diff --git a/CHANGES b/CHANGES
index 707b22d188..2dd61440d7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+4873.	[doc]		Grammars for named.conf included in the ARM are now
+			automatically generated by the configuration parser
+			itself.  As a side effect of the work needed to
+			separate zone type grammars from each other, this
+			also makes checking of zone statements in
+			named-checkconf more correct and consistent.
+			[RT #36957]
+
 4872.	[bug]		Don't permit loading meta RR types such as TKEY
 			from master files. [RT #47009]
 
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index b91a77a493..3e9c63bd4d 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2017-04-25
+.\"      Date: 2018-01-08
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2017\-04\-25" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2018\-01\-08" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -181,10 +181,6 @@ masters \fIstring\fR [ port \fIinteger\fR ] [ dscp
 .\}
 .nf
 options {
-	acache\-cleaning\-interval \fIinteger\fR;
-	acache\-enable \fIboolean\fR;
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
 	allow\-new\-zones \fIboolean\fR;
 	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
@@ -221,8 +217,9 @@ options {
 	check\-integrity \fIboolean\fR;
 	check\-mx ( fail | warn | ignore );
 	check\-mx\-cname ( fail | warn | ignore );
-	check\-names ( master | slave | response
-	    ) ( fail | warn | ignore );
+	check\-names ( primary | master |
+	    secondary | slave | response ) (
+	    fail | warn | ignore );
 	check\-sibling \fIboolean\fR;
 	check\-spf ( warn | ignore );
 	check\-srv\-cname ( fail | warn | ignore );
@@ -254,6 +251,8 @@ options {
 	};
 	dns64\-contact \fIstring\fR;
 	dns64\-server \fIstring\fR;
+	dnsrps\-enable \fIboolean\fR;
+	dnsrps\-options { \fIunspecified\-text\fR };
 	dnssec\-accept\-expired \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-enable \fIboolean\fR;
@@ -302,12 +301,14 @@ options {
 	fstrm\-set\-output\-queue\-size \fIinteger\fR;
 	fstrm\-set\-reopen\-interval \fIinteger\fR;
 	geoip\-directory ( \fIquoted_string\fR | none );
-	geoip\-use\-ecs ( \fIquoted_string\fR | none );
+	geoip\-use\-ecs \fIboolean\fR;
+	glue\-cache \fIboolean\fR;
 	heartbeat\-interval \fIinteger\fR;
 	hostname ( \fIquoted_string\fR | none );
 	inline\-signing \fIboolean\fR;
 	interface\-interval \fIinteger\fR;
-	ixfr\-from\-differences ( master | slave | \fIboolean\fR );
+	ixfr\-from\-differences ( primary | master | secondary | slave |
+	    \fIboolean\fR );
 	keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
 	key\-directory \fIquoted_string\fR;
 	lame\-ttl \fIttlval\fR;
@@ -323,11 +324,10 @@ options {
 	masterfile\-format ( map | raw | text );
 	masterfile\-style ( full | relative );
 	match\-mapped\-addresses \fIboolean\fR;
-	max\-acache\-size ( unlimited | \fIsizeval\fR );
 	max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
 	max\-cache\-ttl \fIinteger\fR;
 	max\-clients\-per\-query \fIinteger\fR;
-	max\-journal\-size ( unlimited | \fIsizeval\fR );
+	max\-journal\-size ( default | unlimited | \fIsizeval\fR );
 	max\-ncache\-ttl \fIinteger\fR;
 	max\-records \fIinteger\fR;
 	max\-recursion\-depth \fIinteger\fR;
@@ -335,6 +335,7 @@ options {
 	max\-refresh\-time \fIinteger\fR;
 	max\-retry\-time \fIinteger\fR;
 	max\-rsa\-exponent\-size \fIinteger\fR;
+	max\-stale\-ttl \fIttlval\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
 	max\-transfer\-idle\-out \fIinteger\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
@@ -349,6 +350,7 @@ options {
 	minimal\-any \fIboolean\fR;
 	minimal\-responses ( no\-auth | no\-auth\-recursive | \fIboolean\fR );
 	multi\-master \fIboolean\fR;
+	new\-zones\-directory \fIquoted_string\fR;
 	no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. };
 	nocookie\-udp\-size \fIinteger\fR;
 	notify ( explicit | master\-only | \fIboolean\fR );
@@ -359,7 +361,6 @@ options {
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
 	    [ dscp \fIinteger\fR ];
 	notify\-to\-soa \fIboolean\fR;
-	nsec3\-test\-zone \fIboolean\fR; // test only
 	nta\-lifetime \fIttlval\fR;
 	nta\-recheck \fIttlval\fR;
 	nxdomain\-redirect \fIstring\fR;
@@ -375,7 +376,7 @@ options {
 	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ]
 	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
 	querylog \fIboolean\fR;
-	random\-device \fIquoted_string\fR;
+	random\-device ( \fIquoted_string\fR | none );
 	rate\-limit {
 		all\-per\-second \fIinteger\fR;
 		errors\-per\-second \fIinteger\fR;
@@ -401,17 +402,23 @@ options {
 	request\-nsid \fIboolean\fR;
 	require\-server\-cookie \fIboolean\fR;
 	reserved\-sockets \fIinteger\fR;
+	resolver\-nonbackoff\-tries \fIinteger\fR;
 	resolver\-query\-timeout \fIinteger\fR;
+	resolver\-retry\-interval \fIinteger\fR;
 	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
 	    \fIinteger\fR;
 	response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
 	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
 	    policy ( cname | disabled | drop | given | no\-op | nodata |
 	    nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
-	    recursive\-only \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
+	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
+	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
 	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
 	    min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
-	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ];
+	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [
+	    nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [
+	    dnsrps\-enable \fIboolean\fR ] [ dnsrps\-options { \fIunspecified\-text\fR
+	    } ];
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
 	rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
 	    \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
@@ -430,6 +437,8 @@ options {
 	sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
 	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
 	stacksize ( default | unlimited | \fIsizeval\fR );
+	stale\-answer\-enable \fIboolean\fR;
+	stale\-answer\-ttl \fIttlval\fR;
 	startup\-notify\-rate \fIinteger\fR;
 	statistics\-file \fIquoted_string\fR;
 	synth\-from\-dnssec \fIboolean\fR;
@@ -545,10 +554,6 @@ trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR
 .\}
 .nf
 view \fIstring\fR [ \fIclass\fR ] {
-	acache\-cleaning\-interval \fIinteger\fR;
-	acache\-enable \fIboolean\fR;
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
 	allow\-new\-zones \fIboolean\fR;
 	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
@@ -580,8 +585,9 @@ view \fIstring\fR [ \fIclass\fR ] {
 	check\-integrity \fIboolean\fR;
 	check\-mx ( fail | warn | ignore );
 	check\-mx\-cname ( fail | warn | ignore );
-	check\-names ( master | slave | response
-	    ) ( fail | warn | ignore );
+	check\-names ( primary | master |
+	    secondary | slave | response ) (
+	    fail | warn | ignore );
 	check\-sibling \fIboolean\fR;
 	check\-spf ( warn | ignore );
 	check\-srv\-cname ( fail | warn | ignore );
@@ -612,6 +618,8 @@ view \fIstring\fR [ \fIclass\fR ] {
 	};
 	dns64\-contact \fIstring\fR;
 	dns64\-server \fIstring\fR;
+	dnsrps\-enable \fIboolean\fR;
+	dnsrps\-options { \fIunspecified\-text\fR };
 	dnssec\-accept\-expired \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-enable \fIboolean\fR;
@@ -643,8 +651,10 @@ view \fIstring\fR [ \fIclass\fR ] {
 	forward ( first | only );
 	forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR
 	    | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. };
+	glue\-cache \fIboolean\fR;
 	inline\-signing \fIboolean\fR;
-	ixfr\-from\-differences ( master | slave | \fIboolean\fR );
+	ixfr\-from\-differences ( primary | master | secondary | slave |
+	    \fIboolean\fR );
 	key \fIstring\fR {
 		algorithm \fIstring\fR;
 		secret \fIstring\fR;
@@ -660,17 +670,17 @@ view \fIstring\fR [ \fIclass\fR ] {
 	match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
 	match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
 	match\-recursive\-only \fIboolean\fR;
-	max\-acache\-size ( unlimited | \fIsizeval\fR );
 	max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
 	max\-cache\-ttl \fIinteger\fR;
 	max\-clients\-per\-query \fIinteger\fR;
-	max\-journal\-size ( unlimited | \fIsizeval\fR );
+	max\-journal\-size ( default | unlimited | \fIsizeval\fR );
 	max\-ncache\-ttl \fIinteger\fR;
 	max\-records \fIinteger\fR;
 	max\-recursion\-depth \fIinteger\fR;
 	max\-recursion\-queries \fIinteger\fR;
 	max\-refresh\-time \fIinteger\fR;
 	max\-retry\-time \fIinteger\fR;
+	max\-stale\-ttl \fIttlval\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
 	max\-transfer\-idle\-out \fIinteger\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
@@ -683,6 +693,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	minimal\-any \fIboolean\fR;
 	minimal\-responses ( no\-auth | no\-auth\-recursive | \fIboolean\fR );
 	multi\-master \fIboolean\fR;
+	new\-zones\-directory \fIquoted_string\fR;
 	no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. };
 	nocookie\-udp\-size \fIinteger\fR;
 	notify ( explicit | master\-only | \fIboolean\fR );
@@ -692,7 +703,6 @@ view \fIstring\fR [ \fIclass\fR ] {
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
 	    [ dscp \fIinteger\fR ];
 	notify\-to\-soa \fIboolean\fR;
-	nsec3\-test\-zone \fIboolean\fR; // test only
 	nta\-lifetime \fIttlval\fR;
 	nta\-recheck \fIttlval\fR;
 	nxdomain\-redirect \fIstring\fR;
@@ -727,17 +737,23 @@ view \fIstring\fR [ \fIclass\fR ] {
 	request\-ixfr \fIboolean\fR;
 	request\-nsid \fIboolean\fR;
 	require\-server\-cookie \fIboolean\fR;
+	resolver\-nonbackoff\-tries \fIinteger\fR;
 	resolver\-query\-timeout \fIinteger\fR;
+	resolver\-retry\-interval \fIinteger\fR;
 	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
 	    \fIinteger\fR;
 	response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
 	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
 	    policy ( cname | disabled | drop | given | no\-op | nodata |
 	    nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
-	    recursive\-only \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
+	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
+	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
 	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
 	    min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
-	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ];
+	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [
+	    nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [
+	    dnsrps\-enable \fIboolean\fR ] [ dnsrps\-options { \fIunspecified\-text\fR
+	    } ];
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
 	rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
 	    \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
@@ -783,6 +799,8 @@ view \fIstring\fR [ \fIclass\fR ] {
 	sig\-signing\-type \fIinteger\fR;
 	sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
 	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
+	stale\-answer\-enable \fIboolean\fR;
+	stale\-answer\-ttl \fIttlval\fR;
 	synth\-from\-dnssec \fIboolean\fR;
 	transfer\-format ( many\-answers | one\-answer );
 	transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
@@ -849,7 +867,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 		    | \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [
 		    port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
 		max\-ixfr\-log\-size ( default | unlimited |
-		max\-journal\-size ( unlimited | \fIsizeval\fR );
+		max\-journal\-size ( default | unlimited | \fIsizeval\fR );
 		max\-records \fIinteger\fR;
 		max\-refresh\-time \fIinteger\fR;
 		max\-retry\-time \fIinteger\fR;
@@ -868,7 +886,6 @@ view \fIstring\fR [ \fIclass\fR ] {
 		notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR
 		    | * ) ] [ dscp \fIinteger\fR ];
 		notify\-to\-soa \fIboolean\fR;
-		nsec3\-test\-zone \fIboolean\fR; // test only
 		pubkey \fIinteger\fR
 		    \fIinteger\fR
 		    \fIinteger\fR
@@ -887,8 +904,9 @@ view \fIstring\fR [ \fIclass\fR ] {
 		transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port (
 		    \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
 		try\-tcp\-refresh \fIboolean\fR;
-		type ( delegation\-only | forward | hint | master | redirect
-		    | slave | static\-stub | stub );
+		type ( primary | master | secondary | slave |
+		    delegation\-only | forward | hint | redirect |
+		    static\-stub | stub );
 		update\-check\-ksk \fIboolean\fR;
 		update\-policy ( local | { ( deny | grant ) \fIstring\fR (
 		    6to4\-self | external | krb5\-self | krb5\-subdomain |
@@ -957,7 +975,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
 	masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR |
 	    \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port
 	    \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
-	max\-journal\-size ( unlimited | \fIsizeval\fR );
+	max\-journal\-size ( default | unlimited | \fIsizeval\fR );
 	max\-records \fIinteger\fR;
 	max\-refresh\-time \fIinteger\fR;
 	max\-retry\-time \fIinteger\fR;
@@ -976,7 +994,6 @@ zone \fIstring\fR [ \fIclass\fR ] {
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
 	    [ dscp \fIinteger\fR ];
 	notify\-to\-soa \fIboolean\fR;
-	nsec3\-test\-zone \fIboolean\fR; // test only
 	pubkey \fIinteger\fR \fIinteger\fR
 	request\-expire \fIboolean\fR;
 	request\-ixfr \fIboolean\fR;
@@ -993,8 +1010,8 @@ zone \fIstring\fR [ \fIclass\fR ] {
 	transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
 	    ] [ dscp \fIinteger\fR ];
 	try\-tcp\-refresh \fIboolean\fR;
-	type ( delegation\-only | forward | hint | master | redirect | slave
-	    | static\-stub | stub );
+	type ( primary | master | secondary | slave | delegation\-only |
+	    forward | hint | redirect | static\-stub | stub );
 	update\-check\-ksk \fIboolean\fR;
 	update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self |
 	    external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain
@@ -1024,5 +1041,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 9ffae9fa3d..adc1e7e9df 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2018 Internet Systems Consortium, Inc. ("ISC")
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
-    <date>2017-04-25</date>
+    <date>2018-01-22</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -44,6 +44,7 @@
       <year>2015</year>
       <year>2016</year>
       <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -86,14 +87,14 @@ acl <replaceable>string</replaceable> { <replaceable>address_match_element</repl
     <literallayout class="normal">
 controls {
 	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
-	    * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> allow
-	    { <replaceable>address_match_element</replaceable>; ... } <optional>
-	    keys { <replaceable>string</replaceable>; ... } </optional> <optional> read-only
-	    <replaceable>boolean</replaceable> </optional>;
+	    * ) [ port ( <replaceable>integer</replaceable> | * ) ] allow
+	    { <replaceable>address_match_element</replaceable>; ... } [
+	    keys { <replaceable>string</replaceable>; ... } ] [ read-only
+	    <replaceable>boolean</replaceable> ];
 	unix <replaceable>quoted_string</replaceable> perm <replaceable>integer</replaceable>
-	    owner <replaceable>integer</replaceable> group <replaceable>integer</replaceable> <optional>
-	    keys { <replaceable>string</replaceable>; ... } </optional> <optional> read-only
-	    <replaceable>boolean</replaceable> </optional>;
+	    owner <replaceable>integer</replaceable> group <replaceable>integer</replaceable> [
+	    keys { <replaceable>string</replaceable>; ... } ] [ read-only
+	    <replaceable>boolean</replaceable> ];
 };
 </literallayout>
   </refsection>
@@ -133,20 +134,21 @@ logging {
 	category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
 	channel <replaceable>string</replaceable> {
 		buffered <replaceable>boolean</replaceable>;
-		file <replaceable>quoted_string</replaceable> <optional> versions ( unlimited | <replaceable>integer</replaceable> ) </optional>
-		    <optional> size <replaceable>size</replaceable> </optional> <optional> suffix ( increment | timestamp ) </optional>;
+		file <replaceable>quoted_string</replaceable> [ versions ( unlimited | <replaceable>integer</replaceable> ) ]
+		    [ size <replaceable>size</replaceable> ] [ suffix ( increment | timestamp ) ];
 		null;
 		print-category <replaceable>boolean</replaceable>;
 		print-severity <replaceable>boolean</replaceable>;
 		print-time ( iso8601 | iso8601-utc | local | <replaceable>boolean</replaceable> );
 		severity <replaceable>log_severity</replaceable>;
 		stderr;
-		syslog <optional> <replaceable>syslog_facility</replaceable> </optional>;
+		syslog [ <replaceable>syslog_facility</replaceable> ];
 	};
 };
 </literallayout>
   </refsection>
 
+
   <refsection><info><title>MANAGED-KEYS</title></info>
 
     <literallayout class="normal">
@@ -158,10 +160,10 @@ managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceabl
   <refsection><info><title>MASTERS</title></info>
 
     <literallayout class="normal">
-masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp
-    <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>
-    port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
-    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
+masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceable> ] [ dscp
+    <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
+    port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+    <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
 </literallayout>
   </refsection>
 
@@ -169,10 +171,6 @@ masters <replaceable>string</replaceable> <optional> port <replaceable>integer</
 
     <literallayout class="normal">
 options {
-	acache-cleaning-interval <replaceable>integer</replaceable>;
-	acache-enable <replaceable>boolean</replaceable>;
-	additional-from-auth <replaceable>boolean</replaceable>;
-	additional-from-cache <replaceable>boolean</replaceable>;
 	allow-new-zones <replaceable>boolean</replaceable>;
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
@@ -184,13 +182,13 @@ options {
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
-	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
-	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
-	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
-	    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+	also-notify [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> |
+	    <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
+	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
+	    * ) ] [ dscp <replaceable>integer</replaceable> ];
 	attach-cache <replaceable>string</replaceable>;
 	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
 	auto-dnssec ( allow | maintain | off );
@@ -200,17 +198,18 @@ options {
 	bindkeys-file <replaceable>quoted_string</replaceable>;
 	blackhole { <replaceable>address_match_element</replaceable>; ... };
 	cache-file <replaceable>quoted_string</replaceable>;
-	catalog-zones { zone <replaceable>quoted_string</replaceable> <optional> default-masters <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>
-	    port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key
-	    <replaceable>string</replaceable> </optional>; ... } </optional> <optional> zone-directory <replaceable>quoted_string</replaceable> </optional> <optional>
-	    in-memory <replaceable>boolean</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional>; ... };
+	catalog-zones { zone <replaceable>quoted_string</replaceable> [ default-masters [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
+	    port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
+	    <replaceable>string</replaceable> ]; ... } ] [ zone-directory <replaceable>quoted_string</replaceable> ] [
+	    in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ]; ... };
 	check-dup-records ( fail | warn | ignore );
 	check-integrity <replaceable>boolean</replaceable>;
 	check-mx ( fail | warn | ignore );
 	check-mx-cname ( fail | warn | ignore );
-	check-names ( master | slave | response
-	    ) ( fail | warn | ignore );
+	check-names ( primary | master |
+	    secondary | slave | response ) (
+	    fail | warn | ignore );
 	check-sibling <replaceable>boolean</replaceable>;
 	check-spf ( warn | ignore );
 	check-srv-cname ( fail | warn | ignore );
@@ -221,10 +220,10 @@ options {
 	cookie-secret <replaceable>string</replaceable>;
 	coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
 	datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
-	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } <optional>
-	    except-from { <replaceable>quoted_string</replaceable>; ... } </optional>;
-	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } <optional> except-from {
-	    <replaceable>quoted_string</replaceable>; ... } </optional>;
+	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
+	    except-from { <replaceable>quoted_string</replaceable>; ... } ];
+	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
+	    <replaceable>quoted_string</replaceable>; ... } ];
 	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	directory <replaceable>quoted_string</replaceable>;
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
@@ -242,6 +241,8 @@ options {
 	};
 	dns64-contact <replaceable>string</replaceable>;
 	dns64-server <replaceable>string</replaceable>;
+	dnsrps-enable <replaceable>boolean</replaceable>;
+	dnsrps-options { <replaceable>unspecified-text</replaceable> };
 	dnssec-accept-expired <replaceable>boolean</replaceable>;
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 	dnssec-enable <replaceable>boolean</replaceable>;
@@ -253,35 +254,35 @@ options {
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
 	dnstap { ( all | auth | client | forwarder |
-	    resolver ) <optional> ( query | response ) </optional>; ... };
+	    resolver ) [ ( query | response ) ]; ... };
 	dnstap-identity ( <replaceable>quoted_string</replaceable> | none |
 	    hostname );
-	dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> <optional>
-	    size ( unlimited | <replaceable>size</replaceable> ) </optional> <optional> versions (
-	    unlimited | <replaceable>integer</replaceable> ) </optional> <optional> suffix ( increment
-	    | timestamp ) </optional>;
+	dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [
+	    size ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
+	    unlimited | <replaceable>integer</replaceable> ) ] [ suffix ( increment
+	    | timestamp ) ];
 	dnstap-version ( <replaceable>quoted_string</replaceable> | none );
 	dscp <replaceable>integer</replaceable>;
-	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>quoted_string</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv4_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> ); ... };
+	dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] ); ... };
 	dump-file <replaceable>quoted_string</replaceable>;
 	edns-udp-size <replaceable>integer</replaceable>;
 	empty-contact <replaceable>string</replaceable>;
 	empty-server <replaceable>string</replaceable>;
 	empty-zones-enable <replaceable>boolean</replaceable>;
 	fetch-quota-params <replaceable>integer</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable>;
-	fetches-per-server <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
-	fetches-per-zone <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
+	fetches-per-server <replaceable>integer</replaceable> [ ( drop | fail ) ];
+	fetches-per-zone <replaceable>integer</replaceable> [ ( drop | fail ) ];
 	files ( default | unlimited | <replaceable>sizeval</replaceable> );
 	filter-aaaa { <replaceable>address_match_element</replaceable>; ... };
 	filter-aaaa-on-v4 ( break-dnssec | <replaceable>boolean</replaceable> );
 	filter-aaaa-on-v6 ( break-dnssec | <replaceable>boolean</replaceable> );
 	flush-zones-on-shutdown <replaceable>boolean</replaceable>;
 	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable>
-	    | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional>; ... };
+	forwarders [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable>
+	    | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
 	fstrm-set-buffer-hint <replaceable>integer</replaceable>;
 	fstrm-set-flush-timeout <replaceable>integer</replaceable>;
 	fstrm-set-input-queue-size <replaceable>integer</replaceable>;
@@ -290,20 +291,22 @@ options {
 	fstrm-set-output-queue-size <replaceable>integer</replaceable>;
 	fstrm-set-reopen-interval <replaceable>integer</replaceable>;
 	geoip-directory ( <replaceable>quoted_string</replaceable> | none );
-	geoip-use-ecs ( <replaceable>quoted_string</replaceable> | none );
+	geoip-use-ecs <replaceable>boolean</replaceable>;
+	glue-cache <replaceable>boolean</replaceable>;
 	heartbeat-interval <replaceable>integer</replaceable>;
 	hostname ( <replaceable>quoted_string</replaceable> | none );
 	inline-signing <replaceable>boolean</replaceable>;
 	interface-interval <replaceable>integer</replaceable>;
-	ixfr-from-differences ( master | slave | <replaceable>boolean</replaceable> );
+	ixfr-from-differences ( primary | master | secondary | slave |
+	    <replaceable>boolean</replaceable> );
 	keep-response-order { <replaceable>address_match_element</replaceable>; ... };
 	key-directory <replaceable>quoted_string</replaceable>;
 	lame-ttl <replaceable>ttlval</replaceable>;
-	listen-on <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp
-	    <replaceable>integer</replaceable> </optional> {
+	listen-on [ port <replaceable>integer</replaceable> ] [ dscp
+	    <replaceable>integer</replaceable> ] {
 	    <replaceable>address_match_element</replaceable>; ... };
-	listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp
-	    <replaceable>integer</replaceable> </optional> {
+	listen-on-v6 [ port <replaceable>integer</replaceable> ] [ dscp
+	    <replaceable>integer</replaceable> ] {
 	    <replaceable>address_match_element</replaceable>; ... };
 	lmdb-mapsize <replaceable>sizeval</replaceable>;
 	lock-file ( <replaceable>quoted_string</replaceable> | none );
@@ -311,11 +314,10 @@ options {
 	masterfile-format ( map | raw | text );
 	masterfile-style ( full | relative );
 	match-mapped-addresses <replaceable>boolean</replaceable>;
-	max-acache-size ( unlimited | <replaceable>sizeval</replaceable> );
 	max-cache-size ( default | unlimited | <replaceable>sizeval</replaceable> | <replaceable>percentage</replaceable> );
 	max-cache-ttl <replaceable>integer</replaceable>;
 	max-clients-per-query <replaceable>integer</replaceable>;
-	max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
+	max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
 	max-ncache-ttl <replaceable>integer</replaceable>;
 	max-records <replaceable>integer</replaceable>;
 	max-recursion-depth <replaceable>integer</replaceable>;
@@ -323,6 +325,7 @@ options {
 	max-refresh-time <replaceable>integer</replaceable>;
 	max-retry-time <replaceable>integer</replaceable>;
 	max-rsa-exponent-size <replaceable>integer</replaceable>;
+	max-stale-ttl <replaceable>ttlval</replaceable>;
 	max-transfer-idle-in <replaceable>integer</replaceable>;
 	max-transfer-idle-out <replaceable>integer</replaceable>;
 	max-transfer-time-in <replaceable>integer</replaceable>;
@@ -337,33 +340,33 @@ options {
 	minimal-any <replaceable>boolean</replaceable>;
 	minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
 	multi-master <replaceable>boolean</replaceable>;
+	new-zones-directory <replaceable>quoted_string</replaceable>;
 	no-case-compress { <replaceable>address_match_element</replaceable>; ... };
 	nocookie-udp-size <replaceable>integer</replaceable>;
 	notify ( explicit | master-only | <replaceable>boolean</replaceable> );
 	notify-delay <replaceable>integer</replaceable>;
 	notify-rate <replaceable>integer</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
-	    <optional> dscp <replaceable>integer</replaceable> </optional>;
+	notify-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
+	    [ dscp <replaceable>integer</replaceable> ];
 	notify-to-soa <replaceable>boolean</replaceable>;
-	nsec3-test-zone <replaceable>boolean</replaceable>; // test only
 	nta-lifetime <replaceable>ttlval</replaceable>;
 	nta-recheck <replaceable>ttlval</replaceable>;
 	nxdomain-redirect <replaceable>string</replaceable>;
 	pid-file ( <replaceable>quoted_string</replaceable> | none );
 	port <replaceable>integer</replaceable>;
 	preferred-glue <replaceable>string</replaceable>;
-	prefetch <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
+	prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	provide-ixfr <replaceable>boolean</replaceable>;
-	query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
-	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) </optional>
-	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
-	query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
-	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) </optional>
-	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
+	query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
+	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
+	query-source-v6 ( ( [ address ] ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv6_address</replaceable> | * ) ]
+	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
 	querylog <replaceable>boolean</replaceable>;
-	random-device <replaceable>quoted_string</replaceable>;
+	random-device ( <replaceable>quoted_string</replaceable> | none );
 	rate-limit {
 		all-per-second <replaceable>integer</replaceable>;
 		errors-per-second <replaceable>integer</replaceable>;
@@ -389,20 +392,26 @@ options {
 	request-nsid <replaceable>boolean</replaceable>;
 	require-server-cookie <replaceable>boolean</replaceable>;
 	reserved-sockets <replaceable>integer</replaceable>;
+	resolver-nonbackoff-tries <replaceable>integer</replaceable>;
 	resolver-query-timeout <replaceable>integer</replaceable>;
+	resolver-retry-interval <replaceable>integer</replaceable>;
 	response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
 	    <replaceable>integer</replaceable>;
-	response-policy { zone <replaceable>quoted_string</replaceable> <optional> log <replaceable>boolean</replaceable> </optional> <optional>
-	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
+	response-policy { zone <replaceable>quoted_string</replaceable> [ log <replaceable>boolean</replaceable> ] [
+	    max-policy-ttl <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ] [
 	    policy ( cname | disabled | drop | given | no-op | nodata |
-	    nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) </optional> <optional>
-	    recursive-only <replaceable>boolean</replaceable> </optional>; ... } <optional> break-dnssec <replaceable>boolean</replaceable> </optional> <optional>
-	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
-	    min-ns-dots <replaceable>integer</replaceable> </optional> <optional> nsip-wait-recurse <replaceable>boolean</replaceable> </optional> <optional>
-	    qname-wait-recurse <replaceable>boolean</replaceable> </optional> <optional> recursive-only <replaceable>boolean</replaceable> </optional>;
-	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
-	rrset-order { <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional> <optional> name
-	    <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
+	    nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
+	    recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
+	    nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ break-dnssec <replaceable>boolean</replaceable> ] [
+	    max-policy-ttl <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ] [
+	    min-ns-dots <replaceable>integer</replaceable> ] [ nsip-wait-recurse <replaceable>boolean</replaceable> ] [
+	    qname-wait-recurse <replaceable>boolean</replaceable> ] [ recursive-only <replaceable>boolean</replaceable> ] [
+	    nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
+	    dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
+	    } ];
+	root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
+	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
 	secroots-file <replaceable>quoted_string</replaceable>;
 	send-cookie <replaceable>boolean</replaceable>;
 	serial-query-rate <replaceable>integer</replaceable>;
@@ -415,9 +424,11 @@ options {
 	sig-signing-nodes <replaceable>integer</replaceable>;
 	sig-signing-signatures <replaceable>integer</replaceable>;
 	sig-signing-type <replaceable>integer</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
+	sig-validity-interval <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	sortlist { <replaceable>address_match_element</replaceable>; ... };
 	stacksize ( default | unlimited | <replaceable>sizeval</replaceable> );
+	stale-answer-enable <replaceable>boolean</replaceable>;
+	stale-answer-ttl <replaceable>ttlval</replaceable>;
 	startup-notify-rate <replaceable>integer</replaceable>;
 	statistics-file <replaceable>quoted_string</replaceable>;
 	synth-from-dnssec <replaceable>boolean</replaceable>;
@@ -433,10 +444,10 @@ options {
 	tkey-gssapi-keytab <replaceable>quoted_string</replaceable>;
 	transfer-format ( many-answers | one-answer );
 	transfer-message-size <replaceable>integer</replaceable>;
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
-	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
 	transfers-in <replaceable>integer</replaceable>;
 	transfers-out <replaceable>integer</replaceable>;
 	transfers-per-ns <replaceable>integer</replaceable>;
@@ -465,18 +476,18 @@ server <replaceable>netprefix</replaceable> {
 	edns-version <replaceable>integer</replaceable>;
 	keys <replaceable>server_key</replaceable>;
 	max-udp-size <replaceable>integer</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
-	    <optional> dscp <replaceable>integer</replaceable> </optional>;
+	notify-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
+	    [ dscp <replaceable>integer</replaceable> ];
 	padding <replaceable>integer</replaceable>;
 	provide-ixfr <replaceable>boolean</replaceable>;
-	query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
-	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) </optional>
-	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
-	query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
-	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) </optional>
-	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
+	query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
+	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
+	query-source-v6 ( ( [ address ] ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv6_address</replaceable> | * ) ]
+	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
 	request-expire <replaceable>boolean</replaceable>;
 	request-ixfr <replaceable>boolean</replaceable>;
 	request-nsid <replaceable>boolean</replaceable>;
@@ -484,10 +495,10 @@ server <replaceable>netprefix</replaceable> {
 	tcp-keepalive <replaceable>boolean</replaceable>;
 	tcp-only <replaceable>boolean</replaceable>;
 	transfer-format ( many-answers | one-answer );
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
-	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
 	transfers <replaceable>integer</replaceable>;
 };
 </literallayout>
@@ -498,9 +509,9 @@ server <replaceable>netprefix</replaceable> {
     <literallayout class="normal">
 statistics-channels {
 	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
-	    * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
+	    * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
 	    allow { <replaceable>address_match_element</replaceable>; ...
-	    } </optional>;
+	    } ];
 };
 </literallayout>
   </refsection>
@@ -516,11 +527,7 @@ trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceab
   <refsection><info><title>VIEW</title></info>
 
     <literallayout class="normal">
-view <replaceable>string</replaceable> <optional> <replaceable>class</replaceable> </optional> {
-	acache-cleaning-interval <replaceable>integer</replaceable>;
-	acache-enable <replaceable>boolean</replaceable>;
-	additional-from-auth <replaceable>boolean</replaceable>;
-	additional-from-cache <replaceable>boolean</replaceable>;
+view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	allow-new-zones <replaceable>boolean</replaceable>;
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
@@ -532,38 +539,39 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
-	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
-	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
-	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
-	    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+	also-notify [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> |
+	    <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
+	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
+	    * ) ] [ dscp <replaceable>integer</replaceable> ];
 	attach-cache <replaceable>string</replaceable>;
 	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
 	auto-dnssec ( allow | maintain | off );
 	cache-file <replaceable>quoted_string</replaceable>;
-	catalog-zones { zone <replaceable>quoted_string</replaceable> <optional> default-masters <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>
-	    port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key
-	    <replaceable>string</replaceable> </optional>; ... } </optional> <optional> zone-directory <replaceable>quoted_string</replaceable> </optional> <optional>
-	    in-memory <replaceable>boolean</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional>; ... };
+	catalog-zones { zone <replaceable>quoted_string</replaceable> [ default-masters [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
+	    port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
+	    <replaceable>string</replaceable> ]; ... } ] [ zone-directory <replaceable>quoted_string</replaceable> ] [
+	    in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ]; ... };
 	check-dup-records ( fail | warn | ignore );
 	check-integrity <replaceable>boolean</replaceable>;
 	check-mx ( fail | warn | ignore );
 	check-mx-cname ( fail | warn | ignore );
-	check-names ( master | slave | response
-	    ) ( fail | warn | ignore );
+	check-names ( primary | master |
+	    secondary | slave | response ) (
+	    fail | warn | ignore );
 	check-sibling <replaceable>boolean</replaceable>;
 	check-spf ( warn | ignore );
 	check-srv-cname ( fail | warn | ignore );
 	check-wildcard <replaceable>boolean</replaceable>;
 	cleaning-interval <replaceable>integer</replaceable>;
 	clients-per-query <replaceable>integer</replaceable>;
-	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } <optional>
-	    except-from { <replaceable>quoted_string</replaceable>; ... } </optional>;
-	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } <optional> except-from {
-	    <replaceable>quoted_string</replaceable>; ... } </optional>;
+	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
+	    except-from { <replaceable>quoted_string</replaceable>; ... } ];
+	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
+	    <replaceable>quoted_string</replaceable>; ... } ];
 	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
 	    ... };
@@ -584,6 +592,8 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	};
 	dns64-contact <replaceable>string</replaceable>;
 	dns64-server <replaceable>string</replaceable>;
+	dnsrps-enable <replaceable>boolean</replaceable>;
+	dnsrps-options { <replaceable>unspecified-text</replaceable> };
 	dnssec-accept-expired <replaceable>boolean</replaceable>;
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 	dnssec-enable <replaceable>boolean</replaceable>;
@@ -595,11 +605,11 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
 	dnstap { ( all | auth | client | forwarder |
-	    resolver ) <optional> ( query | response ) </optional>; ... };
-	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>quoted_string</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv4_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> ); ... };
+	    resolver ) [ ( query | response ) ]; ... };
+	dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] ); ... };
 	dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
 	    <replaceable>unspecified-text</replaceable> };
 	edns-udp-size <replaceable>integer</replaceable>;
@@ -607,16 +617,18 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	empty-server <replaceable>string</replaceable>;
 	empty-zones-enable <replaceable>boolean</replaceable>;
 	fetch-quota-params <replaceable>integer</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable>;
-	fetches-per-server <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
-	fetches-per-zone <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
+	fetches-per-server <replaceable>integer</replaceable> [ ( drop | fail ) ];
+	fetches-per-zone <replaceable>integer</replaceable> [ ( drop | fail ) ];
 	filter-aaaa { <replaceable>address_match_element</replaceable>; ... };
 	filter-aaaa-on-v4 ( break-dnssec | <replaceable>boolean</replaceable> );
 	filter-aaaa-on-v6 ( break-dnssec | <replaceable>boolean</replaceable> );
 	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable>
-	    | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional>; ... };
+	forwarders [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable>
+	    | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
+	glue-cache <replaceable>boolean</replaceable>;
 	inline-signing <replaceable>boolean</replaceable>;
-	ixfr-from-differences ( master | slave | <replaceable>boolean</replaceable> );
+	ixfr-from-differences ( primary | master | secondary | slave |
+	    <replaceable>boolean</replaceable> );
 	key <replaceable>string</replaceable> {
 		algorithm <replaceable>string</replaceable>;
 		secret <replaceable>string</replaceable>;
@@ -632,17 +644,17 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	match-clients { <replaceable>address_match_element</replaceable>; ... };
 	match-destinations { <replaceable>address_match_element</replaceable>; ... };
 	match-recursive-only <replaceable>boolean</replaceable>;
-	max-acache-size ( unlimited | <replaceable>sizeval</replaceable> );
 	max-cache-size ( default | unlimited | <replaceable>sizeval</replaceable> | <replaceable>percentage</replaceable> );
 	max-cache-ttl <replaceable>integer</replaceable>;
 	max-clients-per-query <replaceable>integer</replaceable>;
-	max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
+	max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
 	max-ncache-ttl <replaceable>integer</replaceable>;
 	max-records <replaceable>integer</replaceable>;
 	max-recursion-depth <replaceable>integer</replaceable>;
 	max-recursion-queries <replaceable>integer</replaceable>;
 	max-refresh-time <replaceable>integer</replaceable>;
 	max-retry-time <replaceable>integer</replaceable>;
+	max-stale-ttl <replaceable>ttlval</replaceable>;
 	max-transfer-idle-in <replaceable>integer</replaceable>;
 	max-transfer-idle-out <replaceable>integer</replaceable>;
 	max-transfer-time-in <replaceable>integer</replaceable>;
@@ -655,28 +667,28 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	minimal-any <replaceable>boolean</replaceable>;
 	minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
 	multi-master <replaceable>boolean</replaceable>;
+	new-zones-directory <replaceable>quoted_string</replaceable>;
 	no-case-compress { <replaceable>address_match_element</replaceable>; ... };
 	nocookie-udp-size <replaceable>integer</replaceable>;
 	notify ( explicit | master-only | <replaceable>boolean</replaceable> );
 	notify-delay <replaceable>integer</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
-	    <optional> dscp <replaceable>integer</replaceable> </optional>;
+	notify-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
+	    [ dscp <replaceable>integer</replaceable> ];
 	notify-to-soa <replaceable>boolean</replaceable>;
-	nsec3-test-zone <replaceable>boolean</replaceable>; // test only
 	nta-lifetime <replaceable>ttlval</replaceable>;
 	nta-recheck <replaceable>ttlval</replaceable>;
 	nxdomain-redirect <replaceable>string</replaceable>;
 	preferred-glue <replaceable>string</replaceable>;
-	prefetch <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
+	prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	provide-ixfr <replaceable>boolean</replaceable>;
-	query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
-	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) </optional>
-	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
-	query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
-	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) </optional>
-	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
+	query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
+	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
+	query-source-v6 ( ( [ address ] ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv6_address</replaceable> | * ) ]
+	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
 	rate-limit {
 		all-per-second <replaceable>integer</replaceable>;
 		errors-per-second <replaceable>integer</replaceable>;
@@ -699,20 +711,26 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	request-ixfr <replaceable>boolean</replaceable>;
 	request-nsid <replaceable>boolean</replaceable>;
 	require-server-cookie <replaceable>boolean</replaceable>;
+	resolver-nonbackoff-tries <replaceable>integer</replaceable>;
 	resolver-query-timeout <replaceable>integer</replaceable>;
+	resolver-retry-interval <replaceable>integer</replaceable>;
 	response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
 	    <replaceable>integer</replaceable>;
-	response-policy { zone <replaceable>quoted_string</replaceable> <optional> log <replaceable>boolean</replaceable> </optional> <optional>
-	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
+	response-policy { zone <replaceable>quoted_string</replaceable> [ log <replaceable>boolean</replaceable> ] [
+	    max-policy-ttl <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ] [
 	    policy ( cname | disabled | drop | given | no-op | nodata |
-	    nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) </optional> <optional>
-	    recursive-only <replaceable>boolean</replaceable> </optional>; ... } <optional> break-dnssec <replaceable>boolean</replaceable> </optional> <optional>
-	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
-	    min-ns-dots <replaceable>integer</replaceable> </optional> <optional> nsip-wait-recurse <replaceable>boolean</replaceable> </optional> <optional>
-	    qname-wait-recurse <replaceable>boolean</replaceable> </optional> <optional> recursive-only <replaceable>boolean</replaceable> </optional>;
-	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
-	rrset-order { <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional> <optional> name
-	    <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
+	    nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
+	    recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
+	    nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ break-dnssec <replaceable>boolean</replaceable> ] [
+	    max-policy-ttl <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ] [
+	    min-ns-dots <replaceable>integer</replaceable> ] [ nsip-wait-recurse <replaceable>boolean</replaceable> ] [
+	    qname-wait-recurse <replaceable>boolean</replaceable> ] [ recursive-only <replaceable>boolean</replaceable> ] [
+	    nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
+	    dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
+	    } ];
+	root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
+	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
 	send-cookie <replaceable>boolean</replaceable>;
 	serial-update-method ( date | increment | unixtime );
 	server <replaceable>netprefix</replaceable> {
@@ -722,20 +740,20 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 		edns-version <replaceable>integer</replaceable>;
 		keys <replaceable>server_key</replaceable>;
 		max-udp-size <replaceable>integer</replaceable>;
-		notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | *
-		    ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-		notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable>
-		    | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+		notify-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | *
+		    ) ] [ dscp <replaceable>integer</replaceable> ];
+		notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable>
+		    | * ) ] [ dscp <replaceable>integer</replaceable> ];
 		padding <replaceable>integer</replaceable>;
 		provide-ixfr <replaceable>boolean</replaceable>;
-		query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port
-		    ( <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> (
-		    <replaceable>ipv4_address</replaceable> | * ) </optional> port ( <replaceable>integer</replaceable> | * ) ) ) <optional>
-		    dscp <replaceable>integer</replaceable> </optional>;
-		query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional>
-		    port ( <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> (
-		    <replaceable>ipv6_address</replaceable> | * ) </optional> port ( <replaceable>integer</replaceable> | * ) ) ) <optional>
-		    dscp <replaceable>integer</replaceable> </optional>;
+		query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port
+		    ( <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] (
+		    <replaceable>ipv4_address</replaceable> | * ) ] port ( <replaceable>integer</replaceable> | * ) ) ) [
+		    dscp <replaceable>integer</replaceable> ];
+		query-source-v6 ( ( [ address ] ( <replaceable>ipv6_address</replaceable> | * ) [
+		    port ( <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] (
+		    <replaceable>ipv6_address</replaceable> | * ) ] port ( <replaceable>integer</replaceable> | * ) ) ) [
+		    dscp <replaceable>integer</replaceable> ];
 		request-expire <replaceable>boolean</replaceable>;
 		request-ixfr <replaceable>boolean</replaceable>;
 		request-nsid <replaceable>boolean</replaceable>;
@@ -743,24 +761,26 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 		tcp-keepalive <replaceable>boolean</replaceable>;
 		tcp-only <replaceable>boolean</replaceable>;
 		transfer-format ( many-answers | one-answer );
-		transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
-		    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-		transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
-		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+		transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
+		    * ) ] [ dscp <replaceable>integer</replaceable> ];
+		transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+		    <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
 		transfers <replaceable>integer</replaceable>;
 	};
 	servfail-ttl <replaceable>ttlval</replaceable>;
 	sig-signing-nodes <replaceable>integer</replaceable>;
 	sig-signing-signatures <replaceable>integer</replaceable>;
 	sig-signing-type <replaceable>integer</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
+	sig-validity-interval <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	sortlist { <replaceable>address_match_element</replaceable>; ... };
+	stale-answer-enable <replaceable>boolean</replaceable>;
+	stale-answer-ttl <replaceable>ttlval</replaceable>;
 	synth-from-dnssec <replaceable>boolean</replaceable>;
 	transfer-format ( many-answers | one-answer );
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
-	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
 	trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
 	trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
 	    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
@@ -771,21 +791,21 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	v6-bias <replaceable>integer</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
-	zone <replaceable>string</replaceable> <optional> <replaceable>class</replaceable> </optional> {
+	zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 		allow-notify { <replaceable>address_match_element</replaceable>; ... };
 		allow-query { <replaceable>address_match_element</replaceable>; ... };
 		allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 		allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 		allow-update { <replaceable>address_match_element</replaceable>; ... };
 		allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-		also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { (
-		    <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> |
-		    <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>;
+		also-notify [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { (
+		    <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] |
+		    <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ];
 		    ... };
-		alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
-		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-		alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
-		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+		alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port (
+		    <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+		alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+		    <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
 		auto-dnssec ( allow | maintain | off );
 		check-dup-records ( fail | warn | ignore );
 		check-integrity <replaceable>boolean</replaceable>;
@@ -807,9 +827,9 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 		dnssec-update-mode ( maintain | no-resign );
 		file <replaceable>quoted_string</replaceable>;
 		forward ( first | only );
-		forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { (
-		    <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional>
-		    dscp <replaceable>integer</replaceable> </optional>; ... };
+		forwarders [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { (
+		    <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [
+		    dscp <replaceable>integer</replaceable> ]; ... };
 		in-view <replaceable>string</replaceable>;
 		inline-signing <replaceable>boolean</replaceable>;
 		ixfr-from-differences <replaceable>boolean</replaceable>;
@@ -817,11 +837,11 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 		key-directory <replaceable>quoted_string</replaceable>;
 		masterfile-format ( map | raw | text );
 		masterfile-style ( full | relative );
-		masters <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable>
-		    | <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional>
-		    port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
+		masters [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable>
+		    | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [
+		    port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
 		max-ixfr-log-size ( default | unlimited |
-		max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
+		max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
 		max-records <replaceable>integer</replaceable>;
 		max-refresh-time <replaceable>integer</replaceable>;
 		max-retry-time <replaceable>integer</replaceable>;
@@ -835,38 +855,38 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 		multi-master <replaceable>boolean</replaceable>;
 		notify ( explicit | master-only | <replaceable>boolean</replaceable> );
 		notify-delay <replaceable>integer</replaceable>;
-		notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | *
-		    ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-		notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable>
-		    | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+		notify-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | *
+		    ) ] [ dscp <replaceable>integer</replaceable> ];
+		notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable>
+		    | * ) ] [ dscp <replaceable>integer</replaceable> ];
 		notify-to-soa <replaceable>boolean</replaceable>;
-		nsec3-test-zone <replaceable>boolean</replaceable>; // test only
 		pubkey <replaceable>integer</replaceable>
 		    <replaceable>integer</replaceable>
 		    <replaceable>integer</replaceable>
 		request-expire <replaceable>boolean</replaceable>;
 		request-ixfr <replaceable>boolean</replaceable>;
 		serial-update-method ( date | increment | unixtime );
-		server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional>
-		    port <replaceable>integer</replaceable> </optional>; ... };
+		server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [
+		    port <replaceable>integer</replaceable> ]; ... };
 		server-names { <replaceable>quoted_string</replaceable>; ... };
 		sig-signing-nodes <replaceable>integer</replaceable>;
 		sig-signing-signatures <replaceable>integer</replaceable>;
 		sig-signing-type <replaceable>integer</replaceable>;
-		sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
-		transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
-		    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-		transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
-		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+		sig-validity-interval <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
+		transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
+		    * ) ] [ dscp <replaceable>integer</replaceable> ];
+		transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+		    <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
 		try-tcp-refresh <replaceable>boolean</replaceable>;
-		type ( delegation-only | forward | hint | master | redirect
-		    | slave | static-stub | stub );
+		type ( primary | master | secondary | slave |
+		    delegation-only | forward | hint | redirect |
+		    static-stub | stub );
 		update-check-ksk <replaceable>boolean</replaceable>;
 		update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> (
 		    6to4-self | external | krb5-self | krb5-subdomain |
 		    ms-self | ms-subdomain | name | self | selfsub |
 		    selfwild | subdomain | tcp-self | wildcard | zonesub )
-		    <optional> <replaceable>string</replaceable> </optional> <replaceable>rrtypelist</replaceable>; ... };
+		    [ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
 		use-alt-transfer-source <replaceable>boolean</replaceable>;
 		zero-no-soa-ttl <replaceable>boolean</replaceable>;
 		zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );
@@ -879,20 +899,20 @@ view <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
   <refsection><info><title>ZONE</title></info>
 
     <literallayout class="normal">
-zone <replaceable>string</replaceable> <optional> <replaceable>class</replaceable> </optional> {
+zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
 	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
-	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
-	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
-	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
-	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
-	    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+	also-notify [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> |
+	    <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
+	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
+	    * ) ] [ dscp <replaceable>integer</replaceable> ];
 	auto-dnssec ( allow | maintain | off );
 	check-dup-records ( fail | warn | ignore );
 	check-integrity <replaceable>boolean</replaceable>;
@@ -913,8 +933,8 @@ zone <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	dnssec-update-mode ( maintain | no-resign );
 	file <replaceable>quoted_string</replaceable>;
 	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable>
-	    | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional>; ... };
+	forwarders [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable>
+	    | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
 	in-view <replaceable>string</replaceable>;
 	inline-signing <replaceable>boolean</replaceable>;
 	ixfr-from-differences <replaceable>boolean</replaceable>;
@@ -922,10 +942,10 @@ zone <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	key-directory <replaceable>quoted_string</replaceable>;
 	masterfile-format ( map | raw | text );
 	masterfile-style ( full | relative );
-	masters <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
-	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
-	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
-	max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
+	masters [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> |
+	    <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
 	max-records <replaceable>integer</replaceable>;
 	max-refresh-time <replaceable>integer</replaceable>;
 	max-retry-time <replaceable>integer</replaceable>;
@@ -939,35 +959,34 @@ zone <replaceable>string</replaceable> <optional> <replaceable>class</replaceabl
 	multi-master <replaceable>boolean</replaceable>;
 	notify ( explicit | master-only | <replaceable>boolean</replaceable> );
 	notify-delay <replaceable>integer</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
-	    <optional> dscp <replaceable>integer</replaceable> </optional>;
+	notify-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
+	    [ dscp <replaceable>integer</replaceable> ];
 	notify-to-soa <replaceable>boolean</replaceable>;
-	nsec3-test-zone <replaceable>boolean</replaceable>; // test only
 	pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable>
 	request-expire <replaceable>boolean</replaceable>;
 	request-ixfr <replaceable>boolean</replaceable>;
 	serial-update-method ( date | increment | unixtime );
-	server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port
-	    <replaceable>integer</replaceable> </optional>; ... };
+	server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port
+	    <replaceable>integer</replaceable> ]; ... };
 	server-names { <replaceable>quoted_string</replaceable>; ... };
 	sig-signing-nodes <replaceable>integer</replaceable>;
 	sig-signing-signatures <replaceable>integer</replaceable>;
 	sig-signing-type <replaceable>integer</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
-	    dscp <replaceable>integer</replaceable> </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
-	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
+	sig-validity-interval <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
+	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    dscp <replaceable>integer</replaceable> ];
+	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
 	try-tcp-refresh <replaceable>boolean</replaceable>;
-	type ( delegation-only | forward | hint | master | redirect | slave
-	    | static-stub | stub );
+	type ( primary | master | secondary | slave | delegation-only |
+	    forward | hint | redirect | static-stub | stub );
 	update-check-ksk <replaceable>boolean</replaceable>;
 	update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> ( 6to4-self |
 	    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
 	    | name | self | selfsub | selfwild | subdomain | tcp-self |
-	    wildcard | zonesub ) <optional> <replaceable>string</replaceable> </optional> <replaceable>rrtypelist</replaceable>; ... };
+	    wildcard | zonesub ) [ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index b28cde1ccf..ce280a92fc 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -71,14 +71,14 @@ acl
     <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
-	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] allow<br>
-	    { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
-	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow<br>
+	    { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> ];<br>
 	unix <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em><br>
-	    owner <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [<span class="optional"><br>
-	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
-	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	    owner <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [<br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> ];<br>
 };<br>
 </p></div>
   </div>
@@ -122,20 +122,21 @@ logging
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
 		buffered <em class="replaceable"><code>boolean</code></em>;<br>
-		file <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) </span>]<br>
-		    [<span class="optional"> size <em class="replaceable"><code>size</code></em> </span>] [<span class="optional"> suffix ( increment | timestamp ) </span>];<br>
+		file <em class="replaceable"><code>quoted_string</code></em> [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ]<br>
+		    [ size <em class="replaceable"><code>size</code></em> ] [ suffix ( increment | timestamp ) ];<br>
 		null;<br>
 		print-category <em class="replaceable"><code>boolean</code></em>;<br>
 		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
 		print-time ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );<br>
 		severity <em class="replaceable"><code>log_severity</code></em>;<br>
 		stderr;<br>
-		syslog [<span class="optional"> <em class="replaceable"><code>syslog_facility</code></em> </span>];<br>
+		syslog [ <em class="replaceable"><code>syslog_facility</code></em> ];<br>
 	};<br>
 };<br>
 </p></div>
   </div>
 
+
   <div class="refsection">
 <a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
 
@@ -149,10 +150,10 @@ managed-keys
 <a name="id-1.15"></a><h2>MASTERS</h2>
 
     <div class="literallayout"><p><br>
-masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
-    <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
+    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
+    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
 </p></div>
   </div>
 
@@ -161,10 +162,6 @@ masters
 
     <div class="literallayout"><p><br>
 options {<br>
-	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -176,13 +173,13 @@ options
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	attach-cache <em class="replaceable"><code>string</code></em>;<br>
 	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
 	auto-dnssec ( allow | maintain | off );<br>
@@ -192,17 +189,18 @@ options
 	bindkeys-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
-	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [ default-masters [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
+	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
+	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
 	check-mx-cname ( fail | warn | ignore );<br>
-	check-names ( master | slave | response<br>
-	    ) ( fail | warn | ignore );<br>
+	check-names ( primary | master |<br>
+	    secondary | slave | response ) (<br>
+	    fail | warn | ignore );<br>
 	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
 	check-spf ( warn | ignore );<br>
 	check-srv-cname ( fail | warn | ignore );<br>
@@ -213,10 +211,10 @@ options
 	cookie-secret <em class="replaceable"><code>string</code></em>;<br>
 	coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
-	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
-	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [ except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
 	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
@@ -234,6 +232,8 @@ options
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -245,35 +245,35 @@ options
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
 	dnstap { ( all | auth | client | forwarder |<br>
-	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
+	    resolver ) [ ( query | response ) ]; ... };<br>
 	dnstap-identity ( <em class="replaceable"><code>quoted_string</code></em> | none |<br>
 	    hostname );<br>
-	dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"><br>
-	    size ( unlimited | <em class="replaceable"><code>size</code></em> ) </span>] [<span class="optional"> versions (<br>
-	    unlimited | <em class="replaceable"><code>integer</code></em> ) </span>] [<span class="optional"> suffix ( increment<br>
-	    | timestamp ) </span>];<br>
+	dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [<br>
+	    size ( unlimited | <em class="replaceable"><code>size</code></em> ) ] [ versions (<br>
+	    unlimited | <em class="replaceable"><code>integer</code></em> ) ] [ suffix ( increment<br>
+	    | timestamp ) ];<br>
 	dnstap-version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	dscp <em class="replaceable"><code>integer</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
+	dual-stack-servers [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] ); ... };<br>
 	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	empty-contact <em class="replaceable"><code>string</code></em>;<br>
 	empty-server <em class="replaceable"><code>string</code></em>;<br>
 	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
-	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
-	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
 	files ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	flush-zones-on-shutdown <em class="replaceable"><code>boolean</code></em>;<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	fstrm-set-buffer-hint <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-flush-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-input-queue-size <em class="replaceable"><code>integer</code></em>;<br>
@@ -282,20 +282,22 @@ options
 	fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
 	geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	geoip-use-ecs ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	geoip-use-ecs <em class="replaceable"><code>boolean</code></em>;<br>
+	glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
 	hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
-	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
+	ixfr-from-differences ( primary | master | secondary | slave |<br>
+	    <em class="replaceable"><code>boolean</code></em> );<br>
 	keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
+	    <em class="replaceable"><code>integer</code></em> ] {<br>
 	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	listen-on-v6 [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
+	    <em class="replaceable"><code>integer</code></em> ] {<br>
 	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
 	lock-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
@@ -303,11 +305,10 @@ options
 	masterfile-format ( map | raw | text );<br>
 	masterfile-style ( full | relative );<br>
 	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
-	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
-	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
@@ -315,6 +316,7 @@ options
 	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -329,33 +331,33 @@ options
 	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
 	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	new-zones-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
 	notify-rate <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
 	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
 	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
 	pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	port <em class="replaceable"><code>integer</code></em>;<br>
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	querylog <em class="replaceable"><code>boolean</code></em>;<br>
-	random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
+	random-device ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	rate-limit {<br>
 		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
 		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
@@ -381,20 +383,26 @@ options
 	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
 	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-nonbackoff-tries <em class="replaceable"><code>integer</code></em>;<br>
 	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
-	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
-	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
-	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
+	    } ];<br>
+	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
@@ -407,9 +415,11 @@ options
 	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
 	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
@@ -425,10 +435,10 @@ options
 	tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
 	transfer-message-size <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	transfers-in <em class="replaceable"><code>integer</code></em>;<br>
 	transfers-out <em class="replaceable"><code>integer</code></em>;<br>
 	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
@@ -458,18 +468,18 @@ server
 	edns-version <em class="replaceable"><code>integer</code></em>;<br>
 	keys <em class="replaceable"><code>server_key</code></em>;<br>
 	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	padding <em class="replaceable"><code>integer</code></em>;<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
@@ -477,10 +487,10 @@ server
 	tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
 	tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	transfers <em class="replaceable"><code>integer</code></em>;<br>
 };<br>
 </p></div>
@@ -492,9 +502,9 @@ server
     <div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
-	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
 	    allow { <em class="replaceable"><code>address_match_element</code></em>; ...<br>
-	    } </span>];<br>
+	    } ];<br>
 };<br>
 </p></div>
   </div>
@@ -512,11 +522,7 @@ trusted-keys
 <a name="id-1.20"></a><h2>VIEW</h2>
 
     <div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
-	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
+view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -528,38 +534,39 @@ view
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	attach-cache <em class="replaceable"><code>string</code></em>;<br>
 	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
 	auto-dnssec ( allow | maintain | off );<br>
 	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
-	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [ default-masters [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
+	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
+	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
 	check-mx-cname ( fail | warn | ignore );<br>
-	check-names ( master | slave | response<br>
-	    ) ( fail | warn | ignore );<br>
+	check-names ( primary | master |<br>
+	    secondary | slave | response ) (<br>
+	    fail | warn | ignore );<br>
 	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
 	check-spf ( warn | ignore );<br>
 	check-srv-cname ( fail | warn | ignore );<br>
 	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
-	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
-	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [ except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
 	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
 	    ... };<br>
@@ -580,6 +587,8 @@ view
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -591,11 +600,11 @@ view
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
 	dnstap { ( all | auth | client | forwarder |<br>
-	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
+	    resolver ) [ ( query | response ) ]; ... };<br>
+	dual-stack-servers [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] ); ... };<br>
 	dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
 	    <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
@@ -603,16 +612,18 @@ view
 	empty-server <em class="replaceable"><code>string</code></em>;<br>
 	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
-	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
-	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
 	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+	glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
-	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
+	ixfr-from-differences ( primary | master | secondary | slave |<br>
+	    <em class="replaceable"><code>boolean</code></em> );<br>
 	key <em class="replaceable"><code>string</code></em> {<br>
 		algorithm <em class="replaceable"><code>string</code></em>;<br>
 		secret <em class="replaceable"><code>string</code></em>;<br>
@@ -628,17 +639,17 @@ view
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
-	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
 	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -651,28 +662,28 @@ view
 	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
 	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	new-zones-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
 	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
 	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	rate-limit {<br>
 		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
 		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
@@ -695,20 +706,26 @@ view
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
 	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	resolver-nonbackoff-tries <em class="replaceable"><code>integer</code></em>;<br>
 	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
-	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
-	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
-	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
+	    } ];<br>
+	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-update-method ( date | increment | unixtime );<br>
 	server <em class="replaceable"><code>netprefix</code></em> {<br>
@@ -718,20 +735,20 @@ view
 		edns-version <em class="replaceable"><code>integer</code></em>;<br>
 		keys <em class="replaceable"><code>server_key</code></em>;<br>
 		max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
-		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
-		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		padding <em class="replaceable"><code>integer</code></em>;<br>
 		provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-		query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port<br>
-		    ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
-		    <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
-		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"><br>
-		    port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
-		    <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
-		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port<br>
+		    ( <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | * ) ] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<br>
+		    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<br>
+		    port ( <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] (<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> | * ) ] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<br>
+		    dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 		request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
@@ -739,24 +756,26 @@ view
 		tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
 		tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
 		transfer-format ( many-answers | one-answer );<br>
-		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		transfers <em class="replaceable"><code>integer</code></em>;<br>
 	};<br>
 	servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
 	trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
 	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
@@ -767,21 +786,21 @@ view
 	v6-bias <em class="replaceable"><code>integer</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+	zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 		allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-		also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
-		    <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] |<br>
-		    <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>];<br>
+		also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { (<br>
+		    <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] |<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ];<br>
 		    ... };<br>
-		alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		auto-dnssec ( allow | maintain | off );<br>
 		check-dup-records ( fail | warn | ignore );<br>
 		check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
@@ -803,9 +822,9 @@ view
 		dnssec-update-mode ( maintain | no-resign );<br>
 		file <em class="replaceable"><code>quoted_string</code></em>;<br>
 		forward ( first | only );<br>
-		forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
-		    <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-		    dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [<br>
+		    dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 		in-view <em class="replaceable"><code>string</code></em>;<br>
 		inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 		ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
@@ -813,11 +832,11 @@ view
 		key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 		masterfile-format ( map | raw | text );<br>
 		masterfile-style ( full | relative );<br>
-		masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em><br>
-		    | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"><br>
-		    port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+		masters [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em><br>
+		    | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [<br>
+		    port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
 		max-ixfr-log-size ( default | unlimited |<br>
-		max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+		max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 		max-records <em class="replaceable"><code>integer</code></em>;<br>
 		max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 		max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
@@ -831,38 +850,38 @@ view
 		multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 		notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 		notify-delay <em class="replaceable"><code>integer</code></em>;<br>
-		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
-		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
-		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-		nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 		pubkey <em class="replaceable"><code>integer</code></em><br>
 		    <em class="replaceable"><code>integer</code></em><br>
 		    <em class="replaceable"><code>integer</code></em><br>
 		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 		serial-update-method ( date | increment | unixtime );<br>
-		server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"><br>
-		    port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<br>
+		    port <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 		server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 		sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 		sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 		sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-		sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
-		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-		type ( delegation-only | forward | hint | master | redirect<br>
-		    | slave | static-stub | stub );<br>
+		type ( primary | master | secondary | slave |<br>
+		    delegation-only | forward | hint | redirect |<br>
+		    static-stub | stub );<br>
 		update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 		update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> (<br>
 		    6to4-self | external | krb5-self | krb5-subdomain |<br>
 		    ms-self | ms-subdomain | name | self | selfsub |<br>
 		    selfwild | subdomain | tcp-self | wildcard | zonesub )<br>
-		    [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+		    [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
 		use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
 		zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 		zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
@@ -876,20 +895,20 @@ view
 <a name="id-1.21"></a><h2>ZONE</h2>
 
     <div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	auto-dnssec ( allow | maintain | off );<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
@@ -910,8 +929,8 @@ zone
 	dnssec-update-mode ( maintain | no-resign );<br>
 	file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	in-view <em class="replaceable"><code>string</code></em>;<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
@@ -919,10 +938,10 @@ zone
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	masterfile-format ( map | raw | text );<br>
 	masterfile-style ( full | relative );<br>
-	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	masters [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
@@ -936,35 +955,34 @@ zone
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
 	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-update-method ( date | increment | unixtime );<br>
-	server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	type ( delegation-only | forward | hint | master | redirect | slave<br>
-	    | static-stub | stub );<br>
+	type ( primary | master | secondary | slave | delegation-only |<br>
+	    forward | hint | redirect | static-stub | stub );<br>
 	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 	update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
 	    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
 	    | name | self | selfsub | selfwild | subdomain | tcp-self |<br>
-	    wildcard | zonesub ) [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+	    wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c
index ce43b3329e..d2401823e7 100644
--- a/bin/tests/cfg_test.c
+++ b/bin/tests/cfg_test.c
@@ -20,6 +20,7 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <isccfg/grammar.h>
 #include <isccfg/namedconf.h>
 
 #include <dns/log.h>
@@ -64,6 +65,7 @@ main(int argc, char **argv) {
 	isc_boolean_t grammar = ISC_FALSE;
 	isc_boolean_t memstats = ISC_FALSE;
 	char *filename = NULL;
+	unsigned int zonetype = 0;
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
@@ -97,6 +99,36 @@ main(int argc, char **argv) {
 	while (argc > 1) {
 		if (strcmp(argv[1], "--grammar") == 0) {
 			grammar = ISC_TRUE;
+		} else if (strcmp(argv[1], "--zonegrammar") == 0) {
+			argv++, argc--;
+			if (argc <= 1)  {
+				usage();
+			}
+			if (strcmp(argv[1], "master") == 0 ||
+			    strcmp(argv[1], "primary") == 0)
+			{
+				zonetype = CFG_ZONE_MASTER;
+			} else if (strcmp(argv[1], "slave") == 0 ||
+				   strcmp(argv[1], "seconary") == 0)
+			{
+				zonetype = CFG_ZONE_SLAVE;
+			} else if (strcmp(argv[1], "stub") == 0) {
+				zonetype = CFG_ZONE_STUB;
+			} else if (strcmp(argv[1], "static-stub") == 0) {
+				zonetype = CFG_ZONE_STATICSTUB;
+			} else if (strcmp(argv[1], "hint") == 0) {
+				zonetype = CFG_ZONE_HINT;
+			} else if (strcmp(argv[1], "forward") == 0) {
+				zonetype = CFG_ZONE_FORWARD;
+			} else if (strcmp(argv[1], "redirect") == 0) {
+				zonetype = CFG_ZONE_REDIRECT;
+			} else if (strcmp(argv[1], "delegation-only") == 0) {
+				zonetype = CFG_ZONE_DELEGATION;
+			} else if (strcmp(argv[1], "in-view") == 0) {
+				zonetype = CFG_ZONE_INVIEW;
+			} else {
+				usage();
+			}
 		} else if (strcmp(argv[1], "--memstats") == 0) {
 			memstats = ISC_TRUE;
 		} else if (strcmp(argv[1], "--named") == 0) {
@@ -115,6 +147,8 @@ main(int argc, char **argv) {
 		if (type == NULL)
 			usage();
 		cfg_print_grammar(type, output, NULL);
+	} else if (zonetype != 0) {
+		cfg_print_zonegrammar(zonetype, output, NULL);
 	} else {
 		if (type == NULL || filename == NULL)
 			usage();
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 4f7fdae530..f764ae3c0f 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -3259,12 +3259,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
       </para>
 
       <section xml:id="acl_grammar"><info><title><command>acl</command> Statement Grammar</title></info>
-
-<programlisting><command>acl</command> <replaceable>acl-name</replaceable> <command>{</command>
-    <replaceable>address_match_list</replaceable>
-<command>};</command>
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="acl.grammar.xml"/>
       </section>
       <section xml:id="acl"><info><title><command>acl</command> Statement Definition and
 	  Usage</title></info>
@@ -3342,18 +3337,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	</informaltable>
       </section>
       <section xml:id="controls_grammar"><info><title><command>controls</command> Statement Grammar</title></info>
-
-<programlisting><command>controls {</command>
-  [ <command>inet</command> ( <replaceable>ip_addr</replaceable> | <command>*</command> ) [ <command>port</command> <replaceable>ip_port</replaceable> ] <command>allow {</command> <replaceable>address_match_list</replaceable> <command>}</command>
-      [ <command>keys {</command> <replaceable>key_list</replaceable> <command>}</command> ]
-      [ <command>read-only</command> <replaceable>yes_or_no</replaceable> ] <command>;</command> ]
-  [ <command>unix</command> <replaceable>path</replaceable> <command>perm</command> <replaceable>number</replaceable> <command>owner</command> <replaceable>number</replaceable> <command>group</command> <replaceable>number</replaceable>
-      [ <command>keys {</command> <replaceable>key_list</replaceable> <command>}</command> ]
-      [ <command>read-only</command> <replaceable>yes_or_no</replaceable> ] <command>;</command> ]
-   [ ...; ]
-<command>};</command>
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="controls.grammar.xml"/>
       </section>
 
       <section xml:id="controls_statement_definition_and_usage"><info><title><command>controls</command> Statement Definition and
@@ -3505,13 +3489,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
       </section>
       <section xml:id="key_grammar"><info><title><command>key</command> Statement Grammar</title></info>
-
-<programlisting><command>key</command> <replaceable>key_id</replaceable> <command>{</command>
-    <command>algorithm</command> <replaceable>algorithm_id</replaceable><command>;</command>
-    <command>secret</command> <replaceable>secret_string</replaceable><command>;</command>
-<command>};</command>
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="key.grammar.xml"/>
       </section>
 
       <section xml:id="key_statement"><info><title><command>key</command> Statement Definition and Usage</title></info>
@@ -3561,30 +3539,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
       </section>
       <section xml:id="logging_grammar"><info><title><command>logging</command> Statement Grammar</title></info>
-
-<programlisting><command>logging {</command>
-  [ <command>channel</command> <replaceable>channel_name</replaceable> <command>{</command>
-    ( ( <command>file</command> <replaceable>path_name</replaceable>
-	  [ <command>versions</command> ( <replaceable>number</replaceable> | <option>unlimited</option> ) ]
-	  [ <command>size</command> <replaceable>size_spec</replaceable> ]
-	  [ <command>suffix</command> ( <option>increment</option> | <option>timestamp</option> ) )
-      | <command>syslog</command> <replaceable>syslog_facility</replaceable>
-      | <command>stderr</command>
-      | <command>null</command> ) <command>;</command>
-      [ <command>severity</command> ( <option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
-		   <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ) <command>;</command> ]
-      [ <command>print-category</command> <replaceable>yes_or_no</replaceable> <command>;</command> ]
-      [ <command>print-severity</command> <replaceable>yes_or_no</replaceable> <command>;</command> ]
-      [ <command>print-time</command> ( <option>yes</option> | <option>no</option> | <option>local</option> | <option>iso8601</option> | <option>iso8601-utc</option> ) ;
-      [ <command>buffered</command> <replaceable>yes_or_no</replaceable> <command>;</command> ]
-    <command>};</command> ]
-  [ <command>category</command> <replaceable>category_name</replaceable> <command>{</command>
-     <replaceable>channel_name</replaceable> <command>;</command> ...
-    <command>};</command> ]
-    ...
-<command>};</command>
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="logging.grammar.xml"/>
       </section>
 
       <section xml:id="logging_statement"><info><title><command>logging</command> Statement Definition and Usage</title></info>
@@ -4217,15 +4172,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
       </section>
 
       <section xml:id="masters_grammar"><info><title><command>masters</command> Statement Grammar</title></info>
-
-<programlisting>
-<command>masters</command> <replaceable>name</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-  ( <replaceable>masters_list</replaceable> <command>;</command> ) |
-  ( <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>key</command> <replaceable>key</replaceable> ] <command>;</command> )
-    ...
-<command>};</command>
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="masters.grammar.xml"/>
       </section>
 
       <section xml:id="masters_statement"><info><title><command>masters</command> Statement Definition and
@@ -4244,318 +4191,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	  This is the grammar of the <command>options</command>
 	  statement in the <filename>named.conf</filename> file:
 	</para>
-
-<programlisting><command>options {</command>
-  [ <command>attach-cache</command> <replaceable>cache_name</replaceable> ; ]
-  [ <command>version</command> <replaceable>version_string</replaceable> ; ]
-  [ <command>hostname</command> <replaceable>hostname_string</replaceable> ; ]
-  [ <command>server-id</command> <replaceable>server_id_string</replaceable> ; ]
-  [ <command>directory</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>dnstap {</command> <replaceable>message_type</replaceable> ; ... <command>}</command> ; ]
-  [ <command>dnstap-output</command> ( <option>file</option> | <option>unix</option> ) <replaceable>path_name</replaceable> [ <command>size</command> <replaceable>size_spec</replaceable> ] [ <command>versions</command> ( <replaceable>number</replaceable> | <option>unlimited</option> ) ] ; ]
-  [ <command>dnstap-identity</command> ( <replaceable>string</replaceable> | <option>hostname</option> | <option>none</option> ) ; ]
-  [ <command>dnstap-version</command> ( <replaceable>string</replaceable> | <option>none</option> ) ; ]
-  [ <command>fstrm-set-buffer-hint</command> <replaceable>number</replaceable> ; ]
-  [ <command>fstrm-set-flush-timeout</command> <replaceable>number</replaceable> ; ]
-  [ <command>fstrm-set-input-queue-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>fstrm-set-output-notify-threshold</command> <replaceable>number</replaceable> ; ]
-  [ <command>fstrm-set-output-queue-model</command> ( <option>mpsc</option> | <option>spsc</option> ) ; ]
-  [ <command>fstrm-set-output-queue-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>fstrm-set-reopen-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>geoip-directory</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>key-directory</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>managed-keys-directory</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>new-zones-directory</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>named-xfer</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>tkey-gssapi-keytab</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>tkey-gssapi-credential</command> <replaceable>principal</replaceable> ; ]
-  [ <command>tkey-domain</command> <replaceable>domain_name</replaceable> ; ]
-  [ <command>tkey-dhkey</command> <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable> ; ]
-  [ <command>cache-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>dump-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>bindkeys-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>lock-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>secroots-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>session-keyfile</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>session-keyname</command> <replaceable>key_name</replaceable> ; ]
-  [ <command>session-keyalg</command> <replaceable>algorithm_id</replaceable> ; ]
-  [ <command>memstatistics</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>memstatistics-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>pid-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>recursing-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>statistics-file</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>zone-statistics</command> ( <option>full</option> | <option>terse</option> | <option>none</option> ) ; ]
-  [ <command>auth-nxdomain</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>nxdomain-redirect</command> <replaceable>string</replaceable> ; ]
-  [ <command>deallocate-on-exit</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dialup</command> <replaceable>dialup_option</replaceable> ; ]
-  [ <command>fake-iquery</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>fetch-glue</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>flush-zones-on-shutdown</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>has-old-clients</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>host-statistics</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>host-statistics-max</command> <replaceable>number</replaceable> ; ]
-  [ <command>glue-cache</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>minimal-any</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>minimal-responses</command> ( <replaceable>yes_or_no</replaceable> | <option>no-auth</option> | <option>no-auth-recursive</option> ) ; ]
-  [ <command>multiple-cnames</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>notify</command> ( <replaceable>yes_or_no</replaceable> | <option>explicit</option> | <option>master-only</option> ) ; ]
-  [ <command>recursion</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>send-cookie</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>require-server-cookie</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>cookie-algorithm</command> <replaceable>algorithm_id</replaceable> ; ]
-  [ <command>cookie-secret</command> <replaceable>secret_string</replaceable> ; ]
-  [ <command>nocookie-udp-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>request-nsid</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>rfc2308-type1</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>use-id-pool</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>maintain-ixfr-base</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>ixfr-from-differences</command> ( <replaceable>yes_or_no</replaceable> | <option>master</option> | <option>slave</option> ) ; ]
-  [ <command>auto-dnssec</command> ( <option>allow</option> | <option>maintain</option> | <option>off</option> ) ; ]
-  [ <command>inline-signing</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-enable</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-validation</command> ( <replaceable>yes_or_no</replaceable> | <option>auto</option> ) ; ]
-  [ <command>dnssec-lookaside</command> ( <option>auto</option> | <option>no</option> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ) ; ]
-  [ <command>dnssec-must-be-secure</command> <replaceable>domain yes_or_no</replaceable> ; ]
-  [ <command>dnssec-accept-expired</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>forward</command> ( <option>only</option> | <option>first</option> ) ; ]
-  [ <command>forwarders {</command>
-      ( <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; )
-	...
-    <command>}</command> ; ]
-  [ <command>dual-stack-servers</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-      ( ( <replaceable>domain_name</replaceable> | <replaceable>ip_addr</replaceable> ) [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; )
-	...
-    <command>}</command> ; ]
-  [ <command>check-names</command> ( <option>master</option> | <option>slave</option> | <option>response</option> )
-		( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>check-dup-records</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>check-mx</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>check-wildcard</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>check-integrity</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>check-mx-cname</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>check-srv-cname</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>check-sibling</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>check-spf</command> ( <option>warn</option> | <option>ignore</option> ) ; ]
-  [ <command>allow-new-zones</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>allow-notify {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query-on {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query-cache {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query-cache-on {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-transfer {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-recursion {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-recursion-on {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-update {</command> <replaceable>address_match_list</replaceable> <command>}</command> ]
-  [ <command>allow-update-forwarding {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>automatic-interface-scan</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>geoip-use-ecs</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>update-check-ksk</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-update-mode</command> ( <option>maintain</option> | <option>no-resign</option> ) ; ]
-  [ <command>dnssec-dnskey-kskonly</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-loadkeys-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>dnssec-secure-to-insecure</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>try-tcp-refresh</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>allow-v6-synthesis {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>blackhole {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>keep-response-order {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>no-case-compress {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>message-compression</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>use-v4-udp-ports {</command> <replaceable>port_list</replaceable> <command>}</command> ; ]
-  [ <command>avoid-v4-udp-ports {</command> <replaceable>port_list</replaceable> <command>}</command> ; ]
-  [ <command>use-v6-udp-ports {</command> <replaceable>port_list</replaceable> <command>}</command> ; ]
-  [ <command>avoid-v6-udp-ports {</command> <replaceable>port_list</replaceable> <command>}</command> ; ]
-  [ <command>listen-on</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>listen-on-v6</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>query-source</command> ( [ <command>address</command> ] ( <replaceable>ip4_addr</replaceable> | <option>*</option> ) )
-      [ <command>port</command> ( <replaceable>ip_port</replaceable> | <option>*</option> ) ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ] ;
-  [ <command>query-source-v6</command> ( [ <command>address</command> ] ( <replaceable>ip6_addr</replaceable> | <option>*</option> ) )
-      [ <command>port</command> ( <replaceable>ip_port</replaceable> | <option>*</option> ) ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ] ;
-  [ <command>use-queryport-pool</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>queryport-pool-ports</command> <replaceable>number</replaceable> ; ]
-  [ <command>queryport-pool-updateinterval</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-records</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-time-in</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-time-out</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-idle-in</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-idle-out</command> <replaceable>number</replaceable> ; ]
-  [ <command>reserved-sockets</command> <replaceable>number</replaceable> ; ]
-  [ <command>recursive-clients</command> <replaceable>number</replaceable> ; ]
-  [ <command>tcp-clients</command> <replaceable>number</replaceable> ; ]
-  [ <command>clients-per-query</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-clients-per-query</command> <replaceable>number</replaceable> ; ]
-  [ <command>fetches-per-server</command> <replaceable>number</replaceable> [ ( <option>drop</option> | <option>fail</option> ) ] ; ]
-  [ <command>fetches-per-zone</command> <replaceable>number</replaceable> [ ( <option>drop</option> | <option>fail</option> ) ] ; ]
-  [ <command>fetch-quota-params</command> <replaceable>number fixedpoint fixedpoint fixedpoint</replaceable> ; ]
-  [ <command>notify-rate</command> <replaceable>number</replaceable> ; ]
-  [ <command>startup-notify-rate</command> <replaceable>number</replaceable> ; ]
-  [ <command>serial-query-rate</command> <replaceable>number</replaceable> ; ]
-  [ <command>serial-queries</command> <replaceable>number</replaceable> ; ]
-  [ <command>tcp-listen-queue</command> <replaceable>number</replaceable> ; ]
-  [ <command>tcp-initial-timeout</command> <replaceable>number</replaceable>; ]
-  [ <command>tcp-idle-timeout</command> <replaceable>number</replaceable>; ]
-  [ <command>tcp-keepalive-timeout</command> <replaceable>number</replaceable>; ]
-  [ <command>tcp-advertised-timeout</command> <replaceable>number</replaceable>; ]
-  [ <command>transfer-format</command> ( <option>one-answer</option> | <option>many-answers</option> ) ; ]
-  [ <command>transfer-message-size</command>  <replaceable>number</replaceable> ; ]
-  [ <command>transfers-in</command>  <replaceable>number</replaceable> ; ]
-  [ <command>transfers-out</command> <replaceable>number</replaceable> ; ]
-  [ <command>transfers-per-ns</command> <replaceable>number</replaceable> ; ]
-  [ <command>transfer-source</command> ( <replaceable>ip4_addr</replaceable> | <option>*</option> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>transfer-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <option>*</option> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>alt-transfer-source</command> ( <replaceable>ip4_addr</replaceable> | <option>*</option> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>alt-transfer-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <option>*</option> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>use-alt-transfer-source</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>notify-delay</command> <replaceable>seconds</replaceable> ; ]
-  [ <command>notify-source</command> ( <replaceable>ip4_addr</replaceable> | <option>*</option> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>notify-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <option>*</option> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>notify-to-soa</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>also-notify</command> [ <command>port</command> <replaceable>ip_port</replaceable>] [ <command>dscp</command> <replaceable>ip_dscp</replaceable>] <command>{</command>
-      ( <replaceable>masters</replaceable> | <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] ) [ <command>key</command> <replaceable>key_name</replaceable> ] ;
-	...
-    <command>}</command> ; ]
-  [ <command>max-ixfr-log-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-journal-size</command> <replaceable>size_spec</replaceable> ; ]
-  [ <command>coresize</command> <replaceable>size_spec</replaceable> ; ]
-  [ <command>datasize</command> <replaceable>size_spec</replaceable> ; ]
-  [ <command>files</command> <replaceable>size_spec</replaceable> ; ]
-  [ <command>stacksize</command> <replaceable>size_spec</replaceable> ; ]
-  [ <command>cleaning-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>heartbeat-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>interface-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>statistics-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>topology {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>sortlist {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>rrset-order {</command> <replaceable>order_spec</replaceable> ; ... <command>}</command> ; ]
-  [ <command>lame-ttl</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-ncache-ttl</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-cache-ttl</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-stale-ttl</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-zone-ttl</command> ( <option>unlimited</option> | <replaceable>number</replaceable> ) ; ]
-  [ <command>stale-answer-enable</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>stale-answer-ttl</command> <replaceable>number</replaceable> ; ]
-  [ <command>serial-update-method</command> ( <option>increment</option> | <option>unixtime</option> | <option>date</option> ) ; ]
-  [ <command>servfail-ttl</command> <replaceable>number</replaceable> ; ]
-  [ <command>sig-validity-interval</command> <replaceable>number</replaceable> [<replaceable>number</replaceable>] ; ]
-  [ <command>sig-signing-nodes</command> <replaceable>number</replaceable> ; ]
-  [ <command>sig-signing-signatures</command> <replaceable>number</replaceable> ; ]
-  [ <command>sig-signing-type</command> <replaceable>number</replaceable> ; ]
-  [ <command>min-roots</command> <replaceable>number</replaceable> ; ]
-  [ <command>use-ixfr</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>provide-ixfr</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>request-ixfr</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>request-expire</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>treat-cr-as-space</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>min-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>min-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>nta-lifetime</command> <replaceable>duration</replaceable> ; ]
-  [ <command>nta-recheck</command> <replaceable>duration</replaceable> ; ]
-  [ <command>port</command> <replaceable>ip_port</replaceable> ; ]
-  [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ; ]
-  [ <command>random-device</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>max-cache-size</command> <replaceable>size_or_percent</replaceable> ; ]
-  [ <command>match-mapped-addresses</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>filter-aaaa-on-v4</command> ( <replaceable>yes_or_no</replaceable> | <option>break-dnssec</option> ) ; ]
-  [ <command>filter-aaaa-on-v6</command> ( <replaceable>yes_or_no</replaceable> | <option>break-dnssec</option> ) ; ]
-  [ <command>filter-aaaa {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>dns64</command> <replaceable>ipv6-prefix</replaceable> <command>{</command>
-      [ <command>clients {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-      [ <command>mapped {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-      [ <command>exclude {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-      [ <command>suffix</command> <replaceable>ip6-address</replaceable> ; ]
-      [ <command>recursive-only</command> <replaceable>yes_or_no</replaceable> ; ]
-      [ <command>break-dnssec</command> <replaceable>yes_or_no</replaceable> ; ]
-    <command>}</command> ; ]
-  [ <command>dns64-server</command> <replaceable>name</replaceable> ]
-  [ <command>dns64-contact</command> <replaceable>name</replaceable> ]
-  [ <command>preferred-glue</command> ( <option>A</option> | <option>AAAA</option> | <option>none</option> ); ]
-  [ <command>edns-udp-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-udp-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>response-padding</command> { <replaceable>address_match_list</replaceable> } block-size <replaceable>number</replaceable> ; ]
-  [ <command>max-rsa-exponent-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>root-delegation-only</command> [ <command>exclude {</command> <replaceable>namelist</replaceable> <command>}</command> ] ; ]
-  [ <command>querylog</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>disable-algorithms</command> <replaceable>domain</replaceable> <command>{</command> <replaceable>algorithm</replaceable> ; ... <command>}</command> ; ]
-  [ <command>disable-ds-digests</command> <replaceable>domain</replaceable> <command>{</command> <replaceable>digest_type</replaceable> ; ... <command>}</command> ; ]
-  [ <command>max-recursion-depth</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-recursion-queries</command> <replaceable>number</replaceable> ; ]
-  [ <command>masterfile-format</command> ( <option>text</option> | <option>raw</option> | <option>map</option> ) ; ]
-  [ <command>masterfile-style</command> ( <option>relative</option> | <option>full</option> ) ; ]
-  [ <command>empty-server</command> <replaceable>name</replaceable> ; ]
-  [ <command>empty-contact</command> <replaceable>name</replaceable> ; ]
-  [ <command>empty-zones-enable</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>disable-empty-zone</command> <replaceable>zone_name</replaceable> ; ]
-  [ <command>zero-no-soa-ttl</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>zero-no-soa-ttl-cache</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>resolver-query-timeout</command> <replaceable>number</replaceable> ; ]
-  [ <command>deny-answer-addresses {</command> <replaceable>address_match_list</replaceable> <command>}</command>
-      [ <command>except-from {</command> <replaceable>namelist</replaceable> <command>}</command> ] ; ]
-  [ <command>deny-answer-aliases {</command> <replaceable>namelist</replaceable> <command>}</command>
-      [ <command>except-from {</command> <replaceable>namelist</replaceable> <command>}</command> ] ; ]
-  [ <command>prefetch</command> <replaceable>number</replaceable> [ <replaceable>number</replaceable> ] ; ]
-  [ <command>rate-limit {</command>
-      [ <command>responses-per-second</command> <replaceable>number</replaceable> ; ]
-      [ <command>referrals-per-second</command> <replaceable>number</replaceable> ; ]
-      [ <command>nodata-per-second</command> <replaceable>number</replaceable> ; ]
-      [ <command>nxdomains-per-second</command> <replaceable>number</replaceable> ; ]
-      [ <command>errors-per-second</command> <replaceable>number</replaceable> ; ]
-      [ <command>all-per-second</command> <replaceable>number</replaceable> ; ]
-      [ <command>window</command> <replaceable>number</replaceable> ; ]
-      [ <command>log-only</command> <replaceable>yes_or_no</replaceable> ; ]
-      [ <command>qps-scale</command> <replaceable>number</replaceable> ; ]
-      [ <command>ipv4-prefix-length</command> <replaceable>number</replaceable> ; ]
-      [ <command>ipv6-prefix-length</command> <replaceable>number</replaceable> ; ]
-      [ <command>slip</command> <replaceable>number</replaceable> ; ]
-      [ <command>exempt-clients {</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-      [ <command>max-table-size</command> <replaceable>number</replaceable> ; ]
-      [ <command>min-table-size</command> <replaceable>number</replaceable> ; ]
-    <command>}</command> ; ]
-  [ <command>response-policy {</command>
-	<command>zone</command> <replaceable>zone_name</replaceable>
-      [ <command>policy</command> ( given | disabled | passthru | drop |
-		 tcp-only | nxdomain | nodata | cname <replaceable>domain</replaceable> ) ]
-      [ <command>recursive-only</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>log</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>max-policy-ttl</command> <replaceable>number</replaceable> ]
-      [ <command>min-update-interval</command> <replaceable>number</replaceable> ]
-      [ <command>nsip-enable</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>nsdname-enable</command> <replaceable>yes_or_no</replaceable> ] ;
-	 ...
-    <command>}</command> [ <command>recursive-only</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>max-policy-ttl</command> <replaceable>number</replaceable> ]
-      [ <command>min-update-interval</command> <replaceable>number</replaceable> ]
-      [ <command>break-dnssec</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>min-ns-dots</command> <replaceable>number</replaceable> ]
-      [ <command>nsip-wait-recurse</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>qname-wait-recurse</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>nsip-enable</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>nsdname-enable</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>dnsrps-enable</command> <replaceable>yes_or_no</replaceable> ]
-      [ <command>dnsrps-options</command> { <replaceable>parameters</replaceable> } ] ; ]
-  [ <command>catalog-zones {</command>
-	<command>zone</command> <replaceable>quoted_string</replaceable>
-	  [ <option>default-masters</option> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-	      ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> [<command>port</command> <replaceable>ip_port</replaceable>] [ <command>key</command> <replaceable>key_name</replaceable>] ) ;
-		...
-	    <command>}</command> ]
-	  [ <command>zone-directory</command> <replaceable>path_name</replaceable> ]
-	  [ <command>in-memory</command> <replaceable>yes_or_no</replaceable> ]
-	  [ <command>min-update-interval</command> <replaceable>interval</replaceable> ] ;
-	...
-    <command>}</command> ; ]
-  [ <command>v6-bias</command> <replaceable>number</replaceable> ; ]
-  [ <command>trust-anchor-telemetry</command> <replaceable>yes_or_no</replaceable> ; ]
-<command>}</command> ; ]
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="options.grammar.xml"/>
       </section>
 
       <section xml:id="options"><info><title><command>options</command> Statement Definition and
@@ -10899,42 +10535,7 @@ example.com                 CNAME   rpz-tcp-only.
       </section>
 
       <section xml:id="server_statement_grammar"><info><title><command>server</command> Statement Grammar</title></info>
-
-<programlisting><command>server</command> ( <replaceable>ip_addr</replaceable> | <replaceable>ip_prefix</replaceable> ) <command>{</command>
-  [ <command>bogus</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>provide-ixfr</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>request-ixfr</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>request-expire</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>request-nsid</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>send-cookie</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>edns</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>edns-udp-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>edns-version</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-udp-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>padding</command> <replaceable>number</replaceable> ; ]
-  [ <command>tcp-only</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>tcp-keepalive</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>transfers</command> <replaceable>number</replaceable> ; ]
-  [ <command>transfer-format</command> ( one-answer | many-answers ) ; ]
-  [ <command>keys</command> <command>{</command> <replaceable>key_id</replaceable> <command>}</command> ; ]
-  [ <command>transfer-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>transfer-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>notify-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>notify-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>query-source</command> ( [ <command>address</command> ] ( <replaceable>ip_addr</replaceable> | <constant>*</constant> ) )
-      [ <command>port</command> ( <replaceable>ip_port</replaceable> | <constant>*</constant> ) ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>query-source-v6</command> ( [ <command>address</command> ] ( <replaceable>ip_addr</replaceable> | <constant>*</constant> ) )
-      [ <command>port</command> ( <replaceable>ip_port</replaceable> | <constant>*</constant> ) ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>use-queryport-pool</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>queryport-pool-ports</command> <replaceable>number</replaceable> ; ]
-  [ <command>queryport-pool-updateinterval</command> <replaceable>number</replaceable> ; ]
-<command>}</command> ;
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="server.grammar.xml"/>
 	</section>
 
 	<section xml:id="server_statement_definition_and_usage"><info><title><command>server</command> Statement Definition and
@@ -11201,13 +10802,7 @@ example.com                 CNAME   rpz-tcp-only.
 	</section>
 
       <section xml:id="statschannels"><info><title><command>statistics-channels</command> Statement Grammar</title></info>
-
-<programlisting><command>statistics-channels {</command>
-  [ <command>inet</command> ( <replaceable>ip_addr</replaceable> | <constant>*</constant> ) [ <command>port</command> <replaceable>ip_port</replaceable> ]
-      [ <command>allow { </command><replaceable> address_match_list </replaceable> <command>}</command> ] ; ]
-    ...
-<command>}</command>;
-</programlisting>
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="statistics-channels.grammar.xml"/>
       </section>
 
       <section xml:id="statistics_channels"><info><title><command>statistics-channels</command> Statement Definition and
@@ -11331,13 +10926,7 @@ example.com                 CNAME   rpz-tcp-only.
       </section>
 
 	<section xml:id="trusted-keys"><info><title><command>trusted-keys</command> Statement Grammar</title></info>
-
-<programlisting><command>trusted-keys {</command>
-  ( <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key_data</replaceable> ; )
-    ...
-<command>}</command> ;
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="trusted-keys.grammar.xml"/>
 	</section>
 	<section xml:id="trusted_keys"><info><title><command>trusted-keys</command> Statement Definition
 	    and Usage</title></info>
@@ -11384,13 +10973,7 @@ example.com                 CNAME   rpz-tcp-only.
 	</section>
 
 	<section xml:id="managed_keys"><info><title><command>managed-keys</command> Statement Grammar</title></info>
-
-<programlisting><command>managed-keys {</command>
-  ( <replaceable>domain_name</replaceable> <replaceable>initial_key</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key_data</replaceable> ; )
-    ...
-<command>}</command> ;
-</programlisting>
-
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="managed-keys.grammar.xml"/>
 	</section>
 	<section xml:id="managed-keys"><info><title><command>managed-keys</command> Statement Definition
 	    and Usage</title></info>
@@ -11656,217 +11239,15 @@ view "external" {
 	<section xml:id="zone_statement_grammar"><info><title><command>zone</command>
 	    Statement Grammar</title></info>
 
-<programlisting><command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> master ;
-  [ <command>allow-query</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query-on</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-transfer</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-update</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>update-check-ksk</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-dnskey-kskonly</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-loadkeys-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>update-policy</command> <option>local</option> | <command>{</command> <replaceable>update_policy_rule</replaceable> ; ...  <command>}</command> ; ]
-  [ <command>also-notify</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-      ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] ) [ <command>key</command> <replaceable>key_name</replaceable> ] ;
-	...
-    <command>}</command> ; ]
-  [ <command>check-names</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>check-mx</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>check-wildcard</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>check-spf</command> ( <option>warn</option> | <option>ignore</option> ); ]
-  [ <command>check-integrity</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dialup</command> <replaceable>dialup_option</replaceable> ; ]
-  [ <command>file</command> <replaceable>string</replaceable> ; ]
-  [ <command>masterfile-format</command> ( <option>text</option> | <option>raw</option> | <option>map</option> ) ; ]
-  [ <command>journal</command> <replaceable>string</replaceable> ; ]
-  [ <command>max-journal-size</command> <replaceable>size_spec</replaceable> ; ]
-  [ <command>forward</command> ( <option>only</option> | <option>first</option> ) ; ]
-  [ <command>forwarders</command> <command>{</command> [ <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ... ] <command>}</command> ; ]
-  [ <command>ixfr-base</command> <replaceable>string</replaceable> ; ]
-  [ <command>ixfr-from-differences</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>ixfr-tmp-file</command> <replaceable>string</replaceable> ; ]
-  [ <command>maintain-ixfr-base</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>max-ixfr-log-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-idle-out</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-time-out</command> <replaceable>number</replaceable> ; ]
-  [ <command>notify</command> <replaceable>yes_or_no</replaceable> | <option>explicit</option> | <option>master-only</option> ; ]
-  [ <command>notify-delay</command> <replaceable>seconds</replaceable> ; ]
-  [ <command>notify-to-soa</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>pubkey</command> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; ]
-  [ <command>notify-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>notify-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>zone-statistics</command> ( <option>full</option> | <option>terse</option> | <option>none</option> ) ; ]
-  [ <command>sig-validity-interval</command> <replaceable>number</replaceable> [ <replaceable>number</replaceable> ] ; ]
-  [ <command>sig-signing-nodes</command> <replaceable>number</replaceable> ; ]
-  [ <command>sig-signing-signatures</command> <replaceable>number</replaceable> ; ]
-  [ <command>sig-signing-type</command> <replaceable>number</replaceable> ; ]
-  [ <command>database</command> <replaceable>string</replaceable> ; ]
-  [ <command>min-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>min-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command></command><command>key-directory</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>auto-dnssec</command> ( <option>allow</option> | <option>maintain</option> | <option>off</option> ) ; ]
-  [ <command>inline-signing</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>zero-no-soa-ttl</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>serial-update-method</command> ( <option>increment</option> | <option>unixtime</option> | <option>date</option> ) ; ]
-  [ <command>max-zone-ttl</command> <replaceable>number</replaceable> ; ]
-<command>}</command> ;
-
-<command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> slave ;
-  [ <command>allow-notify</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query-on</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-transfer</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-update-forwarding</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>dnssec-update-mode</command> ( <option>maintain</option> | <option>no-resign</option> ); ]
-  [ <command>update-check-ksk</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-dnskey-kskonly</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>dnssec-loadkeys-interval</command> <replaceable>number</replaceable> ; ]
-  [ <command>dnssec-secure-to-insecure</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>try-tcp-refresh</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>also-notify</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-      ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] ) [ <command>key</command> <replaceable>key_name</replaceable> ] ;
-	...
-    <command>}</command> ; ]
-  [ <command>check-names</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>dialup</command> <replaceable>dialup_option</replaceable> ; ]
-  [ <command>file</command> <replaceable>string</replaceable> ; ]
-  [ <command>masterfile-format</command> ( <option>text</option> | <option>raw</option> | <option>map</option> ) ; ]
-  [ <command>journal</command> <replaceable>string</replaceable> ; ]
-  [ <command>max-journal-size</command> <replaceable>size_spec</replaceable> ; ]
-  [ <command>forward</command> ( <option>only</option> | <option>first</option> ) ; ]
-  [ <command>forwarders</command> <command>{</command> [ <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ... <command>}</command> ; ]
-  [ <command>ixfr-base</command> <replaceable>string</replaceable> ; ]
-  [ <command>ixfr-from-differences</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>ixfr-tmp-file</command> <replaceable>string</replaceable> ; ]
-  [ <command>request-ixfr</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>maintain-ixfr-base</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>masters</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-      ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] ) [ <command>key</command> <replaceable>key_name</replaceable> ] ;
-	...
-    <command>}</command> ; ]
-  [ <command>max-ixfr-log-size</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-idle-in</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-idle-out</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-time-in</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-time-out</command> <replaceable>number</replaceable> ; ]
-  [ <command>notify</command> ( <replaceable>yes_or_no</replaceable> | <option>explicit</option> | <option>master-only</option> ) ; ]
-  [ <command>notify-delay</command> <replaceable>seconds</replaceable> ; ]
-  [ <command>notify-to-soa</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>pubkey</command> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; ]
-  [ <command>transfer-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>transfer-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>alt-transfer-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>alt-transfer-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>use-alt-transfer-source</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>notify-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>notify-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>zone-statistics</command> ( <option>full</option> | <option>terse</option> | <option>none</option> ) ; ]
-  [ <command>sig-validity-interval</command> <replaceable>number</replaceable> [ <replaceable>number</replaceable> ] ; ]
-  [ <command>sig-signing-nodes</command> <replaceable>number</replaceable> ; ]
-  [ <command>sig-signing-signatures</command> <replaceable>number</replaceable> ; ]
-  [ <command>sig-signing-type</command> <replaceable>number</replaceable> ; ]
-  [ <command>database</command> <replaceable>string</replaceable> ; ]
-  [ <command>min-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>min-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command></command><command>key-directory</command> <replaceable>path_name</replaceable> ; ]
-  [ <command>auto-dnssec</command> ( <option>allow</option> | <option>maintain</option> | <option>off</option> ) ; ]
-  [ <command>inline-signing</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>multi-master</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>zero-no-soa-ttl</command> <replaceable>yes_or_no</replaceable> ; ]
-<command>}</command> ;
-
-<command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> hint;
-    <command>file</command> <replaceable>string</replaceable> ;
-  [ <command>delegation-only</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>check-names</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ] // Not Implemented.
-<command>}</command> ;
-
-<command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> stub;
-  [ <command>allow-query</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>allow-query-on</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>check-names</command> ( <option>warn</option> | <option>fail</option> | <option>ignore</option> ) ; ]
-  [ <command>dialup</command> <replaceable>dialup_option</replaceable> ; ]
-  [ <command>delegation-only</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>file</command> <replaceable>string</replaceable> ; ]
-  [ <command>masterfile-format</command> ( <option>text</option> | <option>raw</option> | <option>map</option> ) ; ]
-  [ <command>forward</command> ( <option>only</option> | <option>first</option> ) ; ]
-  [ <command>forwarders</command> <command>{</command> [ <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ... ] <command>}</command> ; ]
-  [ <command>masters</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-      ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] ) [ <command>key</command> <replaceable>key_name</replaceable> ] ;
-	...
-    <command>}</command> ; ]
-  [ <command>max-transfer-idle-in</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-transfer-time-in</command> <replaceable>number</replaceable> ; ]
-  [ <command>pubkey</command> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; ]
-  [ <command>transfer-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>transfer-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>alt-transfer-source</command> ( <replaceable>ip4_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>alt-transfer-source-v6</command> ( <replaceable>ip6_addr</replaceable> | <constant>*</constant> )
-      [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ]
-  [ <command>use-alt-transfer-source</command> <replaceable>yes_or_no</replaceable> ; ]
-  [ <command>zone-statistics</command> ( <option>full</option> | <option>terse</option> | <option>none</option> ) ; ]
-  [ <command>database</command> <replaceable>string</replaceable> ; ]
-  [ <command>min-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-refresh-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>min-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>max-retry-time</command> <replaceable>number</replaceable> ; ]
-  [ <command>multi-master</command> <replaceable>yes_or_no</replaceable> ; ]
-<command>}</command> ;
-
-<command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> static-stub;
-  [ <command>allow-query</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>server-addresses</command> <command>{</command> [ <replaceable>ip_addr</replaceable> ; ... <command>}</command> ; ]
-  [ <command>server-names</command> <command>{</command> [ <replaceable>namelist</replaceable> ] <command>}</command> ; ]
-  [ <command>zone-statistics</command> ( <option>full</option> | <option>terse</option> | <option>none</option> ) ; ]
-<command>}</command> ;
-
-<command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> forward;
-  [ <command>forward</command> ( <option>only</option> | <option>first</option> ) ; ]
-  [ <command>forwarders</command> <command>{</command> [ <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] ; ... <command>}</command> ; ]
-  [ <command>delegation-only</command> <replaceable>yes_or_no</replaceable> ; ]
-<command>}</command> ;
-
-<command>zone</command> <replaceable>"."</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> redirect;
-  [ <command>file</command> <replaceable>string</replaceable> ; ]
-  [ <command>masters</command> [ <command>port</command> <replaceable>ip_port</replaceable> ] [ <command>dscp</command> <replaceable>ip_dscp</replaceable> ] <command>{</command>
-      ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> [ <command>port</command> <replaceable>ip_port</replaceable> ] ) [ <command>key</command> <replaceable>key_name</replaceable> ] ;
-	...
-    <command>}</command> ; ]
-  [ <command>masterfile-format</command> ( <option>text</option> | <option>raw</option> | <option>map</option> ) ; ]
-  [ <command>allow-query</command> <command>{</command> <replaceable>address_match_list</replaceable> <command>}</command> ; ]
-  [ <command>max-zone-ttl</command> <replaceable>number</replaceable> ; ]
-<command>}</command> ;
-
-<command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-    <command>type</command> delegation-only;
-<command>}</command> ;
-
-<command>zone</command> <replaceable>zone_name</replaceable> [ <replaceable>class</replaceable> ] <command>{</command>
-  [ <command>in-view</command> <replaceable>string</replaceable> ; ]
-<command>}</command> ;
-
-</programlisting>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="master.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="slave.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="hint.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stub.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="static-stub.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="forward.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="redirect.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="delegation-only.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="in-view.zoneopt.xml"/>
 
 	</section>
 	<section xml:id="zone_statement"><info><title><command>zone</command> Statement Definition and Usage</title></info>
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 3ca88d0da0..d3ff16458d 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -935,12 +935,9 @@
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>acl</strong></span> <em class="replaceable"><code>acl-name</code></em> <span class="command"><strong>{</strong></span>
-    <em class="replaceable"><code>address_match_list</code></em>
-<span class="command"><strong>};</strong></span>
+        <pre class="programlisting">
+<span class="command"><strong>acl</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };
 </pre>
-
       </div>
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -1024,18 +1021,19 @@
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>controls {</strong></span>
-  [ <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ip_addr</code></em> | <span class="command"><strong>*</strong></span> ) [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] <span class="command"><strong>allow {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span>
-      [ <span class="command"><strong>keys {</strong></span> <em class="replaceable"><code>key_list</code></em> <span class="command"><strong>}</strong></span> ]
-      [ <span class="command"><strong>read-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ] <span class="command"><strong>;</strong></span> ]
-  [ <span class="command"><strong>unix</strong></span> <em class="replaceable"><code>path</code></em> <span class="command"><strong>perm</strong></span> <em class="replaceable"><code>number</code></em> <span class="command"><strong>owner</strong></span> <em class="replaceable"><code>number</code></em> <span class="command"><strong>group</strong></span> <em class="replaceable"><code>number</code></em>
-      [ <span class="command"><strong>keys {</strong></span> <em class="replaceable"><code>key_list</code></em> <span class="command"><strong>}</strong></span> ]
-      [ <span class="command"><strong>read-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ] <span class="command"><strong>;</strong></span> ]
-   [ ...; ]
-<span class="command"><strong>};</strong></span>
+        <pre class="programlisting">
+<span class="command"><strong>controls</strong></span> {
+	<span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
+	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow
+	    { <em class="replaceable"><code>address_match_element</code></em>; ... } [
+	    <span class="command"><strong>keys</strong></span> { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only
+	    <em class="replaceable"><code>boolean</code></em> ];
+	<span class="command"><strong>unix</strong></span> <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em>
+	    <span class="command"><strong>owner</strong></span> <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [
+	    <span class="command"><strong>keys</strong></span> { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only
+	    <em class="replaceable"><code>boolean</code></em> ];
+};
 </pre>
-
       </div>
 
       <div class="section">
@@ -1195,13 +1193,12 @@
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>algorithm</strong></span> <em class="replaceable"><code>algorithm_id</code></em><span class="command"><strong>;</strong></span>
-    <span class="command"><strong>secret</strong></span> <em class="replaceable"><code>secret_string</code></em><span class="command"><strong>;</strong></span>
-<span class="command"><strong>};</strong></span>
+        <pre class="programlisting">
+<span class="command"><strong>key</strong></span> <em class="replaceable"><code>string</code></em> {
+	<span class="command"><strong>algorithm</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>secret</strong></span> <em class="replaceable"><code>string</code></em>;
+};
 </pre>
-
       </div>
 
       <div class="section">
@@ -1257,30 +1254,23 @@
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>logging {</strong></span>
-  [ <span class="command"><strong>channel</strong></span> <em class="replaceable"><code>channel_name</code></em> <span class="command"><strong>{</strong></span>
-    ( ( <span class="command"><strong>file</strong></span> <em class="replaceable"><code>path_name</code></em>
-          [ <span class="command"><strong>versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="option">unlimited</code> ) ]
-          [ <span class="command"><strong>size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
-          [ <span class="command"><strong>suffix</strong></span> ( <code class="option">increment</code> | <code class="option">timestamp</code> ) )
-      | <span class="command"><strong>syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
-      | <span class="command"><strong>stderr</strong></span>
-      | <span class="command"><strong>null</strong></span> ) <span class="command"><strong>;</strong></span>
-      [ <span class="command"><strong>severity</strong></span> ( <code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
-                   <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ) <span class="command"><strong>;</strong></span> ]
-      [ <span class="command"><strong>print-category</strong></span> <em class="replaceable"><code>yes_or_no</code></em> <span class="command"><strong>;</strong></span> ]
-      [ <span class="command"><strong>print-severity</strong></span> <em class="replaceable"><code>yes_or_no</code></em> <span class="command"><strong>;</strong></span> ]
-      [ <span class="command"><strong>print-time</strong></span> ( <code class="option">yes</code> | <code class="option">no</code> | <code class="option">local</code> | <code class="option">iso8601</code> | <code class="option">iso8601-utc</code> ) ;
-      [ <span class="command"><strong>buffered</strong></span> <em class="replaceable"><code>yes_or_no</code></em> <span class="command"><strong>;</strong></span> ]
-    <span class="command"><strong>};</strong></span> ]
-  [ <span class="command"><strong>category</strong></span> <em class="replaceable"><code>category_name</code></em> <span class="command"><strong>{</strong></span>
-     <em class="replaceable"><code>channel_name</code></em> <span class="command"><strong>;</strong></span> ...
-    <span class="command"><strong>};</strong></span> ]
-    ...
-<span class="command"><strong>};</strong></span>
+        <pre class="programlisting">
+<span class="command"><strong>logging</strong></span> {
+	<span class="command"><strong>category</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };
+	<span class="command"><strong>channel</strong></span> <em class="replaceable"><code>string</code></em> {
+		<span class="command"><strong>buffered</strong></span> <em class="replaceable"><code>boolean</code></em>;
+		<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em> [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ]
+		    [ size <em class="replaceable"><code>size</code></em> ] [ suffix ( increment | timestamp ) ];
+		<span class="command"><strong>null</strong></span>;
+		<span class="command"><strong>print-category</strong></span> <em class="replaceable"><code>boolean</code></em>;
+		<span class="command"><strong>print-severity</strong></span> <em class="replaceable"><code>boolean</code></em>;
+		<span class="command"><strong>print-time</strong></span> ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );
+		<span class="command"><strong>severity</strong></span> <em class="replaceable"><code>log_severity</code></em>;
+		<span class="command"><strong>stderr</strong></span>;
+		<span class="command"><strong>syslog</strong></span> [ <em class="replaceable"><code>syslog_facility</code></em> ];
+	};
+};
 </pre>
-
       </div>
 
       <div class="section">
@@ -2323,15 +2313,12 @@ badresp:1,adberr:0,findfail:0,valfail:0]
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting">
-<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>name</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-  ( <em class="replaceable"><code>masters_list</code></em> <span class="command"><strong>;</strong></span> ) |
-  ( <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key</code></em> ] <span class="command"><strong>;</strong></span> )
-    ...
-<span class="command"><strong>};</strong></span>
+        <pre class="programlisting">
+<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
+    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
+    <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
+    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
 </pre>
-
       </div>
 
       <div class="section">
@@ -2354,318 +2341,301 @@ badresp:1,adberr:0,findfail:0,valfail:0]
           This is the grammar of the <span class="command"><strong>options</strong></span>
           statement in the <code class="filename">named.conf</code> file:
         </p>
-
-<pre class="programlisting"><span class="command"><strong>options {</strong></span>
-  [ <span class="command"><strong>attach-cache</strong></span> <em class="replaceable"><code>cache_name</code></em> ; ]
-  [ <span class="command"><strong>version</strong></span> <em class="replaceable"><code>version_string</code></em> ; ]
-  [ <span class="command"><strong>hostname</strong></span> <em class="replaceable"><code>hostname_string</code></em> ; ]
-  [ <span class="command"><strong>server-id</strong></span> <em class="replaceable"><code>server_id_string</code></em> ; ]
-  [ <span class="command"><strong>directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>dnstap {</strong></span> <em class="replaceable"><code>message_type</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>dnstap-output</strong></span> ( <code class="option">file</code> | <code class="option">unix</code> ) <em class="replaceable"><code>path_name</code></em> [ <span class="command"><strong>size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] [ <span class="command"><strong>versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="option">unlimited</code> ) ] ; ]
-  [ <span class="command"><strong>dnstap-identity</strong></span> ( <em class="replaceable"><code>string</code></em> | <code class="option">hostname</code> | <code class="option">none</code> ) ; ]
-  [ <span class="command"><strong>dnstap-version</strong></span> ( <em class="replaceable"><code>string</code></em> | <code class="option">none</code> ) ; ]
-  [ <span class="command"><strong>fstrm-set-buffer-hint</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>fstrm-set-flush-timeout</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>fstrm-set-input-queue-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( <code class="option">mpsc</code> | <code class="option">spsc</code> ) ; ]
-  [ <span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>geoip-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>managed-keys-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>named-xfer</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>tkey-gssapi-keytab</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>tkey-gssapi-credential</strong></span> <em class="replaceable"><code>principal</code></em> ; ]
-  [ <span class="command"><strong>tkey-domain</strong></span> <em class="replaceable"><code>domain_name</code></em> ; ]
-  [ <span class="command"><strong>tkey-dhkey</strong></span> <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em> ; ]
-  [ <span class="command"><strong>cache-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>dump-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>bindkeys-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>lock-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>secroots-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>session-keyfile</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>session-keyname</strong></span> <em class="replaceable"><code>key_name</code></em> ; ]
-  [ <span class="command"><strong>session-keyalg</strong></span> <em class="replaceable"><code>algorithm_id</code></em> ; ]
-  [ <span class="command"><strong>memstatistics</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>memstatistics-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>pid-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>recursing-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>statistics-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
-  [ <span class="command"><strong>auth-nxdomain</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>nxdomain-redirect</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>deallocate-on-exit</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
-  [ <span class="command"><strong>fake-iquery</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>fetch-glue</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>flush-zones-on-shutdown</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>has-old-clients</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>host-statistics</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>host-statistics-max</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>minimal-responses</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">no-auth</code> | <code class="option">no-auth-recursive</code> ) ; ]
-  [ <span class="command"><strong>multiple-cnames</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>notify</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">explicit</code> | <code class="option">master-only</code> ) ; ]
-  [ <span class="command"><strong>recursion</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>require-server-cookie</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>cookie-algorithm</strong></span> <em class="replaceable"><code>algorithm_id</code></em> ; ]
-  [ <span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>secret_string</code></em> ; ]
-  [ <span class="command"><strong>nocookie-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>rfc2308-type1</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>use-id-pool</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>maintain-ixfr-base</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>ixfr-from-differences</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">master</code> | <code class="option">slave</code> ) ; ]
-  [ <span class="command"><strong>auto-dnssec</strong></span> ( <code class="option">allow</code> | <code class="option">maintain</code> | <code class="option">off</code> ) ; ]
-  [ <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-validation</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">auto</code> ) ; ]
-  [ <span class="command"><strong>dnssec-lookaside</strong></span> ( <code class="option">auto</code> | <code class="option">no</code> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ) ; ]
-  [ <span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>domain yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
-  [ <span class="command"><strong>forwarders {</strong></span>
-      ( <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; )
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>dual-stack-servers</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-      ( ( <em class="replaceable"><code>domain_name</code></em> | <em class="replaceable"><code>ip_addr</code></em> ) [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; )
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>check-names</strong></span> ( <code class="option">master</code> | <code class="option">slave</code> | <code class="option">response</code> )
-                ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>check-dup-records</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>check-mx</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>check-mx-cname</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>check-srv-cname</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>check-spf</strong></span> ( <code class="option">warn</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>allow-new-zones</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>allow-notify {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query-on {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query-cache {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query-cache-on {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-transfer {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-recursion {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-recursion-on {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-update {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ]
-  [ <span class="command"><strong>allow-update-forwarding {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>automatic-interface-scan</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>geoip-use-ecs</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-update-mode</strong></span> ( <code class="option">maintain</code> | <code class="option">no-resign</code> ) ; ]
-  [ <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>allow-v6-synthesis {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>blackhole {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>keep-response-order {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>no-case-compress {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>message-compression</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>use-v4-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>avoid-v4-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>use-v6-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>avoid-v6-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>listen-on</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>listen-on-v6</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>query-source</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> ) )
-      [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="option">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ] ;
-  [ <span class="command"><strong>query-source-v6</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> ) )
-      [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="option">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ] ;
-  [ <span class="command"><strong>use-queryport-pool</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>queryport-pool-ports</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>queryport-pool-updateinterval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>reserved-sockets</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>recursive-clients</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>tcp-clients</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>fetches-per-server</strong></span> <em class="replaceable"><code>number</code></em> [ ( <code class="option">drop</code> | <code class="option">fail</code> ) ] ; ]
-  [ <span class="command"><strong>fetches-per-zone</strong></span> <em class="replaceable"><code>number</code></em> [ ( <code class="option">drop</code> | <code class="option">fail</code> ) ] ; ]
-  [ <span class="command"><strong>fetch-quota-params</strong></span> <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; ]
-  [ <span class="command"><strong>notify-rate</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>startup-notify-rate</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>serial-query-rate</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>serial-queries</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>tcp-listen-queue</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>tcp-initial-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
-  [ <span class="command"><strong>tcp-idle-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
-  [ <span class="command"><strong>tcp-keepalive-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
-  [ <span class="command"><strong>tcp-advertised-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
-  [ <span class="command"><strong>transfer-format</strong></span> ( <code class="option">one-answer</code> | <code class="option">many-answers</code> ) ; ]
-  [ <span class="command"><strong>transfer-message-size</strong></span>  <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>transfers-in</strong></span>  <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>transfers-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>transfers-per-ns</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>seconds</code></em> ; ]
-  [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>also-notify</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em>] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em>] <span class="command"><strong>{</strong></span>
-      ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>max-ixfr-log-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-journal-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
-  [ <span class="command"><strong>coresize</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
-  [ <span class="command"><strong>datasize</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
-  [ <span class="command"><strong>files</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
-  [ <span class="command"><strong>stacksize</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
-  [ <span class="command"><strong>cleaning-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>statistics-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>topology {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>sortlist {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>rrset-order {</strong></span> <em class="replaceable"><code>order_spec</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-zone-ttl</strong></span> ( <code class="option">unlimited</code> | <em class="replaceable"><code>number</code></em> ) ; ]
-  [ <span class="command"><strong>stale-answer-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>serial-update-method</strong></span> ( <code class="option">increment</code> | <code class="option">unixtime</code> | <code class="option">date</code> ) ; ]
-  [ <span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>number</code></em> [<em class="replaceable"><code>number</code></em>] ; ]
-  [ <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>min-roots</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>use-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>treat-cr-as-space</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>duration</code></em> ; ]
-  [ <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>duration</code></em> ; ]
-  [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ; ]
-  [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ; ]
-  [ <span class="command"><strong>random-device</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>max-cache-size</strong></span> <em class="replaceable"><code>size_or_percent</code></em> ; ]
-  [ <span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>filter-aaaa-on-v4</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">break-dnssec</code> ) ; ]
-  [ <span class="command"><strong>filter-aaaa-on-v6</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">break-dnssec</code> ) ; ]
-  [ <span class="command"><strong>filter-aaaa {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>dns64</strong></span> <em class="replaceable"><code>ipv6-prefix</code></em> <span class="command"><strong>{</strong></span>
-      [ <span class="command"><strong>clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-      [ <span class="command"><strong>mapped {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-      [ <span class="command"><strong>exclude {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-      [ <span class="command"><strong>suffix</strong></span> <em class="replaceable"><code>ip6-address</code></em> ; ]
-      [ <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-      [ <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>dns64-server</strong></span> <em class="replaceable"><code>name</code></em> ]
-  [ <span class="command"><strong>dns64-contact</strong></span> <em class="replaceable"><code>name</code></em> ]
-  [ <span class="command"><strong>preferred-glue</strong></span> ( <code class="option">A</code> | <code class="option">AAAA</code> | <code class="option">none</code> ); ]
-  [ <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_list</code></em> } block-size <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-rsa-exponent-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>root-delegation-only</strong></span> [ <span class="command"><strong>exclude {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span> ] ; ]
-  [ <span class="command"><strong>querylog</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>disable-algorithms</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>algorithm</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>disable-ds-digests</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>digest_type</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
-  [ <span class="command"><strong>masterfile-style</strong></span> ( <code class="option">relative</code> | <code class="option">full</code> ) ; ]
-  [ <span class="command"><strong>empty-server</strong></span> <em class="replaceable"><code>name</code></em> ; ]
-  [ <span class="command"><strong>empty-contact</strong></span> <em class="replaceable"><code>name</code></em> ; ]
-  [ <span class="command"><strong>empty-zones-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>disable-empty-zone</strong></span> <em class="replaceable"><code>zone_name</code></em> ; ]
-  [ <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>zero-no-soa-ttl-cache</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>resolver-query-timeout</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>deny-answer-addresses {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span>
-      [ <span class="command"><strong>except-from {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span> ] ; ]
-  [ <span class="command"><strong>deny-answer-aliases {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span>
-      [ <span class="command"><strong>except-from {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span> ] ; ]
-  [ <span class="command"><strong>prefetch</strong></span> <em class="replaceable"><code>number</code></em> [ <em class="replaceable"><code>number</code></em> ] ; ]
-  [ <span class="command"><strong>rate-limit {</strong></span>
-      [ <span class="command"><strong>responses-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>referrals-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>nodata-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>nxdomains-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>errors-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>all-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>window</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>log-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-      [ <span class="command"><strong>qps-scale</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>ipv4-prefix-length</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>ipv6-prefix-length</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>slip</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>exempt-clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-      [ <span class="command"><strong>max-table-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-      [ <span class="command"><strong>min-table-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>response-policy {</strong></span>
-        <span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em>
-      [ <span class="command"><strong>policy</strong></span> ( given | disabled | passthru | drop |
-                 tcp-only | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> ) ]
-      [ <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>log</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>number</code></em> ]
-      [ <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>number</code></em> ]
-      [ <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ] ;
-         ...
-    <span class="command"><strong>}</strong></span> [ <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>number</code></em> ]
-      [ <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>number</code></em> ]
-      [ <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>min-ns-dots</strong></span> <em class="replaceable"><code>number</code></em> ]
-      [ <span class="command"><strong>nsip-wait-recurse</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>qname-wait-recurse</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-      [ <span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>parameters</code></em> } ] ; ]
-  [ <span class="command"><strong>catalog-zones {</strong></span>
-        <span class="command"><strong>zone</strong></span> <em class="replaceable"><code>quoted_string</code></em>
-          [ <code class="option">default-masters</code> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-              ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em>] [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em>] ) ;
-                ...
-            <span class="command"><strong>}</strong></span> ]
-          [ <span class="command"><strong>zone-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ]
-          [ <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
-          [ <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>interval</code></em> ] ;
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>v6-bias</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>trust-anchor-telemetry</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-<span class="command"><strong>}</strong></span> ; ]
+        <pre class="programlisting">
+<span class="command"><strong>options</strong></span> {
+	<span class="command"><strong>allow-new-zones</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>allow-notify</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-cache</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-cache-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-recursion</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-recursion-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-update</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-update-forwarding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+	<span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |
+	    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>attach-cache</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>auth-nxdomain</strong></span> <em class="replaceable"><code>boolean</code></em>; // default changed
+	<span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
+	<span class="command"><strong>automatic-interface-scan</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>avoid-v4-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+	<span class="command"><strong>avoid-v6-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+	<span class="command"><strong>bindkeys-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>blackhole</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>cache-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>catalog-zones</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ default-masters [ port
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
+	    <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key
+	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [
+	    <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };
+	<span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-mx-cname</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-names</strong></span> ( primary | master |
+	    <span class="command"><strong>secondary</strong></span> | slave | response ) (
+	    <span class="command"><strong>fail</strong></span> | warn | ignore );
+	<span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>check-spf</strong></span> ( warn | ignore );
+	<span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>cleaning-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>cookie-algorithm</strong></span> ( aes | sha1 | sha256 );
+	<span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>coresize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+	<span class="command"><strong>datasize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+	<span class="command"><strong>deny-answer-addresses</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } [
+	    <span class="command"><strong>except-from</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+	<span class="command"><strong>deny-answer-aliases</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... } [ except-from {
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+	<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>disable-algorithms</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;
+	    ... };
+	<span class="command"><strong>disable-ds-digests</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;
+	    ... };
+	<span class="command"><strong>disable-empty-zone</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dns64</strong></span> <em class="replaceable"><code>netprefix</code></em> {
+		<span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
+		<span class="command"><strong>clients</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+		<span class="command"><strong>exclude</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+		<span class="command"><strong>mapped</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+		<span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+		<span class="command"><strong>suffix</strong></span> <em class="replaceable"><code>ipv6_address</code></em>;
+	};
+	<span class="command"><strong>dns64-contact</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dns64-server</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
+	<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
+	    <em class="replaceable"><code>string</code></em> | auto | no );
+	<span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
+	<span class="command"><strong>dnssec-validation</strong></span> ( yes | no | auto );
+	<span class="command"><strong>dnstap</strong></span> { ( all | auth | client | forwarder |
+	    <span class="command"><strong>resolver</strong></span> ) [ ( query | response ) ]; ... };
+	<span class="command"><strong>dnstap-identity</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none |
+	    <span class="command"><strong>hostname</strong></span> );
+	<span class="command"><strong>dnstap-output</strong></span> ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [
+	    <span class="command"><strong>size</strong></span> ( unlimited | <em class="replaceable"><code>size</code></em> ) ] [ versions (
+	    <span class="command"><strong>unlimited</strong></span> | <em class="replaceable"><code>integer</code></em> ) ] [ suffix ( increment
+	    | timestamp ) ];
+	<span class="command"><strong>dnstap-version</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>dual-stack-servers</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] ); ... };
+	<span class="command"><strong>dump-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>empty-contact</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>empty-server</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>empty-zones-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>fetch-quota-params</strong></span> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;
+	<span class="command"><strong>fetches-per-server</strong></span> <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];
+	<span class="command"><strong>fetches-per-zone</strong></span> <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];
+	<span class="command"><strong>files</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+	<span class="command"><strong>filter-aaaa</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>filter-aaaa-on-v4</strong></span> ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>filter-aaaa-on-v6</strong></span> ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>flush-zones-on-shutdown</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>forward</strong></span> ( first | only );
+	<span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+	<span class="command"><strong>fstrm-set-buffer-hint</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>fstrm-set-flush-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>fstrm-set-input-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( mpsc | spsc );
+	<span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>geoip-directory</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>geoip-use-ecs</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>hostname</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>ixfr-from-differences</strong></span> ( primary | master | secondary | slave |
+	    <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>keep-response-order</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+	<span class="command"><strong>listen-on</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
+	    <em class="replaceable"><code>integer</code></em> ] {
+	    <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>listen-on-v6</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
+	    <em class="replaceable"><code>integer</code></em> ] {
+	    <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>lmdb-mapsize</strong></span> <em class="replaceable"><code>sizeval</code></em>;
+	<span class="command"><strong>lock-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>managed-keys-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+	<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+	<span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>max-cache-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );
+	<span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+	<span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-rsa-exponent-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+	<span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+	<span class="command"><strong>memstatistics</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>memstatistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>message-compression</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>minimal-responses</strong></span> ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>no-case-compress</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>nocookie-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+	    <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+	<span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+	<span class="command"><strong>nxdomain-redirect</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>pid-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>preferred-glue</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>prefetch</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
+	    <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>query-source-v6</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]
+	    <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>querylog</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>random-device</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>rate-limit</strong></span> {
+		<span class="command"><strong>all-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>errors-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>exempt-clients</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+		<span class="command"><strong>ipv4-prefix-length</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>ipv6-prefix-length</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>log-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+		<span class="command"><strong>max-table-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>min-table-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>nodata-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>nxdomains-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>qps-scale</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>referrals-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>responses-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>slip</strong></span> <em class="replaceable"><code>integer</code></em>;
+		<span class="command"><strong>window</strong></span> <em class="replaceable"><code>integer</code></em>;
+	};
+	<span class="command"><strong>recursing-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>recursion</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>recursive-clients</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>require-server-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>reserved-sockets</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>resolver-nonbackoff-tries</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>resolver-query-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>resolver-retry-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
+	    <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [
+	    <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+	    <span class="command"><strong>policy</strong></span> ( cname | disabled | drop | given | no-op | nodata |
+	    <span class="command"><strong>nxdomain</strong></span> | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
+	    <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
+	    <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [
+	    <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+	    <span class="command"><strong>min-ns-dots</strong></span> <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [
+	    <span class="command"><strong>qname-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
+	    <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [
+	    <span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em>
+	    } ];
+	<span class="command"><strong>root-delegation-only</strong></span> [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+	<span class="command"><strong>rrset-order</strong></span> { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name
+	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };
+	<span class="command"><strong>secroots-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>serial-query-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
+	<span class="command"><strong>server-id</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );
+	<span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+	<span class="command"><strong>session-keyalg</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>session-keyfile</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>session-keyname</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>sortlist</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>stacksize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+	<span class="command"><strong>stale-answer-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+	<span class="command"><strong>startup-notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>statistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>synth-from-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>tcp-advertised-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>tcp-clients</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>tcp-idle-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>tcp-initial-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>tcp-keepalive-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>tcp-listen-queue</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>tkey-dhkey</strong></span> <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>tkey-domain</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>tkey-gssapi-credential</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>tkey-gssapi-keytab</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>transfer-format</strong></span> ( many-answers | one-answer );
+	<span class="command"><strong>transfer-message-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+	    <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>transfers-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>transfers-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>transfers-per-ns</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>trust-anchor-telemetry</strong></span> <em class="replaceable"><code>boolean</code></em>; // experimental
+	<span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>use-v4-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+	<span class="command"><strong>use-v6-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+	<span class="command"><strong>v6-bias</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>version</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+	<span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>zero-no-soa-ttl-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
 </pre>
-
       </div>
 
       <div class="section">
@@ -8441,42 +8411,40 @@ example.com                 CNAME   rpz-tcp-only.
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>server</strong></span> ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>ip_prefix</code></em> ) <span class="command"><strong>{</strong></span>
-  [ <span class="command"><strong>bogus</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>edns</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>edns-version</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>padding</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>tcp-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>tcp-keepalive</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>transfers</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>transfer-format</strong></span> ( one-answer | many-answers ) ; ]
-  [ <span class="command"><strong>keys</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>key_id</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>query-source</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip_addr</code></em> | <code class="constant">*</code> ) )
-      [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="constant">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>query-source-v6</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip_addr</code></em> | <code class="constant">*</code> ) )
-      [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="constant">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>use-queryport-pool</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>queryport-pool-ports</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>queryport-pool-updateinterval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
+        <pre class="programlisting">
+<span class="command"><strong>server</strong></span> <em class="replaceable"><code>netprefix</code></em> {
+	<span class="command"><strong>bogus</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>edns</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>edns-version</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>keys</strong></span> <em class="replaceable"><code>server_key</code></em>;
+	<span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+	    <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>padding</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
+	    <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>query-source-v6</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]
+	    <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>tcp-keepalive</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>tcp-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>transfer-format</strong></span> ( many-answers | one-answer );
+	<span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+	    <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>transfers</strong></span> <em class="replaceable"><code>integer</code></em>;
+};
 </pre>
-
         </div>
 
         <div class="section">
@@ -8747,12 +8715,13 @@ example.com                 CNAME   rpz-tcp-only.
       <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>statistics-channels {</strong></span>
-  [ <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ip_addr</code></em> | <code class="constant">*</code> ) [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ]
-      [ <span class="command"><strong>allow { </strong></span><em class="replaceable"><code> address_match_list </code></em> <span class="command"><strong>}</strong></span> ] ; ]
-    ...
-<span class="command"><strong>}</strong></span>;
+        <pre class="programlisting">
+<span class="command"><strong>statistics-channels</strong></span> {
+	<span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
+	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+	    <span class="command"><strong>allow</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ...
+	    } ];
+};
 </pre>
       </div>
 
@@ -8881,13 +8850,10 @@ example.com                 CNAME   rpz-tcp-only.
         <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>trusted-keys {</strong></span>
-  ( <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key_data</code></em> ; )
-    ...
-<span class="command"><strong>}</strong></span> ;
+        <pre class="programlisting">
+<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
 </pre>
-
         </div>
         <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -8938,13 +8904,10 @@ example.com                 CNAME   rpz-tcp-only.
         <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>managed-keys {</strong></span>
-  ( <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>initial_key</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key_data</code></em> ; )
-    ...
-<span class="command"><strong>}</strong></span> ;
+        <pre class="programlisting">
+<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
 </pre>
-
         </div>
         <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -9218,216 +9181,203 @@ view "external" {
 <a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span>
             Statement Grammar</h3></div></div></div>
 
-<pre class="programlisting"><span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> master ;
-  [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-transfer</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-update</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>update-policy</strong></span> <code class="option">local</code> | <span class="command"><strong>{</strong></span> <em class="replaceable"><code>update_policy_rule</code></em> ; ...  <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>also-notify</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-      ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>check-mx</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>check-spf</strong></span> ( <code class="option">warn</code> | <code class="option">ignore</code> ); ]
-  [ <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
-  [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
-  [ <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>max-journal-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
-  [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
-  [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... ] <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>ixfr-base</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>ixfr-tmp-file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>maintain-ixfr-base</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>max-ixfr-log-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>notify</strong></span> <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">explicit</code> | <code class="option">master-only</code> ; ]
-  [ <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>seconds</code></em> ; ]
-  [ <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>pubkey</strong></span> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
-  [ <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>number</code></em> [ <em class="replaceable"><code>number</code></em> ] ; ]
-  [ <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong></strong></span><span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>auto-dnssec</strong></span> ( <code class="option">allow</code> | <code class="option">maintain</code> | <code class="option">off</code> ) ; ]
-  [ <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>serial-update-method</strong></span> ( <code class="option">increment</code> | <code class="option">unixtime</code> | <code class="option">date</code> ) ; ]
-  [ <span class="command"><strong>max-zone-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> slave ;
-  [ <span class="command"><strong>allow-notify</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-transfer</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-update-forwarding</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>dnssec-update-mode</strong></span> ( <code class="option">maintain</code> | <code class="option">no-resign</code> ); ]
-  [ <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>also-notify</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-      ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
-  [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
-  [ <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>max-journal-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
-  [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
-  [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>ixfr-base</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>ixfr-tmp-file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>maintain-ixfr-base</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>masters</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-      ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>max-ixfr-log-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>notify</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">explicit</code> | <code class="option">master-only</code> ) ; ]
-  [ <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>seconds</code></em> ; ]
-  [ <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>pubkey</strong></span> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
-  [ <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>number</code></em> [ <em class="replaceable"><code>number</code></em> ] ; ]
-  [ <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong></strong></span><span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
-  [ <span class="command"><strong>auto-dnssec</strong></span> ( <code class="option">allow</code> | <code class="option">maintain</code> | <code class="option">off</code> ) ; ]
-  [ <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> hint;
-    <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ;
-  [ <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ] // Not Implemented.
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> stub;
-  [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
-  [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
-  [ <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
-  [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
-  [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... ] <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>masters</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-      ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>pubkey</strong></span> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
-      [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
-  [ <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
-  [ <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> static-stub;
-  [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>server-addresses</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>server-names</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>namelist</code></em> ] <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> forward;
-  [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
-  [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>"."</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> redirect;
-  [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-  [ <span class="command"><strong>masters</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
-      ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
-        ...
-    <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
-  [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>max-zone-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>type</strong></span> delegation-only;
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-  [ <span class="command"><strong>in-view</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> master;
+	<span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-update</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+	<span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
+	<span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-mx-cname</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>check-spf</strong></span> ( warn | ignore );
+	<span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
+	<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>forward</strong></span> ( first | only );
+	<span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+	<span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>journal</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+	<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+	<span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+	<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+	<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
+	<span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>update-policy</strong></span> ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };
+	<span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> slave;
+	<span class="command"><strong>allow-notify</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-update-forwarding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+	<span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
+	<span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
+	<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>forward</strong></span> ( first | only );
+	<span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+	<span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>journal</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+	<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+	<span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+	<span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+	<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> hint;
+	<span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> stub;
+	<span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+	<span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>forward</strong></span> ( first | only );
+	<span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+	<span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+	<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+	<span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+	<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+	<span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> static-stub;
+	<span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>server-addresses</strong></span> { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ]; ... };
+	<span class="command"><strong>server-names</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... };
+	<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> forward;
+	<span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>forward</strong></span> ( first | only );
+	<span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> redirect;
+	<span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+	<span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+	<span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+	<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+	<span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+	<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+	<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>type</strong></span> delegation-only;
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+	<span class="command"><strong>in-view</strong></span> <em class="replaceable"><code>string</code></em>;
+};
 </pre>
 
         </div>
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index eca7d93898..2d5afd1041 100644
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
diff --git a/doc/arm/acl.grammar.xml b/doc/arm/acl.grammar.xml
new file mode 100644
index 0000000000..3758e1de5b
--- /dev/null
+++ b/doc/arm/acl.grammar.xml
@@ -0,0 +1,13 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>acl</command> <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
+</programlisting>
diff --git a/doc/arm/controls.grammar.xml b/doc/arm/controls.grammar.xml
new file mode 100644
index 0000000000..51864c963f
--- /dev/null
+++ b/doc/arm/controls.grammar.xml
@@ -0,0 +1,23 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>controls</command> {
+	<command>inet</command> ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
+	    * ) [ port ( <replaceable>integer</replaceable> | * ) ] allow
+	    { <replaceable>address_match_element</replaceable>; ... } [
+	    <command>keys</command> { <replaceable>string</replaceable>; ... } ] [ read-only
+	    <replaceable>boolean</replaceable> ];
+	<command>unix</command> <replaceable>quoted_string</replaceable> perm <replaceable>integer</replaceable>
+	    <command>owner</command> <replaceable>integer</replaceable> group <replaceable>integer</replaceable> [
+	    <command>keys</command> { <replaceable>string</replaceable>; ... } ] [ read-only
+	    <replaceable>boolean</replaceable> ];
+};
+</programlisting>
diff --git a/doc/arm/delegation-only.zoneopt.xml b/doc/arm/delegation-only.zoneopt.xml
new file mode 100644
index 0000000000..b367fb0313
--- /dev/null
+++ b/doc/arm/delegation-only.zoneopt.xml
@@ -0,0 +1,14 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> delegation-only;
+};
+</programlisting>
diff --git a/doc/arm/forward.zoneopt.xml b/doc/arm/forward.zoneopt.xml
new file mode 100644
index 0000000000..4d8e9c1246
--- /dev/null
+++ b/doc/arm/forward.zoneopt.xml
@@ -0,0 +1,17 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> forward;
+	<command>delegation-only</command> <replaceable>boolean</replaceable>;
+	<command>forward</command> ( first | only );
+	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
+};
+</programlisting>
diff --git a/doc/arm/hint.zoneopt.xml b/doc/arm/hint.zoneopt.xml
new file mode 100644
index 0000000000..d2716aa4a0
--- /dev/null
+++ b/doc/arm/hint.zoneopt.xml
@@ -0,0 +1,17 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> hint;
+	<command>check-names</command> ( fail | warn | ignore );
+	<command>delegation-only</command> <replaceable>boolean</replaceable>;
+	<command>file</command> <replaceable>quoted_string</replaceable>;
+};
+</programlisting>
diff --git a/doc/arm/in-view.zoneopt.xml b/doc/arm/in-view.zoneopt.xml
new file mode 100644
index 0000000000..729a66219c
--- /dev/null
+++ b/doc/arm/in-view.zoneopt.xml
@@ -0,0 +1,14 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>in-view</command> <replaceable>string</replaceable>;
+};
+</programlisting>
diff --git a/doc/arm/key.grammar.xml b/doc/arm/key.grammar.xml
new file mode 100644
index 0000000000..2fceb9cd69
--- /dev/null
+++ b/doc/arm/key.grammar.xml
@@ -0,0 +1,16 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>key</command> <replaceable>string</replaceable> {
+	<command>algorithm</command> <replaceable>string</replaceable>;
+	<command>secret</command> <replaceable>string</replaceable>;
+};
+</programlisting>
diff --git a/doc/arm/logging.grammar.xml b/doc/arm/logging.grammar.xml
new file mode 100644
index 0000000000..f9b3130125
--- /dev/null
+++ b/doc/arm/logging.grammar.xml
@@ -0,0 +1,27 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>logging</command> {
+	<command>category</command> <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
+	<command>channel</command> <replaceable>string</replaceable> {
+		<command>buffered</command> <replaceable>boolean</replaceable>;
+		<command>file</command> <replaceable>quoted_string</replaceable> [ versions ( unlimited | <replaceable>integer</replaceable> ) ]
+		    [ size <replaceable>size</replaceable> ] [ suffix ( increment | timestamp ) ];
+		<command>null</command>;
+		<command>print-category</command> <replaceable>boolean</replaceable>;
+		<command>print-severity</command> <replaceable>boolean</replaceable>;
+		<command>print-time</command> ( iso8601 | iso8601-utc | local | <replaceable>boolean</replaceable> );
+		<command>severity</command> <replaceable>log_severity</replaceable>;
+		<command>stderr</command>;
+		<command>syslog</command> [ <replaceable>syslog_facility</replaceable> ];
+	};
+};
+</programlisting>
diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index b59af7caa1..040a195639 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -89,14 +89,14 @@ acl
     <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
-	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] allow<br>
-	    { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
-	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow<br>
+	    { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> ];<br>
 	unix <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em><br>
-	    owner <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [<span class="optional"><br>
-	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
-	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	    owner <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [<br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> ];<br>
 };<br>
 </p></div>
   </div>
@@ -140,20 +140,21 @@ logging
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
 		buffered <em class="replaceable"><code>boolean</code></em>;<br>
-		file <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) </span>]<br>
-		    [<span class="optional"> size <em class="replaceable"><code>size</code></em> </span>] [<span class="optional"> suffix ( increment | timestamp ) </span>];<br>
+		file <em class="replaceable"><code>quoted_string</code></em> [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ]<br>
+		    [ size <em class="replaceable"><code>size</code></em> ] [ suffix ( increment | timestamp ) ];<br>
 		null;<br>
 		print-category <em class="replaceable"><code>boolean</code></em>;<br>
 		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
 		print-time ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );<br>
 		severity <em class="replaceable"><code>log_severity</code></em>;<br>
 		stderr;<br>
-		syslog [<span class="optional"> <em class="replaceable"><code>syslog_facility</code></em> </span>];<br>
+		syslog [ <em class="replaceable"><code>syslog_facility</code></em> ];<br>
 	};<br>
 };<br>
 </p></div>
   </div>
 
+
   <div class="refsection">
 <a name="id-1.14.27.14"></a><h2>MANAGED-KEYS</h2>
 
@@ -167,10 +168,10 @@ managed-keys
 <a name="id-1.14.27.15"></a><h2>MASTERS</h2>
 
     <div class="literallayout"><p><br>
-masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
-    <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
+    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
+    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
 </p></div>
   </div>
 
@@ -179,10 +180,6 @@ masters
 
     <div class="literallayout"><p><br>
 options {<br>
-	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -194,13 +191,13 @@ options
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	attach-cache <em class="replaceable"><code>string</code></em>;<br>
 	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
 	auto-dnssec ( allow | maintain | off );<br>
@@ -210,17 +207,18 @@ options
 	bindkeys-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
-	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [ default-masters [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
+	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
+	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
 	check-mx-cname ( fail | warn | ignore );<br>
-	check-names ( master | slave | response<br>
-	    ) ( fail | warn | ignore );<br>
+	check-names ( primary | master |<br>
+	    secondary | slave | response ) (<br>
+	    fail | warn | ignore );<br>
 	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
 	check-spf ( warn | ignore );<br>
 	check-srv-cname ( fail | warn | ignore );<br>
@@ -231,10 +229,10 @@ options
 	cookie-secret <em class="replaceable"><code>string</code></em>;<br>
 	coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
-	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
-	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [ except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
 	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
@@ -252,6 +250,8 @@ options
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -263,35 +263,35 @@ options
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
 	dnstap { ( all | auth | client | forwarder |<br>
-	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
+	    resolver ) [ ( query | response ) ]; ... };<br>
 	dnstap-identity ( <em class="replaceable"><code>quoted_string</code></em> | none |<br>
 	    hostname );<br>
-	dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"><br>
-	    size ( unlimited | <em class="replaceable"><code>size</code></em> ) </span>] [<span class="optional"> versions (<br>
-	    unlimited | <em class="replaceable"><code>integer</code></em> ) </span>] [<span class="optional"> suffix ( increment<br>
-	    | timestamp ) </span>];<br>
+	dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [<br>
+	    size ( unlimited | <em class="replaceable"><code>size</code></em> ) ] [ versions (<br>
+	    unlimited | <em class="replaceable"><code>integer</code></em> ) ] [ suffix ( increment<br>
+	    | timestamp ) ];<br>
 	dnstap-version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	dscp <em class="replaceable"><code>integer</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
+	dual-stack-servers [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] ); ... };<br>
 	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	empty-contact <em class="replaceable"><code>string</code></em>;<br>
 	empty-server <em class="replaceable"><code>string</code></em>;<br>
 	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
-	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
-	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
 	files ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	flush-zones-on-shutdown <em class="replaceable"><code>boolean</code></em>;<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	fstrm-set-buffer-hint <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-flush-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-input-queue-size <em class="replaceable"><code>integer</code></em>;<br>
@@ -300,20 +300,22 @@ options
 	fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
 	geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	geoip-use-ecs ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	geoip-use-ecs <em class="replaceable"><code>boolean</code></em>;<br>
+	glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
 	hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
-	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
+	ixfr-from-differences ( primary | master | secondary | slave |<br>
+	    <em class="replaceable"><code>boolean</code></em> );<br>
 	keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
+	    <em class="replaceable"><code>integer</code></em> ] {<br>
 	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	listen-on-v6 [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
+	    <em class="replaceable"><code>integer</code></em> ] {<br>
 	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
 	lock-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
@@ -321,11 +323,10 @@ options
 	masterfile-format ( map | raw | text );<br>
 	masterfile-style ( full | relative );<br>
 	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
-	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
-	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
@@ -333,6 +334,7 @@ options
 	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -347,33 +349,33 @@ options
 	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
 	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	new-zones-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
 	notify-rate <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
 	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
 	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
 	pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	port <em class="replaceable"><code>integer</code></em>;<br>
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	querylog <em class="replaceable"><code>boolean</code></em>;<br>
-	random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
+	random-device ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	rate-limit {<br>
 		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
 		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
@@ -399,20 +401,26 @@ options
 	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
 	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-nonbackoff-tries <em class="replaceable"><code>integer</code></em>;<br>
 	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
-	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
-	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
-	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
+	    } ];<br>
+	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
@@ -425,9 +433,11 @@ options
 	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
 	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
@@ -443,10 +453,10 @@ options
 	tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
 	transfer-message-size <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	transfers-in <em class="replaceable"><code>integer</code></em>;<br>
 	transfers-out <em class="replaceable"><code>integer</code></em>;<br>
 	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
@@ -476,18 +486,18 @@ server
 	edns-version <em class="replaceable"><code>integer</code></em>;<br>
 	keys <em class="replaceable"><code>server_key</code></em>;<br>
 	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	padding <em class="replaceable"><code>integer</code></em>;<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
@@ -495,10 +505,10 @@ server
 	tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
 	tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	transfers <em class="replaceable"><code>integer</code></em>;<br>
 };<br>
 </p></div>
@@ -510,9 +520,9 @@ server
     <div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
-	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
 	    allow { <em class="replaceable"><code>address_match_element</code></em>; ...<br>
-	    } </span>];<br>
+	    } ];<br>
 };<br>
 </p></div>
   </div>
@@ -530,11 +540,7 @@ trusted-keys
 <a name="id-1.14.27.20"></a><h2>VIEW</h2>
 
     <div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
-	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
+view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -546,38 +552,39 @@ view
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	attach-cache <em class="replaceable"><code>string</code></em>;<br>
 	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
 	auto-dnssec ( allow | maintain | off );<br>
 	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
-	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [ default-masters [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
+	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
+	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
 	check-mx-cname ( fail | warn | ignore );<br>
-	check-names ( master | slave | response<br>
-	    ) ( fail | warn | ignore );<br>
+	check-names ( primary | master |<br>
+	    secondary | slave | response ) (<br>
+	    fail | warn | ignore );<br>
 	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
 	check-spf ( warn | ignore );<br>
 	check-srv-cname ( fail | warn | ignore );<br>
 	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
-	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
-	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [ except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
 	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
 	    ... };<br>
@@ -598,6 +605,8 @@ view
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -609,11 +618,11 @@ view
 	dnssec-update-mode ( maintain | no-resign );<br>
 	dnssec-validation ( yes | no | auto );<br>
 	dnstap { ( all | auth | client | forwarder |<br>
-	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
+	    resolver ) [ ( query | response ) ]; ... };<br>
+	dual-stack-servers [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] ); ... };<br>
 	dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
 	    <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
@@ -621,16 +630,18 @@ view
 	empty-server <em class="replaceable"><code>string</code></em>;<br>
 	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
-	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
-	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];<br>
 	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+	glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
-	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
+	ixfr-from-differences ( primary | master | secondary | slave |<br>
+	    <em class="replaceable"><code>boolean</code></em> );<br>
 	key <em class="replaceable"><code>string</code></em> {<br>
 		algorithm <em class="replaceable"><code>string</code></em>;<br>
 		secret <em class="replaceable"><code>string</code></em>;<br>
@@ -646,17 +657,17 @@ view
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
-	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
 	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -669,28 +680,28 @@ view
 	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
 	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	new-zones-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
 	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
 	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	rate-limit {<br>
 		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
 		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
@@ -713,20 +724,26 @@ view
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
 	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	resolver-nonbackoff-tries <em class="replaceable"><code>integer</code></em>;<br>
 	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
-	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
-	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
-	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
+	    } ];<br>
+	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-update-method ( date | increment | unixtime );<br>
 	server <em class="replaceable"><code>netprefix</code></em> {<br>
@@ -736,20 +753,20 @@ view
 		edns-version <em class="replaceable"><code>integer</code></em>;<br>
 		keys <em class="replaceable"><code>server_key</code></em>;<br>
 		max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
-		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
-		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		padding <em class="replaceable"><code>integer</code></em>;<br>
 		provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-		query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port<br>
-		    ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
-		    <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
-		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"><br>
-		    port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
-		    <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
-		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port<br>
+		    ( <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | * ) ] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<br>
+		    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		query-source-v6 ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<br>
+		    port ( <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] (<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> | * ) ] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<br>
+		    dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 		request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
@@ -757,24 +774,26 @@ view
 		tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
 		tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
 		transfer-format ( many-answers | one-answer );<br>
-		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		transfers <em class="replaceable"><code>integer</code></em>;<br>
 	};<br>
 	servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
 	trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
 	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
@@ -785,21 +804,21 @@ view
 	v6-bias <em class="replaceable"><code>integer</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+	zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 		allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-		also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
-		    <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] |<br>
-		    <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>];<br>
+		also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { (<br>
+		    <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] |<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ];<br>
 		    ... };<br>
-		alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		auto-dnssec ( allow | maintain | off );<br>
 		check-dup-records ( fail | warn | ignore );<br>
 		check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
@@ -821,9 +840,9 @@ view
 		dnssec-update-mode ( maintain | no-resign );<br>
 		file <em class="replaceable"><code>quoted_string</code></em>;<br>
 		forward ( first | only );<br>
-		forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
-		    <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-		    dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [<br>
+		    dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 		in-view <em class="replaceable"><code>string</code></em>;<br>
 		inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 		ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
@@ -831,11 +850,11 @@ view
 		key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 		masterfile-format ( map | raw | text );<br>
 		masterfile-style ( full | relative );<br>
-		masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em><br>
-		    | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"><br>
-		    port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+		masters [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em><br>
+		    | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [<br>
+		    port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
 		max-ixfr-log-size ( default | unlimited |<br>
-		max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+		max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 		max-records <em class="replaceable"><code>integer</code></em>;<br>
 		max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 		max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
@@ -849,38 +868,38 @@ view
 		multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 		notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 		notify-delay <em class="replaceable"><code>integer</code></em>;<br>
-		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
-		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
-		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-		nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 		pubkey <em class="replaceable"><code>integer</code></em><br>
 		    <em class="replaceable"><code>integer</code></em><br>
 		    <em class="replaceable"><code>integer</code></em><br>
 		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 		serial-update-method ( date | increment | unixtime );<br>
-		server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"><br>
-		    port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<br>
+		    port <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 		server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 		sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 		sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 		sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-		sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
-		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 		try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-		type ( delegation-only | forward | hint | master | redirect<br>
-		    | slave | static-stub | stub );<br>
+		type ( primary | master | secondary | slave |<br>
+		    delegation-only | forward | hint | redirect |<br>
+		    static-stub | stub );<br>
 		update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 		update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> (<br>
 		    6to4-self | external | krb5-self | krb5-subdomain |<br>
 		    ms-self | ms-subdomain | name | self | selfsub |<br>
 		    selfwild | subdomain | tcp-self | wildcard | zonesub )<br>
-		    [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+		    [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
 		use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
 		zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 		zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
@@ -894,20 +913,20 @@ view
 <a name="id-1.14.27.21"></a><h2>ZONE</h2>
 
     <div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	also-notify [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	auto-dnssec ( allow | maintain | off );<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
@@ -928,8 +947,8 @@ zone
 	dnssec-update-mode ( maintain | no-resign );<br>
 	file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	forwarders [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	in-view <em class="replaceable"><code>string</code></em>;<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
@@ -937,10 +956,10 @@ zone
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	masterfile-format ( map | raw | text );<br>
 	masterfile-style ( full | relative );<br>
-	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	masters [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
+	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
@@ -954,35 +973,34 @@ zone
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
+	    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
 	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
 	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-update-method ( date | increment | unixtime );<br>
-	server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port<br>
-	    <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port<br>
+	    <em class="replaceable"><code>integer</code></em> ]; ... };<br>
 	server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
+	    dscp <em class="replaceable"><code>integer</code></em> ];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	type ( delegation-only | forward | hint | master | redirect | slave<br>
-	    | static-stub | stub );<br>
+	type ( primary | master | secondary | slave | delegation-only |<br>
+	    forward | hint | redirect | static-stub | stub );<br>
 	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 	update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
 	    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
 	    | name | self | selfsub | selfwild | subdomain | tcp-self |<br>
-	    wildcard | zonesub ) [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+	    wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
diff --git a/doc/arm/managed-keys.grammar.xml b/doc/arm/managed-keys.grammar.xml
new file mode 100644
index 0000000000..3377a80cb4
--- /dev/null
+++ b/doc/arm/managed-keys.grammar.xml
@@ -0,0 +1,14 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>managed-keys</command> { <replaceable>string</replaceable> <replaceable>string</replaceable> <replaceable>integer</replaceable>
+    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
+</programlisting>
diff --git a/doc/arm/master.zoneopt.xml b/doc/arm/master.zoneopt.xml
new file mode 100644
index 0000000000..8801e33dc1
--- /dev/null
+++ b/doc/arm/master.zoneopt.xml
@@ -0,0 +1,66 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> ( master | primary );
+	<command>allow-query</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-transfer</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-update</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>also-notify</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	<command>alt-transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>alt-transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>auto-dnssec</command> ( allow | maintain | off );
+	<command>check-dup-records</command> ( fail | warn | ignore );
+	<command>check-integrity</command> <replaceable>boolean</replaceable>;
+	<command>check-mx</command> ( fail | warn | ignore );
+	<command>check-mx-cname</command> ( fail | warn | ignore );
+	<command>check-names</command> ( fail | warn | ignore );
+	<command>check-sibling</command> <replaceable>boolean</replaceable>;
+	<command>check-spf</command> ( warn | ignore );
+	<command>check-srv-cname</command> ( fail | warn | ignore );
+	<command>check-wildcard</command> <replaceable>boolean</replaceable>;
+	<command>database</command> <replaceable>string</replaceable>;
+	<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
+	<command>dlz</command> <replaceable>string</replaceable>;
+	<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
+	<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
+	<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
+	<command>dnssec-update-mode</command> ( maintain | no-resign );
+	<command>file</command> <replaceable>quoted_string</replaceable>;
+	<command>forward</command> ( first | only );
+	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
+	<command>inline-signing</command> <replaceable>boolean</replaceable>;
+	<command>ixfr-from-differences</command> <replaceable>boolean</replaceable>;
+	<command>journal</command> <replaceable>quoted_string</replaceable>;
+	<command>key-directory</command> <replaceable>quoted_string</replaceable>;
+	<command>masterfile-format</command> ( map | raw | text );
+	<command>masterfile-style</command> ( full | relative );
+	<command>max-journal-size</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+	<command>max-records</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-idle-out</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-time-out</command> <replaceable>integer</replaceable>;
+	<command>max-zone-ttl</command> ( unlimited | <replaceable>ttlval</replaceable> );
+	<command>notify</command> ( explicit | master-only | <replaceable>boolean</replaceable> );
+	<command>notify-delay</command> <replaceable>integer</replaceable>;
+	<command>notify-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>notify-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>notify-to-soa</command> <replaceable>boolean</replaceable>;
+	<command>serial-update-method</command> ( date | increment | unixtime );
+	<command>sig-signing-nodes</command> <replaceable>integer</replaceable>;
+	<command>sig-signing-signatures</command> <replaceable>integer</replaceable>;
+	<command>sig-signing-type</command> <replaceable>integer</replaceable>;
+	<command>sig-validity-interval</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
+	<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
+	<command>update-policy</command> ( local | { ( deny | grant ) <replaceable>string</replaceable> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
+	<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
+	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
+};
+</programlisting>
diff --git a/doc/arm/masters.grammar.xml b/doc/arm/masters.grammar.xml
new file mode 100644
index 0000000000..f76d9026ac
--- /dev/null
+++ b/doc/arm/masters.grammar.xml
@@ -0,0 +1,16 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>masters</command> <replaceable>string</replaceable> [ port <replaceable>integer</replaceable> ] [ dscp
+    <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
+    <command>port</command> <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+    <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+</programlisting>
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index 6dc2536f1c..663abae8a0 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
new file mode 100644
index 0000000000..d6898e0c1c
--- /dev/null
+++ b/doc/arm/options.grammar.xml
@@ -0,0 +1,305 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>options</command> {
+	<command>allow-new-zones</command> <replaceable>boolean</replaceable>;
+	<command>allow-notify</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-cache</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-cache-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-recursion</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-recursion-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-transfer</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-update</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-update-forwarding</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>also-notify</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> |
+	    <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	<command>alt-transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
+	<command>alt-transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
+	    * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>attach-cache</command> <replaceable>string</replaceable>;
+	<command>auth-nxdomain</command> <replaceable>boolean</replaceable>; // default changed
+	<command>auto-dnssec</command> ( allow | maintain | off );
+	<command>automatic-interface-scan</command> <replaceable>boolean</replaceable>;
+	<command>avoid-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
+	<command>avoid-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
+	<command>bindkeys-file</command> <replaceable>quoted_string</replaceable>;
+	<command>blackhole</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>cache-file</command> <replaceable>quoted_string</replaceable>;
+	<command>catalog-zones</command> { zone <replaceable>quoted_string</replaceable> [ default-masters [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
+	    <command>port</command> <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
+	    <replaceable>string</replaceable> ]; ... } ] [ zone-directory <replaceable>quoted_string</replaceable> ] [
+	    <command>in-memory</command> <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ]; ... };
+	<command>check-dup-records</command> ( fail | warn | ignore );
+	<command>check-integrity</command> <replaceable>boolean</replaceable>;
+	<command>check-mx</command> ( fail | warn | ignore );
+	<command>check-mx-cname</command> ( fail | warn | ignore );
+	<command>check-names</command> ( primary | master |
+	    <command>secondary</command> | slave | response ) (
+	    <command>fail</command> | warn | ignore );
+	<command>check-sibling</command> <replaceable>boolean</replaceable>;
+	<command>check-spf</command> ( warn | ignore );
+	<command>check-srv-cname</command> ( fail | warn | ignore );
+	<command>check-wildcard</command> <replaceable>boolean</replaceable>;
+	<command>cleaning-interval</command> <replaceable>integer</replaceable>;
+	<command>clients-per-query</command> <replaceable>integer</replaceable>;
+	<command>cookie-algorithm</command> ( aes | sha1 | sha256 );
+	<command>cookie-secret</command> <replaceable>string</replaceable>;
+	<command>coresize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+	<command>datasize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+	<command>deny-answer-addresses</command> { <replaceable>address_match_element</replaceable>; ... } [
+	    <command>except-from</command> { <replaceable>quoted_string</replaceable>; ... } ];
+	<command>deny-answer-aliases</command> { <replaceable>quoted_string</replaceable>; ... } [ except-from {
+	    <replaceable>quoted_string</replaceable>; ... } ];
+	<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
+	<command>directory</command> <replaceable>quoted_string</replaceable>;
+	<command>disable-algorithms</command> <replaceable>string</replaceable> { <replaceable>string</replaceable>;
+	    ... };
+	<command>disable-ds-digests</command> <replaceable>string</replaceable> { <replaceable>string</replaceable>;
+	    ... };
+	<command>disable-empty-zone</command> <replaceable>string</replaceable>;
+	<command>dns64</command> <replaceable>netprefix</replaceable> {
+		<command>break-dnssec</command> <replaceable>boolean</replaceable>;
+		<command>clients</command> { <replaceable>address_match_element</replaceable>; ... };
+		<command>exclude</command> { <replaceable>address_match_element</replaceable>; ... };
+		<command>mapped</command> { <replaceable>address_match_element</replaceable>; ... };
+		<command>recursive-only</command> <replaceable>boolean</replaceable>;
+		<command>suffix</command> <replaceable>ipv6_address</replaceable>;
+	};
+	<command>dns64-contact</command> <replaceable>string</replaceable>;
+	<command>dns64-server</command> <replaceable>string</replaceable>;
+	<command>dnsrps-enable</command> <replaceable>boolean</replaceable>;
+	<command>dnsrps-options</command> { <replaceable>unspecified-text</replaceable> };
+	<command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>;
+	<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
+	<command>dnssec-enable</command> <replaceable>boolean</replaceable>;
+	<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
+	<command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor
+	    <replaceable>string</replaceable> | auto | no );
+	<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
+	<command>dnssec-update-mode</command> ( maintain | no-resign );
+	<command>dnssec-validation</command> ( yes | no | auto );
+	<command>dnstap</command> { ( all | auth | client | forwarder |
+	    <command>resolver</command> ) [ ( query | response ) ]; ... };
+	<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none |
+	    <command>hostname</command> );
+	<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [
+	    <command>size</command> ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
+	    <command>unlimited</command> | <replaceable>integer</replaceable> ) ] [ suffix ( increment
+	    | timestamp ) ];
+	<command>dnstap-version</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>dscp</command> <replaceable>integer</replaceable>;
+	<command>dual-stack-servers</command> [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
+	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] ); ... };
+	<command>dump-file</command> <replaceable>quoted_string</replaceable>;
+	<command>edns-udp-size</command> <replaceable>integer</replaceable>;
+	<command>empty-contact</command> <replaceable>string</replaceable>;
+	<command>empty-server</command> <replaceable>string</replaceable>;
+	<command>empty-zones-enable</command> <replaceable>boolean</replaceable>;
+	<command>fetch-quota-params</command> <replaceable>integer</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable>;
+	<command>fetches-per-server</command> <replaceable>integer</replaceable> [ ( drop | fail ) ];
+	<command>fetches-per-zone</command> <replaceable>integer</replaceable> [ ( drop | fail ) ];
+	<command>files</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+	<command>filter-aaaa</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>filter-aaaa-on-v4</command> ( break-dnssec | <replaceable>boolean</replaceable> );
+	<command>filter-aaaa-on-v6</command> ( break-dnssec | <replaceable>boolean</replaceable> );
+	<command>flush-zones-on-shutdown</command> <replaceable>boolean</replaceable>;
+	<command>forward</command> ( first | only );
+	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable>
+	    | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
+	<command>fstrm-set-buffer-hint</command> <replaceable>integer</replaceable>;
+	<command>fstrm-set-flush-timeout</command> <replaceable>integer</replaceable>;
+	<command>fstrm-set-input-queue-size</command> <replaceable>integer</replaceable>;
+	<command>fstrm-set-output-notify-threshold</command> <replaceable>integer</replaceable>;
+	<command>fstrm-set-output-queue-model</command> ( mpsc | spsc );
+	<command>fstrm-set-output-queue-size</command> <replaceable>integer</replaceable>;
+	<command>fstrm-set-reopen-interval</command> <replaceable>integer</replaceable>;
+	<command>geoip-directory</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>geoip-use-ecs</command> <replaceable>boolean</replaceable>;
+	<command>glue-cache</command> <replaceable>boolean</replaceable>;
+	<command>heartbeat-interval</command> <replaceable>integer</replaceable>;
+	<command>hostname</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>inline-signing</command> <replaceable>boolean</replaceable>;
+	<command>interface-interval</command> <replaceable>integer</replaceable>;
+	<command>ixfr-from-differences</command> ( primary | master | secondary | slave |
+	    <replaceable>boolean</replaceable> );
+	<command>keep-response-order</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>key-directory</command> <replaceable>quoted_string</replaceable>;
+	<command>lame-ttl</command> <replaceable>ttlval</replaceable>;
+	<command>listen-on</command> [ port <replaceable>integer</replaceable> ] [ dscp
+	    <replaceable>integer</replaceable> ] {
+	    <replaceable>address_match_element</replaceable>; ... };
+	<command>listen-on-v6</command> [ port <replaceable>integer</replaceable> ] [ dscp
+	    <replaceable>integer</replaceable> ] {
+	    <replaceable>address_match_element</replaceable>; ... };
+	<command>lmdb-mapsize</command> <replaceable>sizeval</replaceable>;
+	<command>lock-file</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>managed-keys-directory</command> <replaceable>quoted_string</replaceable>;
+	<command>masterfile-format</command> ( map | raw | text );
+	<command>masterfile-style</command> ( full | relative );
+	<command>match-mapped-addresses</command> <replaceable>boolean</replaceable>;
+	<command>max-cache-size</command> ( default | unlimited | <replaceable>sizeval</replaceable> | <replaceable>percentage</replaceable> );
+	<command>max-cache-ttl</command> <replaceable>integer</replaceable>;
+	<command>max-clients-per-query</command> <replaceable>integer</replaceable>;
+	<command>max-journal-size</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+	<command>max-ncache-ttl</command> <replaceable>integer</replaceable>;
+	<command>max-records</command> <replaceable>integer</replaceable>;
+	<command>max-recursion-depth</command> <replaceable>integer</replaceable>;
+	<command>max-recursion-queries</command> <replaceable>integer</replaceable>;
+	<command>max-refresh-time</command> <replaceable>integer</replaceable>;
+	<command>max-retry-time</command> <replaceable>integer</replaceable>;
+	<command>max-rsa-exponent-size</command> <replaceable>integer</replaceable>;
+	<command>max-stale-ttl</command> <replaceable>ttlval</replaceable>;
+	<command>max-transfer-idle-in</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-idle-out</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-time-in</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-time-out</command> <replaceable>integer</replaceable>;
+	<command>max-udp-size</command> <replaceable>integer</replaceable>;
+	<command>max-zone-ttl</command> ( unlimited | <replaceable>ttlval</replaceable> );
+	<command>memstatistics</command> <replaceable>boolean</replaceable>;
+	<command>memstatistics-file</command> <replaceable>quoted_string</replaceable>;
+	<command>message-compression</command> <replaceable>boolean</replaceable>;
+	<command>min-refresh-time</command> <replaceable>integer</replaceable>;
+	<command>min-retry-time</command> <replaceable>integer</replaceable>;
+	<command>minimal-any</command> <replaceable>boolean</replaceable>;
+	<command>minimal-responses</command> ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
+	<command>multi-master</command> <replaceable>boolean</replaceable>;
+	<command>new-zones-directory</command> <replaceable>quoted_string</replaceable>;
+	<command>no-case-compress</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>nocookie-udp-size</command> <replaceable>integer</replaceable>;
+	<command>notify</command> ( explicit | master-only | <replaceable>boolean</replaceable> );
+	<command>notify-delay</command> <replaceable>integer</replaceable>;
+	<command>notify-rate</command> <replaceable>integer</replaceable>;
+	<command>notify-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    <command>dscp</command> <replaceable>integer</replaceable> ];
+	<command>notify-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
+	    [ dscp <replaceable>integer</replaceable> ];
+	<command>notify-to-soa</command> <replaceable>boolean</replaceable>;
+	<command>nta-lifetime</command> <replaceable>ttlval</replaceable>;
+	<command>nta-recheck</command> <replaceable>ttlval</replaceable>;
+	<command>nxdomain-redirect</command> <replaceable>string</replaceable>;
+	<command>pid-file</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>port</command> <replaceable>integer</replaceable>;
+	<command>preferred-glue</command> <replaceable>string</replaceable>;
+	<command>prefetch</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
+	<command>provide-ixfr</command> <replaceable>boolean</replaceable>;
+	<command>query-source</command> ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
+	    <command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
+	<command>query-source-v6</command> ( ( [ address ] ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv6_address</replaceable> | * ) ]
+	    <command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
+	<command>querylog</command> <replaceable>boolean</replaceable>;
+	<command>random-device</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>rate-limit</command> {
+		<command>all-per-second</command> <replaceable>integer</replaceable>;
+		<command>errors-per-second</command> <replaceable>integer</replaceable>;
+		<command>exempt-clients</command> { <replaceable>address_match_element</replaceable>; ... };
+		<command>ipv4-prefix-length</command> <replaceable>integer</replaceable>;
+		<command>ipv6-prefix-length</command> <replaceable>integer</replaceable>;
+		<command>log-only</command> <replaceable>boolean</replaceable>;
+		<command>max-table-size</command> <replaceable>integer</replaceable>;
+		<command>min-table-size</command> <replaceable>integer</replaceable>;
+		<command>nodata-per-second</command> <replaceable>integer</replaceable>;
+		<command>nxdomains-per-second</command> <replaceable>integer</replaceable>;
+		<command>qps-scale</command> <replaceable>integer</replaceable>;
+		<command>referrals-per-second</command> <replaceable>integer</replaceable>;
+		<command>responses-per-second</command> <replaceable>integer</replaceable>;
+		<command>slip</command> <replaceable>integer</replaceable>;
+		<command>window</command> <replaceable>integer</replaceable>;
+	};
+	<command>recursing-file</command> <replaceable>quoted_string</replaceable>;
+	<command>recursion</command> <replaceable>boolean</replaceable>;
+	<command>recursive-clients</command> <replaceable>integer</replaceable>;
+	<command>request-expire</command> <replaceable>boolean</replaceable>;
+	<command>request-ixfr</command> <replaceable>boolean</replaceable>;
+	<command>request-nsid</command> <replaceable>boolean</replaceable>;
+	<command>require-server-cookie</command> <replaceable>boolean</replaceable>;
+	<command>reserved-sockets</command> <replaceable>integer</replaceable>;
+	<command>resolver-nonbackoff-tries</command> <replaceable>integer</replaceable>;
+	<command>resolver-query-timeout</command> <replaceable>integer</replaceable>;
+	<command>resolver-retry-interval</command> <replaceable>integer</replaceable>;
+	<command>response-padding</command> { <replaceable>address_match_element</replaceable>; ... } block-size
+	    <replaceable>integer</replaceable>;
+	<command>response-policy</command> { zone <replaceable>quoted_string</replaceable> [ log <replaceable>boolean</replaceable> ] [
+	    <command>max-policy-ttl</command> <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ] [
+	    <command>policy</command> ( cname | disabled | drop | given | no-op | nodata |
+	    <command>nxdomain</command> | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
+	    <command>recursive-only</command> <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
+	    <command>nsdname-enable</command> <replaceable>boolean</replaceable> ]; ... } [ break-dnssec <replaceable>boolean</replaceable> ] [
+	    <command>max-policy-ttl</command> <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>integer</replaceable> ] [
+	    <command>min-ns-dots</command> <replaceable>integer</replaceable> ] [ nsip-wait-recurse <replaceable>boolean</replaceable> ] [
+	    <command>qname-wait-recurse</command> <replaceable>boolean</replaceable> ] [ recursive-only <replaceable>boolean</replaceable> ] [
+	    <command>nsip-enable</command> <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
+	    <command>dnsrps-enable</command> <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
+	    } ];
+	<command>root-delegation-only</command> [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	<command>rrset-order</command> { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
+	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
+	<command>secroots-file</command> <replaceable>quoted_string</replaceable>;
+	<command>send-cookie</command> <replaceable>boolean</replaceable>;
+	<command>serial-query-rate</command> <replaceable>integer</replaceable>;
+	<command>serial-update-method</command> ( date | increment | unixtime );
+	<command>server-id</command> ( <replaceable>quoted_string</replaceable> | none | hostname );
+	<command>servfail-ttl</command> <replaceable>ttlval</replaceable>;
+	<command>session-keyalg</command> <replaceable>string</replaceable>;
+	<command>session-keyfile</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>session-keyname</command> <replaceable>string</replaceable>;
+	<command>sig-signing-nodes</command> <replaceable>integer</replaceable>;
+	<command>sig-signing-signatures</command> <replaceable>integer</replaceable>;
+	<command>sig-signing-type</command> <replaceable>integer</replaceable>;
+	<command>sig-validity-interval</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
+	<command>sortlist</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>stacksize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+	<command>stale-answer-enable</command> <replaceable>boolean</replaceable>;
+	<command>stale-answer-ttl</command> <replaceable>ttlval</replaceable>;
+	<command>startup-notify-rate</command> <replaceable>integer</replaceable>;
+	<command>statistics-file</command> <replaceable>quoted_string</replaceable>;
+	<command>synth-from-dnssec</command> <replaceable>boolean</replaceable>;
+	<command>tcp-advertised-timeout</command> <replaceable>integer</replaceable>;
+	<command>tcp-clients</command> <replaceable>integer</replaceable>;
+	<command>tcp-idle-timeout</command> <replaceable>integer</replaceable>;
+	<command>tcp-initial-timeout</command> <replaceable>integer</replaceable>;
+	<command>tcp-keepalive-timeout</command> <replaceable>integer</replaceable>;
+	<command>tcp-listen-queue</command> <replaceable>integer</replaceable>;
+	<command>tkey-dhkey</command> <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
+	<command>tkey-domain</command> <replaceable>quoted_string</replaceable>;
+	<command>tkey-gssapi-credential</command> <replaceable>quoted_string</replaceable>;
+	<command>tkey-gssapi-keytab</command> <replaceable>quoted_string</replaceable>;
+	<command>transfer-format</command> ( many-answers | one-answer );
+	<command>transfer-message-size</command> <replaceable>integer</replaceable>;
+	<command>transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    <command>dscp</command> <replaceable>integer</replaceable> ];
+	<command>transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
+	<command>transfers-in</command> <replaceable>integer</replaceable>;
+	<command>transfers-out</command> <replaceable>integer</replaceable>;
+	<command>transfers-per-ns</command> <replaceable>integer</replaceable>;
+	<command>trust-anchor-telemetry</command> <replaceable>boolean</replaceable>; // experimental
+	<command>try-tcp-refresh</command> <replaceable>boolean</replaceable>;
+	<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
+	<command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
+	<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
+	<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
+	<command>v6-bias</command> <replaceable>integer</replaceable>;
+	<command>version</command> ( <replaceable>quoted_string</replaceable> | none );
+	<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
+	<command>zero-no-soa-ttl-cache</command> <replaceable>boolean</replaceable>;
+	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
+};
+</programlisting>
diff --git a/doc/arm/redirect.zoneopt.xml b/doc/arm/redirect.zoneopt.xml
new file mode 100644
index 0000000000..c176558126
--- /dev/null
+++ b/doc/arm/redirect.zoneopt.xml
@@ -0,0 +1,24 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> redirect;
+	<command>allow-query</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>dlz</command> <replaceable>string</replaceable>;
+	<command>file</command> <replaceable>quoted_string</replaceable>;
+	<command>masterfile-format</command> ( map | raw | text );
+	<command>masterfile-style</command> ( full | relative );
+	<command>masters</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	<command>max-records</command> <replaceable>integer</replaceable>;
+	<command>max-zone-ttl</command> ( unlimited | <replaceable>ttlval</replaceable> );
+	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
+};
+</programlisting>
diff --git a/doc/arm/server.grammar.xml b/doc/arm/server.grammar.xml
new file mode 100644
index 0000000000..b78be9e9fa
--- /dev/null
+++ b/doc/arm/server.grammar.xml
@@ -0,0 +1,44 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>server</command> <replaceable>netprefix</replaceable> {
+	<command>bogus</command> <replaceable>boolean</replaceable>;
+	<command>edns</command> <replaceable>boolean</replaceable>;
+	<command>edns-udp-size</command> <replaceable>integer</replaceable>;
+	<command>edns-version</command> <replaceable>integer</replaceable>;
+	<command>keys</command> <replaceable>server_key</replaceable>;
+	<command>max-udp-size</command> <replaceable>integer</replaceable>;
+	<command>notify-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    <command>dscp</command> <replaceable>integer</replaceable> ];
+	<command>notify-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
+	    [ dscp <replaceable>integer</replaceable> ];
+	<command>padding</command> <replaceable>integer</replaceable>;
+	<command>provide-ixfr</command> <replaceable>boolean</replaceable>;
+	<command>query-source</command> ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
+	    <command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
+	<command>query-source-v6</command> ( ( [ address ] ( <replaceable>ipv6_address</replaceable> | * ) [ port (
+	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv6_address</replaceable> | * ) ]
+	    <command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
+	<command>request-expire</command> <replaceable>boolean</replaceable>;
+	<command>request-ixfr</command> <replaceable>boolean</replaceable>;
+	<command>request-nsid</command> <replaceable>boolean</replaceable>;
+	<command>send-cookie</command> <replaceable>boolean</replaceable>;
+	<command>tcp-keepalive</command> <replaceable>boolean</replaceable>;
+	<command>tcp-only</command> <replaceable>boolean</replaceable>;
+	<command>transfer-format</command> ( many-answers | one-answer );
+	<command>transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    <command>dscp</command> <replaceable>integer</replaceable> ];
+	<command>transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
+	    ] [ dscp <replaceable>integer</replaceable> ];
+	<command>transfers</command> <replaceable>integer</replaceable>;
+};
+</programlisting>
diff --git a/doc/arm/slave.zoneopt.xml b/doc/arm/slave.zoneopt.xml
new file mode 100644
index 0000000000..b305787931
--- /dev/null
+++ b/doc/arm/slave.zoneopt.xml
@@ -0,0 +1,69 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> ( slave | secondary );
+	<command>allow-notify</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-transfer</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-update-forwarding</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>also-notify</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	<command>alt-transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>alt-transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>auto-dnssec</command> ( allow | maintain | off );
+	<command>check-names</command> ( fail | warn | ignore );
+	<command>database</command> <replaceable>string</replaceable>;
+	<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
+	<command>dlz</command> <replaceable>string</replaceable>;
+	<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
+	<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
+	<command>dnssec-update-mode</command> ( maintain | no-resign );
+	<command>file</command> <replaceable>quoted_string</replaceable>;
+	<command>forward</command> ( first | only );
+	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
+	<command>inline-signing</command> <replaceable>boolean</replaceable>;
+	<command>ixfr-from-differences</command> <replaceable>boolean</replaceable>;
+	<command>journal</command> <replaceable>quoted_string</replaceable>;
+	<command>key-directory</command> <replaceable>quoted_string</replaceable>;
+	<command>masterfile-format</command> ( map | raw | text );
+	<command>masterfile-style</command> ( full | relative );
+	<command>masters</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	<command>max-journal-size</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+	<command>max-records</command> <replaceable>integer</replaceable>;
+	<command>max-refresh-time</command> <replaceable>integer</replaceable>;
+	<command>max-retry-time</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-idle-in</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-idle-out</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-time-in</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-time-out</command> <replaceable>integer</replaceable>;
+	<command>min-refresh-time</command> <replaceable>integer</replaceable>;
+	<command>min-retry-time</command> <replaceable>integer</replaceable>;
+	<command>multi-master</command> <replaceable>boolean</replaceable>;
+	<command>notify</command> ( explicit | master-only | <replaceable>boolean</replaceable> );
+	<command>notify-delay</command> <replaceable>integer</replaceable>;
+	<command>notify-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>notify-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>notify-to-soa</command> <replaceable>boolean</replaceable>;
+	<command>request-expire</command> <replaceable>boolean</replaceable>;
+	<command>request-ixfr</command> <replaceable>boolean</replaceable>;
+	<command>sig-signing-nodes</command> <replaceable>integer</replaceable>;
+	<command>sig-signing-signatures</command> <replaceable>integer</replaceable>;
+	<command>sig-signing-type</command> <replaceable>integer</replaceable>;
+	<command>sig-validity-interval</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
+	<command>transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>try-tcp-refresh</command> <replaceable>boolean</replaceable>;
+	<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
+	<command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
+	<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
+	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
+};
+</programlisting>
diff --git a/doc/arm/static-stub.zoneopt.xml b/doc/arm/static-stub.zoneopt.xml
new file mode 100644
index 0000000000..6571a8075f
--- /dev/null
+++ b/doc/arm/static-stub.zoneopt.xml
@@ -0,0 +1,22 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> static-stub;
+	<command>allow-query</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>forward</command> ( first | only );
+	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
+	<command>max-records</command> <replaceable>integer</replaceable>;
+	<command>server-addresses</command> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ]; ... };
+	<command>server-names</command> { <replaceable>quoted_string</replaceable>; ... };
+	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
+};
+</programlisting>
diff --git a/doc/arm/statistics-channels.grammar.xml b/doc/arm/statistics-channels.grammar.xml
new file mode 100644
index 0000000000..a50f32152c
--- /dev/null
+++ b/doc/arm/statistics-channels.grammar.xml
@@ -0,0 +1,18 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>statistics-channels</command> {
+	<command>inet</command> ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
+	    * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
+	    <command>allow</command> { <replaceable>address_match_element</replaceable>; ...
+	    } ];
+};
+</programlisting>
diff --git a/doc/arm/stub.zoneopt.xml b/doc/arm/stub.zoneopt.xml
new file mode 100644
index 0000000000..ccd038ffdb
--- /dev/null
+++ b/doc/arm/stub.zoneopt.xml
@@ -0,0 +1,38 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+	<command>type</command> stub;
+	<command>allow-query</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>allow-query-on</command> { <replaceable>address_match_element</replaceable>; ... };
+	<command>check-names</command> ( fail | warn | ignore );
+	<command>database</command> <replaceable>string</replaceable>;
+	<command>delegation-only</command> <replaceable>boolean</replaceable>;
+	<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
+	<command>file</command> <replaceable>quoted_string</replaceable>;
+	<command>forward</command> ( first | only );
+	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
+	<command>masterfile-format</command> ( map | raw | text );
+	<command>masterfile-style</command> ( full | relative );
+	<command>masters</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+	<command>max-records</command> <replaceable>integer</replaceable>;
+	<command>max-refresh-time</command> <replaceable>integer</replaceable>;
+	<command>max-retry-time</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-idle-in</command> <replaceable>integer</replaceable>;
+	<command>max-transfer-time-in</command> <replaceable>integer</replaceable>;
+	<command>min-refresh-time</command> <replaceable>integer</replaceable>;
+	<command>min-retry-time</command> <replaceable>integer</replaceable>;
+	<command>multi-master</command> <replaceable>boolean</replaceable>;
+	<command>transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+	<command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
+	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
+};
+</programlisting>
diff --git a/doc/arm/trusted-keys.grammar.xml b/doc/arm/trusted-keys.grammar.xml
new file mode 100644
index 0000000000..2e7da28a7b
--- /dev/null
+++ b/doc/arm/trusted-keys.grammar.xml
@@ -0,0 +1,14 @@
+<!--
+ - Copyright (C) 2004-2018  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+<command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+    <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
+</programlisting>
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
index b3a1f68d3b..5ee27a7e31 100644
--- a/doc/misc/Makefile.in
+++ b/doc/misc/Makefile.in
@@ -30,6 +30,15 @@ options: FORCE
 	if test -x ${CFG_TEST} ; \
 	then \
 		${CFG_TEST} --named --grammar > $@.raw ; \
+		${CFG_TEST} --zonegrammar master > master.zoneopt ; \
+		${CFG_TEST} --zonegrammar slave > slave.zoneopt ; \
+		${CFG_TEST} --zonegrammar forward > forward.zoneopt ; \
+		${CFG_TEST} --zonegrammar hint > hint.zoneopt ; \
+		${CFG_TEST} --zonegrammar stub > stub.zoneopt ; \
+		${CFG_TEST} --zonegrammar static-stub > static-stub.zoneopt ; \
+		${CFG_TEST} --zonegrammar redirect > redirect.zoneopt ; \
+		${CFG_TEST} --zonegrammar delegation-only > delegation-only.zoneopt ; \
+		${CFG_TEST} --zonegrammar in-view > in-view.zoneopt ; \
 		${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \
 		${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \
 		mv -f $@.new $@ ; \
@@ -40,3 +49,22 @@ options: FORCE
 
 docbook: options
 	${PERL} docbook-options.pl options > ${top_srcdir}/bin/named/named.conf.docbook
+	${PERL} docbook-zoneopt.pl master.zoneopt > ${top_srcdir}/doc/arm/master.zoneopt.xml
+	${PERL} docbook-zoneopt.pl slave.zoneopt > ${top_srcdir}/doc/arm/slave.zoneopt.xml
+	${PERL} docbook-zoneopt.pl forward.zoneopt > ${top_srcdir}/doc/arm/forward.zoneopt.xml
+	${PERL} docbook-zoneopt.pl hint.zoneopt > ${top_srcdir}/doc/arm/hint.zoneopt.xml
+	${PERL} docbook-zoneopt.pl stub.zoneopt > ${top_srcdir}/doc/arm/stub.zoneopt.xml
+	${PERL} docbook-zoneopt.pl static-stub.zoneopt > ${top_srcdir}/doc/arm/static-stub.zoneopt.xml
+	${PERL} docbook-zoneopt.pl redirect.zoneopt > ${top_srcdir}/doc/arm/redirect.zoneopt.xml
+	${PERL} docbook-zoneopt.pl delegation-only.zoneopt > ${top_srcdir}/doc/arm/delegation-only.zoneopt.xml
+	${PERL} docbook-zoneopt.pl in-view.zoneopt > ${top_srcdir}/doc/arm/in-view.zoneopt.xml
+	${PERL} docbook-grammars.pl options acl > ${top_srcdir}/doc/arm/acl.grammar.xml
+	${PERL} docbook-grammars.pl options controls > ${top_srcdir}/doc/arm/controls.grammar.xml
+	${PERL} docbook-grammars.pl options key > ${top_srcdir}/doc/arm/key.grammar.xml
+	${PERL} docbook-grammars.pl options logging > ${top_srcdir}/doc/arm/logging.grammar.xml
+	${PERL} docbook-grammars.pl options masters > ${top_srcdir}/doc/arm/masters.grammar.xml
+	${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml
+	${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml
+	${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
+	${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
+	${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
diff --git a/doc/misc/delegation-only.zoneopt b/doc/misc/delegation-only.zoneopt
new file mode 100644
index 0000000000..ab86327cbd
--- /dev/null
+++ b/doc/misc/delegation-only.zoneopt
@@ -0,0 +1,3 @@
+zone <string> [ <class> ] {
+	type delegation-only;
+};
diff --git a/doc/misc/docbook-grammars.pl b/doc/misc/docbook-grammars.pl
new file mode 100644
index 0000000000..95620b2eff
--- /dev/null
+++ b/doc/misc/docbook-grammars.pl
@@ -0,0 +1,82 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+use warnings;
+use strict;
+use Time::Piece;
+
+if (@ARGV < 2) {
+	print STDERR <<'END';
+usage:
+    perl docbook-options.pl options_file section > section.grammar.xml
+END
+	exit 1;
+}
+
+my $FILE = shift;
+my $SECTION = shift;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+my $t = Time::Piece->new();
+my $year = $t->year;
+
+print <<END;
+<!--
+ - Copyright (C) 2004-$year  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+END
+
+# skip preamble
+my $preamble = 0;
+while (<FH>) {
+	if (m{^\s*$}) {
+		last if $preamble > 0;
+	} else {
+		$preamble++;
+	}
+}
+
+my $display = 0;
+while (<FH>) {
+	if (m{^$SECTION\b}) {
+		$display = 1
+	}
+
+	if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) {
+		next;
+	}
+
+	s{ // not configured}{};
+	s{ // non-operational}{};
+	s{ // may occur multiple times}{};
+	s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
+	s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
+	s{[[]}{[}g;
+	s{[]]}{]}g;
+	s{        }{\t}g;
+
+	if (m{^\s*$} && $display) {
+		last;
+	}
+	if ($display) {
+		print;
+	}
+}
+
+print <<END;
+</programlisting>
+END
diff --git a/doc/misc/docbook-options.pl b/doc/misc/docbook-options.pl
index 9b78fd5ea4..75b775f78b 100644
--- a/doc/misc/docbook-options.pl
+++ b/doc/misc/docbook-options.pl
@@ -122,6 +122,7 @@ while (<FH>) {
 	}
 
 	s{ // not configured}{};
+	s{ // non-operational}{};
 	s{ // may occur multiple times}{};
 	s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
 	s{[[]}{[}g;
diff --git a/doc/misc/docbook-zoneopt.pl b/doc/misc/docbook-zoneopt.pl
new file mode 100644
index 0000000000..900dddf53f
--- /dev/null
+++ b/doc/misc/docbook-zoneopt.pl
@@ -0,0 +1,61 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+use warnings;
+use strict;
+use Time::Piece;
+
+if (@ARGV < 1) {
+	print STDERR <<'END';
+usage:
+    perl docbook-zoneopt.pl zoneopt_file [YYYY]
+END
+	exit 1;
+}
+
+my $FILE = shift;
+
+my $t = Time::Piece->new();
+my $year;
+$year = `git log --max-count=1 --date=format:%Y --format='%cd' -- $FILE` or $year = $t->year;
+chomp $year;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+print <<END;
+<!--
+ - Copyright (C) 2004-$year  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+END
+
+while (<FH>) {
+	if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) {
+		next;
+	}
+
+	s{ // not configured}{};
+	s{ // may occur multiple times}{};
+	s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
+	s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
+	s{[[]}{[}g;
+	s{[]]}{]}g;
+	s{        }{\t}g;
+
+	print;
+}
+
+print <<END;
+</programlisting>
+END
diff --git a/doc/misc/forward.zoneopt b/doc/misc/forward.zoneopt
new file mode 100644
index 0000000000..e694813a86
--- /dev/null
+++ b/doc/misc/forward.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+	type forward;
+	delegation-only <boolean>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+};
diff --git a/doc/misc/hint.zoneopt b/doc/misc/hint.zoneopt
new file mode 100644
index 0000000000..d7ec16c739
--- /dev/null
+++ b/doc/misc/hint.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+	type hint;
+	check-names ( fail | warn | ignore );
+	delegation-only <boolean>;
+	file <quoted_string>;
+};
diff --git a/doc/misc/in-view.zoneopt b/doc/misc/in-view.zoneopt
new file mode 100644
index 0000000000..c63c4273e5
--- /dev/null
+++ b/doc/misc/in-view.zoneopt
@@ -0,0 +1,3 @@
+zone <string> [ <class> ] {
+	in-view <string>;
+};
diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt
new file mode 100644
index 0000000000..7bec788bb6
--- /dev/null
+++ b/doc/misc/master.zoneopt
@@ -0,0 +1,56 @@
+zone <string> [ <class> ] {
+	type ( master | primary );
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer { <address_match_element>; ... };
+	allow-update { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	auto-dnssec ( allow | maintain | off );
+	check-dup-records ( fail | warn | ignore );
+	check-integrity <boolean>;
+	check-mx ( fail | warn | ignore );
+	check-mx-cname ( fail | warn | ignore );
+	check-names ( fail | warn | ignore );
+	check-sibling <boolean>;
+	check-spf ( warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	check-wildcard <boolean>;
+	database <string>;
+	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+	dlz <string>;
+	dnssec-dnskey-kskonly <boolean>;
+	dnssec-loadkeys-interval <integer>;
+	dnssec-secure-to-insecure <boolean>;
+	dnssec-update-mode ( maintain | no-resign );
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	inline-signing <boolean>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	key-directory <quoted_string>;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-out <integer>;
+	max-zone-ttl ( unlimited | <ttlval> );
+	notify ( explicit | master-only | <boolean> );
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-to-soa <boolean>;
+	nsec3-test-zone <boolean>; // test only
+	serial-update-method ( date | increment | unixtime );
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ];
+	update-check-ksk <boolean>;
+	update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt
new file mode 100644
index 0000000000..a127de9bbf
--- /dev/null
+++ b/doc/misc/redirect.zoneopt
@@ -0,0 +1,13 @@
+zone <string> [ <class> ] {
+	type redirect;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	dlz <string>;
+	file <quoted_string>;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-records <integer>;
+	max-zone-ttl ( unlimited | <ttlval> );
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt
new file mode 100644
index 0000000000..a9e62a4503
--- /dev/null
+++ b/doc/misc/slave.zoneopt
@@ -0,0 +1,59 @@
+zone <string> [ <class> ] {
+	type ( slave | secondary );
+	allow-notify { <address_match_element>; ... };
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	auto-dnssec ( allow | maintain | off );
+	check-names ( fail | warn | ignore );
+	database <string>;
+	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+	dlz <string>;
+	dnssec-dnskey-kskonly <boolean>;
+	dnssec-loadkeys-interval <integer>;
+	dnssec-update-mode ( maintain | no-resign );
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	inline-signing <boolean>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	key-directory <quoted_string>;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	multi-master <boolean>;
+	notify ( explicit | master-only | <boolean> );
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-to-soa <boolean>;
+	nsec3-test-zone <boolean>; // test only
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ];
+	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	try-tcp-refresh <boolean>;
+	update-check-ksk <boolean>;
+	use-alt-transfer-source <boolean>;
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/static-stub.zoneopt b/doc/misc/static-stub.zoneopt
new file mode 100644
index 0000000000..74abe0b137
--- /dev/null
+++ b/doc/misc/static-stub.zoneopt
@@ -0,0 +1,11 @@
+zone <string> [ <class> ] {
+	type static-stub;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	max-records <integer>;
+	server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
+	server-names { <quoted_string>; ... };
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt
new file mode 100644
index 0000000000..b18b102912
--- /dev/null
+++ b/doc/misc/stub.zoneopt
@@ -0,0 +1,27 @@
+zone <string> [ <class> ] {
+	type stub;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	check-names ( fail | warn | ignore );
+	database <string>;
+	delegation-only <boolean>;
+	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-records <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-time-in <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	multi-master <boolean>;
+	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	use-alt-transfer-source <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 0645cc44cc..b11de10edc 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -46,6 +46,8 @@
 
 #include <isccfg/aclconf.h>
 #include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
 
 #include <bind9/check.h>
 
@@ -1799,17 +1801,6 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 	return (result);
 }
 
-#define MASTERZONE	1
-#define SLAVEZONE	2
-#define STUBZONE	4
-#define HINTZONE	8
-#define FORWARDZONE	16
-#define DELEGATIONZONE	32
-#define STATICSTUBZONE	64
-#define REDIRECTZONE	128
-#define STREDIRECTZONE	0	/* Set to REDIRECTZONE to allow xfr-in. */
-#define CHECKACL	512
-
 typedef struct {
 	const char *name;
 	int allowed;
@@ -1863,82 +1854,20 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	isc_boolean_t dlz;
 	dns_masterformat_t masterformat;
 	isc_boolean_t ddns = ISC_FALSE;
-
-	static optionstable options[] = {
-	{ "allow-notify", SLAVEZONE | CHECKACL },
-	{ "allow-query", MASTERZONE | SLAVEZONE | STUBZONE | REDIRECTZONE |
-	  CHECKACL | STATICSTUBZONE },
-	{ "allow-transfer", MASTERZONE | SLAVEZONE | CHECKACL },
-	{ "allow-update", MASTERZONE | CHECKACL },
-	{ "allow-update-forwarding", SLAVEZONE | CHECKACL },
-	{ "also-notify", MASTERZONE | SLAVEZONE },
-	{ "auto-dnssec", MASTERZONE | SLAVEZONE },
-	{ "check-dup-records", MASTERZONE },
-	{ "check-mx", MASTERZONE },
-	{ "check-mx-cname", MASTERZONE },
-	{ "check-srv-cname", MASTERZONE },
-	{ "check-wildcard", MASTERZONE },
-	{ "database", MASTERZONE | SLAVEZONE | STUBZONE | REDIRECTZONE },
-	{ "delegation-only", HINTZONE | STUBZONE | FORWARDZONE |
-	  DELEGATIONZONE },
-	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "dnssec-dnskey-kskonly", MASTERZONE | SLAVEZONE },
-	{ "dnssec-loadkeys-interval", MASTERZONE | SLAVEZONE },
-	{ "dnssec-secure-to-insecure", MASTERZONE },
-	{ "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE | REDIRECTZONE },
-	{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | STATICSTUBZONE |
-	  FORWARDZONE },
-	{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | STATICSTUBZONE |
-	  FORWARDZONE },
-	{ "integrity-check", MASTERZONE },
-	{ "ixfr-base", MASTERZONE | SLAVEZONE },
-	{ "ixfr-tmp-file", MASTERZONE | SLAVEZONE },
-	{ "journal", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "key-directory", MASTERZONE | SLAVEZONE },
-	{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE |
-	  REDIRECTZONE },
-	{ "masters", SLAVEZONE | STUBZONE | REDIRECTZONE },
-	{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "max-records", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE |
-	  STATICSTUBZONE | REDIRECTZONE },
-	{ "max-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-transfer-idle-in", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-transfer-idle-out", MASTERZONE | SLAVEZONE },
-	{ "max-transfer-time-in", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-transfer-time-out", MASTERZONE | SLAVEZONE },
-	{ "max-zone-ttl", MASTERZONE | REDIRECTZONE },
-	{ "min-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "min-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "notify", MASTERZONE | SLAVEZONE },
-	{ "notify-source", MASTERZONE | SLAVEZONE },
-	{ "notify-source-v6", MASTERZONE | SLAVEZONE },
-	{ "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "request-expire", SLAVEZONE | REDIRECTZONE },
-	{ "request-ixfr", SLAVEZONE | REDIRECTZONE },
-	{ "server-addresses", STATICSTUBZONE },
-	{ "server-names", STATICSTUBZONE },
-	{ "sig-re-signing-interval", MASTERZONE | SLAVEZONE },
-	{ "sig-signing-nodes", MASTERZONE | SLAVEZONE },
-	{ "sig-signing-signatures", MASTERZONE | SLAVEZONE },
-	{ "sig-signing-type", MASTERZONE | SLAVEZONE },
-	{ "sig-validity-interval", MASTERZONE | SLAVEZONE },
-	{ "signing", MASTERZONE | SLAVEZONE },
-	{ "transfer-source", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "transfer-source-v6", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "try-tcp-refresh", SLAVEZONE | STREDIRECTZONE },
-	{ "update-check-ksk", MASTERZONE | SLAVEZONE },
-	{ "update-policy", MASTERZONE },
-	{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE |
-	  STATICSTUBZONE | REDIRECTZONE },
+	const void *clauses = NULL;
+	const char *option = NULL;
+	static const char *acls[] = {
+		"allow-notify",
+		"allow-transfer",
+		"allow-update",
+		"allow-update-forwarding",
 	};
 
 	static optionstable dialups[] = {
-	{ "notify", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "notify-passive", SLAVEZONE | STREDIRECTZONE },
-	{ "passive", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "refresh", SLAVEZONE | STUBZONE | STREDIRECTZONE },
+	{ "notify", CFG_ZONE_MASTER | CFG_ZONE_SLAVE },
+	{ "notify-passive", CFG_ZONE_SLAVE },
+	{ "passive", CFG_ZONE_SLAVE | CFG_ZONE_STUB },
+	{ "refresh", CFG_ZONE_SLAVE | CFG_ZONE_STUB },
 	};
 
 	znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
@@ -1979,30 +1908,30 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	}
 
 	typestr = cfg_obj_asstring(obj);
-	if (strcasecmp(typestr, "master") == 0)
-		ztype = MASTERZONE;
-	else if (strcasecmp(typestr, "slave") == 0)
-		ztype = SLAVEZONE;
-	else if (strcasecmp(typestr, "stub") == 0)
-		ztype = STUBZONE;
-	else if (strcasecmp(typestr, "static-stub") == 0)
-		ztype = STATICSTUBZONE;
-	else if (strcasecmp(typestr, "forward") == 0)
-		ztype = FORWARDZONE;
-	else if (strcasecmp(typestr, "hint") == 0)
-		ztype = HINTZONE;
-	else if (strcasecmp(typestr, "delegation-only") == 0)
-		ztype = DELEGATIONZONE;
-	else if (strcasecmp(typestr, "redirect") == 0)
-		ztype = REDIRECTZONE;
-	else {
+	if (strcasecmp(typestr, "master") == 0) {
+		ztype = CFG_ZONE_MASTER;
+	} else if (strcasecmp(typestr, "slave") == 0) {
+		ztype = CFG_ZONE_SLAVE;
+	} else if (strcasecmp(typestr, "stub") == 0) {
+		ztype = CFG_ZONE_STUB;
+	} else if (strcasecmp(typestr, "static-stub") == 0) {
+		ztype = CFG_ZONE_STATICSTUB;
+	} else if (strcasecmp(typestr, "forward") == 0) {
+		ztype = CFG_ZONE_FORWARD;
+	} else if (strcasecmp(typestr, "hint") == 0) {
+		ztype = CFG_ZONE_HINT;
+	} else if (strcasecmp(typestr, "delegation-only") == 0) {
+		ztype = CFG_ZONE_DELEGATION;
+	} else if (strcasecmp(typestr, "redirect") == 0) {
+		ztype = CFG_ZONE_REDIRECT;
+	} else {
 		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 			    "zone '%s': invalid type %s",
 			    znamestr, typestr);
 		return (ISC_R_FAILURE);
 	}
 
-	if (ztype == REDIRECTZONE && strcmp(znamestr, ".") != 0) {
+	if (ztype == CFG_ZONE_REDIRECT && strcmp(znamestr, ".") != 0) {
 		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
 			    "redirect zones must be called \".\"");
 		return (ISC_R_FAILURE);
@@ -2048,8 +1977,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 
 		zname = dns_fixedname_name(&fixedname);
 		dns_name_format(zname, namebuf, sizeof(namebuf));
-		tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 :
-				    ztype == REDIRECTZONE ? 2 : 3,
+		tresult = nameexist(zconfig, namebuf,
+				    ztype == CFG_ZONE_HINT ? 1 :
+				     ztype == CFG_ZONE_REDIRECT ? 2 : 3,
 				    symtab, "zone '%s': already exists "
 				    "previous definition: %s:%u", logctx, mctx);
 		if (tresult != ISC_R_SUCCESS)
@@ -2069,47 +1999,39 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		result = ISC_R_FAILURE;
 
 	/*
-	 * Look for inappropriate options for the given zone type.
+	 * Check validity of the zone options.
+	 */
+	option = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &i);
+	while (option != NULL) {
+		obj = NULL;
+		if (cfg_map_get(zoptions, option, &obj) == ISC_R_SUCCESS &&
+		    obj != NULL && !cfg_clause_validforzone(option, ztype))
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "option '%s' is not allowed "
+				    "in '%s' zone '%s'",
+				    option, typestr, znamestr);
+			result = ISC_R_FAILURE;
+		}
+		option = cfg_map_nextclause(&cfg_type_zoneopts, &clauses, &i);
+	}
+
+	/*
 	 * Check that ACLs expand correctly.
 	 */
-	for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
-		obj = NULL;
-		if ((options[i].allowed & ztype) == 0 &&
-		    cfg_map_get(zoptions, options[i].name, &obj) ==
-		    ISC_R_SUCCESS)
-		{
-			if (strcmp(options[i].name, "allow-update") != 0 ||
-			    ztype != SLAVEZONE) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "option '%s' is not allowed "
-					    "in '%s' zone '%s'",
-					    options[i].name, typestr,
-					    znamestr);
-					result = ISC_R_FAILURE;
-			} else
-				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-					    "option '%s' is not allowed "
-					    "in '%s' zone '%s'",
-					    options[i].name, typestr,
-					    znamestr);
+	for (i = 0; i < (sizeof(acls) / sizeof(acls[0])); i++) {
+		tresult = checkacl(acls[i], actx, zconfig,
+				   voptions, config, logctx, mctx);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
 		}
-		obj = NULL;
-		if ((options[i].allowed & ztype) != 0 &&
-		    (options[i].allowed & CHECKACL) != 0) {
-
-			tresult = checkacl(options[i].name, actx, zconfig,
-					   voptions, config, logctx, mctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-
 	}
 
 	/*
 	 * Master & slave zones may have an "also-notify" field, but
 	 * shouldn't if notify is disabled.
 	 */
-	if (ztype == MASTERZONE || ztype == SLAVEZONE ) {
+	if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE) {
 		isc_boolean_t donotify = ISC_TRUE;
 
 		obj = NULL;
@@ -2123,7 +2045,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 				donotify = cfg_obj_asboolean(obj);
 			else {
 				const char *notifystr = cfg_obj_asstring(obj);
-				if (ztype != MASTERZONE &&
+				if (ztype != CFG_ZONE_MASTER &&
 				    strcasecmp(notifystr, "master-only") == 0)
 					donotify = ISC_FALSE;
 			}
@@ -2152,7 +2074,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	/*
 	 * Slave & stub zones must have a "masters" field.
 	 */
-	if (ztype == SLAVEZONE || ztype == STUBZONE) {
+	if (ztype == CFG_ZONE_SLAVE || ztype == CFG_ZONE_STUB) {
 		obj = NULL;
 		if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
 			cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
@@ -2177,7 +2099,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	/*
 	 * Master zones can't have both "allow-update" and "update-policy".
 	 */
-	if (ztype == MASTERZONE || ztype == SLAVEZONE) {
+	if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE) {
 		isc_boolean_t signing = ISC_FALSE;
 		isc_result_t res1, res2, res3;
 		const cfg_obj_t *au = NULL;
@@ -2242,7 +2164,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 				    "'auto-dnssec %s;' requires%s "
 				    "inline-signing to be configured for "
 				    "the zone", arg,
-				    (ztype == MASTERZONE) ?
+				    (ztype == CFG_ZONE_MASTER) ?
 					 " dynamic DNS or" : "");
 			result = ISC_R_FAILURE;
 		}
@@ -2261,7 +2183,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 
 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
-		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SLAVE &&
+		    !signing)
+		{
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "dnssec-dnskey-kskonly: requires "
 				    "inline-signing when used in slave zone");
@@ -2270,7 +2194,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 
 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
-		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SLAVE &&
+		    !signing)
+		{
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "dnssec-loadkeys-interval: requires "
 				    "inline-signing when used in slave zone");
@@ -2279,7 +2205,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 
 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
-		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SLAVE &&
+		    !signing)
+		{
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "update-check-ksk: requires "
 				    "inline-signing when used in slave zone");
@@ -2290,7 +2218,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	/*
 	 * Check the excessively complicated "dialup" option.
 	 */
-	if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
+	if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE ||
+	    ztype == CFG_ZONE_STUB)
+	{
 		const cfg_obj_t *dialup = NULL;
 		(void)cfg_map_get(zoptions, "dialup", &dialup);
 		if (dialup != NULL && cfg_obj_isstring(dialup)) {
@@ -2338,7 +2268,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	 * Check that a RFC 1918 / ULA reverse zone is not forward first
 	 * unless explictly configured to be so.
 	 */
-	if (ztype == FORWARDZONE && (rfc1918 || ula)) {
+	if (ztype == CFG_ZONE_FORWARD && (rfc1918 || ula)) {
 		obj = NULL;
 		(void)cfg_map_get(zoptions, "forward", &obj);
 		if (obj == NULL) {
@@ -2365,7 +2295,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	 */
 	obj = NULL;
 	(void)cfg_map_get(zoptions, "server-addresses", &obj);
-	if (ztype == STATICSTUBZONE && obj != NULL) {
+	if (ztype == CFG_ZONE_STATICSTUB && obj != NULL) {
 		for (element = cfg_list_first(obj);
 		     element != NULL;
 		     element = cfg_list_next(element))
@@ -2398,7 +2328,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	 */
 	obj = NULL;
 	(void)cfg_map_get(zoptions, "server-names", &obj);
-	if (zname != NULL && ztype == STATICSTUBZONE && obj != NULL) {
+	if (zname != NULL && ztype == CFG_ZONE_STATICSTUB && obj != NULL) {
 		for (element = cfg_list_first(obj);
 		     element != NULL;
 		     element = cfg_list_next(element))
@@ -2534,20 +2464,23 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
 		if ((tresult != ISC_R_SUCCESS &&
-		    (ztype == MASTERZONE || ztype == HINTZONE ||
-		     (ztype == SLAVEZONE && res1 == ISC_R_SUCCESS &&
-		      cfg_obj_asboolean(obj))))) {
+		    (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_HINT ||
+		     (ztype == CFG_ZONE_SLAVE && res1 == ISC_R_SUCCESS &&
+		      cfg_obj_asboolean(obj)))))
+		{
 			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
 			    "zone '%s': missing 'file' entry",
 			    znamestr);
 			result = tresult;
 		} else if (tresult == ISC_R_SUCCESS &&
-			   (ztype == SLAVEZONE || ddns)) {
+			   (ztype == CFG_ZONE_SLAVE || ddns)) {
 			tresult = fileexist(fileobj, files, ISC_TRUE, logctx);
 			if (tresult != ISC_R_SUCCESS)
 				result = tresult;
 		} else if (tresult == ISC_R_SUCCESS &&
-			   (ztype == MASTERZONE || ztype == HINTZONE)) {
+			   (ztype == CFG_ZONE_MASTER ||
+			    ztype == CFG_ZONE_HINT))
+		{
 			tresult = fileexist(fileobj, files, ISC_FALSE, logctx);
 			if (tresult != ISC_R_SUCCESS)
 				result = tresult;
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index b60b628f7f..94dec54675 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -6,8 +6,6 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-/* $Id: cfg.h,v 1.46 2010/08/13 23:47:04 tbox Exp $ */
-
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
 
@@ -538,6 +536,13 @@ cfg_obj_line(const cfg_obj_t *obj);
  * Return the line in file where this object was defined.
  */
 
+const char *
+cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
+                    unsigned int *idx);
+const char *
+cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
+                   unsigned int *idx);
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISCCFG_CFG_H */
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index 364f3dbacb..1257f2ea61 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -6,8 +6,6 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-/* $Id: grammar.h,v 1.24 2011/01/04 23:47:14 tbox Exp $ */
-
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
 
@@ -52,6 +50,21 @@
  * compile time options, but is harmless. */
 #define CFG_CLAUSEFLAG_NOOP		0x00000200
 
+/*%
+ * Zone types for which a clause is valid:
+ * These share space with CFG_CLAUSEFLAG values, but count
+ * down from the top.
+ */
+#define CFG_ZONE_MASTER			0x80000000
+#define CFG_ZONE_SLAVE			0x40000000
+#define CFG_ZONE_STUB			0x20000000
+#define CFG_ZONE_HINT			0x10000000
+#define CFG_ZONE_FORWARD		0x08000000
+#define CFG_ZONE_STATICSTUB		0x04000000
+#define CFG_ZONE_REDIRECT		0x02000000
+#define CFG_ZONE_DELEGATION		0x01000000
+#define CFG_ZONE_INVIEW			0x00800000
+
 typedef struct cfg_clausedef cfg_clausedef_t;
 typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
 typedef struct cfg_printer cfg_printer_t;
@@ -507,4 +520,32 @@ isc_boolean_t
 cfg_is_enum(const char *s, const char *const *enums);
 /*%< Return true iff the string 's' is one of the strings in 'enums' */
 
+isc_boolean_t
+cfg_clause_validforzone(const char *name, unsigned int ztype);
+/*%<
+ * Check whether an option is legal for the specified zone type.
+ */
+
+void
+cfg_print_zonegrammar(const unsigned int zonetype,
+		      void (*f)(void *closure, const char *text, int textlen),
+		      void *closure);
+/*%<
+ * Print a summary of the grammar of the zone type represented by
+ * 'zonetype'.
+ */
+
+void
+cfg_print_clauseflags(cfg_printer_t *pctx, unsigned int flags);
+/*%<
+ * Print clause flags (e.g. "obsolete", "not implemented", etc) in
+ * human readable form
+ */
+
+void
+cfg_print_indent(cfg_printer_t *pctx);
+/*%<
+ * Print the necessary indent required by the current settings of 'pctx'.
+ */
+
 #endif /* ISCCFG_GRAMMAR_H */
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
index 74f0f38f11..b5c3150c9c 100644
--- a/lib/isccfg/include/isccfg/namedconf.h
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -48,4 +48,7 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
 /*%< An EDNS client subnet address, used as an ACL element */
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ecsprefix;
 
+/*%< Zone options */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_zoneopts;
+
 #endif /* ISCCFG_NAMEDCONF_H */
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index e84ea17bb9..22c5f78350 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -24,6 +24,7 @@
 #include <isccfg/cfg.h>
 #include <isccfg/grammar.h>
 #include <isccfg/log.h>
+#include <isccfg/namedconf.h>
 
 #define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
 
@@ -141,7 +142,6 @@ static cfg_type_t cfg_type_ttlval;
 static cfg_type_t cfg_type_view;
 static cfg_type_t cfg_type_viewopts;
 static cfg_type_t cfg_type_zone;
-static cfg_type_t cfg_type_zoneopts;
 
 /*% tkey-dhkey */
 
@@ -1998,106 +1998,280 @@ static cfg_type_t cfg_type_validityinterval = {
 /*%
  * Clauses that can be found in a 'zone' statement,
  * with defaults in the 'view' or 'options' statement.
+ *
+ * Note: CFG_ZONE_* options indicate in which zone types this clause is
+ * legal.
  */
 static cfg_clausedef_t
 zone_clauses[] = {
-	{ "allow-notify", &cfg_type_bracketed_aml, 0 },
-	{ "allow-query", &cfg_type_bracketed_aml, 0 },
-	{ "allow-query-on", &cfg_type_bracketed_aml, 0 },
-	{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
-	{ "allow-update", &cfg_type_bracketed_aml, 0 },
-	{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
-	{ "also-notify", &cfg_type_namesockaddrkeylist, 0 },
-	{ "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
-	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "auto-dnssec", &cfg_type_autodnssec, 0 },
-	{ "check-dup-records", &cfg_type_checkmode, 0 },
-	{ "check-integrity", &cfg_type_boolean, 0 },
-	{ "check-mx", &cfg_type_checkmode, 0 },
-	{ "check-mx-cname", &cfg_type_checkmode, 0 },
-	{ "check-sibling", &cfg_type_boolean, 0 },
-	{ "check-spf", &cfg_type_warn, 0 },
-	{ "check-srv-cname", &cfg_type_checkmode, 0 },
-	{ "check-wildcard", &cfg_type_boolean, 0 },
-	{ "dialup", &cfg_type_dialuptype, 0 },
-	{ "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
-	{ "dnssec-loadkeys-interval", &cfg_type_uint32, 0 },
-	{ "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
-	{ "dnssec-update-mode", &cfg_type_dnssecupdatemode, 0 },
-	{ "forward", &cfg_type_forwardtype, 0 },
-	{ "forwarders", &cfg_type_portiplist, 0 },
-	{ "inline-signing", &cfg_type_boolean, 0 },
-	{ "key-directory", &cfg_type_qstring, 0 },
-	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "masterfile-format", &cfg_type_masterformat, 0 },
-	{ "masterfile-style", &cfg_type_masterstyle, 0 },
-	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "max-journal-size", &cfg_type_size, 0 },
-	{ "max-records", &cfg_type_uint32, 0 },
-	{ "max-refresh-time", &cfg_type_uint32, 0 },
-	{ "max-retry-time", &cfg_type_uint32, 0 },
-	{ "max-transfer-idle-in", &cfg_type_uint32, 0 },
-	{ "max-transfer-idle-out", &cfg_type_uint32, 0 },
-	{ "max-transfer-time-in", &cfg_type_uint32, 0 },
-	{ "max-transfer-time-out", &cfg_type_uint32, 0 },
-	{ "max-zone-ttl", &cfg_type_maxttl, 0 },
-	{ "min-refresh-time", &cfg_type_uint32, 0 },
-	{ "min-retry-time", &cfg_type_uint32, 0 },
-	{ "multi-master", &cfg_type_boolean, 0 },
-	{ "notify", &cfg_type_notifytype, 0 },
-	{ "notify-delay", &cfg_type_uint32, 0 },
-	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
-	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "notify-to-soa", &cfg_type_boolean, 0 },
-	{ "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
-	{ "request-expire", &cfg_type_boolean, 0 },
-	{ "request-ixfr", &cfg_type_boolean, 0 },
-	{ "serial-update-method", &cfg_type_updatemethod, 0 },
-	{ "sig-signing-nodes", &cfg_type_uint32, 0 },
-	{ "sig-signing-signatures", &cfg_type_uint32, 0 },
-	{ "sig-signing-type", &cfg_type_uint32, 0 },
-	{ "sig-validity-interval", &cfg_type_validityinterval, 0 },
-	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
-	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "try-tcp-refresh", &cfg_type_boolean, 0 },
-	{ "update-check-ksk", &cfg_type_boolean, 0 },
-	{ "use-alt-transfer-source", &cfg_type_boolean, 0 },
-	{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
-	{ "zone-statistics", &cfg_type_zonestat, 0 },
+	{ "allow-notify", &cfg_type_bracketed_aml,
+		CFG_ZONE_SLAVE
+	},
+	{ "allow-query", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB
+	},
+	{ "allow-query-on", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB
+	},
+	{ "allow-transfer", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "allow-update", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER
+	},
+	{ "allow-update-forwarding", &cfg_type_bracketed_aml,
+		CFG_ZONE_SLAVE
+	},
+	{ "also-notify", &cfg_type_namesockaddrkeylist,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "alt-transfer-source", &cfg_type_sockaddr4wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "auto-dnssec", &cfg_type_autodnssec,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "check-dup-records", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-integrity", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "check-mx", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-mx-cname", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-sibling", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "check-spf", &cfg_type_warn,
+		CFG_ZONE_MASTER
+	},
+	{ "check-srv-cname", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-wildcard", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "dialup", &cfg_type_dialuptype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "dnssec-dnskey-kskonly", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "dnssec-loadkeys-interval", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "dnssec-secure-to-insecure", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "dnssec-update-mode", &cfg_type_dnssecupdatemode,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "forward", &cfg_type_forwardtype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD
+	},
+	{ "forwarders", &cfg_type_portiplist,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD
+	},
+	{ "inline-signing", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "key-directory", &cfg_type_qstring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "maintain-ixfr-base", &cfg_type_boolean,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "masterfile-format", &cfg_type_masterformat,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE |
+		CFG_ZONE_STUB | CFG_ZONE_REDIRECT
+	},
+	{ "masterfile-style", &cfg_type_masterstyle,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE |
+		CFG_ZONE_STUB | CFG_ZONE_REDIRECT
+	},
+	{ "max-ixfr-log-size", &cfg_type_size,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "max-journal-size", &cfg_type_size,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "max-records", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT
+	},
+	{ "max-refresh-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-retry-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-transfer-idle-in", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-transfer-idle-out", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "max-transfer-time-in", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-transfer-time-out", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "max-zone-ttl", &cfg_type_maxttl,
+		CFG_ZONE_MASTER | CFG_ZONE_REDIRECT
+	},
+	{ "min-refresh-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "min-retry-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "multi-master", &cfg_type_boolean,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "notify", &cfg_type_notifytype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-delay", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-source", &cfg_type_sockaddr4wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-source-v6", &cfg_type_sockaddr6wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-to-soa", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "nsec3-test-zone", &cfg_type_boolean,
+		CFG_CLAUSEFLAG_TESTONLY |
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "request-expire", &cfg_type_boolean,
+		CFG_ZONE_SLAVE
+	},
+	{ "request-ixfr", &cfg_type_boolean,
+		CFG_ZONE_SLAVE
+	},
+	{ "serial-update-method", &cfg_type_updatemethod,
+		CFG_ZONE_MASTER
+	},
+	{ "sig-signing-nodes", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "sig-signing-signatures", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "sig-signing-type", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "sig-validity-interval", &cfg_type_validityinterval,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "transfer-source", &cfg_type_sockaddr4wild,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "transfer-source-v6", &cfg_type_sockaddr6wild,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "try-tcp-refresh", &cfg_type_boolean,
+		CFG_ZONE_SLAVE
+	},
+	{ "update-check-ksk", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "use-alt-transfer-source", &cfg_type_boolean,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "zero-no-soa-ttl", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "zone-statistics", &cfg_type_zonestat,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT
+	},
 	{ NULL, NULL, 0 }
 };
 
 /*%
- * Clauses that can be found in a 'zone' statement
- * only.
+ * Clauses that can be found in a 'zone' statement only.
+ *
+ * Note: CFG_ZONE_* options indicate in which zone types this clause is
+ * legal.
  */
 static cfg_clausedef_t
 zone_only_clauses[] = {
-	{ "type", &cfg_type_zonetype, 0 },
-	{ "file", &cfg_type_qstring, 0 },
-	{ "journal", &cfg_type_qstring, 0 },
-	{ "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "masters", &cfg_type_namesockaddrkeylist, 0 },
-	{ "pubkey", &cfg_type_pubkey,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
-	{ "update-policy", &cfg_type_updatepolicy, 0 },
-	{ "database", &cfg_type_astring, 0 },
-	{ "dlz", &cfg_type_astring, 0 },
-	{ "delegation-only", &cfg_type_boolean, 0 },
 	/*
 	 * Note that the format of the check-names option is different between
 	 * the zone options and the global/view options.  Ugh.
 	 */
-	{ "check-names", &cfg_type_checkmode, 0 },
-	{ "in-view", &cfg_type_astring, 0 },
-	{ "ixfr-from-differences", &cfg_type_boolean, 0 },
-	{ "server-addresses", &cfg_type_bracketed_sockaddrlist, 0 },
-	{ "server-names", &cfg_type_namelist, 0 },
+	{ "check-names", &cfg_type_checkmode,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE |
+		CFG_ZONE_HINT | CFG_ZONE_STUB
+	},
+	{ "database", &cfg_type_astring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "delegation-only", &cfg_type_boolean,
+		CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD
+	},
+	{ "dlz", &cfg_type_astring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_REDIRECT
+	},
+	{ "file", &cfg_type_qstring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_HINT | CFG_ZONE_REDIRECT
+	},
+	{ "in-view", &cfg_type_astring,
+		CFG_ZONE_INVIEW
+	},
+	{ "ixfr-base", &cfg_type_qstring,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "ixfr-from-differences", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "ixfr-tmp-file", &cfg_type_qstring,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "journal", &cfg_type_qstring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "masters", &cfg_type_namesockaddrkeylist,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB | CFG_ZONE_REDIRECT
+	},
+	{ "pubkey", &cfg_type_pubkey,
+		CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "server-addresses", &cfg_type_bracketed_sockaddrlist,
+		CFG_ZONE_STATICSTUB
+	},
+	{ "server-names", &cfg_type_namelist,
+		CFG_ZONE_STATICSTUB
+	},
+	{ "type", &cfg_type_zonetype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_DELEGATION | CFG_ZONE_HINT |
+		CFG_ZONE_REDIRECT | CFG_ZONE_FORWARD
+	},
+	{ "update-policy", &cfg_type_updatepolicy,
+		CFG_ZONE_MASTER
+	},
 	{ NULL, NULL, 0 }
 };
 
-
 /*% The top-level named.conf syntax. */
 
 static cfg_clausedef_t *
@@ -2160,7 +2334,7 @@ zone_clausesets[] = {
 	zone_clauses,
 	NULL
 };
-static cfg_type_t cfg_type_zoneopts = {
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_zoneopts = {
 	"zoneopts", cfg_parse_map, cfg_print_map,
 	cfg_doc_map, &cfg_rep_map, zone_clausesets };
 
@@ -3861,3 +4035,118 @@ static cfg_type_t cfg_type_maxttl = {
 	"maxttl_no_default", parse_maxttl, cfg_print_ustring, doc_maxttl,
 	&cfg_rep_string, maxttl_enums
 };
+
+static int cmp_clause(const void *ap, const void *bp) {
+	const cfg_clausedef_t *a = (const cfg_clausedef_t *)ap;
+	const cfg_clausedef_t *b = (const cfg_clausedef_t *)bp;
+	return (strcmp(a->name, b->name));
+}
+
+isc_boolean_t
+cfg_clause_validforzone(const char *name, unsigned int ztype) {
+	const cfg_clausedef_t *clause;
+	isc_boolean_t valid = ISC_FALSE;
+
+	for (clause = zone_clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & ztype) == 0 ||
+		    strcmp(clause->name, name) != 0)
+		{
+			continue;
+		}
+		valid = ISC_TRUE;
+	}
+	for (clause = zone_only_clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & ztype) == 0 ||
+		    strcmp(clause->name, name) != 0)
+		{
+			continue;
+		}
+		valid = ISC_TRUE;
+	}
+
+	return (valid);
+}
+
+void
+cfg_print_zonegrammar(const unsigned int zonetype,
+		      void (*f)(void *closure, const char *text, int textlen),
+		      void *closure)
+{
+#define NCLAUSES \
+	(((sizeof(zone_clauses) + sizeof(zone_only_clauses)) / \
+	  sizeof(clause[0])) - 1)
+
+	cfg_printer_t pctx;
+	cfg_clausedef_t *clause = NULL;
+	cfg_clausedef_t clauses[NCLAUSES];
+
+	pctx.f = f;
+	pctx.closure = closure;
+	pctx.indent = 0;
+	pctx.flags = 0;
+
+	memmove(clauses, zone_clauses, sizeof(zone_clauses));
+	memmove(clauses + sizeof(zone_clauses)/sizeof(zone_clauses[0]) - 1,
+	        zone_only_clauses, sizeof(zone_only_clauses));
+	qsort(clauses, NCLAUSES - 1, sizeof(clause[0]), cmp_clause);
+
+	cfg_print_cstr(&pctx, "zone <string> [ <class> ] {\n");
+	pctx.indent++;
+
+	switch (zonetype) {
+	case CFG_ZONE_MASTER:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type ( master | primary );\n");
+		break;
+	case CFG_ZONE_SLAVE:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type ( slave | secondary );\n");
+		break;
+	case CFG_ZONE_STUB:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type stub;\n");
+		break;
+	case CFG_ZONE_HINT:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type hint;\n");
+		break;
+	case CFG_ZONE_FORWARD:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type forward;\n");
+		break;
+	case CFG_ZONE_STATICSTUB:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type static-stub;\n");
+		break;
+	case CFG_ZONE_REDIRECT:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type redirect;\n");
+		break;
+	case CFG_ZONE_DELEGATION:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type delegation-only;\n");
+		break;
+	case CFG_ZONE_INVIEW:
+		/* no zone type is specified for these */
+		break;
+	default:
+		INSIST(0);
+	}
+
+	for (clause = clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & zonetype) == 0 ||
+		    strcasecmp(clause->name, "type") == 0) {
+			continue;
+		}
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, clause->name);
+		cfg_print_cstr(&pctx, " ");
+		cfg_doc_obj(&pctx, clause->type);
+		cfg_print_cstr(&pctx, ";");
+		cfg_print_clauseflags(&pctx, clause->flags);
+		cfg_print_cstr(&pctx, "\n");
+	}
+
+	pctx.indent--;
+	cfg_print_cstr(&pctx, "};\n");
+}
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 6d15e0c953..eb84363915 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -157,8 +157,8 @@ print_open(cfg_printer_t *pctx) {
 	}
 }
 
-static void
-print_indent(cfg_printer_t *pctx) {
+void
+cfg_print_indent(cfg_printer_t *pctx) {
 	int indent = pctx->indent;
 	if ((pctx->flags & CFG_PRINTER_ONELINE) != 0) {
 		cfg_print_cstr(pctx, " ");
@@ -174,7 +174,7 @@ static void
 print_close(cfg_printer_t *pctx) {
 	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0) {
 		pctx->indent--;
-		print_indent(pctx);
+		cfg_print_indent(pctx);
 	}
 	cfg_print_cstr(pctx, "}");
 }
@@ -1467,7 +1467,7 @@ print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 			cfg_print_obj(pctx, elt->obj);
 			cfg_print_cstr(pctx, "; ");
 		} else {
-			print_indent(pctx);
+			cfg_print_indent(pctx);
 			cfg_print_obj(pctx, elt->obj);
 			cfg_print_cstr(pctx, ";\n");
 		}
@@ -1909,7 +1909,7 @@ cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
 static void
 print_symval(cfg_printer_t *pctx, const char *name, cfg_obj_t *obj) {
 	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0)
-		print_indent(pctx);
+		cfg_print_indent(pctx);
 
 	cfg_print_cstr(pctx, name);
 	cfg_print_cstr(pctx, " ");
@@ -1984,8 +1984,8 @@ static struct flagtext {
 	{ 0, NULL }
 };
 
-static void
-print_clause_flags(cfg_printer_t *pctx, unsigned int flags) {
+void
+cfg_print_clauseflags(cfg_printer_t *pctx, unsigned int flags) {
 	struct flagtext *p;
 	isc_boolean_t first = ISC_TRUE;
 	for (p = flagtexts; p->flag != 0; p++) {
@@ -2009,14 +2009,12 @@ cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
 	REQUIRE(type != NULL);
 
 	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
-		for (clause = *clauseset;
-		     clause->name != NULL;
-		     clause++) {
+		for (clause = *clauseset; clause->name != NULL; clause++) {
 			cfg_print_cstr(pctx, clause->name);
 			cfg_print_cstr(pctx, " ");
 			cfg_doc_obj(pctx, clause->type);
 			cfg_print_cstr(pctx, ";");
-			print_clause_flags(pctx, clause->flags);
+			cfg_print_clauseflags(pctx, clause->flags);
 			cfg_print_cstr(pctx, "\n\n");
 		}
 	}
@@ -2058,16 +2056,14 @@ cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
 	print_open(pctx);
 
 	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
-		for (clause = *clauseset;
-		     clause->name != NULL;
-		     clause++) {
-			print_indent(pctx);
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			cfg_print_indent(pctx);
 			cfg_print_cstr(pctx, clause->name);
 			if (clause->type->print != cfg_print_void)
 				cfg_print_cstr(pctx, " ");
 			cfg_doc_obj(pctx, clause->type);
 			cfg_print_cstr(pctx, ";");
-			print_clause_flags(pctx, clause->flags);
+			cfg_print_clauseflags(pctx, clause->flags);
 			cfg_print_cstr(pctx, "\n");
 		}
 	}
@@ -2115,6 +2111,55 @@ cfg_map_count(const cfg_obj_t *mapobj) {
 	return (isc_symtab_count(map->symtab));
 }
 
+const char *
+cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
+		    unsigned int *idx)
+{
+	cfg_clausedef_t * const * clauseset;
+
+	REQUIRE(map != NULL && map->rep == &cfg_rep_map);
+	REQUIRE(idx != NULL);
+	REQUIRE(clauses != NULL && *clauses == NULL);
+
+	clauseset = map->of;
+	if (*clauseset == NULL) {
+		return (NULL);
+	}
+	*clauses = *clauseset;
+	*idx = 0;
+	while ((*clauseset)[*idx].name == NULL) {
+		*clauses = (*++clauseset);
+		if (*clauses == NULL)
+			return (NULL);
+	}
+	return ((*clauseset)[*idx].name);
+}
+
+const char *
+cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
+		   unsigned int *idx)
+{
+	cfg_clausedef_t * const * clauseset;
+
+	REQUIRE(map != NULL && map->rep == &cfg_rep_map);
+	REQUIRE(idx != NULL);
+	REQUIRE(clauses != NULL && *clauses != NULL);
+
+	clauseset = map->of;
+	while (*clauseset != NULL && *clauseset != *clauses) {
+		clauseset++;
+	}
+	INSIST(*clauseset == *clauses);
+	(*idx)++;
+	while ((*clauseset)[*idx].name == NULL) {
+		*idx = 0;
+		*clauses = (*++clauseset);
+		if (*clauses == NULL)
+			return (NULL);
+	}
+	return ((*clauseset)[*idx].name);
+}
+
 /* Parse an arbitrary token, storing its raw text representation. */
 static isc_result_t
 parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
diff --git a/lib/isccfg/tests/parser_test.c b/lib/isccfg/tests/parser_test.c
index 175492675a..8f42c4aa0d 100644
--- a/lib/isccfg/tests/parser_test.c
+++ b/lib/isccfg/tests/parser_test.c
@@ -134,10 +134,56 @@ ATF_TC_BODY(parse_buffer, tc) {
 	cleanup();
 }
 
+ATF_TC(cfg_map_firstclause);
+ATF_TC_HEAD(cfg_map_firstclause, tc) {
+	atf_tc_set_md_var(tc, "descr", "cfg_map_firstclause");
+}
+ATF_TC_BODY(cfg_map_firstclause, tc) {
+	const char *name = NULL;
+	const void *clauses = NULL;
+	unsigned int idx;
+
+	UNUSED(tc);
+
+	name = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &idx);
+	ATF_CHECK(name != NULL);
+	ATF_CHECK(clauses != NULL);
+	ATF_CHECK_EQ(idx, 0);
+}
+
+ATF_TC(cfg_map_nextclause);
+ATF_TC_HEAD(cfg_map_nextclause, tc) {
+	atf_tc_set_md_var(tc, "descr", "cfg_map_firstclause");
+}
+ATF_TC_BODY(cfg_map_nextclause, tc) {
+	const char *name = NULL;
+	const void *clauses = NULL;
+	unsigned int idx;
+
+	UNUSED(tc);
+
+	name = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &idx);
+	ATF_REQUIRE(name != NULL);
+	ATF_REQUIRE(clauses != NULL);
+	ATF_REQUIRE_EQ(idx, ISC_R_SUCCESS);
+
+	do {
+		name = cfg_map_nextclause(&cfg_type_zoneopts, &clauses, &idx);
+		if (name != NULL) {
+			ATF_CHECK(clauses != NULL);
+		} else {
+			ATF_CHECK_EQ(clauses, NULL);
+			ATF_CHECK_EQ(idx, 0);
+		}
+	} while (name != NULL);
+}
+
 /*
  * Main
  */
 ATF_TP_ADD_TCS(tp) {
 	ATF_TP_ADD_TC(tp, parse_buffer);
+	ATF_TP_ADD_TC(tp, cfg_map_firstclause);
+	ATF_TP_ADD_TC(tp, cfg_map_nextclause);
 	return (atf_no_error());
 }