From e7a4741b79c51d5a2f19823b4b2b68ac5d4ccd22 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Wed, 17 Dec 2014 01:11:58 +0000 Subject: [PATCH] regen v9_9 --- doc/arm/Bv9ARM.ch04.html | 88 ++++++++++++++-------------- doc/arm/Bv9ARM.ch06.html | 28 +++++---- doc/arm/Bv9ARM.ch07.html | 12 ++-- doc/arm/Bv9ARM.ch08.html | 16 ++--- doc/arm/Bv9ARM.ch09.html | 48 ++++++++------- doc/arm/Bv9ARM.html | 76 ++++++++++++------------ doc/arm/man.arpaname.html | 6 +- doc/arm/man.ddns-confgen.html | 8 +-- doc/arm/man.dig.html | 18 +++--- doc/arm/man.dnssec-checkds.html | 8 +-- doc/arm/man.dnssec-coverage.html | 8 +-- doc/arm/man.dnssec-dsfromkey.html | 14 ++--- doc/arm/man.dnssec-keyfromlabel.html | 12 ++-- doc/arm/man.dnssec-keygen.html | 14 ++--- doc/arm/man.dnssec-revoke.html | 8 +-- doc/arm/man.dnssec-settime.html | 12 ++-- doc/arm/man.dnssec-signzone.html | 10 ++-- doc/arm/man.dnssec-verify.html | 8 +-- doc/arm/man.genrandom.html | 8 +-- doc/arm/man.host.html | 8 +-- doc/arm/man.isc-hmac-fixup.html | 8 +-- doc/arm/man.named-checkconf.html | 10 ++-- doc/arm/man.named-checkzone.html | 10 ++-- doc/arm/man.named-journalprint.html | 6 +- doc/arm/man.named.html | 14 ++--- doc/arm/man.nsec3hash.html | 8 +-- doc/arm/man.nsupdate.html | 12 ++-- doc/arm/man.rndc-confgen.html | 10 ++-- doc/arm/man.rndc.conf.html | 10 ++-- doc/arm/man.rndc.html | 12 ++-- doc/arm/notes.html | 4 ++ 31 files changed, 262 insertions(+), 252 deletions(-) diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 22900678f0..9bc4936124 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,33 +70,33 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS #11 (Cryptoki) support
-
Prerequisites
-
Building BIND 9 with PKCS#11
-
PKCS #11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Building BIND 9 with PKCS#11
+
PKCS #11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
IPv6 Support in BIND 9
@@ -1074,7 +1074,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1100,7 +1100,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1136,7 +1136,7 @@ options {
 
While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.

 

-Fully automatic zone signing

+Fully automatic zone signing
 
To enable automatic signing, add the 
   auto-dnssec option to the zone statement in 
   named.conf. 
@@ -1233,12 +1233,12 @@ options {
 

   

 

-DNSKEY rollovers

+DNSKEY rollovers
 
As with insecure-to-secure conversions, rolling DNSSEC
   keys can be done in two ways: using a dynamic DNS update, or the 
   auto-dnssec zone option.

 

-Dynamic DNS update method

+Dynamic DNS update method
 
 To perform key rollovers via dynamic update, you need to add
   the K* files for the new keys so that 
   named can find them. You can then add the new
@@ -1260,7 +1260,7 @@ options {
   named will clean out any signatures generated
   by the old key after the update completes.

 

-Automatic key rollovers

+Automatic key rollovers
 
When a new key reaches its activation date (as set by
   dnssec-keygen or dnssec-settime),
   if the auto-dnssec zone option is set to 
@@ -1275,27 +1275,27 @@ options {
   completes in 30 days, after which it will be safe to remove the
   old key from the DNSKEY RRset.

 

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE
 
Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.

 

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3
 
To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.

 

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC
 
To do this, use nsupdate to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.

 

-Converting from secure to insecure

+Converting from secure to insecure
 
To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1310,14 +1310,14 @@ options {
   allow instead (or it will re-sign).
   

 

-Periodic re-signing

+Periodic re-signing
 
In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.

 

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT
 

   named only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
@@ -1339,7 +1339,7 @@ options {
   configuration files.

 

 

-Validating Resolver

+Validating Resolver

 
To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     managed-keys statement. Information about
@@ -1350,7 +1350,7 @@ options {
 
 

 

-Authoritative Server

+Authoritative Server

 
To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
@@ -1424,7 +1424,7 @@ $ dnssec-signzone -S -K keys example.net<
   Debian Linux, Solaris x86 and Windows Server 2003.

 

 

-Prerequisites

+Prerequisites

 
See the HSM vendor documentation for information about
     installing, initializing, testing and troubleshooting the
     HSM.

@@ -1557,7 +1557,7 @@ $ ./Configure solaris64-x86_64-cc \
 
 

 

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

 
SoftHSM is a software library provided by the OpenDNSSEC
       project (http://www.opendnssec.org) which provides a PKCS#11
       interface to a virtual HSM, implemented in the form of encrypted
@@ -1617,12 +1617,12 @@ $ ./Configure linux-x86_64 -pthread \
 
 

 

-Building BIND 9 with PKCS#11

+Building BIND 9 with PKCS#11

 
When building BIND 9, the location of the custom-built
     OpenSSL library must be specified via configure.

 

 

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

 
To link with the PKCS #11 provider, threads must be
       enabled in the BIND 9 build.

 
The PKCS #11 library for the AEP Keyper is currently
@@ -1638,7 +1638,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
 
 

 

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

 
To link with the PKCS #11 provider, threads must be
       enabled in the BIND 9 build.

 
@@ -1656,7 +1656,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
 
 

 

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM

 
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1673,7 +1673,7 @@ $ ./configure --enable-threads \
 
 

 

-PKCS #11 Tools

+PKCS #11 Tools

 
BIND 9 includes a minimal set of tools to operate the
     HSM, including 
     pkcs11-keygen to generate a new key pair
@@ -1691,7 +1691,7 @@ $ ./configure --enable-threads \
 
 

 

-Using the HSM

+Using the HSM

 
First, we must set up the runtime environment so the
     OpenSSL and PKCS #11 libraries can be loaded:

 
@@ -1779,7 +1779,7 @@ example.net.signed
 
 

 

-Specifying the engine on the command line

+Specifying the engine on the command line

 
The OpenSSL engine can be specified in 
     named and all of the BIND 
     dnssec-* tools by using the "-E
@@ -1800,7 +1800,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

 
If you want 
     named to dynamically re-sign zones using HSM
     keys, and/or to to sign new records inserted via nsupdate, then
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index ea7607946c..48a038466c 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -92,12 +92,12 @@
             Statement Grammar
 
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
+
Inverse Mapping in IPv4
Other Zone File Directives
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
@@ -5466,8 +5466,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query - is terminated and returns SERVFAIL. The default - is 50. + is terminated and returns SERVFAIL. Queries to + look up top level comains such as "com" and "net" + and the DNS root zone are exempt from this limitation. + The default is 50.

notify-delay
@@ -7552,7 +7554,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -7574,7 +7576,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -8491,7 +8493,7 @@ example.com. NS ns2.example.net.

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -8504,7 +8506,7 @@ example.com. NS ns2.example.net.

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -9241,7 +9243,7 @@ example.com. NS ns2.example.net.

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -9444,7 +9446,7 @@ example.com. NS ns2.example.net.

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -9699,7 +9701,7 @@ example.com. NS ns2.example.net.

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -10295,7 +10297,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index b321a2779d..20a96ab328 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -114,7 +114,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -140,7 +140,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -168,7 +168,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 326c62228f..c680ec5493 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -45,18 +45,18 @@

Table of Contents

-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a096451405..62f0410b7e 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,7 +45,7 @@

Table of Contents

-
Release Notes for BIND Version 9.9.6
+
Release Notes for BIND Version 9.9.6
Introduction
Download
@@ -68,19 +68,19 @@
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References

-Release Notes for BIND Version 9.9.6

+Release Notes for BIND Version 9.9.6

Introduction

@@ -252,6 +252,10 @@ A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE.

+

  • + Adjusted max-recursion-queries to better accommodate empty + caches. +

    • @@ -854,7 +858,7 @@

    -Prerequisite

    +Prerequisite

    GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -863,7 +867,7 @@

    -Compilation

    +Compilation
     $ ./configure --enable-exportlib [other flags]
 $ make
@@ -878,7 +882,7 @@ $ make
 
 
    
 
    
-Installation
    
+Installation
    
 
     $ cd lib/export
 $ make install
@@ -900,7 +904,7 @@ $ make install
 
 
    
 
    
-Known Defects/Restrictions
    
+Known Defects/Restrictions
    
 
      
 
    • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -940,7 +944,7 @@ $ make
 
    
 
    
 
    
-The dns.conf File
    
+The dns.conf File
    
 
    The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -958,14 +962,14 @@ $ make
 
 
    
 
    
-Sample Applications
    
+Sample Applications
    
 
    Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   
    
 
    
 
    
-sample: a simple stub resolver utility
    
+sample: a simple stub resolver utility
    
 
    
   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -1029,7 +1033,7 @@ $ make
 
 
    
 
    
-sample-async: a simple stub resolver, working asynchronously
    
+sample-async: a simple stub resolver, working asynchronously
    
 
    
   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -1070,7 +1074,7 @@ $ make
 
 
    
 
    
-sample-request: a simple DNS transaction client
    
+sample-request: a simple DNS transaction client
    
 
    
   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -1111,7 +1115,7 @@ $ make
 
 
    
 
    
-sample-gai: getaddrinfo() and getnameinfo() test code
    
+sample-gai: getaddrinfo() and getnameinfo() test code
    
 
    
   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -1128,7 +1132,7 @@ $ make
 
 
    
 
    
-sample-update: a simple dynamic update client program
    
+sample-update: a simple dynamic update client program
    
 
    
   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -1223,7 +1227,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 
    
 
    
-nsprobe: domain/name server checker in terms of RFC 4074
    
+nsprobe: domain/name server checker in terms of RFC 4074
    
 
    
   It checks a set
   of domains to see the name servers of the domains behave
@@ -1280,7 +1284,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 
    
 
    
-Library References
    
+Library References
    
 
    As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 5c1185ed76..e377c82d2d 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -114,33 +114,33 @@
 
 
    DNSSEC, Dynamic Zones, and Automatic Signing
    
 
    
-
    Converting from insecure to secure
    
-
    Dynamic DNS update method
    
-
    Fully automatic zone signing
    
+
    Converting from insecure to secure
    
+
    Dynamic DNS update method
    
+
    Fully automatic zone signing
    
 
    Private-type records
    
-
    DNSKEY rollovers
    
-
    Dynamic DNS update method
    
-
    Automatic key rollovers
    
-
    NSEC3PARAM rollovers via UPDATE
    
-
    Converting from NSEC to NSEC3
    
-
    Converting from NSEC3 to NSEC
    
-
    Converting from secure to insecure
    
-
    Periodic re-signing
    
-
    NSEC3 and OPTOUT
    
+
    DNSKEY rollovers
    
+
    Dynamic DNS update method
    
+
    Automatic key rollovers
    
+
    NSEC3PARAM rollovers via UPDATE
    
+
    Converting from NSEC to NSEC3
    
+
    Converting from NSEC3 to NSEC
    
+
    Converting from secure to insecure
    
+
    Periodic re-signing
    
+
    NSEC3 and OPTOUT
    
 
    
 
    Dynamic Trust Anchor Management
    
 
    
-
    Validating Resolver
    
-
    Authoritative Server
    
+
    Validating Resolver
    
+
    Authoritative Server
    
 
    
 
    PKCS #11 (Cryptoki) support
    
 
    
-
    Prerequisites
    
-
    Building BIND 9 with PKCS#11
    
-
    PKCS #11 Tools
    
-
    Using the HSM
    
-
    Specifying the engine on the command line
    
-
    Running named with automatic zone re-signing
    
+
    Prerequisites
    
+
    Building BIND 9 with PKCS#11
    
+
    PKCS #11 Tools
    
+
    Using the HSM
    
+
    Specifying the engine on the command line
    
+
    Running named with automatic zone re-signing
    
 
    
 
    IPv6 Support in BIND 9
    
 
    
@@ -202,12 +202,12 @@
             Statement Grammar
 
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
+
    Inverse Mapping in IPv4
    
 
    Other Zone File Directives
    
 
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
@@ -218,23 +218,23 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Release Notes for BIND Version 9.9.6
    
+
    Release Notes for BIND Version 9.9.6
    
 
    
 
    Introduction
    
 
    Download
    
@@ -257,13 +257,13 @@
 
    
 
    BIND 9 DNS Library Support
    
 
    
-
    Prerequisite
    
-
    Compilation
    
-
    Installation
    
-
    Known Defects/Restrictions
    
-
    The dns.conf File
    
-
    Sample Applications
    
-
    Library References
    
+
    Prerequisite
    
+
    Compilation
    
+
    Installation
    
+
    Known Defects/Restrictions
    
+
    The dns.conf File
    
+
    Sample Applications
    
+
    Library References
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 6457619afc..a2cdb3f8bd 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 
    arpaname  {ipaddress ...}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index f7593038d8..260ef83a5c 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -50,7 +50,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -77,7 +77,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -144,7 +144,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -152,7 +152,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index f8c60794d5..a435914a74 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -152,7 +152,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -260,7 +260,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -618,7 +618,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -664,7 +664,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -678,14 +678,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -693,7 +693,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index fbc8469da5..fcfb2766a8 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
 
    dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f file
    
 
    
@@ -88,14 +88,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 74142c6ae6..ee4b0c2998 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
 
    dnssec-coverage  [-K directory] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [zone]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f file
    
 
    
@@ -168,7 +168,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -177,7 +177,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index a541cf7350..777bece2dc 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
 
    dnssec-dsfromkey  [-h] [-V]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -144,7 +144,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -159,7 +159,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 7bc3ca8363..2b71a869c2 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -209,7 +209,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -281,7 +281,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -320,7 +320,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -328,7 +328,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 38ed427ed7..8cc4e67c00 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -278,7 +278,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -352,7 +352,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -398,7 +398,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -419,7 +419,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -428,7 +428,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 5087a37cdd..0fd5eacf1f 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -100,14 +100,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index ee25d3c523..6266842feb 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -122,7 +122,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -201,7 +201,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -227,7 +227,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -235,7 +235,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 7e1e903255..818d9ee2be 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -483,7 +483,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -513,14 +513,14 @@ db.example.com.signed
 %
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033, RFC 4641.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 6446026615..bb141dcf61 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 
    dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -c class
    
 
    
@@ -124,7 +124,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -132,7 +132,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 4431f40ed2..d680d43fa7 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 
    genrandom  [-n number] {size} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     
    
 
    
 
    
-
    ARGUMENTS
    
+
    ARGUMENTS
    
 
    
 
    -n number
    
 
    
@@ -77,14 +77,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       rand(3),
       arc4random(3)
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 923a8369bf..0a9efb0f58 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -206,7 +206,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -220,12 +220,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index aa8e8063eb..a472338970 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 
    isc-hmac-fixup  {algorithm} {secret}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     
    
 
    
 
    
-
    SECURITY CONSIDERATIONS
    
+
    SECURITY CONSIDERATIONS
    
 
    
       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       BIND 9 Administrator Reference Manual,
       RFC 2104.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 0e75a44720..04bac59baa 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -119,21 +119,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 2be45b7487..7942942965 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -288,14 +288,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -303,7 +303,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 4459bf91ef..c33a59be9c 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 
    named-journalprint  {journal}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index c981d6ad7e..5f8c949df2 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -258,7 +258,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -279,7 +279,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -296,7 +296,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -309,7 +309,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -322,7 +322,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 089d12ad60..5dc351514b 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 
    nsec3hash  {salt} {algorithm} {iterations} {domain}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     
    
 
    
 
    
-
    ARGUMENTS
    
+
    ARGUMENTS
    
 
    
 
    salt
    
 
    
@@ -80,14 +80,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       BIND 9 Administrator Reference Manual,
       RFC 5155.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index fb70d6c983..69fd81cd4b 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-V] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -220,7 +220,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -522,7 +522,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -576,7 +576,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -599,7 +599,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       RFC 2136,
       RFC 3007,
@@ -614,7 +614,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index ae519fe2e2..2b3a28e835 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 8c920336aa..54dc88d43e 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 7d01aaea83..e9850f725f 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -145,7 +145,7 @@
 
    
 
    
 
    
-
    COMMANDS
    
+
    COMMANDS
    
 
    
       A list of commands supported by rndc can
       be seen by running rndc without arguments.
@@ -498,7 +498,7 @@
 
    
 
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    
       There is currently no way to provide the shared secret for a
       key_id without using the configuration file.
@@ -508,7 +508,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -518,7 +518,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index fb764f549d..92e5622ba1 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -233,6 +233,10 @@
 	  A regression caused nsupdate to use the default recursive servers
 	  rather than the SOA MNAME server when sending the UPDATE.
         
    
+
  • 
+	  Adjusted max-recursion-queries to better accommodate empty
+	  caches.
+        
    •