draft/draft-dolmatov-dnsext-dnssec-gost-00.txt
diff --git a/doc/draft/draft-dolmatov-dnsext-dnssec-gost-00.txt b/doc/draft/draft-dolmatov-dnsext-dnssec-gost-00.txt
new file mode 100644
index 0000000000..3e08247f69
--- /dev/null
+++ b/doc/draft/draft-dolmatov-dnsext-dnssec-gost-00.txt
@@ -0,0 +1,370 @@ +DNS Extensions working group V.Dolmatov, Ed. +Internet-Draft Cryptocom Ltd. +Intended status: Standards Track April 8, 2009 +Expires: December 31, 2009 + + + Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records + for DNSSEC + draft-dolmatov-dnsext-dnssec-gost-00 + +Status of this Memo + + This Internet-Draft is submitted to IETF in full conformance with the + provisions of BCP 78 and BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on 31 December 2009. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + +Abstract + + This document describes how to produce GOST signature and hash algorithms + DNSKEY and RRSIG resource records for use in the Domain Name System + Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . + 2. DNSKEY Resource Records . . . . . . . . . . 
. . . . . . . . . . + 2.1. Using a public key with existing cryptographic libraries. . + 2.2. GOST DNSKEY RR Example . . . . . . . . . . . . . . . . . . + 3. RRSIG Resource Records . . . . . . . . . . . . . . . . . . . . + 4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . + 5. NSEC3 Resource Records . . . . . . . . . . . . . . . . . . . . + 6. Deployment Considerations . . . . . . . . . . . . . . . . . . . + 6.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . + 6.2. Signature Sizes . . . . . . . . . . . . . . . . . . . . . . + 6.3. Digest Sizes . . . . . . . . . . . . . . . . . . . . . . . + 7. Implementation Considerations . . . . . . . . . . . . . . . . . + 7.1. Support for GOST signatures . . . . . . . . . . . . . . . . + 7.2. Support for NSEC3 Denial of Existence . . . . . . . . . . . + 7.2.1. NSEC3 in Authoritative servers . . . . . . . . . . . . + 7.2.2. NSEC3 in Validators . . . . . . . . . . . . . . . . . . + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . + 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . + 10.1. Normative References . . . . . . . . . . . . . . . . . . . + 10.2. Informative References . . . . . . . . . . . . . . . . . . + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . + + +1. Introduction + + The Domain Name System (DNS) is the global hierarchical distributed + database for Internet Naming. The DNS has been extended to use + cryptographic keys and digital signatures for the verification of the + authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034 + [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security + Extensions, called DNSSEC. + + RFC 4034 describes how to store DNSKEY and RRSIG resource records, + and specifies a list of cryptographic algorithms to use. 
This + document extends that list with the signature and hash algorithms + GOST [GOST3410, GOST3411], + and specifies how to store DNSKEY data and how to produce + RRSIG resource records with these hash algorithms. + + Familiarity with DNSSEC and GOST signature and hash + algorithms is assumed in this document. + + The term "GOST" is not officially defined, but is usually used to + refer to the collection of the Russian cryptographic algorithms + GOST R 34.10-2001, GOST R 34.11-94, GOST 28147-89. Since GOST 28147-89 + is not used in DNSSEC, GOST will only refer to GOST R 34.10-2001 + (signatire algorithm) and GOST R 34.11-94 (hash algorithm) in this + document. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + +2. DNSKEY Resource Records + + The format of the DNSKEY RR can be found in RFC 4034 [RFC4034]. + + GOST R 34.10-2001 public keys are stored with the algorithm number {TBA1}. + + The public key parameters are those identified by + id-GostR3410-2001-CryptoPro-A-ParamSet (1.2.643.2.2.35.1) [RFC4357]. + The digest parameters for signature are those identified by + id-GostR3411-94-CryptoProParamSet (1.2.643.2.2.30.1) [RFC4357]. + + The wire format of the public key is compatible with RFC 4491 [RFC4491]: + + According to [GOSTR341001], a public key is a point on the elliptic + curve Q = (x,y). + + The wire representation of a public key MUST contain 64 octets, where the + first 32 octets contain the little-endian representation of x and the + second 32 octets contain the little-endian representation of y. This + corresponds to the binary representation of (256||256) from + [GOSTR341001], ch. 5.3. + +2.1. 
Using a public key with existing cryptographic libraries + + Existing GOST-aware cryptographic libraries at time of this document + writing are capable to read GOST public keys via generic X509 API if the + key is encoded according to RFC 4491 [RFC4491], section 2.3.2. + + To make this encoding from the wire format of a GOST public key, prepend + a key data with the following 37-byte sequence: + + 0x30 0x63 0x30 0x1c 0x06 0x06 0x2a 0x85 0x03 0x02 0x02 0x13 0x30 0x12 + 0x06 0x07 0x2a 0x85 0x03 0x02 0x02 0x23 0x01 0x06 0x07 0x2a 0x85 0x03 + 0x02 0x02 0x1e 0x01 0x03 0x43 0x00 0x04 0x40 + +2.2. GOST DNSKEY RR Example + + The following DNSKEY RR stores a DNS zone key for example.com + + example.com. 86400 IN DNSKEY 256 3 {TBA1} ( RamuUwTG1r4RUqsgXu/xF6B+Y + tJLzZEykiZ4C2Fa1gV1pI/8GA + el2Wm69Cz5h1T9eYAQKFAGwzW + m4Lke0E26aw== ) + +3. RRSIG Resource Records + + The value of the signature field in the RRSIG RR follows the RFC 4490 + [RFC4490] and is calculated as follows. The values for the RDATA fields + that precede the signature data are specified in RFC 4034 [RFC4034]. + + hash = GOSTR3411(data) + + where "data" is the wire format data of the resource record set that is + signed, as specified in RFC 4034 [RFC4034]. Hash MUST be calculated with + GOST R 34.11-94 parameters identified by + id-GostR3411-94-CryptoProParamSet [RFC4357]. + + Signature is calculated from the hash according to the GOST R 34.10-2001 + standard and its wire format is compatible with RFC 4490 [RFC4490]. + Quoting RFC 4490: + + "The signature algorithm GOST R 34.10-2001 generates a digital + signature in the form of two 256-bit numbers, r and s. Its octet + string representation consists of 64 octets, where the first 32 + octets contain the big-endian representation of s and the second 32 + octets contain the big-endian representation of r." + +4. DS Resource Records + + GOST R 34.11-94 digest algorithm is denoted in DS RR by the digest type + {TBA2}. 
The wire format of a digest value is compatible with RFC 4490 + [RFC4490]. Quoting RFC 4490: + + "A 32-byte digest in little-endian representation." + + The digest MUST always be calculated with GOST R 34.11-94 parameters + identified by id-GostR3411-94-CryptoProParamSet [RFC4357]. + +5. NSEC3 Resource Records + + GOST R 34.11-94 digest algorithm is denoted in NSEC3 RR by the digest type + {TBA2}. The wire format of a digest value is compatible with RFC 4490 + [RFC4490]. Quoting RFC 4490: + + "A 32-byte digest in little-endian representation." + + The digest MUST always be calculated with GOST R 34.11-94 parameters + identified by id-GostR3411-94-CryptoProParamSet [RFC4357]. + +6. Deployment Considerations + +6.1. Key Sizes + + According to RFC4357 [RFC4357] key size of GOST public keys MUST + be 512 bits. + +6.2. Signature Sizes + + According to GOST signature algorithm [GOST3410] size of GOST signature + is 512 bit. + +6.3. Digest Sizes + + According to GOST R 34.11-94 [GOST3411] size of GOST digest is 256 bit. + +7. Implementation Considerations + +7.1. Support for GOST signatures + + DNSSEC aware implementations SHOULD be able to support RRSIG and + DNSKEY resource records created with the GOST algorithms as + defined in this document. + +7.2. Support for NSEC3 Denial of Existence + + RFC5155 [RFC5155] defines new algorithm identifiers for existing + signing algorithms, to indicate that zones signed with these + algorithm identifiers use NSEC3 instead of NSEC records to provide + denial of existence. That mechanism was chosen to protect + implementations predating RFC5155 from encountering resource records + they could not know about. This document does not define such + algorithm aliases, and support for NSEC3 denial of existence is + implicitly signaled with support for one of the algorithms defined in + this document. + +7.2.1. 
NSEC3 in Authoritative servers + + An authoritative server that does not implement NSEC3 MAY still serve + zones that use GOST with NSEC denial of existence. + +7.2.2. NSEC3 in Validators + + A DNSSEC validator that implements GOST MUST be able to handle + both NSEC and NSEC3 [RFC5155] negative answers. If this is not the + case, the validator MUST treat a zone signed with GOST + as signed with an unknown algorithm, and thus as insecure. + + +8. IANA Considerations + + This document updates the IANA registry "DNS SECURITY ALGORITHM + NUMBERS -- per [RFC4035] " + (http://www.iana.org/assignments/dns-sec-alg-numbers). The following + entries are added to the registry: + Zone Trans. + Value Algorithm Mnemonic Signing Sec. References Status + {TBA1} GOST R 34.10-2001 GOST Y * (this memo) OPTIONAL + + This document updates the RFC 4034 [RFC4034] Digest Types assignment + (RFC 4034, section A.2): + + Value Algorithm Status + {TBA2} GOST R 34.11-94 OPTIONAL + +9. Acknowledgments + + This document is a minor extension to RFC 4034 [RFC4034]. Also, we + try to follow the documents RFC 3110 [RFC3110], RFC 4509 [RFC4509] + and RFC 4357 [RFC4357] for consistency. The authors of and + contributors to these documents are gratefully acknowledged for + their hard work. + + The following people provided additional feedback and text: Dmitry + Burkov, Jaap Akkerhuis, Jelte Jansen and Wouter Wijngaards. + + +10. References + +10.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", RFC 2119, March 1997. + + [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain + Name System (DNS)", RFC 3110, May 2001. + + [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "DNS Security Introduction and Requirements", + RFC 4033, March 2005. + + [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Resource Records for the DNS Security Extensions", + RFC 4034, March 2005. 
+ + [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Protocol Modifications for the DNS Security + Extensions", RFC 4035, March 2005. + + [GOST3410] "Information technology. Cryptographic data security. + Signature and verification processes of [electronic] + digital signature.", GOST R 34.10-2001, Gosudarstvennyi + Standard of Russian Federation, Government Committee of + the Russia for Standards, 2001. (In Russian) + + [GOST3411] "Information technology. Cryptographic Data Security. + Hashing function.", GOST R 34.11-94, Gosudarstvennyi + Standard of Russian Federation, Government Committee of + the Russia for Standards, 1994. (In Russian) + + [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional + Cryptographic Algorithms for Use with GOST 28147-89, + GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 + Algorithms", RFC 4357, January 2006. + + [RFC4490] S. Leontiev and G. Chudov, "Using the GOST 28147-89, + GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 + Algorithms with Cryptographic Message Syntax (CMS)", + RFC 4490, May 2006. + + [RFC4491] S. Leontiev and D. Shefanovski, "Using the GOST + R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 + Algorithms with the Internet X.509 Public Key + Infrastructure Certificate and CRL Profile", RFC 4491, + May 2006. + + + +10.2. Informative References + + [NIST800-57] + Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid, + "Recommendations for Key Management", NIST SP 800-57, + March 2007. + + [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography + Standards (PKCS) #1: RSA Cryptography Specifications + Version 2.1", RFC 3447, February 2003. + + [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer + (DS) Resource Records (RRs)", RFC 4509, May 2006. + + [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS + Security (DNSSEC) Hashed Authenticated Denial of + Existence", RFC 5155, March 2008. 
+ +Authors' Addresses + + +Vasily Dolmatov, Ed. +Cryptocom Ltd. +Bolotnikovskaya, 23 +Moscow, 117303, Russian Federation + +EMail: dol@cryptocom.ru + +Artem Chuprina +Cryptocom Ltd. +Bolotnikovskaya, 23 +Moscow, 117303, Russian Federation + +EMail: ran@cryptocom.ru + +Igor Ustinov +Cryptocom Ltd. +Bolotnikovskaya, 23 +Moscow, 117303, Russian Federation + +EMail: igus@cryptocom.ru + + Expires December 31, 2009 [Page ] + + From f60f4a412cc0e45f248cfc5b2844e49d69770468 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 11 Apr 2009 23:18:31 +0000 Subject: [PATCH 48/60] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index b18a719064..feccea54db 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -206,6 +206,7 @@ rt19369 new jinmei // 2009-02-19 00:40 +0000 rt19384 new marka // 2009-02-23 03:32 +0000 rt19387 new jinmei // 2009-03-05 19:37 +0000 rt19495 new marka // 2009-01-19 01:19 +0000 +rt19563 new jinmei // 2009-04-11 02:39 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From 7f69908ff840677a5f02b5a60bf32af467b4de7d Mon Sep 17 00:00:00 2001 From: Jeremy Reed Date: Thu, 16 Apr 2009 18:05:30 +0000 Subject: [PATCH 49/60] Further explain "mismatch" counter per support ticket 2449. --- doc/arm/Bv9ARM-book.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 4b0bded1bd..81e4a52df7 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -12748,6 +12748,13 @@ HOST-127.EXAMPLE. MX 0 . Mismatch responses received. + The DNS ID, response's source address, + and/or the response's source port does not + match what was expected. + (The port must be 53 or as defined by + the port option.) + This may be an indication of a cache + poisoning attempt. 
From 65e9adc0e8185883d0de6690683ef4c2a0cc968b Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 17 Apr 2009 01:12:43 +0000 Subject: [PATCH 50/60] regen --- doc/arm/Bv9ARM.ch06.html | 13 +- doc/arm/Bv9ARM.ch07.html | 14 +-- doc/arm/Bv9ARM.ch08.html | 18 +-- doc/arm/Bv9ARM.ch09.html | 180 +++++++++++++-------------- doc/arm/Bv9ARM.html | 22 ++-- doc/arm/man.dig.html | 20 +-- doc/arm/man.dnssec-dsfromkey.html | 16 +-- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 14 +-- doc/arm/man.dnssec-signzone.html | 12 +- doc/arm/man.host.html | 10 +- doc/arm/man.named-checkconf.html | 12 +- doc/arm/man.named-checkzone.html | 12 +- doc/arm/man.named.html | 16 +-- doc/arm/man.nsupdate.html | 14 +-- doc/arm/man.rndc-confgen.html | 12 +- doc/arm/man.rndc.conf.html | 12 +- doc/arm/man.rndc.html | 12 +- 18 files changed, 214 insertions(+), 207 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 24b0dad59b..3aeca492f4 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -8987,6 +8987,13 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9211,7 +9218,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -9366,7 +9373,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 4148334715..fb82c4c5aa 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -119,7 +119,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -145,7 +145,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -173,7 +173,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 459a1b1ac2..0bc3f853b0 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,18 +45,18 @@

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 54dfab1f6b..58b55e8dce 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,21 +45,21 @@

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -162,7 +162,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -268,42 +268,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -312,19 +312,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -332,146 +332,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -487,47 +487,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -541,39 +541,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -594,14 +594,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 29e9fc5eb0..8e16f61af1 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -184,31 +184,31 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
I. Manual pages
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 78aec2a5a1..143fab2d38 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -144,7 +144,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -248,7 +248,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 917a1e697c..0a6bb5661b 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -99,7 +99,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -114,7 +114,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -128,13 +128,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -143,7 +143,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 01432ce472..1a081801eb 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -131,7 +131,7 @@
-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -172,7 +172,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -182,7 +182,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 26bfc61f32..8266ac4d84 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -166,7 +166,7 @@
-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -212,7 +212,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -233,7 +233,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -242,7 +242,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index b02938fbac..53a64a7fa8 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -276,7 +276,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -305,14 +305,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 2e6c632a07..83915737c8 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 076b908505..a8c56b452a 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@

named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-

OPTIONS

+

OPTIONS

-h

@@ -92,21 +92,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index e2f9f51e93..1103f7b4f0 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} (unknown)

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -257,14 +257,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 9f03d11015..68754b5afe 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -238,7 +238,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -268,7 +268,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -281,7 +281,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -294,7 +294,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 9c25ced00a..3b5f87df8e 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -187,7 +187,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -451,7 +451,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -505,7 +505,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -524,7 +524,7 @@

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -537,7 +537,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 6677f5cc21..461a95e7ef 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -171,7 +171,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index ca4b0b04a0..222aec1bb9 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 5eae8b469c..91671b568b 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From cda7c783c3e65ab022a8b5806cf63ce021abd33e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Sat, 18 Apr 2009 01:28:17 +0000 Subject: [PATCH 51/60] 2585. [bug] Uninitialized socket name could be referenced via a statistics channel, triggering an assertion failure in XML rendering. [RT #19427] --- CHANGES | 4 ++++ lib/isc/unix/socket.c | 11 +++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index c7845ba319..37fecb8997 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2585. [bug] Uninitialized socket name could be referenced via a + statistics channel, triggering an assertion failure in + XML rendering. [RT #19427] + 2584. [bug] alpha: gcc optimization could break atomic operations. [RT #19227] diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 8062e9b980..4955b78656 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.317 2009/03/05 03:13:55 marka Exp $ */ +/* $Id: socket.c,v 1.318 2009/04/18 01:28:17 jinmei Exp $ */ /*! \file */ @@ -1885,6 +1885,9 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type, goto error; } + memset(sock->name, 0, sizeof(sock->name)); + sock->tag = NULL; + /* * set up list of readers and writers to be initially empty */ @@ -2324,9 +2327,6 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, return (result); } - memset(sock->name, 0, sizeof(sock->name)); - sock->tag = NULL; - sock->references = 1; *socketp = sock; @@ -2532,11 +2532,14 @@ isc_socket_close(isc_socket_t *sock) { type = sock->type; fd = sock->fd; sock->fd = -1; + memset(sock->name, 0, sizeof(sock->name)); + sock->tag = NULL; sock->listener = 0; sock->connected = 0; sock->connecting = 0; sock->bound = 0; isc_sockaddr_any(&sock->peer_address); + UNLOCK(&sock->lock); closesocket(manager, sock, fd); 
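Review bot: The reset of `sock->name`/`sock->tag` added to isc_socket_close() is done before the `UNLOCK(&sock->lock)` that follows, which is the right place, but it now duplicates the identical two lines added to allocate_socket() in the first hunk; a tiny `static void socket_clearname(isc_socket_t *sock)` called from both sites would keep them from drifting apart (the CHANGES entry says the name is read by the statistics channel, so both must stay in step). Neither hunk shows how the XML renderer reads `sock->name`; if it does so without taking `sock->lock`, this change shrinks the window rather than closing it, which is worth confirming. I would also document the intent at the close-site write: `/* Clear name/tag under sock->lock so a reopened socket (or the stats channel) never sees a stale name. */`. isc_socket_close() and allocate_socket() both start outside their hunks.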
From b1b0dca1464a11b8a63623e8567e744dccfbcb41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Tue, 21 Apr 2009 00:41:02 +0000 Subject: [PATCH 52/60] 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB or SDB. [RT #19577] --- CHANGES | 3 +++ lib/dns/sdb.c | 7 +++++-- lib/dns/sdlz.c | 7 +++++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 37fecb8997..1ecb87cf49 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB + or SDB. [RT #19577] + 2585. [bug] Uninitialized socket name could be referenced via a statistics channel, triggering an assertion failure in XML rendering. [RT #19427] diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c index f141a102f2..a49357a288 100644 --- a/lib/dns/sdb.c +++ b/lib/dns/sdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdb.c,v 1.66 2008/09/24 03:16:58 tbox Exp $ */ +/* $Id: sdb.c,v 1.67 2009/04/21 00:41:02 jinmei Exp $ */ /*! \file */ @@ -880,9 +880,12 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, { result = DNS_R_ZONECUT; dns_rdataset_disassociate(rdataset); - if (sigrdataset != NULL) + if (sigrdataset != NULL && + dns_rdataset_isassociated + (sigrdataset)) { dns_rdataset_disassociate (sigrdataset); + } } else result = DNS_R_DELEGATION; break; diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c index ec82c3e51c..b4099ed996 100644 --- a/lib/dns/sdlz.c +++ b/lib/dns/sdlz.c @@ -50,7 +50,7 @@ * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdlz.c,v 1.18 2008/09/24 02:46:22 marka Exp $ */ +/* $Id: sdlz.c,v 1.19 2009/04/21 00:41:02 jinmei Exp $ */ /*! \file */ 
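Review bot: The new guard in sdb.c's find() is correct but reads awkwardly because the function name is split from its argument list across two lines (`dns_rdataset_isassociated` / `(sigrdataset))`), which the follow-up reindent commit already had to touch; the same three-line construct is then copied verbatim into sdlz.c, so this is the point where a shared helper or at least a comment would pay off. Nothing in the hunk explains why a caller-supplied `sigrdataset` can arrive here unassociated, so a one-line comment would help the next reader: `/* SDB lookups apparently never populate sigrdataset, so only release it if it was actually associated. */` (the "apparently" stands until confirmed against the SDB lookup path). The preceding `dns_rdataset_disassociate(rdataset)` stays unconditional, which presumably relies on the zone-cut path always having associated `rdataset`; if that is not guaranteed it deserves the same check. find() starts and ends outside the hunk.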
@@ -844,9 +844,12 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, { result = DNS_R_ZONECUT; dns_rdataset_disassociate(rdataset); - if (sigrdataset != NULL) + if (sigrdataset != NULL && + dns_rdataset_isassociated + (sigrdataset)) { dns_rdataset_disassociate (sigrdataset); + } } else result = DNS_R_DELEGATION; break; From 9f4f6472f976ae6fb3a42c2ac7cc383604092f80 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 21 Apr 2009 23:30:34 +0000 Subject: [PATCH 53/60] newcopyrights --- util/copyrights | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/copyrights b/util/copyrights index aa1e278546..6d4ebf675f 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1844,8 +1844,8 @@ ./lib/dns/resolver.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/result.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2008,2009 ./lib/dns/rootns.c C 1999,2000,2001,2002,2004,2005,2007,2008 -./lib/dns/sdb.c C 2000,2001,2003,2004,2005,2006,2007,2008 -./lib/dns/sdlz.c C.PORTION 1999,2000,2001,2005,2006,2007,2008 +./lib/dns/sdb.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/sdlz.c C.PORTION 1999,2000,2001,2005,2006,2007,2008,2009 ./lib/dns/soa.c C 2000,2001,2004,2005,2007 ./lib/dns/spnego.asn1 X 2006 ./lib/dns/spnego.c C 2006,2007,2008,2009 From ab381c1e22e0ed732170428937d20d13146d863a Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 21 Apr 2009 23:48:04 +0000 Subject: [PATCH 54/60] update copyright notice --- lib/dns/sdb.c | 6 +++--- lib/dns/sdlz.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c index a49357a288..2777ca359e 100644 --- a/lib/dns/sdb.c +++ b/lib/dns/sdb.c 
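Review bot: The sdlz.c hunk is a byte-for-byte copy of the sdb.c fix in the previous patch, including the split `dns_rdataset_isassociated` / `(sigrdataset))` line, so the two DNS_R_ZONECUT cleanup paths are now maintained by hand in two files; whether the duplication is acceptable or a shared helper is wanted is a maintainer call, but it should be a conscious one. Independently of that, I would add the why-comment here too so the guard is not mistaken for defensive noise: `/* A caller-supplied sigrdataset is not populated by the DLZ lookup; release it only if it is associated. */`, hedged until checked against the DLZ lookup code. find() starts and ends outside the hunk.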
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdb.c,v 1.67 2009/04/21 00:41:02 jinmei Exp $ */ +/* $Id: sdb.c,v 1.68 2009/04/21 23:48:04 tbox Exp $ */ /*! \file */ @@ -882,7 +882,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated - (sigrdataset)) { + (sigrdataset)) { dns_rdataset_disassociate (sigrdataset); } diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c index b4099ed996..163791a928 100644 --- a/lib/dns/sdlz.c +++ b/lib/dns/sdlz.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2005-2008 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2005-2009 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -50,7 +50,7 @@ * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdlz.c,v 1.19 2009/04/21 00:41:02 jinmei Exp $ */ +/* $Id: sdlz.c,v 1.20 2009/04/21 23:48:04 tbox Exp $ */ /*! \file */ @@ -846,7 +846,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated - (sigrdataset)) { + (sigrdataset)) { dns_rdataset_disassociate (sigrdataset); } From b7296c802ffde9918a9b3ffc2d50fcf9399eb337 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 24 Apr 2009 23:18:01 +0000 Subject: [PATCH 55/60] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index feccea54db..49518357d5 100644 --- a/doc/private/branches +++ b/doc/private/branches 
@@ -207,6 +207,7 @@ rt19384 new marka // 2009-02-23 03:32 +0000 rt19387 new jinmei // 2009-03-05 19:37 +0000 rt19495 new marka // 2009-01-19 01:19 +0000 rt19563 new jinmei // 2009-04-11 02:39 +0000 +rt19625 new fdupont // 2009-04-24 08:59 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From f20f19de1995fb65f0b7184b2e596a0e9da9acb3 Mon Sep 17 00:00:00 2001 From: Jeremy Reed Date: Tue, 28 Apr 2009 12:48:35 +0000 Subject: [PATCH 56/60] 2587. [func] Improve logging by reporting serial numbers for when zone serial has gone backwards or unchanged. [RT #19506] --- CHANGES | 4 ++++ lib/dns/zone.c | 9 +++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 1ecb87cf49..2c0969c74a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2587. [func] Improve logging by reporting serial numbers for + when zone serial has gone backwards or unchanged. + [RT #19506] + 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB or SDB. [RT #19577] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index f8f44939fc..78e2f3ac13 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.489 2009/03/26 22:51:54 marka Exp $ */ +/* $Id: zone.c,v 1.490 2009/04/28 12:48:34 jreed Exp $ */ /*! \file */ @@ -2562,12 +2562,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, goto cleanup; } else if (!isc_serial_ge(serial, zone->serial)) dns_zone_log(zone, ISC_LOG_ERROR, - "zone serial has gone backwards"); + "zone serial (%u/%u) has gone " + "backwards", serial, zone->serial); else if (serial == zone->serial && !hasinclude) dns_zone_log(zone, ISC_LOG_ERROR, - "zone serial unchanged. " + "zone serial (%u) unchanged. " "zone may fail to transfer " - "to slaves."); + "to slaves.", serial); } if (zone->type == dns_zone_master && From 089f456eb39d614cb6904107d4a9580ed4f3f296 Mon Sep 17 00:00:00 2001 
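Review bot: The new log text `"zone serial (%u/%u) has gone backwards"` in zone_postload() leaves the reader guessing which number is the newly loaded serial and which is the one the zone already had; since the point of the change is to make the log line actionable, spell it out: `"zone serial (%u) has gone backwards (previous %u)", serial, zone->serial`. The arguments are passed in the same order on both lines, so only the format string changes. `%u` is fine as long as `serial` and `zone->serial` are 32-bit unsigned (their declarations are outside the hunk). zone_postload() starts and ends outside the hunk.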
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Tue, 28 Apr 2009 21:39:00 +0000 Subject: [PATCH 57/60] 2588. [bug] SO_REUSEADDR could be set unconditionally after failure of bind(2) call. This should be rare and mostly harmless, but may cause interference with other processes that happen to use the same port. [RT #19642] --- CHANGES | 5 +++++ lib/dns/dispatch.c | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 2c0969c74a..4d99258441 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2588. [bug] SO_REUSEADDR could be set unconditionally after failure + of bind(2) call. This should be rare and mostly + harmless, but may cause interference with other + processes that happen to use the same port. [RT #19642] + 2587. [func] Improve logging by reporting serial numbers for when zone serial has gone backwards or unchanged. [RT #19506] diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index a0b7be70b1..9103dd69d9 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dispatch.c,v 1.162 2009/01/31 00:37:04 marka Exp $ */ +/* $Id: dispatch.c,v 1.163 2009/04/28 21:39:00 jinmei Exp $ */ /*! \file */ @@ -808,7 +808,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest, dispsocket_t *dispsock; unsigned int nports; in_port_t *ports; - unsigned int bindoptions = 0; + unsigned int bindoptions; dispportentry_t *portentry = NULL; if (isc_sockaddr_pf(&disp->local) == AF_INET) { @@ -858,6 +858,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest, bucket = dns_hash(qid, dest, 0, port); if (socket_search(qid, dest, port, bucket) != NULL) continue; + bindoptions = 0; portentry = port_search(disp, port); if (portentry != NULL) bindoptions |= ISC_SOCKET_REUSEADDRESS; From d76bbb6c40bd1dc44dcc84875779a94268ece963 Mon Sep 17 00:00:00 2001 
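Review bot: Dropping the initializer from `unsigned int bindoptions;` in get_dispsocket() to force the per-iteration `bindoptions = 0;` is fragile: any read of `bindoptions` on a path that does not pass through the loop body (or a future edit that adds one) becomes an uninitialized read, and newer compilers will warn about it. The per-iteration reset is the actual fix and should stay; there is no cost to keeping the declaration as `unsigned int bindoptions = 0;` as well, which makes the function correct regardless of control flow. A short comment at the reset would also record the bug: `/* Reset per attempt: a previous bind(2) failure must not leak REUSEADDRESS onto the next port. */`. The rest of get_dispsocket(), including any other use of `bindoptions`, is outside the hunk.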
From: Automatic Updater Date: Tue, 28 Apr 2009 23:48:01 +0000 Subject: [PATCH 58/60] update copyright notice --- lib/dns/zone.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 78e2f3ac13..61e872ceed 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.490 2009/04/28 12:48:34 jreed Exp $ */ +/* $Id: zone.c,v 1.491 2009/04/28 23:48:01 tbox Exp $ */ /*! \file */ @@ -2563,7 +2563,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, } else if (!isc_serial_ge(serial, zone->serial)) dns_zone_log(zone, ISC_LOG_ERROR, "zone serial (%u/%u) has gone " - "backwards", serial, zone->serial); + "backwards", serial, zone->serial); else if (serial == zone->serial && !hasinclude) dns_zone_log(zone, ISC_LOG_ERROR, "zone serial (%u) unchanged. " From 1e18f761a7f406c5c472ddefea9513c80a67efac Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 29 Apr 2009 03:16:05 +0000 Subject: [PATCH 59/60] 5507: Design Choices When Expanding the DNS --- doc/rfc/index | 1 + doc/rfc/rfc5507.txt | 1011 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1012 insertions(+) create mode 100644 doc/rfc/rfc5507.txt diff --git a/doc/rfc/index b/doc/rfc/index index a1450d06b8..684b135cae 100644 --- a/doc/rfc/index +++ b/doc/rfc/index @@ -118,3 +118,4 @@ Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR) 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence 5295: Host Identity Protocol (HIP) Domain Name System (DNS) Extension +5507: Design Choices When Expanding the DNS diff --git a/doc/rfc/rfc5507.txt b/doc/rfc/rfc5507.txt new file mode 100644 index 0000000000..a286d90854 --- /dev/null +++ b/doc/rfc/rfc5507.txt 
@@ -0,0 +1,1011 @@ + + + + + + +Network Working Group IAB +Request for Comments: 5507 P. Faltstrom, Ed. +Category: Informational R. Austein, Ed. + P. Koch, Ed. + April 2009 + + + Design Choices When Expanding the DNS + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + + +Abstract + + This note discusses how to extend the DNS with new data for a new + application. DNS extension discussions too often focus on reuse of + the TXT Resource Record Type. This document lists different + mechanisms to extend the DNS, and concludes that the use of a new DNS + Resource Record Type is the best solution. + + + + + + + + + + + + + + + + + +IAB, et al. Informational [Page 1] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. Background ......................................................4 + 3. Extension Mechanisms ............................................5 + 3.1. Place Selectors inside the RDATA of Existing + Resource Record Types ......................................5 + 3.2. Add a Prefix to the Owner Name .............................6 + 3.3. Add a Suffix to the Owner Name .............................7 + 3.4. Add a New Class ............................................8 + 3.5. Add a New Resource Record Type .............................8 + 4. 
Zone Boundaries are Invisible to Applications ...................9 + 5. Why Adding a New Resource Record Type Is the Preferred + Solution .......................................................10 + 6. Conclusion and Recommendation ..................................14 + 7. Creating a New Resource Record Type ............................14 + 8. Security Considerations ........................................15 + 9. Acknowledgements ...............................................15 + 10. IAB Members at the Time of This Writing .......................16 + 11. References ....................................................16 + 11.1. Normative References .....................................16 + 11.2. Informative References ...................................16 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +IAB, et al. Informational [Page 2] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + +1. Introduction + + The DNS stores multiple categories of data. The two most commonly + used categories are infrastructure data for the DNS system itself (NS + and SOA Resource Records) and data that have to do with mappings + between domain names and IP addresses (A, AAAA, and PTR Resource + Records). There are other categories as well, some of which are tied + to specific applications like email (MX Resource Records), while + others are generic Resource Record Types used to convey information + for multiple protocols (SRV and NAPTR Resource Records). + + When storing data in the DNS for a new application, the goal must be + to store data in such a way that the application can query for the + data it wants, while minimizing both the impact on existing + applications and the amount of extra data transferred to the client. + This implies that a number of design choices have to be made, where + the most important is to ensure that a precise selection of what data + to return must be made already in the query. 
A query consists of a + triple: {Owner (or name), Resource Record Class, Resource Record + Type}. + + Historically, extending the DNS to store application data tied to a + domain name has been done in different ways at different times. MX + Resource Records were created as a new Resource Record Type + specifically designed to support electronic mail. SRV records are a + generic type that use a prefixing scheme in combination with a base + domain name. NAPTR records add selection data inside the RDATA. It + is clear that the methods used to add new data types to the DNS have + been inconsistent, and the purpose of this document is to attempt to + clarify the implications of each of these methods, both for the + applications that use them and for the rest of the DNS. + + This document talks extensively about use of DNS wildcards. Many + people might think use of wildcards is not something that happens + today. In reality though, wildcards are in use, especially for + certain application-specific data such as MX Resource Records. + Because of this, the choice has to be made with the existence of + wildcards in mind. + + Another overall issue that must be taken into account is what the new + data in the DNS are to describe. In some cases, they might be + completely new data. In other cases, they might be metadata tied to + data that already exist in the DNS. Examples of new data are key + information for the Secure SHell (SSH) Protocol and data used for + authenticating the sender of email messages (metadata tied to MX + Resource Records). If the new data are tied to data that already + exist in the DNS, an analysis should be made as to whether having + (for example) address records and SSH key information in different + + + +IAB, et al. 
Informational [Page 3] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + DNS zones is a problem or if it is a bonus, and if it is a problem, + whether the specification must require all of the related data to be + in the same zone. One specific difference between having the records + in the same zone or not has to do with maintenance of the records. + If they are in the same zone, the same maintainer (from a DNS + perspective) manages the two records. Specifically, they must be + signed with the same DNSSEC keys if DNSSEC is in use. + + This document does not talk about what one should store in the DNS. + It also doesn't discuss whether the DNS should be used for service + discovery, or whether the DNS should be used for storage of data + specific to the service. In general, the DNS is a protocol that, + apart from holding metadata that makes the DNS itself function (NS, + SOA, DNSSEC Resource Record Types, etc.), only holds references to + service locations (SRV, NAPTR, A, AAAA Resource Record Types) -- + though there are exceptions, such as MX Resource Records. + +2. Background + + See RFC 5395 [RFC5395] for a brief summary of the DNS query + structure. Readers interested in the full story should start with + the base DNS specification in RFC 1035 [RFC1035] and continue with + the various documents that update, clarify, and extend the base + specification. + + When composing a DNS query, the parameters used by the protocol are a + {owner, class, type} triple. Every Resource Record matching such a + triple is said to belong to the same Resource Record Set (RRSet), and + the whole RRSet is always returned to the client that queries for it. + Splitting an RRSet is a protocol violation (sending a partial RRSet, + not truncating the DNS response), because it can result in coherency + problems with the DNS caching mechanism. See Section 5 of [RFC2181] + for more information. 
+ + Some discussions around extensions to the DNS include arguments + around MTU size. Note that most discussions about DNS and MTU size + are about the size of the whole DNS packet, not about the size of a + single RRSet. + + Almost all DNS query traffic is carried over UDP, where a DNS message + must fit within a single UDP packet. DNS response messages are + almost always larger than DNS query messages, so message size issues + are almost always about responses, not queries. The base DNS + specification limits DNS messages over UDP to 512 octets; EDNS0 + [RFC2671] specifies a mechanism by which a client can signal its + willingness to receive larger responses, but deployment of EDNS0 is + not universal, in part because of firewalls that block fragmented UDP + packets or EDNS0. If a response message won't fit in a single + + + +IAB, et al. Informational [Page 4] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + packet, the name server returns a truncated response, at which point + the client may retry using TCP. DNS queries over TCP are not subject + to this length limitation, but TCP imposes significantly higher per- + query overhead on name servers than UDP. It is also the case that + the policies in deployed firewalls far too often are such that they + block DNS over TCP, so using TCP might not in reality be an option. + There are also risks (although possibly small) that a change of + routing while a TCP flow is open creates problems when the DNS + servers are deployed in an anycast environment. + +3. Extension Mechanisms + + The DNS protocol is intended to be extensible to support new kinds of + data. This section examines the various ways in which this sort of + extension can be accomplished. + +3.1. 
Place Selectors inside the RDATA of Existing Resource Record Types + + For a given query name, one might choose to have a single RRSet (all + Resource Records sharing the same {owner, class, type} triple) shared + by multiple applications, and have the different applications use + selectors within the Resource Record data (RDATA) to determine which + records are intended for which applications. This sort of selector + mechanism is usually referred to "subtyping", because it is in effect + creating an additional type subsystem within a single DNS Resource + Record Type. + + Examples of subtyping include NAPTR Resource Records [RFC3761] and + the original DNSSEC KEY Resource Record Type [RFC2535] (which was + later updated by RFC 3445 [RFC3445], and obsoleted by RFC 4033 + [RFC4033], RFC 4034 [RFC4034] and RFC 4035 [RFC4035]). + + All DNS subtyping schemes share a common weakness: with subtyping + schemes, it is impossible for a client to query for just the data it + wants. Instead, the client must fetch the entire RRSet, then select + the Resource Records in which it is interested. Furthermore, since + DNSSEC signatures operate on complete RRSets, the entire RRSet must + be re-signed if any Resource Record in it changes. As a result, each + application that uses a subtyped Resource Record incurs higher + overhead than any of the applications would have incurred had they + not been using a subtyping scheme. The fact the RRSet is always + passed around as an indivisible unit increases the risk the RRSet + will not fit in a UDP packet, which in turn increases the risk that + the client will have to retry the query with TCP, which substantially + increases the load on the name server. More precisely: having one + query fail over to TCP is not a big deal, but since the typical ratio + + + + + +IAB, et al. 
Informational [Page 5] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + of clients to servers in today's deployed DNS is very high, having a + substantial number of DNS messages fail over to TCP may cause the + queried name servers to be overloaded by TCP overhead. + + Because of the size limitations, using a subtyping scheme to list a + large number of services for a single domain name risks triggering + truncation and fallback to TCP, which may in turn force the zone + administrator to announce only a subset of available services. + +3.2. Add a Prefix to the Owner Name + + By adding an application-specific prefix to a domain name, we get a + different {owner, class, type} triple, and therefore a different + RRSet. One problem with adding prefixes has to do with wildcards, + especially if one has records like: + + *.example.com. IN MX 1 mail.example.com. + + and one wants records tied to those names. Suppose one creates the + prefix "_mail". One would then have to say something like: + + _mail.*.example.com. IN X-FOO A B C D + + but DNS wildcards only work with the "*" as the leftmost token in the + domain name (see also RFC 4592 [RFC4592]). + + There have been proposals to deal with the problem that DNS wildcards + are always terminal records. These proposals introduce an additional + set of trade-offs that would need to be taken into account when + assessing which extension mechanism to choose. Aspects of extra + response time needed to perform the extra queries, costs of pre- + calculation of possible answers, or the costs induced to the system + as a whole come to mind. At the time of writing, none of these + proposals has been published as Standards Track RFCs. + + Even when a specific prefix is chosen, the data will still have to be + stored in some Resource Record Type. This Resource Record Type can + be either a new Resource Record Type or an existing Resource Record + Type that has an appropriate format to store the data. 
One also + might need some other selection mechanism, such as the ability to + distinguish between the records in an RRSet, given they have the same + Resource Record Type. Because of this, one needs to both register a + unique prefix and define what Resource Record Type is to be used for + this specific service. + + + + + + + +IAB, et al. Informational [Page 6] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + If the record has some relationship with another record in the zone, + the fact that the two records can be in different zones might have + implications on the trust the application has in the records. For + example: + + example.com. IN MX 10 mail.example.com. + _foo.example.com. IN X-BAR "metadata for the mail service" + + In this example, the two records might be in two different zones, and + as a result might be administered by two different organizations, and + signed by two different entities when using DNSSEC. For these two + reasons, using a prefix has recently become a very interesting + solution for many protocol designers. In some cases, e.g., + DomainKeys Identified Mail Signatures [RFC4871], TXT records have + been used. In others, such as SRV, entirely new Resource Record + Types have been added. + +3.3. Add a Suffix to the Owner Name + + Adding a suffix to a domain name changes the {owner, class, type} + triple, and therefore the RRSet. In this case, since the query name + can be set to exactly the data one wants, the size of the RRSet is + minimized. The problem with adding a suffix is that it creates a + parallel tree within the IN class. Further, there is no technical + mechanism to ensure that the delegation for "example.com" and + "example.com._bar" are made to the same organization. 
Furthermore, + data associated with a single entity will now be stored in two + different zones, such as "example.com" and "example.com._bar", which, + depending on who controls "_bar", can create new synchronization and + update authorization issues. + + One way of solving the administrative issues is by using the DNAME + Resource Record Type specified in RFC 2672 [RFC2672]. + + Even when using a different name, the data will still have to be + stored in some Resource Record Type that has an appropriate format to + store the data. This implies that one might have to mix the prefix + based selection mechanism with some other mechanism so that the right + Resource Record can be found out of many in a potential larger RRSet. + + In RFC 2163 [RFC2163] an infix token is inserted directly below the + Top-Level Domain (TLD), but the result is equivalent to adding a + suffix to the owner name (instead of creating a TLD, one is creating + a second level domain). + + + + + + + +IAB, et al. Informational [Page 7] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + +3.4. Add a New Class + + DNS zones are class-specific in the sense that all the records in + that zone share the same class as the zone's SOA record and the + existence of a zone in one class does not guarantee the existence of + the zone in any other class. In practice, only the IN class has ever + seen widespread deployment, and the administrative overhead of + deploying an additional class would almost certainly be prohibitive. + + Nevertheless, one could, in theory, use the DNS class mechanism to + distinguish between different kinds of data. However, since the DNS + delegation tree (represented by NS Resource Records) is itself tied + to a specific class, attempting to resolve a query by crossing a + class boundary may produce unexpected results because there is no + guarantee that the name servers for the zone in the new class will be + the same as the name servers in the IN class. 
The MIT Hesiod system + [Dyer87] used a scheme like this for storing data in the HS class, + but only on a very small scale (within a single institution), and + with an administrative fiat requiring that the delegation trees for + the IN and HS trees be identical. The use of the HS class for such + storage of non-sensitive data was, over time, replaced by use of the + Lightweight Directory Access Protocol (LDAP) [RFC4511]. + + Even when using a different class, the data will still have to be + stored in some Resource Record Type that has an appropriate format. + +3.5. Add a New Resource Record Type + + When adding a new Resource Record Type to the system, entities in + four different roles have to be able to handle the new Type: + + 1. There must be a way to insert the new Resource Records into the + zone at the Primary Master name server. For some server + implementations, the user interface only accepts Resource Record + Types that it understands (perhaps so that the implementation can + attempt to validate the data). Other implementations allow the + zone administrator to enter an integer for the Resource Record + Type code and the RDATA in Base64 or hexadecimal encoding (or + even as raw data). RFC 3597 [RFC3597] specifies a standard + generic encoding for this purpose. + + 2. A slave authoritative name server must be able to do a zone + transfer, receive the data from some other authoritative name + server, and serve data from the zone even though the zone + includes records of unknown Resource Record Types. Historically, + some implementations have had problems parsing stored copies of + the zone file after restarting, but those problems have not been + seen for a few years. Some implementations use an alternate + + + +IAB, et al. 
Informational [Page 8] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + mechanism (e.g., LDAP) to transfer Resource Records in a zone, + and are primarily used within corporate environments; in this + case, name servers must be able to transfer new Resource Record + Types using whatever mechanism is used. However, today this + alternative mechanism may not support unknown Resource Record + Types. Hence, in Internet environments, unknown Resource Record + Types are supported, but in corporate environments they are + problematic. + + 3. A caching resolver (most commonly a recursive name server) will + cache the records that are responses to queries. As mentioned in + RFC 3597 [RFC3597], there are various pitfalls where a recursive + name server might end up having problems. + + 4. The application must be able to get the RRSet with a new Resource + Record Type. The application itself may understand the RDATA, + but the resolver library might not. Support for a generic + interface for retrieving arbitrary DNS Resource Record Types has + been a requirement since 1989 (see Section 6.1.4.2 of [RFC1123]). + Some stub resolver library implementations neglect to provide + this functionality and cannot handle unknown Resource Record + Types, but implementation of a new stub resolver library is not + particularly difficult, and open source libraries that already + provide this functionality are available. + + Historically, adding a new Resource Record Type has been very + problematic. The review process has been cumbersome, DNS servers + have not been able to handle new Resource Record Types, and firewalls + have dropped queries or responses with Resource Record Types that are + unknown to the firewall. This is, for example, one of the reasons + the ENUM standard reuses the NAPTR Resource Record, a decision that + today might have gone to creating a new Resource Record Type instead. 
+ + Today, there is a requirement that DNS software handle unknown + Resource Record Types, and investigations have shown that software + that is deployed, in general, does support it, except in some + alternate mechanisms for transferring Resource Records such as LDAP, + as noted above. Also, the approval process for new Resource Record + Types has been updated [RFC5395] so the effort that is needed for + various Resource Record Types is more predictable. + +4. Zone Boundaries are Invisible to Applications + + Regardless of the possible choices above, we have seen a number of + cases where the application made assumptions about the structure of + the namespace and the location where specific information resides. + We take a small sidestep to argue against such approaches. + + + + +IAB, et al. Informational [Page 9] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + The DNS namespace is a hierarchy, technically speaking. However, + this only refers to the way names are built from multiple labels. + DNS hierarchy neither follows nor implies administrative hierarchy. + Because of that, it cannot be assumed that data attached to a node in + the DNS tree is valid for the whole subtree. Technically, there are + zone boundaries partitioning the namespace, and administrative + boundaries (or policy boundaries) may even exist elsewhere. + + The false assumption has lead to an approach called "tree climbing", + where a query that does not receive a positive response (either the + requested RRSet was missing or the name did not exist) is retried by + repeatedly stripping off the leftmost label (climbing towards the + root) until the root domain is reached. Sometimes these proposals + try to avoid the query for the root or the TLD level, but still this + approach has severe drawbacks: + + o Technically, the DNS was built as a query-response tool without + any search capability [RFC3467]. 
Adding the search mechanism + imposes additional burden on the technical infrastructure, in the + worst case on TLD and root name servers. + + o For reasons similar to those outlined in RFC 1535 [RFC1535], + querying for information in a domain outside the control of the + intended entity may lead to incorrect results and may also put + security at risk. Finding the exact policy boundary is impossible + without an explicit marker, which does not exist at present. At + best, software can detect zone boundaries (e.g., by looking for + SOA Resource Records), but some TLD registries register names + starting at the second level (e.g., CO.UK), and there are various + other "registry" types at second, third, or other level domains + that cannot be identified as such without policy knowledge + external to the DNS. + + To restate, the zone boundary is purely a boundary that exists in the + DNS for administrative purposes, and applications should be careful + not to draw unwarranted conclusions from zone boundaries. A + different way of stating this is that the DNS does not support + inheritance, e.g., an MX RRSet for a TLD will not be valid for any + subdomain of that particular TLD. + +5. Why Adding a New Resource Record Type Is the Preferred Solution + + By now, the astute reader might be wondering what conclusions to draw + from the issues presented so far. We will now attempt to clear up + the reader's confusion by following the thought processes of a + typical application designer who wishes to store data in the DNS. + We'll show how such a designer almost inevitably hits upon the idea + of just using a TXT Resource Record, why this is a bad thing, and why + + + +IAB, et al. Informational [Page 10] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + a new Resource Record Type should be allocated instead. We'll also + explain how the reuse of an existing Resource Record, including TXT, + can be made less harmful. 
+ + The overall problem with most solutions has to do with two main + issues: + + o No semantics to prevent collision with other use + + o Space considerations in the DNS message + + A typical application designer is not interested in the DNS for its + own sake, but rather regards it as a distributed database in which + application data can be stored. As a result, the designer of a new + application is usually looking for the easiest way to add whatever + new data the application needs to the DNS in a way that naturally + associates the data with a DNS name and does not require major + changes to DNS servers. + + As explained in Section 3.4, using the DNS class system as an + extension mechanism is not really an option, and in fact, most users + of the system don't even realize that the mechanism exists. As a + practical matter, therefore any extension is likely to be within the + IN class. + + Adding a new Resource Record Type is the technically correct answer + from the DNS protocol standpoint (more on this below), but doing so + requires some DNS expertise, due to the issues listed in Section 3.5. + Consequently, this option is often rejected. Note that according to + RFC 5395 [RFC5395], some Types require IETF Consensus, while others + only require a specification. + + There is a drawback to defining new RR types that is worth + mentioning. The Resource Record Type (RRTYPE) is a 16-bit value and + hence is a limited resource. In order to prevent hoarding the + registry has a review-based allocation policy [RFC5395]; however, + this may not be sufficient if extension of the DNS by addition of new + RR types takes up significantly and the registry starts nearing + completion. In that case, the trade-offs with respect to choosing an + extension mechanism may need to change. 
+ + The application designer is thus left with the prospect of reusing + some existing DNS Types within the IN class, but when the designer + looks at the existing Types, almost all of them have well-defined + semantics, none of which quite match the needs of the new + application. This has not completely prevented proposals from + + + + + +IAB, et al. Informational [Page 11] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + reusing existing Resource Record Types in ways incompatible with + their defined semantics, but it does tend to steer application + designers away from this approach. + + For example, Resource Record Type 40 was registered for the SINK + Resource Record Type. This Resource Record Type was discussed in the + DNSIND working group of the IETF, and it was decided at the 46th IETF + to not move the I-D forward to become an RFC because of the risk of + encouraging application designers to use the SINK Resource Record + Type instead of registering a new Resource Record Type, which would + result in infeasibly large SINK RRsets. + + Eliminating all of the above leaves the TXT Resource Record Type in + the IN class. The TXT RDATA format is free form text, and there are + no existing semantics to get in the way. Some attempts have been + made, for example, in [DNSEXT-DNS-SD], to specify a structured format + for TXT Resource Record Types, but no such attempt has reached RFC + status. Furthermore, the TXT Resource Record can obviously just be + used as a bucket in which to carry around data to be used by some + higher-level parser, perhaps in some human-readable programming or + markup language. Thus, for many applications, TXT Resource Records + are the "obvious" choice. Unfortunately, this conclusion, while + understandable, is also problematic, for several reasons. 
+ + The first reason why TXT Resource Records are not well suited to such + use is precisely what makes them so attractive: the lack of pre- + defined common syntax or structure. As a result, each application + that uses them creates its own syntax/structure, and that makes it + difficult to reliably distinguish one application's record from + others, and for its parser to avoid problems when it encounters other + TXT records. + + Arguably, the TXT Resource Record is misnamed, and should have been + called the Local Container record, because a TXT Resource Record + means only what the data producer says it means. This is fine, so + long as TXT Resource Records are being used by human beings or by + private agreement between data producer and data consumer. However, + it becomes a problem once one starts using them for standardized + protocols in which there is no prior relationship between data + producer and data consumer. If TXT records are used without one of + the naming modifications discussed earlier (and in some cases even if + one uses such naming mechanisms), there is nothing to prevent + collisions with some other incompatible use of TXT Resource Records. + + This is even worse than the general subtyping problem described in + Section 3.1 because TXT Resource Records don't even have a + standardized selector field in which to store the subtype. RFC 1464 + [RFC1464] tried, but it was not a success. At best, a definition of + + + +IAB, et al. Informational [Page 12] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + a subtype is reduced to hoping that whatever scheme one has come up + with will not accidently conflict with somebody else's subtyping + scheme, and that it will not be possible to mis-parse one + application's use of TXT Resource Records as data intended for a + different application. 
Any attempt to impose a standardized format + within the TXT Resource Record format would be at least fifteen years + too late, even if it were put into effect immediately; at best, one + can restrict the syntax that a particular application uses within a + TXT Resource Record and accept the risk that unrelated TXT Resource + Record uses will collide with it. + + Using one of the naming modifications discussed in Section 3.2 and + Section 3.3 would address the subtyping problem, (and have been used + in combinations with reuse of TXT record, such as for the dns/txt + lookup mechanism in Domain Keys Identified Mail (DKIM)) but each of + these approaches brings in new problems of its own. The prefix + approach (that for example SRV Resource Records use) does not work + well with wildcards, which is a particular problem for mail-related + applications, since MX Resource Records are probably the most common + use of DNS wildcards. The suffix approach doesn't have wildcard + issues, but, as noted previously, it does have synchronization and + update authorization issues, since it works by creating a second + subtree in a different part of the global DNS namespace. + + The next reason why TXT Resource Records are not well suited to + protocol use has to do with the limited data space available in a DNS + message. As alluded to briefly in Section 3.1, typical DNS query + traffic patterns involve a very large number of DNS clients sending + queries to a relatively small number of DNS servers. Normal path MTU + discovery schemes do little good here because, from the server's + perspective, there isn't enough repeat traffic from any one client + for it to be worth retaining state. UDP-based DNS is an idempotent + query, whereas TCP-based DNS requires the server to keep state (in + the form of TCP connection state, usually in the server's kernel) and + roughly triples the traffic load. 
Thus, there's a strong incentive + to keep DNS messages short enough to fit in a UDP datagram, + preferably a UDP datagram short enough not to require IP + fragmentation. + + Subtyping schemes are therefore again problematic because they + produce larger Resource RRSets than necessary, but verbose text + encodings of data are also wasteful since the data they hold can + usually be represented more compactly in a Resource Record designed + specifically to support the application's particular data needs. If + the data that need to be carried are so large that there is no way to + make them fit comfortably into the DNS regardless of encoding, it is + probably better to move the data somewhere else, and just use the DNS + as a pointer to the data, as with NAPTR. + + + +IAB, et al. Informational [Page 13] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + +6. Conclusion and Recommendation + + Given the problems detailed in Section 5, it is worth reexamining the + oft-jumped-to conclusion that specifying a new Resource Record Type + is hard. Historically, this was indeed the case, but recent surveys + suggest that support for unknown Resource Record Types [RFC3597] is + now widespread in the public Internet, and because of that, the DNS + infrastructure can handle new Resource Record Types. The lack of + support for unknown Types remains an issue for relatively old + provisioning software and in corporate environments. + + Of all the issues detailed in Section 3.5, provisioning the data is + in some respects the most difficult. Investigations with zone + transfers show that the problem is less difficult for the + authoritative name servers themselves than the front-end systems used + to enter (and perhaps validate) the data. Hand editing does not work + well for maintenance of large zones, so some sort of tool is + necessary, and the tool may not be tightly coupled to the name server + implementation itself. 
Note, however, that this provisioning problem + exists to some degree with any new form of data to be stored in the + DNS, regardless of data format, Resource Record type (even if TXT + Resource Record Types are in use), or naming scheme. Adapting front- + end systems to support a new Resource Record Type may be a bit more + difficult than reusing an existing type, but this appears to be a + minor difference in degree rather than a difference in kind. + + Given the various issues described in this note, we believe that: + + o there is no magic solution that allows a completely painless + addition of new data to the DNS, but + + o on the whole, the best solution is still to use the DNS Resource + Record Type mechanism designed for precisely this purpose, + whenever possible, and + + o of all the alternate solutions, the "obvious" approach of using + TXT Resource Records for arbitrary names is almost certainly the + worst, especially for the two reasons outlined above (lack of + semantics and its implementations, and size leading to the need to + use TCP). + +7. Creating a New Resource Record Type + + The process for creating a new Resource Record Type is specified in + RFC 5395 [RFC5395]. + + + + + + +IAB, et al. Informational [Page 14] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + +8. Security Considerations + + DNS RRSets can be signed using DNSSEC. DNSSEC is almost certainly + necessary for any application mechanism that stores authorization + data in the DNS. DNSSEC signatures significantly increase the size + of the messages transported, and because of this, the DNS message + size issues discussed in Sections 3.1 and 5 are more serious than + they might at first appear. + + Adding new Resource Record Types (as discussed in Section 3.5) can + create two different kinds of problems: in the DNS software and in + applications. 
In the DNS software, it might conceivably trigger bugs + and other bad behavior in software that is not compliant with RFC + 3597 [RFC3597], but most such DNS software is old enough and insecure + enough that it should be updated for other reasons in any case. In + applications and provisioning software, the changes for the new + features that need the new data in the DNS can be updated to + understand the structure of the new data format (regardless of + whether a new Resource Record Type is used or some other mechanism is + chosen). Basic API support for retrieving arbitrary Resource Record + Types has been a requirement since 1989 [RFC1123]. + + Any new protocol that proposes to use the DNS to store data used to + make authorization decisions would be well advised not only to use + DNSSEC but also to encourage upgrades to DNS server software recent + enough not to be riddled with well-known exploitable bugs. + +9. Acknowledgements + + This document has been created over a number of years, with input + from many people. The question on how to expand and use the DNS is + sensitive, and a document like this can not please everyone. The + goal is instead to describe the architecture and tradeoffs, and make + some recommendations about best practices. 
+ + People that have helped include: Dean Anderson, Mark Andrews, John + Angelmo, Roy Badami, Dan Bernstein, Alex Bligh, Nathaniel Borenstein, + Stephane Bortzmeyer, Brian Carpenter, Leslie Daigle, Elwyn Davies, + Mark Delany, Richard Draves, Martin Duerst, Donald Eastlake, Robert + Elz, Jim Fenton, Tony Finch, Jim Gilroy, Olafur Gudmundsson, Eric + Hall, Phillip Hallam-Baker, Ted Hardie, Bob Hinden, Paul Hoffman, + Geoff Houston, Christian Huitema, Johan Ihren, John Klensin, Ben + Laurie, William Leibzon, John Levine, Edward Lewis, David MacQuigg, + Allison Mankin, Bill Manning, David Meyer, Pekka Nikander, Mans + Nilsson, Masataka Ohta, Douglas Otis, Michael Patton, Jonathan + Rosenberg, Anders Rundgren, Miriam Sapiro, Carsten Strotmann, Pekka + Savola, Chip Sharp, James Snell, Michael Thomas, Paul Vixie, Sam + Weiler, Florian Weimer, Bert Wijnen, and Dan Wing. + + + +IAB, et al. Informational [Page 15] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + +10. IAB Members at the Time of This Writing + + Loa Andersson + Gonzalo Camarillo + Stuart Cheshire + Russ Housley + Olaf Kolkman + Gregory Lebovitz + Barry Leiba + Kurtis Lindqvist + Andrew Malis + Danny McPherson + David Oran + Dave Thaler + Lixia Zhang + +11. References + +11.1. Normative References + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [RFC1464] Rosenbaum, R., "Using the Domain Name System To + Store Arbitrary String Attributes", RFC 1464, + May 1993. + + [RFC2535] Eastlake, D., "Domain Name System Security + Extensions", RFC 2535, March 1999. + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", + RFC 2671, August 1999. + + [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource + Record (RR) Types", RFC 3597, September 2003. + + [RFC5395] Eastlake, D., "Domain Name System (DNS) IANA + Considerations", BCP 42, RFC 5395, November 2008. + +11.2. Informative References + + [DNSEXT-DNS-SD] Cheshire, S. 
and M. Krochmal, "DNS-Based Service + Discovery", Work in Progress, September 2008. + + [Dyer87] Dyer, S. and F. Hsu, "Hesiod, Project Athena + Technical Plan - Name Service", Version 1.9, + April 1987. + + + + +IAB, et al. Informational [Page 16] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + [RFC1123] Braden, R., "Requirements for Internet Hosts - + Application and Support", STD 3, RFC 1123, + October 1989. + + [RFC1535] Gavron, E., "A Security Problem and Proposed + Correction With Widely Deployed DNS Software", + RFC 1535, October 1993. + + [RFC2163] Allocchio, C., "Using the Internet DNS to Distribute + MIXER Conformant Global Address Mapping (MCGAM)", + RFC 2163, January 1998. + + [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. + + [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", + RFC 2672, August 1999. + + [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the + KEY Resource Record (RR)", RFC 3445, December 2002. + + [RFC3467] Klensin, J., "Role of the Domain Name System (DNS)", + RFC 3467, February 2003. + + [RFC3761] Faltstrom, P. and M. Mealling, "The E.164 to Uniform + Resource Identifiers (URI) Dynamic Delegation + Discovery System (DDDS) Application (ENUM)", + RFC 3761, April 2004. + + [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and + S. Rose, "DNS Security Introduction and + Requirements", RFC 4033, March 2005. + + [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and + S. Rose, "Resource Records for the DNS Security + Extensions", RFC 4034, March 2005. + + [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and + S. Rose, "Protocol Modifications for the DNS + Security Extensions", RFC 4035, March 2005. + + [RFC4511] Sermersheim, J., "Lightweight Directory Access + Protocol (LDAP): The Protocol", RFC 4511, June 2006. + + [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name + System", RFC 4592, July 2006. 
+ + + + + +IAB, et al. Informational [Page 17] + +RFC 5507 Design Choices When Expanding the DNS April 2009 + + + [RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M., + Fenton, J., and M. Thomas, "DomainKeys Identified + Mail (DKIM) Signatures", RFC 4871, May 2007. + +Authors' Addresses + + Internet Architecture Board + + EMail: iab@iab.org + + + Patrik Faltstrom (editor) + + EMail: paf@cisco.com + + + Rob Austein (editor) + + EMail: sra@isc.org + + + Peter Koch (editor) + + EMail: pk@denic.de + + + + + + + + + + + + + + + + + + + + + + + + + + + +IAB, et al. Informational [Page 18] + From a8a268bb816db2a83e579ccbbec3a83e9c87b693 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 29 Apr 2009 04:10:36 +0000 Subject: [PATCH 60/60] new draft --- doc/draft/draft-ietf-dnsext-dnsproxy-05.txt | 728 ++++++++++++++++++++ 1 file changed, 728 insertions(+) create mode 100644 doc/draft/draft-ietf-dnsext-dnsproxy-05.txt diff --git a/doc/draft/draft-ietf-dnsext-dnsproxy-05.txt b/doc/draft/draft-ietf-dnsext-dnsproxy-05.txt new file mode 100644 index 0000000000..c5858c00ad --- /dev/null +++ b/doc/draft/draft-ietf-dnsext-dnsproxy-05.txt 
@@ -0,0 +1,728 @@ + + + +DNSEXT R. Bellis +Internet-Draft Nominet UK +Intended status: BCP April 23, 2009 +Expires: October 25, 2009 + + + DNS Proxy Implementation Guidelines + draft-ietf-dnsext-dnsproxy-05 + +Status of this Memo + + This Internet-Draft is submitted to IETF in full conformance with the + provisions of BCP 78 and BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on October 25, 2009. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + +Abstract + + This document provides guidelines for the implementation of DNS + proxies, as found in broadband gateways and other similar network + devices. + + + +Bellis Expires October 25, 2009 [Page 1] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 + + 3. 
The Transparency Principle . . . . . . . . . . . . . . . . . . 3 + + 4. Protocol Conformance . . . . . . . . . . . . . . . . . . . . . 4 + 4.1. Unexpected Flags and Data . . . . . . . . . . . . . . . . 4 + 4.2. Label Compression . . . . . . . . . . . . . . . . . . . . 4 + 4.3. Unknown Resource Record Types . . . . . . . . . . . . . . 5 + 4.4. Packet Size Limits . . . . . . . . . . . . . . . . . . . . 5 + 4.4.1. TCP Transport . . . . . . . . . . . . . . . . . . . . 6 + 4.4.2. Extension Mechanisms for DNS (EDNS0) . . . . . . . . . 6 + 4.4.3. IP Fragmentation . . . . . . . . . . . . . . . . . . . 6 + 4.5. Secret Key Transaction Authentication for DNS (TSIG) . . . 7 + + 5. DHCP's Interaction with DNS . . . . . . . . . . . . . . . . . 7 + 5.1. Domain Name Server (DHCP Option 6) . . . . . . . . . . . . 8 + 5.2. Domain Name (DHCP Option 15) . . . . . . . . . . . . . . . 8 + 5.3. DHCP Leases . . . . . . . . . . . . . . . . . . . . . . . 8 + + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 + 6.1. Forgery Resilience . . . . . . . . . . . . . . . . . . . . 9 + 6.2. Interface Binding . . . . . . . . . . . . . . . . . . . . 10 + 6.3. Packet Filtering . . . . . . . . . . . . . . . . . . . . . 10 + + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 + + 8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11 + + 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 + + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12 + 10.2. Informative References . . . . . . . . . . . . . . . . . . 13 + + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 + + + + + + + + + + + + +Bellis Expires October 25, 2009 [Page 2] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + +1. 
Introduction + + Research has found ([SAC035], [DOTSE]) that many commonly-used + broadband gateways (and similar devices) contain DNS proxies which + are incompatible in various ways with current DNS standards. + + These proxies are usually simple DNS forwarders, but typically do not + have any caching capabilities. The proxy serves as a convenient + default DNS resolver for clients on the LAN, but relies on an + upstream resolver (e.g. at an ISP) to perform recursive DNS lookups. + + Note that to ensure full DNS protocol interoperability it is + preferred that client stub resolvers should communicate directly with + full-feature upstream recursive resolvers wherever possible. + + That notwithstanding, this document describes the incompatibilities + that have been discovered and offers guidelines to implementors on + how to provide better interoperability in those cases where the + client must use the broadband gateway's DNS proxy. + + +2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + +3. The Transparency Principle + + It is not considered practical for a simple DNS proxy to implement + all current and future DNS features. + + There are several reasons why this is the case: + + o broadband gateways usually have limited hardware resources + o firmware upgrade cycles are long, and many users do not routinely + apply upgrades when they become available + o no-one knows what those future DNS features will be, nor how they + might be implemented + o it would substantially complicate the configuration UI of the + device + + Furthermore some modern DNS protocol extensions (see e.g. EDNS0, + below) are intended to be used as "hop-by-hop" mechanisms. 
If the + DNS proxy is considered to be such a "hop" in the resolution chain, + then for it to function correctly, it would need to be fully + compliant with all such mechanisms. + + + +Bellis Expires October 25, 2009 [Page 3] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + [SAC035] shows that the more actively a proxy participates in the DNS + protocol then the more likely it is that it will somehow interfere + with the flow of messages between the DNS client and the upstream + recursive resolvers. + + The role of the proxy should therefore be no more and no less than to + receive DNS requests from clients on the LAN side, forward those + verbatim to one of the known upstream recursive resolvers on the WAN + side, and ensure that the whole response is returned verbatim to the + original client. + + It is RECOMMENDED that proxies should be as transparent as possible, + such that any "hop-by-hop" mechanisms or newly introduced protocol + extensions operate as if the proxy were not there. + + Except when required to enforce an active security or network policy + (such as maintaining a pre-authentication "walled garden"), end-users + SHOULD be able to send their DNS queries to specified upstream + resolvers, thereby bypassing the proxy altogether. In this case, the + gateway SHOULD NOT modify the DNS request or response packets in any + way. + + +4. Protocol Conformance + +4.1. Unexpected Flags and Data + + The Transparency Principle above, when combined with Postel's + Robustness Principle [RFC0793], suggests that DNS proxies should not + arbitrarily reject or otherwise drop requests or responses based on + perceived non-compliance with standards. + + For example, some proxies have been observed to drop any packet + containing either the "Authentic Data" (AD) or "Checking Disabled" + (CD) bits from DNSSEC [RFC4035]. This may be because [RFC1035] + originally specified that these unused "Z" flag bits "MUST" be zero. 
+ However these flag bits were always intended to be reserved for + future use, so refusing to proxy any packet containing these flags + (now that uses for those flags have indeed been defined) is not + appropriate. + + Therefore it is RECOMMENDED that proxies SHOULD ignore any unknown + DNS flags and proxy those packets as usual. + +4.2. Label Compression + + Compression of labels as per Section 4.1.4 of [RFC1035] is optional. + + + + +Bellis Expires October 25, 2009 [Page 4] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + Proxies MUST forward packets regardless of the presence or absence of + compressed labels therein. + +4.3. Unknown Resource Record Types + + [RFC3597] requires that resolvers MUST handle Resource Records (RRs) + of unknown type transparently. + + All requests and responses MUST be proxied regardless of the values + of the QTYPE and QCLASS fields. + + Similarly all responses MUST be proxied regardless of the values of + the TYPE and CLASS fields of any Resource Record therein. + +4.4. Packet Size Limits + + [RFC1035] specifies that the maximum size of the DNS payload in a UDP + packet is 512 octets. Where the required portions of a response + would not fit inside that limit the DNS server MUST set the + "TrunCation" (TC) bit in the DNS response header to indicate that + truncation has occurred. There are however two standard mechanisms + (described in Section 4.4.1 and Section 4.4.2) for transporting + responses larger than 512 octets. + + Many proxies have been observed to truncate all responses at 512 + octets, and others at a packet size related to the WAN MTU, in either + case doing so without correctly setting the TC bit. + + Other proxies have been observed to remove the TC bit in server + responses which correctly had the TC bit set by the server. + + If a DNS response is truncated but the TC bit is not set then client + failures may result. 
In particular a naive DNS client library might + suffer crashes due to reading beyond the end of the data actually + received. + + Since UDP packets larger than 512 octets are now expected in normal + operation, proxies SHOULD NOT truncate UDP packets that exceed that + size. See Section 4.4.3 for recommendations for packet sizes + exceeding the WAN MTU. + + If a proxy must unilaterally truncate a response then the proxy MUST + set the TC bit. Similarly, proxies MUST NOT remove the TC bit from + responses. + + + + + + + +Bellis Expires October 25, 2009 [Page 5] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + +4.4.1. TCP Transport + + Should a UDP query fail because of truncation, the standard fail-over + mechanism is to retry the query using TCP, as described in section + 6.1.3.2 of [RFC1123]. + + DNS proxies SHOULD therefore be prepared to receive and forward + queries over TCP. + + Note that it is unlikely that a client would send a request over TCP + unless it had already received a truncated UDP response. Some + "smart" proxies have been observed to first forward any request + received over TCP to an upstream resolver over UDP, only for the + response to be truncated, causing the proxy to retry over TCP. Such + behaviour increases network traffic and causes delay in DNS + resolution since the initial UDP request is doomed to fail. + + Therefore whenever a proxy receives a request over TCP, the proxy + SHOULD forward the query over TCP and SHOULD NOT attempt the same + query over UDP first. + +4.4.2. Extension Mechanisms for DNS (EDNS0) + + The Extension Mechanism for DNS [RFC2671] was introduced to allow the + transport of larger DNS packets over UDP and also to allow for + additional request and response flags. + + A client may send an OPT Resource Record (OPT RR) in the Additional + Section of a request to indicate that it supports a specific receive + buffer size. 
The OPT RR also includes the "DNSSEC OK" (DO) flag used + by DNSSEC to indicate that DNSSEC-related RRs should be returned to + the client. + + However some proxies have been observed to either reject (with a + FORMERR response code) or black-hole any packet containing an OPT RR. + As per Section 4.1 proxies SHOULD NOT refuse to proxy such packets. + +4.4.3. IP Fragmentation + + Support for UDP packet sizes exceeding the WAN MTU depends on the + gateway's algorithm for handling fragmented IP packets. Several + methods are possible: + + 1. fragments are dropped + 2. fragments are forwarded individually as they're received + 3. complete packets are reassembled on the gateway, and then re- + fragmented (if necessary) as they're forwarded to the client + + + + +Bellis Expires October 25, 2009 [Page 6] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + Method 1 above will cause compatibility problems with EDNS0 unless + the DNS client is configured to advertise an EDNS0 buffer size + limited to the WAN MTU less the size of the IP header. Note that RFC + 2671 does recommend that the path MTU should be taken into account + when using EDNS0. + + Also, whilst the EDNS0 specification allows for a buffer size of up + to 65535 octets, most common DNS server implementations do not + support a buffer size above 4096 octets. + + Therefore (irrespective of which of the methods above is in use) + proxies SHOULD be capable of forwarding UDP packets up to a payload + size of at least 4096 octets. + + NB: in theory IP fragmentation may also occur if the LAN MTU is + smaller than the WAN MTU, although the author has not observed such a + configuration in use on any residential broadband service. + +4.5. Secret Key Transaction Authentication for DNS (TSIG) + + [RFC2845] defines TSIG, which is a mechanism for authenticating DNS + requests and responses at the packet level. 
+ + Any modifications made to the DNS portions of a TSIG-signed query or + response packet (with the exception of the Query ID) will cause a + TSIG authentication failure. + + DNS proxies MUST implement Section 4.7 of [RFC2845] and either + forward packets unchanged (as recommended above) or fully implement + TSIG. + + As per Section 4.3, DNS proxies MUST be capable of proxying packets + containing TKEY [RFC2930] Resource Records. + + NB: any DNS proxy (such as those commonly found in WiFi hotspot + "walled gardens") which transparently intercepts all DNS queries, and + which returns unsigned responses to signed queries, will also cause + TSIG authentication failures. + + +5. DHCP's Interaction with DNS + + Whilst this document is primarily about DNS proxies, most consumers + rely on DHCP [RFC2131] to obtain network configuration settings. + Such settings include the client machine's IP address, subnet mask + and default gateway, but also include DNS related settings. + + It is therefore appropriate to examine how DHCP affects client DNS + + + +Bellis Expires October 25, 2009 [Page 7] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + configuration. + +5.1. Domain Name Server (DHCP Option 6) + + Most gateways default to supplying their own IP address in the DHCP + "Domain Name Server" option [RFC2132]. The net result is that + without explicit re-configuration many DNS clients will by default + send queries to the gateway's DNS proxy. This is understandable + behaviour given that the correct upstream settings are not usually + known at boot time. + + Most gateways learn their own DNS settings via values supplied by an + ISP via DHCP or PPP over the WAN interface. However whilst many + gateways do allow the device administrator to override those values, + some gateways only use those supplied values to affect the proxy's + own forwarding function, and do not offer these values via DHCP. 
+ + When using such a device the only way to avoid using the DNS proxy is + to hard-code the required values in the client operating system. + This may be acceptable for a desktop system but it is inappropriate + for mobile devices which are regularly used on many different + networks. + + As per Section 3, end-users SHOULD be able to send their DNS queries + directly to specified upstream resolvers, ideally without hard-coding + those settings in their stub resolver. + + It is therefore RECOMMENDED that gateways SHOULD support device + administrator configuration of values for the "Domain Name Server" + DHCP option. + +5.2. Domain Name (DHCP Option 15) + + A significant amount of traffic to the DNS Root Name Servers is for + invalid top-level domain names, and some of that traffic can be + attributed to particular equipment vendors whose firmware defaults + this DHCP option to specific values. + + Since no standard exists for a "local" scoped domain name suffix it + is RECOMMENDED that the default value for this option SHOULD be + empty, and that this option MUST NOT be sent to clients when no value + is configured. + +5.3. DHCP Leases + + It is noted that some DHCP servers in broadband gateways by default + offer their own IP address for the "Domain Name Server" option (as + described above) but then automatically start offering the upstream + + + +Bellis Expires October 25, 2009 [Page 8] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + servers' addresses once they've been learnt over the WAN interface. + + In general this behaviour is highly desirable, but the effect for the + end-user is that the settings used depend on whether the DHCP lease + was obtained before or after the WAN link was established. + + If the DHCP lease is obtained whilst the WAN link is down then the + DHCP client (and hence the DNS client) will not receive the correct + values until the DHCP lease is renewed. 
+ + Whilst no specific recommendations are given here, vendors may wish + to give consideration to the length of DHCP leases, and whether some + mechanism for forcing a DHCP lease renewal might be appropriate. + + Another possibility is that the learnt upstream values might be + persisted in non-volatile memory such that on reboot the same values + can be automatically offered via DHCP. However this does run the + risk that incorrect values are initially offered if the device is + moved or connected to another ISP. + + Alternatively, the DHCP server might only issue very short (i.e. 60 + second) leases while the WAN link is down, only reverting to more + typical lease lengths once the WAN link is up and the upstream DNS + servers are known. Indeed with such a configuration it may be + possible to avoid the need to implement a DNS proxy function in the + broadband gateway at all. + + +6. Security Considerations + + This document introduces no new protocols. However there are some + security related recommendations for vendors that are listed here. + +6.1. Forgery Resilience + + Whilst DNS proxies are not usually full-feature resolvers they + nevertheless share some characteristics with them. + + Notwithstanding the recommendations above about transparency many DNS + proxies are observed to pick a new Query ID for outbound requests to + ensure that responses are directed to the correct client. + + NB: Changing the Query ID is acceptable and compatible with proxying + TSIG-signed packets since the TSIG signature calculation is based on + the original message ID which is carried in the TSIG RR. + + It has been standard guidance for many years that each DNS query + should use a randomly generated Query ID. However many proxies have + + + +Bellis Expires October 25, 2009 [Page 9] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + been observed picking sequential Query IDs for successive requests. 
+ + It is strongly RECOMMENDED that DNS proxies follow the relevant + recommendations in [RFC5452], particularly those in Section 9.2 + relating to randomisation of Query IDs and source ports. This also + applies to source port selection within any NAT function. + + If a DNS proxy is running on a broadband gateway with NAT that is + compliant with [RFC4787] then it SHOULD also follow the + recommendations in Section 10 of [RFC5452] concerning how long DNS + state is kept. + +6.2. Interface Binding + + Some gateways have been observed to have their DNS proxy listening on + both internal (LAN) and external (WAN) interfaces. In this + configuration it is possible for the proxy to be used to mount + reflector attacks as described in [RFC5358]. + + The DNS proxy in a gateway SHOULD NOT by default be accessible from + the WAN interfaces of the device. + +6.3. Packet Filtering + + The Transparency and Robustness Principles are not entirely + compatible with the deep packet inspection features of security + appliances such as firewalls which are intended to protect systems on + the inside of a network from rogue traffic. + + However a clear distinction may be made between traffic that is + intrinsically malformed and that which merely contains unexpected + data. + + Examples of malformed packets which MAY be dropped include: + + o invalid compression pointers (i.e. those that point outside of the + current packet, or which might cause a parsing loop). + o incorrect counts for the Question, Answer, Authority and + Additional Sections (although care should be taken where + truncation is a possibility). + + Since dropped packets will cause the client to repeatedly retransmit + the original request, it is RECOMMENDED that proxies SHOULD instead + return a suitable DNS error response to the client (i.e. SERVFAIL) + instead of dropping the packet completely. 
+ + + + + + +Bellis Expires October 25, 2009 [Page 10] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + +7. IANA Considerations + + This document requests no IANA actions. + + +8. Change Log + + NB: to be removed by the RFC Editor before publication. + + draft-ietf-dnsproxy-05 + Removed specific reference to 28 byte IP headers (from Mark + Andrews) + + draft-ietf-dnsproxy-04 - post WGLC + Introduction expanded + Section 5.2 - changed SHOULD to MUST + Section 4.5 - changed SHOULD to MUST (Alex Bligh) + Editorial nits (from Andrew Sullivan, Alfred Hones) + Clarificaton on end-user vs device administrator (Alan Barrett, + Paul Selkirk) + + draft-ietf-dnsproxy-03 + Editorial nits and mention of LAN MTU (from Alex Bligh) + + draft-ietf-dnsproxy-02 + Changed "router" to "gateway" throughout (David Oran) + Updated forgery resilience reference + Elaboration on bypassability (from Nicholas W.) + Elaboration on NAT source port randomisation (from Nicholas W.) + Mention of using short DHCP leases while the WAN link is down + (from Ralph Droms) + Further clarification on permissibility of altering QID when using + TSIG + + draft-ietf-dnsproxy-01 + Strengthened recommendations about truncation (from Shane Kerr) + New TSIG text (with help from Olafur) + Additional forgery resilience text (from Olafur) + Compression support (from Olafur) + Correction of text re: QID changes and compatibility with TSIG + + draft-ietf-dnsproxy-00 + Changed recommended DPI error to SERVFAIL (from Jelte) + Changed example for invalid compression pointers (from Wouter). + Note about TSIG implications of changing Query ID (from Wouter). + Clarified TC-bit text (from Wouter) + + + + + +Bellis Expires October 25, 2009 [Page 11] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + Extra text about proxy bypass (Nicholas W.) + + draft-bellis-dnsproxy-00 + Initial draft + + +9. 
Acknowledgements + + The author would particularly like to acknowledge the assistance of + Lisa Phifer of Core Competence. In addition the author is grateful + for the feedback from the members of the DNSEXT Working Group. + + +10. References + +10.1. Normative References + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, + RFC 793, September 1981. + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [RFC1123] Braden, R., "Requirements for Internet Hosts - Application + and Support", STD 3, RFC 1123, October 1989. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", + RFC 2131, March 1997. + + [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor + Extensions", RFC 2132, March 1997. + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", + RFC 2671, August 1999. + + [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. + Wellington, "Secret Key Transaction Authentication for DNS + (TSIG)", RFC 2845, May 2000. + + [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY + RR)", RFC 2930, September 2000. + + [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record + (RR) Types", RFC 3597, September 2003. + + + + +Bellis Expires October 25, 2009 [Page 12] + +Internet-Draft DNS Proxy Implementation Guidelines April 2009 + + + [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Protocol Modifications for the DNS Security + Extensions", RFC 4035, March 2005. + + [RFC4787] Audet, F. and C. Jennings, "Network Address Translation + (NAT) Behavioral Requirements for Unicast UDP", BCP 127, + RFC 4787, January 2007. + + [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive + Nameservers in Reflector Attacks", BCP 140, RFC 5358, + October 2008. + + [RFC5452] Hubert, A. and R. 
van Mook, "Measures for Making DNS More + Resilient against Forged Answers", RFC 5452, January 2009. + +10.2. Informative References + + [DOTSE] Ahlund and Wallstrom, "DNSSEC Tests of Consumer Broadband + Routers", February 2008, + . + + [SAC035] Bellis, R. and L. Phifer, "Test Report: DNSSEC Impact on + Broadband Routers and Firewalls", September 2008, + . + + +Author's Address + + Ray Bellis + Nominet UK + Edmund Halley Road + Oxford OX4 4DQ + United Kingdom + + Phone: +44 1865 332211 + Email: ray.bellis@nominet.org.uk + URI: http://www.nominet.org.uk/ + + + + + + + + + + + + + + +Bellis Expires October 25, 2009 [Page 13] +

Mismatch responses received. + The DNS ID, response's source address, + and/or the response's source port does not + match what was expected. + (The port must be 53 or as defined by + the port option.) + This may be an indication of a cache + poisoning attempt.