Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -58,7 +58,7 @@
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -69,14 +69,14 @@
Table of Contents
The Berkeley Internet Name Domain (BIND) implements a @@ -87,7 +87,7 @@
In this document, Chapter 1 introduces the basic DNS and BIND concepts. Chapter 2 @@ -116,7 +116,7 @@
In this document, we use the following general typographic conventions: @@ -243,7 +243,7 @@
The purpose of this document is to explain the installation and upkeep of the BIND (Berkeley Internet @@ -253,7 +253,7 @@
The Domain Name System (DNS) is a hierarchical, distributed database. It stores information for mapping Internet host names to @@ -275,7 +275,7 @@
The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree, @@ -321,7 +321,7 @@
To properly operate a name server, it is important to understand the difference between a zone @@ -374,7 +374,7 @@
Each zone is served by at least one authoritative name server, @@ -391,7 +391,7 @@
The authoritative server where the master copy of the zone data is maintained is called the @@ -411,7 +411,7 @@
The other authoritative servers, the slave servers (also known as secondary servers) @@ -427,7 +427,7 @@
Usually all of the zone's authoritative servers are listed in NS records in the parent zone. These NS records constitute @@ -462,7 +462,7 @@
The resolver libraries provided by most operating systems are stub resolvers, meaning that they are not @@ -489,7 +489,7 @@
Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can @@ -516,7 +516,7 @@
The BIND name server can simultaneously act as diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 377f21de39..5faa556b8c 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -1,5 +1,5 @@ - +
@@ -45,16 +45,16 @@Table of Contents
DNS hardware requirements have traditionally been quite modest. @@ -73,7 +73,7 @@
CPU requirements for BIND 9 range from i486-class machines @@ -84,7 +84,7 @@
The memory of the server has to be large enough to fit the cache and zones loaded off disk. The max-cache-size @@ -107,7 +107,7 @@
For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and @@ -124,7 +124,7 @@
ISC BIND 9 compiles and runs on a large number diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index f8fdfd8ea1..1037104077 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -1,5 +1,5 @@ - +
@@ -47,14 +47,14 @@The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All @@ -98,7 +98,7 @@ zone "0.0.127.in-addr.arpa" {
This sample configuration is for an authoritative-only server
that is the master server for "example.com"
@@ -146,7 +146,7 @@ zone "eng.example.com" {
A primitive form of load balancing can be achieved in the DNS by using multiple records @@ -289,10 +289,10 @@ zone "eng.example.com" {
This section describes several indispensable diagnostic, administrative and monitoring tools available to the system @@ -786,7 +786,7 @@ controls {
Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index ae5341ce84..9ac1d2709a 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1,5 +1,5 @@ - +
@@ -49,29 +49,29 @@Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -254,7 +254,7 @@
Let's say a company named Example, Inc.
(example.com)
@@ -511,7 +511,7 @@ nameserver 172.16.72.4
A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must @@ -519,7 +519,7 @@ nameserver 172.16.72.4
The following command will generate a 128-bit (16 byte) HMAC-SHA256 key as described above. Longer keys are better, but shorter keys @@ -543,7 +543,7 @@ nameserver 172.16.72.4
The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming @@ -558,7 +558,7 @@ nameserver 172.16.72.4
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. @@ -566,7 +566,7 @@ nameserver 172.16.72.4
Imagine host1 and host 2 are @@ -593,7 +593,7 @@ key host1-host2. {
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the named.conf file
@@ -625,7 +625,7 @@ server 10.1.2.3 {
BIND allows IP addresses and ranges to be specified in ACL @@ -652,7 +652,7 @@ allow-update { key host1-host2. ;};
The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware @@ -678,7 +678,7 @@ allow-update { key host1-host2. ;};
TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of @@ -714,7 +714,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -775,7 +775,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to generate keys. @@ -831,7 +831,7 @@ allow-update { key host1-host2. ;};
The dnssec-signzone program is used to sign a zone. @@ -873,7 +873,7 @@ allow-update { key host1-host2. ;};
To enable named to respond appropriately to DNS requests from DNSSEC aware clients, @@ -1019,7 +1019,7 @@ options {
BIND 9 fully supports all currently defined forms of IPv6 name to address and address to name @@ -1057,7 +1057,7 @@ options {
The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire @@ -1076,7 +1076,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index c4d9bb4c3a..af79f61231 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -1,5 +1,5 @@ - +
@@ -45,13 +45,13 @@Table of Contents
Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index b5c1c1e4eb..295c829b8d 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -1,5 +1,5 @@ - +
@@ -48,58 +48,58 @@address_match_list= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element= [ ! ] (ip_address [/length] | @@ -486,7 +486,7 @@Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -570,7 +570,7 @@
The BIND 9 comment syntax allows for comments to appear @@ -580,7 +580,7 @@
/* This is a BIND comment as in C */@@ -596,7 +596,7 @@Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -848,7 +848,7 @@
acl acl-name { address_match_list }; @@ -930,7 +930,7 @@controls { [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} @@ -1054,12 +1054,12 @@includefilename;The include statement inserts the @@ -1074,7 +1074,7 @@
keykey_id{ algorithmstring; secretstring; @@ -1083,7 +1083,7 @@The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1130,7 +1130,7 @@
logging { [ channelchannel_name{ ( filepath_name@@ -1154,7 +1154,7 @@The logging statement configures a @@ -1188,7 +1188,7 @@
All log output goes to one or more channels; you can make as many of them as you want. @@ -1753,7 +1753,7 @@ category notify { null; };
The query-errors category is specifically intended for debugging purposes: To identify @@ -1981,7 +1981,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the lwres statement in the
named.conffile: @@ -1997,7 +1997,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]The lwres statement configures the name @@ -2048,7 +2048,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
mastersname[portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; @@ -2056,7 +2056,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]masters lists allow for a common set of masters to be easily used by @@ -2065,7 +2065,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options statement in the
named.conffile: @@ -3517,7 +3517,7 @@ options {The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3561,7 +3561,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -3758,7 +3758,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4210,7 +4210,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports, avoid-v4-udp-ports, @@ -4252,7 +4252,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4414,7 +4414,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -5210,7 +5210,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5540,7 +5540,7 @@ deny-answer-aliases { "example.net"; };
The statistics-channels statement @@ -5591,7 +5591,7 @@ deny-answer-aliases { "example.net"; };
trusted-keys {stringnumbernumbernumberstring; [stringnumbernumbernumberstring; [...]] @@ -5600,7 +5600,7 @@ deny-answer-aliases { "example.net"; };The trusted-keys statement defines @@ -5640,7 +5640,7 @@ deny-answer-aliases { "example.net"; };
managed-keys {stringinitial-keynumbernumbernumberstring; [stringinitial-keynumbernumbernumberstring; [...]] @@ -5649,7 +5649,7 @@ deny-answer-aliases { "example.net"; };The managed-keys statement, like @@ -5775,7 +5775,7 @@ deny-answer-aliases { "example.net"; };
The view statement is a powerful feature @@ -6055,10 +6055,10 @@ zone
zone_name[
@@ -6269,7 +6269,7 @@ zone zone_name[The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), @@ -6291,7 +6291,7 @@ zonezone_name[@@ -6975,7 +6975,7 @@ zonezone_name[A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7712,7 +7712,7 @@ zone
zone_name[RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7915,7 +7915,7 @@ zone
zone_name[As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -8171,7 +8171,7 @@ zone
zone_name[Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -8232,7 +8232,7 @@ zone
zone_name[The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -8247,7 +8247,7 @@ zone
zone_name[When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -8258,7 +8258,7 @@ zone
zone_name[Syntax: $ORIGIN
domain-name@@ -8287,7 +8287,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename@@ -8323,7 +8323,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl@@ -8342,7 +8342,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range@@ -8766,7 +8766,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9323,7 +9323,7 @@ HOST-127.EXAMPLE. MX 0 . diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 9cf174fa8e..bcf074ff39 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@
@@ -9477,7 +9477,7 @@ HOST-127.EXAMPLE. MX 0 . @@ -50,7 +50,7 @@
@@ -9860,7 +9860,7 @@ HOST-127.EXAMPLE. MX 0 . Socket I/O statistics counters are defined per socket types, which are @@ -10015,7 +10015,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index f1e1e0bd09..1598d4300b 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -1,5 +1,5 @@ - +
@@ -46,10 +46,10 @@Table of Contents
@@ -122,7 +122,7 @@ zone "example.com" {On UNIX servers, it is possible to run BIND @@ -148,7 +148,7 @@ zone "example.com" {
In order for a chroot environment to @@ -176,7 +176,7 @@ zone "example.com" {
Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 548ae88740..a2b83abf5a 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -1,5 +1,5 @@ - +
@@ -45,18 +45,18 @@Table of Contents
The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@
The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 17a3a8785b..665a77d36a 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -1,5 +1,5 @@ - +
@@ -45,21 +45,21 @@Table of Contents
@@ -268,42 +268,42 @@Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-@@ -312,19 +312,19 @@[RFC3645] Generic Security Service Algorithm for Secret +
[RFC3645] Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-@@ -332,146 +332,146 @@[RFC4035] Protocol Modifications for the DNS +
[RFC4035] Protocol Modifications for the DNS Security Extensions. March 2005.
Other Important RFCs About DNS Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely +
[RFC1535] A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.
-[RFC1536] Common DNS Implementation +
[RFC1536] Common DNS Implementation Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS +
[RFC4074] Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using +
[RFC2168] Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the +
[RFC1876] A Means for Expressing Location Information in the Domain Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the +
[RFC2052] A DNS RR for Specifying the Location of Services.. October 1996.
-[RFC2163] Using the Internet DNS to +
[RFC2163] Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names +
[RFC1101] DNS Encoding of Network Names and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and +
[RFC1123] Requirements for Internet Hosts - Application and Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide.. November 1987.
-[RFC1912] Common DNS Operational and +
[RFC1912] Common DNS Operational and Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names, +
[RFC2825] A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.
-@@ -487,47 +487,47 @@[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
-[RFC1464] Using the Domain Name System To Store Arbitrary String +
[RFC1464] Using the Domain Name System To Store Arbitrary String Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via +
[RFC3258] Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
@@ -541,39 +541,39 @@Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical +
[RFC1712] DNS Encoding of Geographical Location. November 1994.
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC) +
[RFC3008] Domain Name System Security (DNSSEC) Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record +
[RFC3757] Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.
-@@ -594,14 +594,14 @@[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
-diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 5814e13593..9bf4f711e4 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -1,5 +1,5 @@ - + @@ -106,6 +106,9 @@ genrandom — generate a file containing random dataDNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND + +nsec3hash — generate NSEC3 hash diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 64c2219943..2e7e57f11b 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -1,5 +1,5 @@ - + @@ -41,7 +41,7 @@-+Copyright © 2004-2009 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
@@ -51,39 +51,39 @@
- 1. Introduction
- 2. BIND Resource Requirements
- 3. Name Server Configuration
- 4. Advanced DNS Features
@@ -92,34 +92,34 @@- Dynamic Update
- Incremental Zone Transfers (IXFR)
-- Split DNS
-- +
- Split DNS
+- TSIG
- -
-
- Generate Shared Keys for Each Pair of Hosts
-- Copying the Shared Secret to Both Machines
-- Informing the Servers of the Key's Existence
-- Instructing the Server to Use the Key
-- TSIG Key Based Access Control
-- Errors
+- Generate Shared Keys for Each Pair of Hosts
+- Copying the Shared Secret to Both Machines
+- Informing the Servers of the Key's Existence
+- Instructing the Server to Use the Key
+- TSIG Key Based Access Control
+- Errors
- TKEY
-- SIG(0)
+- TKEY
+- SIG(0)
- DNSSEC
- -
- IPv6 Support in BIND 9
+- IPv6 Support in BIND 9
5. The BIND 9 Lightweight Resolver 6. BIND 9 Configuration Reference @@ -127,58 +127,58 @@Configuration File Elements Configuration File Grammar - -
- acl Statement Grammar
+- acl Statement Grammar
- acl Statement Definition and Usage
-- controls Statement Grammar
+- controls Statement Grammar
- controls Statement Definition and Usage
-- include Statement Grammar
-- include Statement Definition and +
- include Statement Grammar
+- include Statement Definition and Usage
-- key Statement Grammar
-- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and +
- key Statement Grammar
+- key Statement Definition and Usage
+- logging Statement Grammar
+- logging Statement Definition and Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and +
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and Usage
- server Statement Grammar
- server Statement Definition and Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and +
- statistics-channels Statement Definition and Usage
-- trusted-keys Statement Grammar
-- trusted-keys Statement Definition +
- trusted-keys Statement Grammar
+- trusted-keys Statement Definition and Usage
-- managed-keys Statement Grammar
-- managed-keys Statement Definition +
- managed-keys Statement Grammar
+- managed-keys Statement Definition and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File +Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics @@ -187,31 +187,31 @@7. BIND 9 Security Considerations 8. Troubleshooting A. Appendices I. Manual pages @@ -274,6 +274,9 @@ genrandom — generate a file containing random data+isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND + +nsec3hash — generate NSEC3 hash diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 7524e7595a..1f447dd407 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,20 +50,20 @@
arpaname{ipaddress...}-diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index f4dc1966de..afe589f33d 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen[-a] [algorithm-h] [-k] [keyname-r] [ -srandomfilename| -zzone] [-q] [name]-diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 1f53b6e045..8224d5ed9b 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1,5 +1,5 @@ - + @@ -52,7 +52,7 @@DESCRIPTION
+DESCRIPTION
ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -77,7 +77,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@
-OPTIONS
+OPTIONS
The
-boption sets the source IP address of the query toaddress. This must be a valid @@ -248,7 +248,7 @@-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index cfadd6ea7b..931802ac53 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -1,5 +1,5 @@ - + @@ -51,14 +51,14 @@
dnssec-dsfromkey{-s} [-1] [-2] [-a] [alg-K] [directory-l] [domain-s] [-c] [class-f] [file-A] [-v] {dnsname}level-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -148,13 +148,13 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 74187e79f5..6b8a0aa32d 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -164,7 +164,7 @@
dnssec-keyfromlabel{-llabel} [-3] [-a] [algorithm-A] [date/offset-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-I] [date/offset-k] [-K] [directory-n] [nametype-P] [date/offset-p] [protocol-R] [date/offset-t] [type-v] {name}level-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -63,7 +63,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -221,7 +221,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -260,7 +260,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 45339becf8..5c9b5301d1 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -268,7 +268,7 @@
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-3] [-A] [date/offset-C] [-c] [class-D] [date/offset-E] [engine-e] [-f] [flag-G] [-g] [generator-h] [-I] [date/offset-K] [directory-k] [-P] [date/offset-p] [protocol-q] [-R] [date/offset-r] [randomdev-s] [strength-t] [type-v] [level-z] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -303,7 +303,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -370,7 +370,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 121e5803cb..3d1b9d8d58 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -379,7 +379,7 @@
dnssec-revoke[-hr] [-v] [level-K] [directory-E] [engine-f] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index ddf19a5d8e..b8983c755a 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime[-f] [-K] [directory-P] [date/offset-A] [date/offset-R] [date/offset-I] [date/offset-D] [date/offset-h] [-v] [level-E] {keyfile}engine-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P,-A, @@ -75,7 +75,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -151,7 +151,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -177,7 +177,7 @@
-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 144eab499a..7b038bf795 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -185,7 +185,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-E] [engine-e] [end-time-f] [output-file-g] [-h] [-K] [directory-k] [key-l] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-p] [-P] [-r] [randomdev-S] [-s] [start-time-T] [ttl-t] [-u] [-v] [level-x] [-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 9acce7812b..e520c1c781 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -23,7 +23,7 @@ - +DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
genrandom{size} {filename}-@@ -91,14 +91,14 @@DESCRIPTION
+DESCRIPTION
genrandom generates a file containing a specified quantity of pseudo-random @@ -59,7 +59,7 @@
Prev Up -Next + Next arpaname Home -nsec3hash + isc-hmac-fixup
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index f12f06ed37..993499bd4e 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -14,12 +14,12 @@ - PERFORMANCE OF THIS SOFTWARE. --> - +isc-hmac-fixup - + @@ -50,7 +50,7 @@
isc-hmac-fixup{algorithm} {secret}-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
-diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 8c0cb08ec6..b8a49a5c50 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-p] [-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 8aa496de48..ce749c35fc 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -1,5 +1,5 @@ - + @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-i] [mode-k] [mode-m] [mode-n] [mode-o] [filename-r] [mode-s] [style-t] [directory-w] [directory-D] [-W] {mode-o} {zonename} {filename}filename-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 084221fdae..e5e80e0641 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint{journal}-diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index dbcfdc2433..e2ca1e7448 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named[-4] [-6] [-c] [config-file-d] [debug-level-E] [engine-name-f] [-g] [-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -267,7 +267,7 @@
-diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index dbc22996eb..8d0061937b 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@ - +CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -284,7 +284,7 @@
-@@ -97,13 +97,13 @@DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
-Prev +PrevUp diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index b89380952e..ba1b667052 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@ -genrandom +isc-hmac-fixupHome
nsupdate[-d] [-D] [[-g] | [-o] | [-l] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -210,7 +210,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 166f01ce50..ffe3c9abd3 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -1,5 +1,5 @@ - +
@@ -50,7 +50,7 @@
rndc-confgen[-a] [-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index bc0a024312..d2b0a83d51 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 1fa7fb5df1..e14da5cec4 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1,5 +1,5 @@ - + @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -219,7 +219,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-V] [-y] {command}key_id