+ --- 9.15.6 released ---
+
5319. [func] Trust anchors can now be configured using DS
format to represent a key digest, by using the
new "initial-ds" or "static-ds" keywords in
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with
-RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
-cryptography library. Atomic operations support from the compiler is
-needed, either in the form of builtin operations, C11 atomics or the
-Interlocked family of functions on Windows.
+RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
+asynchronous I/O library, and the OpenSSL cryptography library. Atomic
+operations support from the compiler is needed, either in the form of
+builtin operations, C11 atomics, or the Interlocked family of functions on
+Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x).
For some of the older systems listed below, you will have to install
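Review bot: the minimum libuv version is left undefined. This hunk turns libuv into a hard build requirement, yet the sentence that follows still says "requires fairly recent version of libuv library to run (>= 1.x)", which names no usable floor; state the actual minimum release and fix the grammar ("requires a fairly recent version of the libuv library"). The new requirement sentence itself reads fine.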
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
-IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
-Atomic operations support from the compiler is needed, either in the form of
-builtin operations, C11 atomics or the Interlocked family of functions on
-Windows.
+IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
+and the OpenSSL cryptography library. Atomic operations support from the
+compiler is needed, either in the form of builtin operations, C11 atomics,
+or the `Interlocked` family of functions on Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). For
some of the older systems listed below, you will have to install updated libuv
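Review bot: same requirement text as the plain-text README, so keep the two in lockstep. The following "(>= 1.x)" sentence should name the concrete minimum libuv version here too, and the backticks on `libuv` and `Interlocked` are a markdown-only difference, which is fine as long as the wording stays identical in both files.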
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
-For up-to-date versions and release notes, see https://www.isc.org/download/.
+For up-to-date versions and release notes, see https://www.isc.org/
+download/.
For information about supported platforms, see PLATFORMS.
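Review bot: splitting the URL across a line break ("https://www.isc.org/" followed by "download/.") makes it non-copyable as a unit and defeats URL auto-detection in terminals and viewers. Keep https://www.isc.org/download/ on one line even if it exceeds the wrap column, e.g. end the preceding line after "see" and put the URL alone on the next line.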
BIND 9.15 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.14 and earlier releases. New features include:
+ * New "dnssec-policy" statement to configure a key and signing policy
+ for zones, enabling automatic key regeneration and rollover.
+ * New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
- * Improved DNSSEC key configuration using dnssec-keys
+ * Improved DNSSEC trust anchor configuration using dnssec-keys,
+ permitting configuration of trust anchors in DS as well as DNSKEY
+ format.
* YAML output for dig, mdig, and delv.
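Review bot: "New new network manager based on libuv." doubles the word; it should read "New network manager based on libuv." Also, "Support for the new GeoIP2 geolocation API" is the only bullet in this list without a trailing period.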
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. Successful builds have
-been observed on many versions of Linux and UNIX, including RHEL/CentOS,
-Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
-NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
-OpenWRT.
-
-BIND requires a cryptography provider library such as OpenSSL or a
-hardware service module supporting PKCS#11. On Linux, BIND requires the
-libcap library to set process privileges, though this requirement can be
-overridden by disabling capability support at compile time. See
-Compile-time options below for details on other libraries that may be
-required to support optional features.
+basic POSIX support, and a 64-bit integer type. BIND also requires the
+libuv asynchronous I/O library, and a cryptography provider library such
+as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
+requires the libcap library to set process privileges, though this
+requirement can be overridden by disabling capability support at compile
+time. See Compile-time options below for details on other libraries that
+may be required to support optional features.
+
+Successful builds have been observed on many versions of Linux and UNIX,
+including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
+Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
+HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See win32utils/
build.txt for details on building for Windows systems.
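Review bot: "hardware service module supporting PKCS#11" should be "hardware security module" (that is what HSM stands for). The phrase is carried over from the removed lines, but since this hunk rewrites the paragraph anyway, correct it now. The reordering (requirements first, then the platform list) is an improvement.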
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
-* A new network manager based on libuv.
+* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using `dnssec-keys`
+* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
+ permitting configuration of trust anchors in DS as well as
+ DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
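Review bot: this hunk replaces the correct "* A new network manager based on libuv." with "* New new network manager based on libuv.", which is a regression introduced by the patch. Drop the change to that bullet, or make it "New network manager based on libuv." if the goal is to match the plain-text README.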
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. Successful builds have been
-observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
-Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
-OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
-
-BIND requires a cryptography provider library such as OpenSSL or a
-hardware service module supporting PKCS#11. On Linux, BIND requires
-the `libcap` library to set process privileges, though this requirement
-can be overridden by disabling capability support at compile time.
-See [Compile-time options](#opts) below for details on other libraries
-that may be required to support optional features.
+basic POSIX support, and a 64-bit integer type. BIND also requires the
+`libuv` asynchronous I/O library, and a cryptography provider library
+such as OpenSSL or a hardware service module supporting PKCS#11. On
+Linux, BIND requires the `libcap` library to set process privileges,
+though this requirement can be overridden by disabling capability
+support at compile time. See [Compile-time options](#opts) below
+for details on other libraries that may be required to support
+optional features.
+
+Successful builds have been observed on many versions of Linux and
+UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
+Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
+OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See
`win32utils/build.txt` for details on building for Windows
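Review bot: "hardware service module" should be "hardware security module" here as in the plain-text README; the markdown and plain-text copies of this paragraph should remain word-for-word identical apart from the backticks and the link.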
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
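Review bot: the synopsis gains "-d bits" next to the existing "-b keysize", and gains "-T rrtype", but the option entries added by this patch cover -d, -k and -l only. Confirm that an OPTIONS entry for -T rrtype exists, and spell out in the -b and -d entries how the two key-size options relate (alias, precedence, or one deprecated in favour of the other); as it stands a reader cannot tell which to use.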
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE
.PP
+\-d \fIbits\fR
+.RS 4
+Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&.
+.RE
+.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
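Review bot: "NSEC3RSASA1" is a typo for "NSEC3RSASHA1", and "must be in range 1024-4096" should read "must be in the range 1024-4096". Both the roff and HTML outputs appear to be DocBook-generated (see the DocBook XSL generator header on named.conf.5 further down), so fix the .docbook source rather than these generated files so both outputs regenerate consistently.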
Sets the directory in which the key files are to be written\&.
.RE
.PP
+\-k \fIpolicy\fR
+.RS 4
+Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys,
+\fBdnssec\-keygen\fR
+will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&.
+.sp
+This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that
+\fBdnssec\-keygen\fR
+provides\&.
+.RE
+.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
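Review bot: "it cannot be used together with many of the other options" leaves the user guessing which combinations are rejected. List the incompatible options explicitly, or at least say which categories the policy supplies (algorithm, key size, key type, timing) and that the tool reports an error naming the conflicting option. Also state where the ".state" file is written and how it is named, so operators know what to back up alongside the .key and .private files.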
is the same as leaving it unset\&.
.RE
.PP
+\-l \fIfile\fR
+.RS 4
+Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with
+\fB\-k\fR)\&.
+.RE
+.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
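Review bot: the -l entry should say what happens when -k is given without -l: whether a default configuration file is read or -l is mandatory. It should also say whether the file is parsed as a complete named.conf or only its dnssec-policy statements are honoured, since that determines whether an operator can point it at the live configuration.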
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-k</code>]
+ [<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+ [<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
+ [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
the specified class. If not specified, class IN is used.
</p>
</dd>
+<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
+<dd>
+ <p>
+ Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
+ RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
+ DH size is between 128 and 4096. This option is ignored for
+ algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
+ </p>
+ </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
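Review bot: the same "NSEC3RSASA1" typo (for "NSEC3RSASHA1") and "in range 1024-4096" wording appear here as in the roff output; one correction in the DocBook source covers both generated files.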
Sets the directory in which the key files are to be written.
</p>
</dd>
+<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
+<dd>
+ <p>
+ Create keys for a specific dnssec-policy. If a policy uses
+ multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
+ multiple keys. This will also create a ".state" file to keep
+ track of the key state.
+ </p>
+ <p>
+ This option creates keys according to the dnssec-policy
+ configuration, hence it cannot be used together with many of
+ the other options that <span class="command"><strong>dnssec-keygen</strong></span>
+ provides.
+ </p>
+ </dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
+<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
+<dd>
+ <p>
+ Provide a configuration file that contains a dnssec-policy
+ statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
+ </p>
+ </dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
-\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-s\fR] [\fB\-g\ \fR\fB\fIstate\fR\fR] [\fB\-d\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-z\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
.PP
When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key
and
-Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
+Knnnn\&.+aaa+iiiii\&.private) are regenerated\&.
+.PP
+Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
+.PP
+When working with state files, it is possible to update the timing metadata in those files as well with
+\fB\-s\fR\&. If this option is used you can also update key states with
+\fB\-d\fR
+(DS),
+\fB\-k\fR
+(DNSKEY),
+\fB\-r\fR
+(RRSIG of KSK), or
+\fB\-z\fR
+(RRSIG of ZSK)\&. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE\&.
+.PP
+You can also set the goal state of the key with
+\fB\-g\fR\&. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published)\&.
+.PP
+It is NOT RECOMMENDED to manipulate state files manually except for testing purposes\&.
.SH "OPTIONS"
.PP
\-f
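Review bot: "If this option is used you can also update key states" needs a comma after "used", and it reads as though -s is a prerequisite for -d, -k, -r and -z (and possibly -g). If that is the case, say so explicitly in one sentence ("-d, -k, -r, -z and -g require -s"); if -g works without -s, say that instead. "It is NOT RECOMMENDED to manipulate state files manually" would carry more weight with the consequence stated, i.e. what goes wrong with rollover when the recorded state no longer matches the zone.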
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
+.SH "KEY STATE OPTIONS"
+.PP
+Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE\&. These should not be set manually except for testing purposes\&.
+.PP
+\-s
+.RS 4
+When setting key timing data, also update the state file\&.
+.RE
+.PP
+\-g
+.RS 4
+Set the goal state for this key\&. Must be HIDDEN or OMNIPRESENT\&.
+.RE
+.PP
+\-d
+.RS 4
+Set the DS state for this key, and when it was last changed\&.
+.RE
+.PP
+\-k
+.RS 4
+Set the DNSKEY state for this key, and when it was last changed\&.
+.RE
+.PP
+\-r
+.RS 4
+Set the RRSIG (KSK) state for this key, and when it was last changed\&.
+.RE
+.PP
+\-z
+.RS 4
+Set the RRSIG (ZSK) state for this key, and when it was last changed\&.
+.RE
.SH "PRINTING OPTIONS"
.PP
\fBdnssec\-settime\fR
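Review bot: the KEY STATE OPTIONS headings omit the arguments the synopsis shows: "-g state", "-d state date/offset", "-k state date/offset", "-r state date/offset" and "-z state date/offset" are listed here as bare "-g", "-d", "-k", "-r", "-z". Write the headings with their arguments as in the synopsis, and for -d/-k/-r/-z say that the second argument is the time the state last changed and accepts the same date/offset syntax described for the timing options above. The -s entry should also name the ".state" file it updates, so the link to dnssec-keygen -k is clear.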
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+ [<code class="option">-s</code>]
+ [<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
+ [<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
{keyfile}
</p></div>
</div>
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
+ </p>
+ <p>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
+ <p>
+ When working with state files, it is possible to update the timing
+ metadata in those files as well with <code class="option">-s</code>. If this
+ option is used you can also update key states with <code class="option">-d</code>
+ (DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
+ or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
+ RUMOURED, OMNIPRESENT, and UNRETENTIVE.
+ </p>
+ <p>
+ You can also set the goal state of the key with <code class="option">-g</code>.
+ This should be either HIDDEN or OMNIPRESENT (representing whether the
+ key should be removed from the zone, or published).
+ </p>
+ <p>
+ It is NOT RECOMMENDED to manipulate state files manually except for
+ testing purposes.
+ </p>
</div>
<div class="refsection">
</div>
<div class="refsection">
-<a name="id-1.10"></a><h2>PRINTING OPTIONS</h2>
+<a name="id-1.10"></a><h2>KEY STATE OPTIONS</h2>
+
+ <p>
+ Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
+ These should not be set manually except for testing purposes.
+ </p>
+
+ <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-s</span></dt>
+<dd>
+ <p>
+ When setting key timing data, also update the state file.
+ </p>
+ </dd>
+<dt><span class="term">-g</span></dt>
+<dd>
+ <p>
+ Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
+ </p>
+ </dd>
+<dt><span class="term">-d</span></dt>
+<dd>
+ <p>
+ Set the DS state for this key, and when it was last changed.
+ </p>
+ </dd>
+<dt><span class="term">-k</span></dt>
+<dd>
+ <p>
+ Set the DNSKEY state for this key, and when it was last changed.
+ </p>
+ </dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+ <p>
+ Set the RRSIG (KSK) state for this key, and when it was last
+ changed.
+ </p>
+ </dd>
+<dt><span class="term">-z</span></dt>
+<dd>
+ <p>
+ Set the RRSIG (ZSK) state for this key, and when it was last
+ changed.
+ </p>
+ </dd>
+</dl></div>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.11"></a><h2>PRINTING OPTIONS</h2>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
</div>
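Review bot: the -g/-d/-k/-r/-z terms are missing their "state" and "date/offset" arguments here, matching the gap in the roff version; fix it once in the DocBook source. Separately, the new section takes over the anchor "id-1.10" that previously belonged to PRINTING OPTIONS, pushing PRINTING OPTIONS to "id-1.11" and SEE ALSO to "id-1.12", so any existing deep link to #id-1.10 or #id-1.11 now lands on a different section; if stable anchors matter for published documentation, give the refsections explicit names instead of relying on generated ids.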
<div class="refsection">
-<a name="id-1.11"></a><h2>SEE ALSO</h2>
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2019-08-07
+.\" Date: 2019-08-12
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
- initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ initial\-key | static\-ds | initial\-ds )
+ \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
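Review bot: the grammar shows the same "integer integer integer quoted_string" tail for both the -key and -ds forms, but the fields mean different things: for static-key/initial-key they are the DNSKEY flags, protocol and algorithm followed by the base64 public key, while for static-ds/initial-ds they are the DS key tag, algorithm and digest type followed by the hex digest. The positional grammar is fine, but the dnssec-keys option description must spell this out, and should say which digest types are accepted for the DS form so an operator does not configure an unsupported one and silently lose the trust anchor.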
.\}
.nf
managed\-keys { \fIstring\fR ( static\-key
- | initial\-key ) \fIinteger\fR
- \fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. }; deprecated
+ | initial\-key | static\-ds |
+ initial\-ds ) \fIinteger\fR \fIinteger\fR
+ \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi
.if n \{\
.RE
[ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
\fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
- in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
+ in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
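Review bot: renaming the grammar type from "ttlval" to "duration" across these options only helps if "duration" is defined in the man page's list of argument types (alongside integer, sizeval, percentage and so on) with its accepted syntax, and if the text states whether plain-seconds values that were valid for "ttlval" remain valid. Otherwise readers cannot tell whether existing configurations are affected. The per-option descriptions should use the same term as the grammar.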
fstrm\-set\-output\-notify\-threshold \fIinteger\fR;
fstrm\-set\-output\-queue\-model ( mpsc | spsc );
fstrm\-set\-output\-queue\-size \fIinteger\fR;
- fstrm\-set\-reopen\-interval \fIttlval\fR;
+ fstrm\-set\-reopen\-interval \fIduration\fR;
geoip\-directory ( \fIquoted_string\fR | none );
glue\-cache \fIboolean\fR;
heartbeat\-interval \fIinteger\fR;
hostname ( \fIquoted_string\fR | none );
inline\-signing \fIboolean\fR;
- interface\-interval \fIttlval\fR;
+ interface\-interval \fIduration\fR;
ixfr\-from\-differences ( primary | master | secondary | slave |
\fIboolean\fR );
keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
key\-directory \fIquoted_string\fR;
- lame\-ttl \fIttlval\fR;
+ lame\-ttl \fIduration\fR;
listen\-on [ port \fIinteger\fR ] [ dscp
\fIinteger\fR ] {
\fIaddress_match_element\fR; \&.\&.\&. };
masterfile\-style ( full | relative );
match\-mapped\-addresses \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
- max\-cache\-ttl \fIttlval\fR;
+ max\-cache\-ttl \fIduration\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
- max\-ncache\-ttl \fIttlval\fR;
+ max\-ncache\-ttl \fIduration\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
max\-refresh\-time \fIinteger\fR;
max\-retry\-time \fIinteger\fR;
max\-rsa\-exponent\-size \fIinteger\fR;
- max\-stale\-ttl \fIttlval\fR;
+ max\-stale\-ttl \fIduration\fR;
max\-transfer\-idle\-in \fIinteger\fR;
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
max\-udp\-size \fIinteger\fR;
- max\-zone\-ttl ( unlimited | \fIttlval\fR );
+ max\-zone\-ttl ( unlimited | \fIduration\fR );
memstatistics \fIboolean\fR;
memstatistics\-file \fIquoted_string\fR;
message\-compression \fIboolean\fR;
- min\-cache\-ttl \fIttlval\fR;
- min\-ncache\-ttl \fIttlval\fR;
+ min\-cache\-ttl \fIduration\fR;
+ min\-ncache\-ttl \fIduration\fR;
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
minimal\-any \fIboolean\fR;
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
[ dscp \fIinteger\fR ];
notify\-to\-soa \fIboolean\fR;
- nta\-lifetime \fIttlval\fR;
- nta\-recheck \fIttlval\fR;
+ nta\-lifetime \fIduration\fR;
+ nta\-recheck \fIduration\fR;
nxdomain\-redirect \fIstring\fR;
pid\-file ( \fIquoted_string\fR | none );
port \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
- \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
- \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
+ \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
+ \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
- break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
- min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
+ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
+ min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
[ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [
serial\-query\-rate \fIinteger\fR;
serial\-update\-method ( date | increment | unixtime );
server\-id ( \fIquoted_string\fR | none | hostname );
- servfail\-ttl \fIttlval\fR;
+ servfail\-ttl \fIduration\fR;
session\-keyalg \fIstring\fR;
session\-keyfile ( \fIquoted_string\fR | none );
session\-keyname \fIstring\fR;
sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
stacksize ( default | unlimited | \fIsizeval\fR );
stale\-answer\-enable \fIboolean\fR;
- stale\-answer\-ttl \fIttlval\fR;
+ stale\-answer\-ttl \fIduration\fR;
startup\-notify\-rate \fIinteger\fR;
statistics\-file \fIquoted_string\fR;
synth\-from\-dnssec \fIboolean\fR;
[ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
\fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
- in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
+ in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-keys { \fIstring\fR ( static\-key |
- initial\-key ) \fIinteger\fR \fIinteger\fR
- \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+ initial\-key | static\-ds | initial\-ds
+ ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
secret \fIstring\fR;
};
key\-directory \fIquoted_string\fR;
- lame\-ttl \fIttlval\fR;
+ lame\-ttl \fIduration\fR;
lmdb\-mapsize \fIsizeval\fR;
managed\-keys { \fIstring\fR (
static\-key | initial\-key
+ | static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR
\fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated
match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
match\-recursive\-only \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
- max\-cache\-ttl \fIttlval\fR;
+ max\-cache\-ttl \fIduration\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
- max\-ncache\-ttl \fIttlval\fR;
+ max\-ncache\-ttl \fIduration\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
max\-refresh\-time \fIinteger\fR;
max\-retry\-time \fIinteger\fR;
- max\-stale\-ttl \fIttlval\fR;
+ max\-stale\-ttl \fIduration\fR;
max\-transfer\-idle\-in \fIinteger\fR;
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
max\-udp\-size \fIinteger\fR;
- max\-zone\-ttl ( unlimited | \fIttlval\fR );
+ max\-zone\-ttl ( unlimited | \fIduration\fR );
message\-compression \fIboolean\fR;
- min\-cache\-ttl \fIttlval\fR;
- min\-ncache\-ttl \fIttlval\fR;
+ min\-cache\-ttl \fIduration\fR;
+ min\-ncache\-ttl \fIduration\fR;
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
minimal\-any \fIboolean\fR;
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
[ dscp \fIinteger\fR ];
notify\-to\-soa \fIboolean\fR;
- nta\-lifetime \fIttlval\fR;
- nta\-recheck \fIttlval\fR;
+ nta\-lifetime \fIduration\fR;
+ nta\-recheck \fIduration\fR;
nxdomain\-redirect \fIstring\fR;
plugin ( query ) \fIstring\fR [ {
\fIunspecified\-text\fR } ];
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
- \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
- \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
+ \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
+ \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
- break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
- min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
+ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
+ min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
[ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [
\fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
transfers \fIinteger\fR;
};
- servfail\-ttl \fIttlval\fR;
+ servfail\-ttl \fIduration\fR;
sig\-signing\-nodes \fIinteger\fR;
sig\-signing\-signatures \fIinteger\fR;
sig\-signing\-type \fIinteger\fR;
sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
stale\-answer\-enable \fIboolean\fR;
- stale\-answer\-ttl \fIttlval\fR;
+ stale\-answer\-ttl \fIduration\fR;
synth\-from\-dnssec \fIboolean\fR;
transfer\-format ( many\-answers | one\-answer );
transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
dnskey\-sig\-validity \fIinteger\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
+ dnssec\-policy \fIstring\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
file \fIquoted_string\fR;
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
- max\-zone\-ttl ( unlimited | \fIttlval\fR );
+ max\-zone\-ttl ( unlimited | \fIduration\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
multi\-master \fIboolean\fR;
dnskey\-sig\-validity \fIinteger\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
+ dnssec\-policy \fIstring\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
file \fIquoted_string\fR;
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
- max\-zone\-ttl ( unlimited | \fIttlval\fR );
+ max\-zone\-ttl ( unlimited | \fIduration\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
multi\-master \fIboolean\fR;
.if n \{\
.RE
.\}
+.SH "DNSSEC-POLICY"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+dnssec\-policy \fIstring\fR {
+ dnskey\-ttl \fIttlval\fR;
+ keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
+ parent\-ds\-ttl \fIduration\fR;
+ parent\-propagation\-delay \fIduration\fR;
+ parent\-registration\-delay \fIduration\fR;
+ publish\-safety \fIduration\fR;
+ retire\-safety \fIduration\fR;
+ signatures\-refresh \fIduration\fR;
+ signatures\-validity \fIduration\fR;
+ signatures\-validity\-dnskey \fIduration\fR;
+ zone\-max\-ttl \fIduration\fR;
+ zone\-propagation\-delay \fIduration\fR;
+};
+.fi
+.if n \{\
+.RE
+.\}
.SH "FILES"
.PP
/etc/named\&.conf
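Review bot: In the new DNSSEC-POLICY grammar, `dnskey\-ttl \fIttlval\fR;` (the first line inside `dnssec\-policy \fIstring\fR {`) still uses the ttlval type that the rest of this patch renames to duration; every other TTL-valued option in the block and every ttlval elsewhere in the visible hunks becomes `\fIduration\fR`, so this one should too unless dnskey-ttl deliberately keeps a distinct type, in which case the reason belongs in the change. The `keys { ( csk | ksk | zsk ) ... }` line is also far longer than the wrapping used in the rest of the .nf block (compare the response\-policy grammar above) and has a stray space before its `;`; wrapping it after `key\-directory` would keep the man page readable at 80 columns.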
<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    initial-key | static-ds | initial-ds )<br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
-    | initial-key ) <em class="replaceable"><code>integer</code></em><br>
-Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
+    | initial-key | static-ds |<br>
+    initial-ds ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
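Review bot: The added line carrying the three `<em class="replaceable"><code>integer</code></em>` tokens in the DNSSEC-KEYS literallayout indents and separates them with non-breaking spaces (rendered here as `Â `), while the adjacent `quoted_string` line and the rest of the block use ordinary spaces; the options-block copy of this grammar further down has the same mix, with the closing `)` pushed onto an nbsp-indented line of its own. Even if the HTML is generated, the two copies and the troff version should wrap at the same points, and mixed nbsp/space runs inside one `<p>` tend to wrap unpredictably in browsers, so using plain spaces as on the `quoted_string` line would be safer.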
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-output-queue-model ( mpsc | spsc );<br>
fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
+ fstrm-set-reopen-interval <em class="replaceable"><code>duration</code></em>;<br>
geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
+ interface-interval <em class="replaceable"><code>duration</code></em>;<br>
ixfr-from-differences ( primary | master | secondary | slave |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] {<br>
    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
masterfile-style ( full | relative );<br>
match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
- max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
- min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
- nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+ nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
+ nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
port <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
-     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
-     min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
+     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
+     min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
serial-update-method ( date | increment | unixtime );<br>
server-id ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
- servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
session-keyalg <em class="replaceable"><code>string</code></em>;<br>
session-keyfile ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
session-keyname <em class="replaceable"><code>string</code></em>;<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
- stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+     initial-key | static-ds | initial-ds<br>
+ Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
secret <em class="replaceable"><code>string</code></em>;<br>
};<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
managed-keys { <em class="replaceable"><code>string</code></em> (<br>
    static-key | initial-key<br>
+     | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
- min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
- nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+ nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
+ nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ {<br>
    <em class="replaceable"><code>unspecified-text</code></em> } ];<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
-     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
-     min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
+     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
+     min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
transfers <em class="replaceable"><code>integer</code></em>;<br>
};<br>
- servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
- stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
transfer-format ( many-answers | one-answer );<br>
transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+ dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+ dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.24"></a><h2>FILES</h2>
+<a name="id-1.24"></a><h2>DNSSEC-POLICY</h2>
+
+ <div class="literallayout"><p><br>
+dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
+ dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
+ parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+ parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
+ publish-safety <em class="replaceable"><code>duration</code></em>;<br>
+ retire-safety <em class="replaceable"><code>duration</code></em>;<br>
+ signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
+ signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
+ signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
+ zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+};<br>
+</p></div>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.25"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.25"></a><h2>SEE ALSO</h2>
+<a name="id-1.26"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
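Review bot: `dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;` in the new DNSSEC-POLICY section is the only ttlval left in the visible hunks of this file, and the troff grammar has the same leftover, so either both should read duration or the distinction deserves an explanation. The `keys { ... }` line is unwrapped, unlike the response-policy grammar earlier in the same file, and will overflow the literallayout. Renumbering the anchors from id-1.24/id-1.25 to id-1.25/id-1.26 also means an existing link to `#id-1.24` now lands on DNSSEC-POLICY instead of FILES; a stable named anchor for the new section, as the grammar sections already have, would avoid breaking those links.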
Fetch all DNSSEC keys for the given zone from the key directory\&. If they are within their publication period, merge them into the zone\*(Aqs DNSKEY RRset\&. Unlike
\fBrndc sign\fR, however, the zone is not immediately re\-signed by the new keys, but is allowed to incrementally re\-sign over time\&.
.sp
-This command requires that the
+This command requires that the zone is configured with a
+\fBdnssec\-policy\fR, or that the
\fBauto\-dnssec\fR
zone option be set to
maintain, and also requires the zone to be configured to allow dynamic DNS\&. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details\&.)
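Review bot: "requires that the zone is configured with a dnssec\-policy, or that the auto\-dnssec zone option be set to maintain" mixes indicative and subjunctive in one sentence; "requires that the zone be configured with a dnssec\-policy, or that the auto\-dnssec zone option be set to maintain" keeps both clauses parallel. The same wording is added to the sign command below and to both HTML copies, so it is worth fixing in all four places at once.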
\fBkey\-directory\fR
option in the BIND 9 Administrator Reference Manual)\&. If they are within their publication period, merge them into the zone\*(Aqs DNSKEY RRset\&. If the DNSKEY RRset is changed, then the zone is automatically re\-signed with the new key set\&.
.sp
-This command requires that the
+This command requires that the zone is configured with a
+\fBdnssec\-policy\fR, or that the
\fBauto\-dnssec\fR
zone option be set to
allow
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
.RS 4
-Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&.
+Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. The cache is flushed when validation is turned on or off to avoid using data that might differ between states\&.
.RE
.PP
\fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
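Review bot: The added sentence states that the cache is flushed when validation is turned on or off but not what that means for an operator: every cached answer is discarded, so after `rndc validation on` or `rndc validation off` the resolver runs with a cold cache and briefly pushes the full query load upstream. Consider stating that consequence explicitly, and, since the sentence only names on and off, making it clear that `validation status` leaves the cache untouched; the same text is added to the HTML page and should carry the same addition.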
allowed to incrementally re-sign over time.
</p>
<p>
- This command requires that the
+ This command requires that the zone is configured with a
+ <span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option
be set to <code class="literal">maintain</code>,
and also requires the zone to be configured to
re-signed with the new key set.
</p>
<p>
- This command requires that the
+ This command requires that the zone is configured with a
+ <span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option be set
to <code class="literal">allow</code> or
<code class="literal">maintain</code>,
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
+ The cache is flushed when validation is turned on or off
+ to avoid using data that might differ between states.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.2">Converting from insecure to secure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully automatic zone signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private-type records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic key rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting from secure to insecure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic re-signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.52">NSEC3 and OPTOUT</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.9">Dynamic DNS update method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.17">Fully automatic zone signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.27">Private-type records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">DNSKEY rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.36">Dynamic DNS update method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">Automatic key rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.48">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Converting from secure to insecure</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.54">Periodic re-signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.56">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
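Review bot: two entries in the renumbered table of contents now carry the identical title "Dynamic DNS update method" (the one at id-1.5.10.9 under the insecure-to-secure section and the one at id-1.5.10.36 under DNSKEY rollovers), so a reader scanning the list cannot tell them apart. The ids are generated from the DocBook source, so the fix belongs there: give the two subsections distinct titles (for example qualifying one as the initial-signing case and the other as the rollover case) rather than editing this generated HTML.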
The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
- with the keyword <span class="command"><strong>static-key</strong></span> are loaded directly
+ with the keyword <span class="command"><strong>static-key</strong></span> or
+ <span class="command"><strong>static-ds</strong></span> are loaded directly
into the table of trust anchors, and can only be changed by
altering the configuration. Keys configured with
- <span class="command"><strong>initial-key</strong></span> are used to initialize
- RFC 5011 trust anchor maintenance, and will be kept up to
- date automatically after the first time <span class="command"><strong>named</strong></span>
- runs.
+ <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
+ are used to initialize RFC 5011 trust anchor maintenance, and
+ will be kept up to date automatically after the first time
+ <span class="command"><strong>named</strong></span> runs.
</p>
<p>
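Review bot: the unchanged lead-in kept as context above ("copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust") no longer describes all of the entries once static-ds and initial-ds are accepted, because a DS-format anchor is a digest of the key, not a copy of the DNSKEY RR. Suggest rewording it along the lines of "DNSKEY RRs, or DS-format digests of them, for zones that are used to form the first link in the cryptographic chain of trust" so the sentence matches the keywords it now introduces.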
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3";
/* Key for our organization's forward zone */
- example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
- 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
- GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
- 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
- kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
- g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
- TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
- FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
- F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
- /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
- 1OTQ09A0=";
+ example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
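Review bot: the new static-ds statement in the example is missing its terminating semicolon. The line ends with the closing quote of the digest, whereas the static-key statement it replaces ended with `1OTQ09A0=";` and the reverse-zone static-key statement that follows is terminated the same way, so this example will not parse as written. Suggest `example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D";`. The comment above it ("Key for our organization's forward zone") could also say that this is the DS for that key, since the statement now carries a digest rather than the key itself.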
<a name="id-1.5.10.2"></a>Converting from insecure to secure</h3></div></div></div>
</div>
- <p>Changing a zone from insecure to secure can be done in two
- ways: using a dynamic DNS update, or the
- <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
- <p>For either method, you need to configure
- <span class="command"><strong>named</strong></span> so that it can see the
- <code class="filename">K*</code> files which contain the public and private
- parts of the keys that will be used to sign the zone. These files
- will have been generated by
- <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
- in the key-directory, as specified in
- <code class="filename">named.conf</code>:</p>
- <pre class="programlisting">
+ <p>
+ Changing a zone from insecure to secure can be done in three
+ ways: using a dynamic DNS update, use the
+ <span class="command"><strong>auto-dnssec</strong></span> zone option, or set a DNSSEC
+ policy for the zone with <span class="command"><strong>dnssec-policy</strong></span>.
+ </p>
+ <p>
+ For either method, you need to configure
+ <span class="command"><strong>named</strong></span> so that it can see the
+ <code class="filename">K*</code> files which contain the public and private
+ parts of the keys that will be used to sign the zone. These files
+ will have been generated by
+ <span class="command"><strong>dnssec-keygen</strong></span> (or created when needed by
+ <span class="command"><strong>named</strong></span> if <span class="command"><strong>dnssec-policy</strong></span> is
+ used). Keys should be placed in the key-directory, as specified in
+ <code class="filename">named.conf</code>:</p>
+ <pre class="programlisting">
zone example.net {
type master;
update-policy local;
file "dynamic/example.net/example.net";
key-directory "dynamic/example.net";
};
-</pre>
- <p>If one KSK and one ZSK DNSKEY key have been generated, this
- configuration will cause all records in the zone to be signed
- with the ZSK, and the DNSKEY RRset to be signed with the KSK as
- well. An NSEC chain will be generated as part of the initial
- signing process.</p>
+ </pre>
+ <p>
+ If one KSK and one ZSK DNSKEY key have been generated, this
+ configuration will cause all records in the zone to be signed
+ with the ZSK, and the DNSKEY RRset to be signed with the KSK as
+ well. An NSEC chain will be generated as part of the initial
+ signing process.
+ </p>
+ <p>
+ With <span class="command"><strong>dnssec-policy</strong></span> you specify what keys should
+ be KSK and/or ZSK. If you want a key to sign all records with a key
+ you will need to specify a CSK:
+ </p>
+ <pre class="programlisting">
+ dnssec-policy csk {
+ keys {
+ csk key-directory lifetime P5Y algorithm 13;
+ };
+ };
+ </pre>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.7"></a>Dynamic DNS update method</h3></div></div></div>
+<a name="id-1.5.10.9"></a>Dynamic DNS update method</h3></div></div></div>
</div>
<p>To insert the keys via dynamic update:</p>
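Review bot: the rewritten opening of "Converting from insecure to secure" is not parallel and the paragraph after it no longer matches the count. "can be done in three ways: using a dynamic DNS update, use the auto-dnssec zone option, or set a DNSSEC policy" mixes verb forms, and the next paragraph still begins "For either method" although three methods are now listed; suggest "using a dynamic DNS update, using the auto-dnssec zone option, or setting a DNSSEC policy for the zone with dnssec-policy" and "For any of these methods". The CSK paragraph also reads awkwardly ("If you want a key to sign all records with a key you will need to specify a CSK"); "If you want a single key to sign all records, specify a CSK" says the same thing, and it would help to note that the preceding "one KSK and one ZSK" sentence describes the dynamic-update and auto-dnssec cases rather than a policy that defines a CSK.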
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> send
</pre>
- <p>While the update request will complete almost immediately,
- the zone will not be completely signed until
- <span class="command"><strong>named</strong></span> has had time to walk the zone and
- generate the NSEC and RRSIG records. The NSEC record at the apex
- will be added last, to signal that there is a complete NSEC
- chain.</p>
- <p>If you wish to sign using NSEC3 instead of NSEC, you should
- add an NSEC3PARAM record to the initial update request. If you
- wish the NSEC3 chain to have the OPTOUT bit set, set it in the
- flags field of the NSEC3PARAM record.</p>
+ <p>
+ While the update request will complete almost immediately,
+ the zone will not be completely signed until
+ <span class="command"><strong>named</strong></span> has had time to walk the zone and
+ generate the NSEC and RRSIG records. The NSEC record at the apex
+ will be added last, to signal that there is a complete NSEC
+ chain.
+ </p>
+ <p>
+ If you wish to sign using NSEC3 instead of NSEC, you should
+ add an NSEC3PARAM record to the initial update request. If you
+ wish the NSEC3 chain to have the OPTOUT bit set, set it in the
+ flags field of the NSEC3PARAM record.
+ </p>
<pre class="screen">
% nsupdate
> ttl 3600
> update add example.net NSEC3PARAM 1 1 100 1234567890
> send
</pre>
- <p>Again, this update request will complete almost
- immediately; however, the record won't show up until
- <span class="command"><strong>named</strong></span> has had a chance to build/remove the
- relevant chain. A private type record will be created to record
- the state of the operation (see below for more details), and will
- be removed once the operation completes.</p>
- <p>While the initial signing and NSEC/NSEC3 chain generation
- is happening, other updates are possible as well.</p>
+ <p>
+ Again, this update request will complete almost
+ immediately; however, the record won't show up until
+ <span class="command"><strong>named</strong></span> has had a chance to build/remove the
+ relevant chain. A private type record will be created to record
+ the state of the operation (see below for more details), and will
+ be removed once the operation completes.
+ </p>
+ <p>
+ While the initial signing and NSEC/NSEC3 chain generation
+ is happening, other updates are possible as well.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.15"></a>Fully automatic zone signing</h3></div></div></div>
+<a name="id-1.5.10.17"></a>Fully automatic zone signing</h3></div></div></div>
</div>
- <p>To enable automatic signing, add the
- <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
- <code class="filename">named.conf</code>.
- <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
- <code class="constant">allow</code> or
- <code class="constant">maintain</code>.</p>
- <p>With
- <span class="command"><strong>auto-dnssec allow</strong></span>,
- <span class="command"><strong>named</strong></span> can search the key directory for keys
- matching the zone, insert them into the zone, and use them to
- sign the zone. It will do so only when it receives an
- <span class="command"><strong>rndc sign <zonename></strong></span>.</p>
<p>
-
- <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
- functionality, but will also automatically adjust the zone's
- DNSKEY records on schedule according to the keys' timing metadata.
- (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
- <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
+ To enable automatic signing, you can set a
+ <span class="command"><strong>dnssec-policy</strong></span>, or add the
+ <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
+ <code class="filename">named.conf</code>.
+ <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
+ <code class="constant">allow</code> or
+ <code class="constant">maintain</code>.
+ </p>
+ <p>
+ With <span class="command"><strong>auto-dnssec allow</strong></span>,
+ <span class="command"><strong>named</strong></span> can search the key directory for keys
+ matching the zone, insert them into the zone, and use them to
+ sign the zone. It will do so only when it receives an
+ <span class="command"><strong>rndc sign <zonename></strong></span>.
+ </p>
+ <p>
+
+ <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
+ functionality, but will also automatically adjust the zone's
+ DNSKEY records on schedule according to the keys' timing metadata.
+ (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
+ <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
+ </p>
+ <p>
+ <span class="command"><strong>dnssec-policy</strong></span> is like
+ <span class="command"><strong>auto-dnssec maintain</strong></span>, but will also automatically
+ create new keys when necessary. Also any configuration related
+ to DNSSEC signing is retrieved from the policy (ignoring existing
+ DNSSEC named.conf options).
+ </p>
+ <p>
+ <span class="command"><strong>named</strong></span> will periodically search the key directory
+ for keys matching the zone, and if the keys' metadata indicates
+ that any change should be made the zone, such as adding, removing,
+ or revoking a key, then that action will be carried out. By default,
+ the key directory is checked for changes every 60 minutes; this period
+ can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
+ to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
+ <span class="command"><strong>named</strong></span> to check for key updates immediately.
</p>
<p>
- <span class="command"><strong>named</strong></span> will periodically search the key directory
- for keys matching the zone, and if the keys' metadata indicates
- that any change should be made the zone, such as adding, removing,
- or revoking a key, then that action will be carried out. By default,
- the key directory is checked for changes every 60 minutes; this period
- can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
- to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
- <span class="command"><strong>named</strong></span> to check for key updates immediately.
+ If keys are present in the key directory the first time the zone
+ is loaded, the zone will be signed immediately, without waiting for an
+ <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
+ command. (Those commands can still be used when there are unscheduled
+ key changes, however.)
</p>
<p>
- If keys are present in the key directory the first time the zone
- is loaded, the zone will be signed immediately, without waiting for an
- <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
- command. (Those commands can still be used when there are unscheduled
- key changes, however.)
+ When new keys are added to a zone, the TTL is set to match that
+ of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
+ then the TTL will be set to the TTL specified when the key was
+ created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
+ any, or to the SOA TTL.
</p>
<p>
- When new keys are added to a zone, the TTL is set to match that
- of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
- then the TTL will be set to the TTL specified when the key was
- created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
- any, or to the SOA TTL.
+ If you wish the zone to be signed using NSEC3 instead of NSEC,
+ submit an NSEC3PARAM record via dynamic update prior to the
+ scheduled publication and activation of the keys. If you wish the
+ NSEC3 chain to have the OPTOUT bit set, set it in the flags field
+ of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
+ the zone immediately, but it will be stored for later reference. When
+ the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
+ record will appear in the zone.
</p>
<p>
- If you wish the zone to be signed using NSEC3 instead of NSEC,
- submit an NSEC3PARAM record via dynamic update prior to the
- scheduled publication and activation of the keys. If you wish the
- NSEC3 chain to have the OPTOUT bit set, set it in the flags field
- of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
- the zone immediately, but it will be stored for later reference. When
- the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
- record will appear in the zone.
+ Using the
+ <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
+ configured to allow dynamic updates, by adding an
+ <span class="command"><strong>allow-update</strong></span> or
+ <span class="command"><strong>update-policy</strong></span> statement to the zone
+ configuration. If this has not been done, the configuration will
+ fail.
</p>
- <p>Using the
- <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
- configured to allow dynamic updates, by adding an
- <span class="command"><strong>allow-update</strong></span> or
- <span class="command"><strong>update-policy</strong></span> statement to the zone
- configuration. If this has not been done, the configuration will
- fail.</p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.24"></a>Private-type records</h3></div></div></div>
+<a name="id-1.5.10.27"></a>Private-type records</h3></div></div></div>
</div>
- <p>The state of the signing process is signaled by
- private-type records (with a default type value of 65534). When
- signing is complete, these records will have a nonzero value for
- the final octet (for those records which have a nonzero initial
- octet).</p>
- <p>The private type record format: If the first octet is
- non-zero then the record indicates that the zone needs to be
- signed with the key matching the record, or that all signatures
- that match the record should be removed.</p>
+ <p>
+ The state of the signing process is signaled by
+ private-type records (with a default type value of 65534). When
+ signing is complete, these records will have a nonzero value for
+ the final octet (for those records which have a nonzero initial
+ octet).
+ </p>
+ <p>
+ The private type record format: If the first octet is
+ non-zero then the record indicates that the zone needs to be
+ signed with the key matching the record, or that all signatures
+ that match the record should be removed.
+ </p>
<p>
</p>
<div class="literallayout"><p><br>
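Review bot: the "Fully automatic zone signing" hunk leaves two things unspecified for the new dnssec-policy path. First, the closing paragraph states that using the auto-dnssec option requires the zone to allow dynamic updates (an allow-update or update-policy statement) and that the configuration fails otherwise, but it does not say whether the same requirement applies to a zone with dnssec-policy set; please state it either way. Second, "any configuration related to DNSSEC signing is retrieved from the policy (ignoring existing DNSSEC named.conf options)" is vague: name the options that stop taking effect, or link to the dnssec-policy statement section, so an operator migrating from auto-dnssec maintain knows what is ignored. Separately, most of the -/+ pairs in this hunk (the "While the update request…", "Again, this update request…", "named will periodically search…", "If keys are present…", "When new keys are added…" and "If you wish the zone to be signed using NSEC3…" paragraphs, and the private-type record paragraphs) are whitespace-only re-wraps of unchanged text; putting the reformatting in its own commit would let the two new dnssec-policy paragraphs be reviewed on their own.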
</p></div>
<p>
</p>
- <p>Only records flagged as "complete" can be removed via
- dynamic update. Attempts to remove other private type records
- will be silently ignored.</p>
- <p>If the first octet is zero (this is a reserved algorithm
- number that should never appear in a DNSKEY record) then the
- record indicates changes to the NSEC3 chains are in progress. The
- rest of the record contains an NSEC3PARAM record. The flag field
- tells what operation to perform based on the flag bits.</p>
+ <p>
+ Only records flagged as "complete" can be removed via
+ dynamic update. Attempts to remove other private type records
+ will be silently ignored.
+ </p>
+ <p>
+ If the first octet is zero (this is a reserved algorithm
+ number that should never appear in a DNSKEY record) then the
+ record indicates changes to the NSEC3 chains are in progress. The
+ rest of the record contains an NSEC3PARAM record. The flag field
+ tells what operation to perform based on the flag bits.
+ </p>
<p>
</p>
<div class="literallayout"><p><br>
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.31"></a>DNSKEY rollovers</h3></div></div></div>
+<a name="id-1.5.10.34"></a>DNSKEY rollovers</h3></div></div></div>
</div>
- <p>As with insecure-to-secure conversions, rolling DNSSEC
- keys can be done in two ways: using a dynamic DNS update, or the
- <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
+ <p>
+ As with insecure-to-secure conversions, rolling DNSSEC
+ keys can be done in two ways: using a dynamic DNS update, or the
+ <span class="command"><strong>auto-dnssec</strong></span> zone option.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.33"></a>Dynamic DNS update method</h3></div></div></div>
+<a name="id-1.5.10.36"></a>Dynamic DNS update method</h3></div></div></div>
</div>
- <p> To perform key rollovers via dynamic update, you need to add
- the <code class="filename">K*</code> files for the new keys so that
- <span class="command"><strong>named</strong></span> can find them. You can then add the new
- DNSKEY RRs via dynamic update.
- <span class="command"><strong>named</strong></span> will then cause the zone to be signed
- with the new keys. When the signing is complete the private type
- records will be updated so that the last octet is non
- zero.</p>
- <p>If this is for a KSK you need to inform the parent and any
- trust anchor repositories of the new KSK.</p>
- <p>You should then wait for the maximum TTL in the zone before
- removing the old DNSKEY. If it is a KSK that is being updated,
- you also need to wait for the DS RRset in the parent to be
- updated and its TTL to expire. This ensures that all clients will
- be able to verify at least one signature when you remove the old
- DNSKEY.</p>
- <p>The old DNSKEY can be removed via UPDATE. Take care to
- specify the correct key.
- <span class="command"><strong>named</strong></span> will clean out any signatures generated
- by the old key after the update completes.</p>
+ <p>
+ To perform key rollovers via dynamic update, you need to add
+ the <code class="filename">K*</code> files for the new keys so that
+ <span class="command"><strong>named</strong></span> can find them. You can then add the new
+ DNSKEY RRs via dynamic update.
+ <span class="command"><strong>named</strong></span> will then cause the zone to be signed
+ with the new keys. When the signing is complete the private type
+ records will be updated so that the last octet is non
+ zero.
+ </p>
+ <p>
+ If this is for a KSK you need to inform the parent and any
+ trust anchor repositories of the new KSK.
+ </p>
+ <p>
+ You should then wait for the maximum TTL in the zone before
+ removing the old DNSKEY. If it is a KSK that is being updated,
+ you also need to wait for the DS RRset in the parent to be
+ updated and its TTL to expire. This ensures that all clients will
+ be able to verify at least one signature when you remove the old
+ DNSKEY.
+ </p>
+ <p>
+ The old DNSKEY can be removed via UPDATE. Take care to
+ specify the correct key.
+ <span class="command"><strong>named</strong></span> will clean out any signatures generated
+ by the old key after the update completes.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.38"></a>Automatic key rollovers</h3></div></div></div>
+<a name="id-1.5.10.41"></a>Automatic key rollovers</h3></div></div></div>
</div>
- <p>When a new key reaches its activation date (as set by
- <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
- if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
- <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
- automatically carry out the key rollover. If the key's algorithm
- has not previously been used to sign the zone, then the zone will
- be fully signed as quickly as possible. However, if the new key
- is replacing an existing key of the same algorithm, then the
- zone will be re-signed incrementally, with signatures from the
- old key being replaced with signatures from the new key as their
- signature validity periods expire. By default, this rollover
- completes in 30 days, after which it will be safe to remove the
- old key from the DNSKEY RRset.</p>
+ <p>
+ When a new key reaches its activation date (as set by
+ <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
+ if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
+ <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
+ automatically carry out the key rollover. If the key's algorithm
+ has not previously been used to sign the zone, then the zone will
+ be fully signed as quickly as possible. However, if the new key
+ is replacing an existing key of the same algorithm, then the
+ zone will be re-signed incrementally, with signatures from the
+ old key being replaced with signatures from the new key as their
+ signature validity periods expire. By default, this rollover
+ completes in 30 days, after which it will be safe to remove the
+ old key from the DNSKEY RRset.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.40"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div>
+<a name="id-1.5.10.43"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div>
</div>
- <p>Add the new NSEC3PARAM record via dynamic update. When the
- new NSEC3 chain has been generated, the NSEC3PARAM flag field
- will be zero. At this point you can remove the old NSEC3PARAM
- record. The old chain will be removed after the update request
- completes.</p>
+ <p>
+ Add the new NSEC3PARAM record via dynamic update. When the
+ new NSEC3 chain has been generated, the NSEC3PARAM flag field
+ will be zero. At this point you can remove the old NSEC3PARAM
+ record. The old chain will be removed after the update request
+ completes.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.42"></a>Converting from NSEC to NSEC3</h3></div></div></div>
+<a name="id-1.5.10.45"></a>Converting from NSEC to NSEC3</h3></div></div></div>
</div>
- <p>To do this, you just need to add an NSEC3PARAM record. When
- the conversion is complete, the NSEC chain will have been removed
- and the NSEC3PARAM record will have a zero flag field. The NSEC3
- chain will be generated before the NSEC chain is
- destroyed.</p>
+ <p>
+ To do this, you just need to add an NSEC3PARAM record. When
+ the conversion is complete, the NSEC chain will have been removed
+ and the NSEC3PARAM record will have a zero flag field. The NSEC3
+ chain will be generated before the NSEC chain is
+ destroyed.
+ </p>
+ <p>
+ NSEC3 is not supported yet with <span class="command"><strong>dnssec-policy</strong></span>.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.44"></a>Converting from NSEC3 to NSEC</h3></div></div></div>
+<a name="id-1.5.10.48"></a>Converting from NSEC3 to NSEC</h3></div></div></div>
</div>
- <p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
- remove all NSEC3PARAM records with a zero flag
- field. The NSEC chain will be generated before the NSEC3 chain is
- removed.</p>
+ <p>
+ To do this, use <span class="command"><strong>nsupdate</strong></span> to
+ remove all NSEC3PARAM records with a zero flag
+ field. The NSEC chain will be generated before the NSEC3 chain is
+ removed.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.46"></a>Converting from secure to insecure</h3></div></div></div>
+<a name="id-1.5.10.50"></a>Converting from secure to insecure</h3></div></div></div>
</div>
- <p>To convert a signed zone to unsigned using dynamic DNS,
- delete all the DNSKEY records from the zone apex using
- <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
- and associated NSEC3PARAM records will be removed automatically.
- This will take place after the update request completes.</p>
- <p> This requires the
- <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
- <strong class="userinput"><code>yes</code></strong> in
- <code class="filename">named.conf</code>.</p>
- <p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
- zone statement is used, it should be removed or changed to
- <span class="command"><strong>allow</strong></span> instead (or it will re-sign).
+ <p>
+ To convert a signed zone to unsigned using dynamic DNS,
+ delete all the DNSKEY records from the zone apex using
+ <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
+ and associated NSEC3PARAM records will be removed automatically.
+ This will take place after the update request completes.</p>
+ <p> This requires the
+ <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
+ <strong class="userinput"><code>yes</code></strong> in
+ <code class="filename">named.conf</code>.</p>
+ <p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
+ zone statement is used, it should be removed or changed to
+ <span class="command"><strong>allow</strong></span> instead (or it will re-sign).
</p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.50"></a>Periodic re-signing</h3></div></div></div>
+<a name="id-1.5.10.54"></a>Periodic re-signing</h3></div></div></div>
</div>
- <p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
- will periodically re-sign RRsets which have not been re-signed as
- a result of some update action. The signature lifetimes will be
- adjusted so as to spread the re-sign load over time rather than
- all at once.</p>
+ <p>
+ In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
+ will periodically re-sign RRsets which have not been re-signed as
+ a result of some update action. The signature lifetimes will be
+ adjusted so as to spread the re-sign load over time rather than
+ all at once.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.52"></a>NSEC3 and OPTOUT</h3></div></div></div>
+<a name="id-1.5.10.56"></a>NSEC3 and OPTOUT</h3></div></div></div>
</div>
<p>
- <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
- where all the NSEC3 records in the zone have the same OPTOUT
- state.
- <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
- records in the chain have mixed OPTOUT state.
- <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
- state of an individual NSEC3 record, the entire chain needs to be
- changed if the OPTOUT state of an individual NSEC3 needs to be
- changed.</p>
+ <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
+ where all the NSEC3 records in the zone have the same OPTOUT
+ state.
+ <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
+ records in the chain have mixed OPTOUT state.
+ <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
+ state of an individual NSEC3 record, the entire chain needs to be
+ changed if the OPTOUT state of an individual NSEC3 needs to be
+ changed.
+ </p>
</div>
<div class="section">
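Review bot: "DNSKEY rollovers" still says rolling keys "can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option", and "Automatic key rollovers" describes only the auto-dnssec maintain case, even though the insecure-to-secure text in this same change lists dnssec-policy as a third way and says it "will also automatically create new keys when necessary". Either add dnssec-policy to both passages or state explicitly where its rollover behaviour is documented. The new "NSEC3 is not supported yet with dnssec-policy" caveat is welcome; it would be more useful if it also said what named does when an NSEC3PARAM record is submitted for a zone that has a policy set. Style: the "Converting from secure to insecure" paragraphs were only half re-wrapped: "This will take place after the update request completes.</p>", "<p> This requires the" and "<p>In addition, if the" keep the tags inline, unlike every other re-wrapped paragraph in this change, and "<p> This" carries a stray leading space.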
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>dnssec-keys</strong></span> statement and the
- <span class="command"><strong>initial-key</strong></span> keyword. Information about
- this can be found in
+ <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
+ keyword. Information about this can be found in
<a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage”</a>.</p>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
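Review bot: the RFC 5011 paragraph now lists initial-ds alongside initial-key but says nothing about how a DS-format anchor enters RFC 5011 maintenance, which operates on DNSKEY records. If the behaviour is that named fetches the zone's DNSKEY RRset and matches it against the configured DS before the anchor can be tracked, one sentence saying so here (and what is logged if no key matches) would spare operators a trip to the source. The footer bump to "BIND 9.15.6 (Development Release)" matches the release header for this change.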
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
+ and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
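Review bot: the new anchor ids follow a different pattern from their neighbours. The dnssec-keys pair uses dnssec_keys for the grammar and dnssec-keys for the definition, managed-keys uses managed-keys and managed_keys, and the new dnssec-policy pair uses dnssec_policy_grammar and dnssec_policy. The existing ids are already inconsistent, but since the new ones are being chosen now, settle on one convention (the explicit _grammar suffix is the clearest) and note it so later additions follow it.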
</td>
</tr>
<tr>
+<td>
+ <p><span class="command"><strong>dnssec-policy</strong></span></p>
+ </td>
+<td>
+ <p>
+ describes a DNSSEC key and signing policy for zones.
+ See <a class="xref" href="Bv9ARM.ch05.html#dnssec_policy_grammar" title="dnssec-policy Statement Grammar">the section called “<span class="command"><strong>dnssec-policy</strong></span> Statement Grammar”</a> for details.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p><span class="command"><strong>include</strong></span></p>
</td>
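Review bot: the summary row for `dnssec-policy` points the reader at the Statement Grammar section "for details", but the grammar only lists option names; the link should target the Definition and Usage section (`#dnssec_policy`, title "dnssec-policy Statement Definition and Usage"), which is where the semantics live. The verb should also match the neighbouring `dnssec-keys` row: "defines a DNSSEC key and signing policy for zones" rather than "describes".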
</td>
<td>
<p>
- defines DNSSEC keys: if used with the
- <span class="command"><strong>initial-key</strong></span> keyword,
- keys are kept up to date using RFC 5011
- trust anchor maintenance, and if used with
- <span class="command"><strong>static-key</strong></span>, keys are permanent.
+ defines DNSSEC trust anchors: if used with
+ the <span class="command"><strong>initial-key</strong></span> or
+ <span class="command"><strong>initial-ds</strong></span> keyword,
+ trust anchors are kept up to date using RFC
+ 5011 trust anchor maintenance, and if used with
+ <span class="command"><strong>static-key</strong></span> or
+ <span class="command"><strong>static-ds</strong></span>, trust anchors
+ are permanent.
</p>
</td>
</tr>
[ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port
<em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key
<em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [
- <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };
+ <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };
<span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
<span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
<span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( mpsc | spsc );
<span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>geoip-directory</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>hostname</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>ixfr-from-differences</strong></span> ( primary | master | secondary | slave |
<em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>keep-response-order</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
<span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
- <span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>listen-on</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
<em class="replaceable"><code>integer</code></em> ] {
<em class="replaceable"><code>address_match_element</code></em>; ... };
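Review bot: the `ttlval` to `duration` rename for `interface-interval`, `lame-ttl` and the other time-valued options is applied selectively: `heartbeat-interval`, three lines above `interface-interval`, stays `integer`, as do the `max-transfer-*` timeouts further down. If the intent is that every time-valued option accepts TTL-style unit suffixes, those should follow in the same change; if not, the definition text for the `duration` type should say which options take a suffix and which remain bare integers, so that an operator who writes `heartbeat-interval 1h` after reading that `interface-interval 1h` is valid is not surprised.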
<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
<span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>max-cache-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );
- <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
- <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-rsa-exponent-size</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+ <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>duration</code></em> );
<span class="command"><strong>memstatistics</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>memstatistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>message-compression</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>min-cache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
- <span class="command"><strong>min-ncache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>min-cache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>min-ncache-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
[ dscp <em class="replaceable"><code>integer</code></em> ];
<span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>ttlval</code></em>;
- <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>nxdomain-redirect</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>pid-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
<em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
- <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval
- <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
+ <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval
+ <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
<span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
<span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
- <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [
- <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [
+ <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [
+ <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [
<span class="command"><strong>nsip-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]
[ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>serial-query-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
<span class="command"><strong>server-id</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );
- <span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>session-keyalg</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>session-keyfile</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>session-keyname</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>sortlist</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
<span class="command"><strong>stacksize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
<span class="command"><strong>stale-answer-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>startup-notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>statistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>synth-from-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
<p>
Specifies the directory in which to store the files that
track managed DNSSEC keys (i.e., those configured using
- the <span class="command"><strong>initial-key</strong></span> keyword in a
+ the <span class="command"><strong>initial-key</strong></span> or
+ <span class="command"><strong>initial-ds</strong></span> keywords in a
<span class="command"><strong>dnssec-keys</strong></span> statement). By default,
this is the working directory. The directory
<span class="emphasis"><em>must</em></span> be writable by the effective
the first time; if unsuccessful, the server will
will terminate, under the assumption that another
server is already running. If not specified, the default is
- <code class="filename">/var/run/named/named.lock</code>.
+ <code class="filename">none</code>.
</p>
<p>
Specifying <span class="command"><strong>lock-file none</strong></span> disables the
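Review bot: changing the documented `lock-file` default from `/var/run/named/named.lock` to `none` means a stock configuration no longer detects a second `named` instance, yet the sentences above still describe the lock being acquired "the first time" and the server terminating if that fails. State explicitly that the check is skipped unless `lock-file` is configured, and confirm the code default actually matches, since a documentation-only change here would mislead operators who rely on the lock. Two smaller points: `none` is a keyword rather than a path, so `<code class="constant">` is the right markup instead of `<code class="filename">`, and the context line "the server will will terminate" has a doubled "will".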
<dt><span class="term"><span class="command"><strong>automatic-interface-scan</strong></span></span></dt>
<dd>
<p>
- If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
- automatically rescan network interfaces when the interface
- addresses are added or removed. The default is
- <strong class="userinput"><code>yes</code></strong>.
+ If <strong class="userinput"><code>yes</code></strong> and supported by the operating
+ system, automatically rescan network interfaces when the
+ interface addresses are added or removed. The default is
+ <strong class="userinput"><code>yes</code></strong>. This configuration option does
+ not affect time based <span class="command"><strong>interface-interval</strong></span>
+ option, and it is recommended to set the time based
+ <span class="command"><strong>interface-interval</strong></span> to 0 when the operator
+ confirms that automatic interface scanning is supported by the
+ operating system.
</p>
<p>
- Currently the OS needs to support routing sockets for
- <span class="command"><strong>automatic-interface-scan</strong></span> to be
- supported.
+ The <span class="command"><strong>automatic-interface-scan</strong></span> implementation
+ uses routing sockets for the network interface discovery,
+ and therefore the operating system has to support the routing
+ sockets for this feature to work.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
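Review bot: the added recommendation to set `interface-interval` to 0 "when the operator confirms that automatic interface scanning is supported" does not say how to confirm it; the second paragraph only names routing sockets as the prerequisite. Either list the platforms on which it works or point at whatever diagnostic shows that routing-socket scanning is active, because disabling the periodic scan on an unsupported system means newly added addresses are never picked up. Wording: "does not affect time based interface-interval option" needs an article and a hyphen ("the time-based `interface-interval` option"), and "has to support the routing sockets" should drop "the".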
response to a UDP request from a cookie aware client.
BADCOOKIE is sent if there is a bad or no existent
server cookie.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p>
+ <p>
+ Set this to <strong class="userinput"><code>yes</code></strong> to test that DNS
+ COOKIE clients correctly handle BADCOOKIE or if you are
+ getting a lot of forged DNS requests with DNS COOKIES
+ present. Setting this to <strong class="userinput"><code>yes</code></strong> will
+ result in reduced amplification effect in a reflection
+ attack, as the BADCOOKIE response will be smaller than
+ a full response, while also requiring a legitimate client
+ to follow up with a second query with the new, valid, cookie.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
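Review bot: the new paragraph packs two unrelated reasons for enabling the option (testing client BADCOOKIE handling and damping forged queries) into one sentence; split them, and lead the second with the operational trade-off it already mentions at the end, namely that every cookie-aware client without a valid server cookie pays a second round trip, so the reduced amplification is bought with extra latency on first contact. "a lot of forged DNS requests" is informal for reference text ("a significant volume of"), and the context line "a bad or no existent server cookie" should read "nonexistent".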
do not send a correct COOKIE option may be limited
to receiving smaller responses via the
<span class="command"><strong>nocookie-udp-size</strong></span> option.
+ The default is <strong class="userinput"><code>yes</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
<p>
Synthesize answers from cached NSEC, NSEC3 and
other RRsets that have been proved to be correct
- using DNSSEC. The default is <span class="command"><strong>yes</strong></span>.
+ using DNSSEC. The default is <span class="command"><strong>no</strong></span>,
+ but it will become <span class="command"><strong>yes</strong></span> again
+ in the future releases.
</p>
<p>
Note:
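Review bot: the default flip from `yes` to `no` for `synth-from-dnssec` is explained only by a forward-looking promise ("will become yes again in the future releases") with no reason given; reference documentation should say why the feature is now off by default, or link the tracking issue, so operators can decide whether to turn it back on. Since this changes behaviour for existing deployments, it also belongs in the release notes, and "in the future releases" should read "in a future release".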
minutes. The default
is 60 minutes. The maximum value is 28 days (40320 minutes).
If set to 0, interface scanning will only occur when
- the configuration file is loaded. After the scan, the
- server will
- begin listening for queries on any newly discovered
- interfaces (provided they are allowed by the
+ the configuration file is loaded, or when
+ <span class="command"><strong>automatic-interface-scan</strong></span> is enabled
+ and supported by the operating system. After the scan, the
+ server will begin listening for queries on any newly
+ discovered interfaces (provided they are allowed by the
<span class="command"><strong>listen-on</strong></span> configuration), and
will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be
The first element (which may be an IP address, an IP prefix, an
ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of
each top level list is checked against the source address of
- the query until a match is found.
+ the query until a match is found. When the addresses in the
+ first element overlap, the first rule to match gets selected.
</p>
<p>
Once the source address of the query has been matched, if the
<span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>resolver-nonbackoff-tries</strong></span></span></dt>
+<dd>
+ <p>
+ Specifies how many retries occur before exponential
+ backoff kicks in. The default is <strong class="userinput"><code>3</code></strong>.
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>resolver-retry-interval</strong></span></span></dt>
+<dd>
+ <p>
+ The base retry interval in milliseconds.
+ The default is <strong class="userinput"><code>800</code></strong>.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
<dd>
<p>
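Review bot: the definitions of `resolver-nonbackoff-tries` and `resolver-retry-interval` do not say what is being retried (queries to one upstream server, or the whole fetch) nor how the two options interact, i.e. whether the base interval applies to the non-backoff tries and then grows exponentially, and whether there is a ceiling. Add that, along with the accepted range for each value, because a small retry interval combined with many non-backoff tries directly raises the outbound query rate toward authoritative servers.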
<a name="dnssec_keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>dnssec-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
- <span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+ <span class="command"><strong>initial-key</strong></span> | static-ds | initial-ds )
+ <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };
</pre>
</div>
trust anchors. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>.
</p>
<p>
- A trust anchor is defined when the public key for
- a non-authoritative zone is known, but cannot be securely
- obtained through DNS, either because it is the DNS root zone
- or because its parent zone is unsigned. Once a key has been
- configured as a trust anchor, it is treated as if it had
- been validated and proven secure.
+ A trust anchor is defined when the public key or public key
+ digest for a non-authoritative zone is known, but cannot be
+ securely obtained through DNS, either because it is the DNS
+ root zone or because its parent zone is unsigned. Once a key
+ or digest has been configured as a trust anchor, it is treated
+ as if it had been validated and proven secure.
</p>
<p>
The resolver attempts DNSSEC validation on all DNS data
<p>
All keys listed in <span class="command"><strong>dnssec-keys</strong></span>, and
their corresponding zones, are deemed to exist regardless
- of what parent zones say. Only keys configured as trust anchors
+ of what parent zones say. Only keys configured as trust anchors
are used to validate the DNSKEY RRset for the corresponding
- name. The parent's DS RRset will not be used.
- </p>
- <p>
- The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
- multiple key entries, each consisting of the key's
- domain name, followed by the <span class="command"><strong>static-key</strong></span> or
- <span class="command"><strong>initial-key</strong></span> keyword, then the key's flags,
- protocol, algorithm, and the Base64 representation of the key
- data. Spaces, tabs, newlines and carriage returns are ignored
- in the key data, so the configuration may be split up into
- multiple lines.
+ name. The parent's DS RRset will not be used.
</p>
<p>
<span class="command"><strong>dnssec-keys</strong></span> may be set at the top level
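Review bot: the `-`/`+` pair for "of what parent zones say. Only keys configured as trust anchors" is a whitespace-only change (the text is identical), which adds noise to the diff; drop it or fold it into the paragraph move. The retained sentence "The parent's DS RRset will not be used" now sits next to the DS-format anchor discussion and would be clearer as "the DS RRset published in the parent zone", so it is not read as referring to a configured `static-ds` or `initial-ds` anchor, which is also DS data.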
defined in a view are only used within that view.
</p>
<p>
- <span class="command"><strong>dnssec-keys</strong></span> entries can be configured with
- two keywords: <span class="command"><strong>static-key</strong></span> or
- <span class="command"><strong>initial-key</strong></span>. Keys configured with
- <span class="command"><strong>static-key</strong></span> are immutable,
- while keys configured with <span class="command"><strong>initial-key</strong></span>
+ The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
+ multiple trust anchor entries, each consisting of a
+ domain name, followed by an "anchor type" keyword indicating
+ the trust anchor's format, followed by the key or digest data.
+ </p>
+ <p>
+ If the anchor type is <span class="command"><strong>static-key</strong></span> or
+ <span class="command"><strong>initial-key</strong></span>, then it is followed with the
+ key's flags, protocol, algorithm, and the Base64 representation
+ of the public key data. This is identical to the text
+ representation of a DNSKEY record. Spaces, tabs, newlines and
+ carriage returns are ignored in the key data, so the
+ configuration may be split up into multiple lines.
+ </p>
+ <p>
+ If the anchor type is <span class="command"><strong>static-ds</strong></span> or
+ <span class="command"><strong>initial-ds</strong></span>, then it is followed with the
+ key tag, algorithm, digest type, and the hexidecimal
+ representation of the key digest. This is identical to the
+ text representation of a DS record. Spaces, tabs, newlines
+ and carriage returns are ignored.
+ </p>
+ <p>
+ Trust anchors configured with the
+ <span class="command"><strong>static-key</strong></span> or <span class="command"><strong>static-ds</strong></span>
+ anchor types are immutable, while keys configured with
+ <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
can be kept up to date automatically, without intervention
from the resolver operator. (<span class="command"><strong>static-key</strong></span>
keys are identical to keys configured using the deprecated
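Review bot: "hexidecimal" in the `static-ds`/`initial-ds` paragraph should be "hexadecimal", and "followed with" (in both new paragraphs) should be "followed by". The parenthetical context line that follows ("`static-key` keys are identical to keys configured using the deprecated ...") now covers only half the anchor types; say which deprecated form, if any, a DS anchor corresponds to, or state that there is none.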
Suppose, for example, that a zone's key-signing
key was compromised, and the zone owner had to revoke and
replace the key. A resolver which had the original key
- configured as a <span class="command"><strong>static-key</strong></span> would be
- unable to validate this zone any longer; it would
- reply with a SERVFAIL response code. This would
- continue until the resolver operator had updated the
- <span class="command"><strong>dnssec-keys</strong></span> statement with the new key.
+ configured using <span class="command"><strong>static-key</strong></span> or
+ <span class="command"><strong>static-ds</strong></span> would be unable to validate
+ this zone any longer; it would reply with a SERVFAIL response
+ code. This would continue until the resolver operator had
+ updated the <span class="command"><strong>dnssec-keys</strong></span> statement with
+ the new key.
</p>
<p>
If, however, the trust anchor had been configured with
- <span class="command"><strong>initial-key</strong></span> instead, then the
- zone owner could add a "stand-by" key to their zone in advance.
- <span class="command"><strong>named</strong></span> would store the stand-by key, and
- when the original key was revoked, <span class="command"><strong>named</strong></span>
- would be able to transition smoothly to the new key. It would
- also recognize that the old key had been revoked, and cease
- using that key to validate answers, minimizing the damage that
- the compromised key could do. This is the process used to
- keep the ICANN root DNSSEC key up to date.
- </p>
- <p>
- Whereas <span class="command"><strong>static-key</strong></span>
- keys continue to be trusted until they are removed from
+ <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
+ instead, then the zone owner could add a "stand-by" key to
+ their zone in advance. <span class="command"><strong>named</strong></span> would store
+ the stand-by key, and when the original key was revoked,
+ <span class="command"><strong>named</strong></span> would be able to transition smoothly
+ to the new key. It would also recognize that the old key had
+ been revoked, and cease using that key to validate answers,
+ minimizing the damage that the compromised key could do.
+ This is the process used to keep the ICANN root DNSSEC key
+ up to date.
+ </p>
+ <p>
+ Whereas <span class="command"><strong>static-key</strong></span> and
+ <span class="command"><strong>static-ds</strong></span> trust anchors continue
+ to be trusted until they are removed from
<code class="filename">named.conf</code>, an
- <span class="command"><strong>initial-key</strong></span> is only trusted
- <span class="emphasis"><em>once</em></span>: for as long as it
+ <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
+ is only trusted <span class="emphasis"><em>once</em></span>: for as long as it
takes to load the managed key database and start the RFC 5011
key maintenance process.
</p>
+ <p>
+ It is not possible to mix static with initial trust anchors
+ for the same domain name. It is also not possible to mix
+ <span class="command"><strong>key</strong></span> with <span class="command"><strong>ds</strong></span> trust anchors.
+ </p>
<p>
The first time <span class="command"><strong>named</strong></span> runs with an
- <span class="command"><strong>initial-key</strong></span> configured in
- <code class="filename">named.conf</code>, it fetches the
+ <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
+ configured in <code class="filename">named.conf</code>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
- using the key specified in <span class="command"><strong>dnssec-keys</strong></span>.
- If the DNSKEY RRset is validly signed, then it is
- used as the basis for a new managed keys database.
+ using the trust anchor specified in <span class="command"><strong>dnssec-keys</strong></span>.
+ If the DNSKEY RRset is validly signed by a key matching
+ the trust anchor, then it is used as the basis for a new
+ managed keys database.
</p>
<p>
From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
- sees the <span class="command"><strong>initial-key</strong></span> listed in
+ sees the <span class="command"><strong>initial-key</strong></span> or
+ <span class="command"><strong>initial-ds</strong></span> listed in
<span class="command"><strong>dnssec-keys</strong></span>, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
</p>
<p>
The next time <span class="command"><strong>named</strong></span> runs after an
- <span class="command"><strong>initial-key</strong></span> has been
- <span class="emphasis"><em>removed</em></span> from the
+ <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
+ trust anchor has been <span class="emphasis"><em>removed</em></span> from the
<span class="command"><strong>dnssec-keys</strong></span> statement (or changed to
- a <span class="command"><strong>static-key</strong></span>), the corresponding
- zone will be removed from the managed keys database,
- and RFC 5011 key maintenance will no longer be used for that
- domain.
+ a <span class="command"><strong>static-key</strong></span> or <span class="command"><strong>static-ds</strong></span>),
+ the corresponding keys will be removed from the managed keys
+ database, and RFC 5011 key maintenance will no longer be used
+ for that domain.
</p>
<p>
In the current implementation, the managed keys database
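Review bot: the new paragraph "It is not possible to mix static with initial trust anchors for the same domain name. It is also not possible to mix key with ds trust anchors" leaves the second sentence ambiguous (for the same name, or anywhere in the statement?) and does not say what `named` does on a violation (refuse the configuration, or log and drop the anchor); document both, since an operator who silently loses an anchor ends up with an unvalidated zone. In the bootstrap paragraph, "validly signed by a key matching the trust anchor" should spell out what matching means for a DS-format anchor: a DNSKEY in the apex RRset whose key tag, algorithm and digest equal the configured values, with the RRset signed by that key. Also, `key` and `ds` are not configuration keywords, so `<span class="command">` on them is misleading; use plain text or the full keyword names.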
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="dnssec_policy_grammar"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</h3></div></div></div>
+ <pre class="programlisting">
+<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em> {
+ <span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+ <span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory <em class="replaceable"><code>duration</code></em> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
+ <span class="command"><strong>parent-ds-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>parent-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>parent-registration-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>publish-safety</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>retire-safety</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>signatures-refresh</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>signatures-validity</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>signatures-validity-dnskey</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>zone-max-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>zone-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
+};
+</pre>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
+ and Usage</h3></div></div></div>
+
+ <p>
+ The <span class="command"><strong>dnssec-policy</strong></span> statement defines a key and
+ signing policy (KASP) for zones.
+ </p>
+ <p>
+ KASP is used to determine how one or more zones need to be signed
+ with DNSSEC. For example, how often RRSIG records need to be
+ refreshed, or what cryptographic algorithms to use.
+ </p>
+ <p>
+ You can configure multiple policies. To attach a policy to a zone
+ simply add <strong class="userinput"><code>dnssec-policy "policy_name"</code></strong>
+ option to the <span class="command"><strong>zone</strong></span> statement with a matching
+ policy name.
+ </p>
+
+ <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>dnskey-ttl</strong></span></span></dt>
+<dd>
+ <p>
+ The TTL of the DNSKEY resource records.
+ Default is <code class="constant">3600</code> seconds.
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>keys</strong></span></span></dt>
+<dd>
+ <p>
+ A list of keys to use. Each line represents one key. Here is
+ an example (for illustration purposes only) of some possible
+ keys in a <span class="command"><strong>dnssec-policy</strong></span>:
+ </p>
+
+<pre class="programlisting">keys {
+ ksk key-directory lifetime P5Y algorithm 8 2048;
+ zsk key-directory lifetime P30D algorithm 8;
+ csk key-directory lifetime P6MT12H3M15S algorithm 13;
+};
+</pre>
+
+ <p>
+ This example lists three keys. The first token determines
+ what RRsets the key will sign. If set to
+ <strong class="userinput"><code>ksk</code></strong> the key will sign the DNSKEY, CDS,
+ and CDNSKEY RRsets, if set to <strong class="userinput"><code>zsk</code></strong> the
+ key will sign the other RRsets, and if set to
+ <strong class="userinput"><code>csk</code></strong> the key will sign all RRsets.
+ </p>
+ <p>
+ The following part determines where the key will be stored.
+ Currently keys can only be stored in the configured
+ <span class="command"><strong>key-directory</strong></span>.
+ </p>
+ <p>
+ The third token tells how long the key may be used. In the
+ example the first key has a lifetime of 5 years, the second
+ key may be used for 30 days and the third key has a rather
+ peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
+ seconds.
+ </p>
+ <p>
+ The last token(s) are the key's algorithm and algorithm
+ length. The length may be omitted as shown in the
+ example for the second and third key.
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>publish-safety</strong></span></span></dt>
+<dd>
+ <p>
+ A margin that is added to the publish interval in key
+ timing equations to give some extra time to cover
+ unforeseen events. Default is <code class="constant">PT5M</code>
+ (5 minutes).
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>retire-safety</strong></span></span></dt>
+<dd>
+ <p>
+ A margin that is added to the retire interval in key
+ timing equations to give some extra time to cover
+ unforeseen events. Default is <code class="constant">PT5M</code>
+ (5 minutes).
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>signatures-refresh</strong></span></span></dt>
+<dd>
+ <p>
+ This determines when a RRSIG record needs to be
+ refreshed. The signatures is renewed when the time until
+ the expiration time is closer than
+ <span class="command"><strong>signatures-refresh</strong></span>.
+ <span class="command"><strong>signatures-resign</strong></span> interval. Default
+ is <code class="constant">P5D</code> (5 days), meaning a signature
+ that will expire in 5 days or sooner will be refreshed.
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>signatures-validity</strong></span></span></dt>
+<dd>
+ <p>
+ The validity period of an RRSIG record (minus the
+ inception offset and jitter). Default is
+ <code class="constant">P2W</code> (2 weeks).
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>signatures-validity-dnskey</strong></span></span></dt>
+<dd>
+ <p>
+ Like <span class="command"><strong>signatures-validity</strong></span> but for
+ DNSKEY records. Default is <code class="constant">P2W</code> (2
+ weeks).
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>zone-max-ttl</strong></span></span></dt>
+<dd>
+ <p>
+ Like <span class="command"><strong>max-zone-ttl</strong></span>, specifies the
+ maximum permissible TTL value in seconds. When loading a
+ zone file using a <code class="option">masterfile-format</code> or
+ <code class="constant">text</code> or <code class="constant">raw</code>,
+ any record encountered with a TTL higher than
+ <code class="option">zone-max-ttl</code> will be capped to the
+ maximum permissible TTL value.
+ </p>
+ <p>
+ This is needed in DNSSEC-maintained zones because when
+ rolling to a new DNSKEY, the old key needs to remain
+ available until RRSIG records have expired from caches.
+ The <code class="option">zone-max-ttl</code> option guarantees that
+ the largest TTL in the zone will be no higher than the
+ set value.
+ </p>
+ <p>
+ (NOTE: Because <code class="constant">map</code>-format files
+ load directly into memory, this option cannot be
+ used with them.)
+ </p>
+ <p>
+ The default value is <code class="constant">PT24H</code> (24 hours).
+ A <code class="option">zone-max-ttl</code> of zero is treated as if
+ the default value is in use.
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>zone-propagation-delay</strong></span></span></dt>
+<dd>
+ <p>
+ The expected propagation delay from when a zone is
+ updated and when the new version of the zone is served by
+ all its name servers. Default is
+ <code class="constant">PT5M</code> (5 minutes).
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>parent-ds-ttl</strong></span></span></dt>
+<dd>
+ <p>
+ The TTL of the DS RRset that the parent uses. Default is
+ <code class="constant">PT1H</code> (1 hour).
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>parent-propagation-delay</strong></span></span></dt>
+<dd>
+ <p>
+ The expected propagation delay from when the parent zone
+ is updated and when the new version of the parent zone is
+ served by all its name servers. Default is
+ <code class="constant">PT1H</code> (1 hour).
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>parent-registration-delay</strong></span></span></dt>
+<dd>
+ <p>
+ The expected registration delay from when a DS RRset
+ change is requested and when the DS RRset has been
+ updated in the parent zone. Default is
+ <code class="constant">P1D</code> (1 day).
+ </p>
+ </dd>
+</dl></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key
- | initial-key ) <em class="replaceable"><code>integer</code></em>
- <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
- <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
+ | initial-key | static-ds |
+ <span class="command"><strong>initial-ds</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+ <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
</pre>
</div>
<div class="section">
<span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+ <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>duration</code></em> );
<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
<span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>forward</strong></span> ( first | only );
<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
<span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+ <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>duration</code></em> );
<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
};
</pre>
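Review bot: `max-zone-ttl` changes type from `ttlval` to `duration` in both zone grammars here, but nothing in the Feature Changes notes added by this patch mentions it; if the `duration` type does not accept every value `ttlval` accepted, existing named.conf files will stop loading, so either confirm backward compatibility or add a release note describing the accepted syntax.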
Usage”</a>.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>dnssec-policy</strong></span></span></dt>
+<dd>
+ <p>
+ The key and signing policy for this zone. Set to
+ <strong class="userinput"><code>"default"</code></strong> if you want to make use
+ of the default policy.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
<dd>
<p>
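Review bot: the per-zone `dnssec-policy` definition only says to set `"default"` to use the default policy; it does not say what the default policy's values are, what happens when the option is omitted, or how it interacts with the existing per-zone DNSSEC options in the same grammar (`dnssec-update-mode`, `dnssec-loadkeys-interval`, `dnssec-dnskey-kskonly`). A sentence on each, or a cross-reference to the `dnssec-policy` statement section, would help.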
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.5</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.5</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
- <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
+ <a class="link" href="https://www.isc.org/download/" target="_top">https://www.isc.org/download/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
</div>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
- option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. This flaw is disclosed in
- CVE-2018-5743. [GL #615]
- </p>
- </li>
-<li class="listitem">
- <p>
- In certain configurations, <span class="command"><strong>named</strong></span> could crash
- with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
- was in use and a redirected query resulted in an NXDOMAIN from the
- cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
- </p>
- </li>
-<li class="listitem">
- <p>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash with an assertion failure
- if a forwarder returned a referral, rather than resolving the
- query, when QNAME minimization was enabled. This flaw is
- disclosed in CVE-2019-6476. [GL #1051]
- </p>
- </li>
-<li class="listitem">
- <p>
- A flaw in DNSSEC verification when transferring mirror zones
- could allow data to be incorrectly marked valid. This flaw
- is disclosed in CVE-2019-6475. [GL #1252]
- </p>
- </li>
+<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A new asynchronous network communications system based on
+ <span class="command"><strong>libuv</strong></span> is now used by <span class="command"><strong>named</strong></span>
+ for listening for incoming requests and responding to them.
+ This change will make it easier to improve performance and
+ implement new protocol layers (for example, DNS over TLS) in
+ the future. [GL #29]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
+ configuration key and signing policy (KASP) for zones. This
+ option enables <span class="command"><strong>named</strong></span> to generate new keys
+ as needed and automatically roll both ZSK and KSK keys.
+ (Note that the syntax for this statement differs from the DNSSEC
+ policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new keywords have been added to the
+ <span class="command"><strong>dnssec-keys</strong></span> statement:
+ <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
+ These allow the use of trust anchors in DS format instead of
+ DNSKEY format. DS format allows trust anchors to be configured
+ for keys that have not yet been published; this is the format
+ used by IANA when announcing future root keys.
+ </p>
+ <p>
+ As with the <span class="command"><strong>initial-key</strong></span> and
+ <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
+ configures a dynamic trust anchor to be maintained via RFC 5011, and
+ <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
+ </p>
+ <p>
+ (Note: Currently, DNSKEY-format and DS-format trust anchors
+ cannot both be used for the same domain name.) [GL #6] [GL #622]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
+ because it was found to have a significant performance impact on the
+ recursive service. The NSEC Aggressive Cache will be enable by default
+ in the future releases. [GL #1265]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. [GL #622]
+ </p>
+ </li>
</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Too many simultaneous pipelined TCP queries could cause
+ resource overuse. We now prevent this by enforcing a limit
+ on the number of simultaneous requests per active connection.
+ This flaw`is disclosed in CVE-2019-6477. [GL #1264]
+ </p>
+ </li></ul></div>
+ </div>
+
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Added a new command line option to <span class="command"><strong>dig</strong></span>:
- <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
- won't accept a reply from a source other than the one to which
- it sent the query. Add the <span class="command"><strong>+unexpected</strong></span> argument
- to enable it to process replies from unexpected sources.
- </p>
- </li>
-<li class="listitem">
- <p>
- The GeoIP2 API from MaxMind is now supported. Geolocation support
- will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
- library is found at compile time, but can be turned off by using
- <span class="command"><strong>configure --disable-geoip</strong></span>.
- </p>
- <p>
- The default path to the GeoIP2 databases will be set based
- on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
- for example, if it is in <code class="filename">/usr/local/lib</code>,
- then the default path will be
- <code class="filename">/usr/local/share/GeoIP</code>.
- This value can be overridden in <code class="filename">named.conf</code>
- using the <span class="command"><strong>geoip-directory</strong></span> option.
- </p>
- <p>
- Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
- legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
- <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
- <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
- <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
- and IPv6 lookups. [GL #182] [GL #1112]
- </p>
- </li>
-<li class="listitem">
- <p>
- In order to clarify the configuration of DNSSEC keys,
- the <span class="command"><strong>trusted-keys</strong></span> and
- <span class="command"><strong>managed-keys</strong></span> statements have been
- deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
- statement should now be used for both types of key.
- </p>
- <p>
- When used with the keyword <span class="command"><strong>initial-key</strong></span>,
- <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
- <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
- a trust anchor that is to be maintained via RFC 5011.
- </p>
- <p>
- When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
- has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
- configuring a permanent trust anchor that will not automatically
- be updated. (This usage is not recommended for the root key.)
- [GL #6]
- </p>
- </li>
-<li class="listitem">
- <p>
- The new <span class="command"><strong>add-soa</strong></span> option specifies whether
- or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
- should be included in the additional section of RPZ responses.
- [GL #865]
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new metrics have been added to the
- <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
- signing operations. For each key in each zone, the
- <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
- number of signatures <span class="command"><strong>named</strong></span> has generated
- using that key since server startup, and the
- <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
- </p>
- </li>
-<li class="listitem">
- <p>
+<a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash with an assertion failure
+ if a forwarder returned a referral, rather than resolving the
+ query, when QNAME minimization was enabled. This flaw is
+ disclosed in CVE-2019-6476. [GL #1051]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A flaw in DNSSEC verification when transferring mirror zones
+ could allow data to be incorrectly marked valid. This flaw
+ is disclosed in CVE-2019-6475. [GL #1252]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Added a new command line option to <span class="command"><strong>dig</strong></span>:
+ <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
+ won't accept a reply from a source other than the one to which
+ it sent the query. Add the <span class="command"><strong>+unexpected</strong></span> argument
+ to enable it to process replies from unexpected sources.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
+ <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
+ option to print output in a a detailed YAML format. [RT #1145]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
+ that its policies are removed from the RPZ summary database.
+ [GL #1146]
+ </p>
+ </li></ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
Statistics channel groups are now toggleable. [GL #1030]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
- <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
- option to print output in a a detailed YAML format. [RT #1145]
- </p>
- </li>
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ DNSSEC Lookaside Validation (DLV) is now obsolete.
+ The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
+ marked as deprecated; when used in <code class="filename">named.conf</code>,
+ it will generate a warning but will otherwise be ignored.
+ All code enabling the use of lookaside validation has been removed
+ from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
+ [GL #7]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
+ made default. Old non-default HMAC-SHA based DNS Cookie algorithms
+ have been removed, and only the default AES algorithm is being kept
+ for legacy reasons. This change doesn't have any operational impact
+ in most common scenarios. [GL #605]
+ </p>
+ <p>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
+ <span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
+ output. The standard error output is only used to print warnings and
+ errors, and in case the user requests the signed zone to be printed to
+ standard output with <span class="command"><strong>-f -</strong></span> option. A new
+ configuration option <span class="command"><strong>-q</strong></span> has been added to silence
+ all output on standard output except for the name of the signed zone.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Cache database statistics counters could report invalid values
+ when stale answers were enabled, because of a bug in counter
+ maintenance when cache data becomes stale. The statistics counters
+ have been corrected to report the number of RRsets for each
+ RR type that are active, stale but still potentially served,
+ or stale and marked for deletion. [GL #602]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
+ <span class="command"><strong>dnstap-output</strong></span> option when
+ <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
+ when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
+ </p>
+ </li>
</ul></div>
+ </div>
+
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
- no longer has any effect. DNSSEC responses are always enabled
- if signatures and other DNSSEC data are present. [GL #866]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>cleaning-interval</strong></span> option has been
- removed. [GL !1731]
- </p>
- </li>
-<li class="listitem">
- <p>
- DNSSEC Lookaside Validation (DLV) is now obsolete.
- The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
- marked as deprecated; when used in <code class="filename">named.conf</code>,
- it will generate a warning but will otherwise be ignored.
- All code enabling the use of lookaside validation has been removed
- from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
- [GL #7]
- </p>
- </li>
+<a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The GeoIP2 API from MaxMind is now supported. Geolocation support
+ will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
+ library is found at compile time, but can be turned off by using
+ <span class="command"><strong>configure --disable-geoip</strong></span>.
+ </p>
+ <p>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
+ for example, if it is in <code class="filename">/usr/local/lib</code>,
+ then the default path will be
+ <code class="filename">/usr/local/share/GeoIP</code>.
+ This value can be overridden in <code class="filename">named.conf</code>
+ using the <span class="command"><strong>geoip-directory</strong></span> option.
+ </p>
+ <p>
+ Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
+ legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
+ <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
+ <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
+ <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
+ and IPv6 lookups. [GL #182] [GL #1112]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new metrics have been added to the
+ <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
+ number of signatures <span class="command"><strong>named</strong></span> has generated
+ using that key since server startup, and the
+ <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>qname-minimization</strong></span> was set to
+ <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>./configure</strong></span> no longer sets
+ <span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
+ <span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
+ when <span class="command"><strong>--prefix</strong></span> is not specified and the
+ aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
+ <span class="command"><strong>$prefix/var</strong></span> are respected.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </p>
+ </li>
</ul></div>
+ </div>
+
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will now log a warning if
- a static key is configured for the root zone. [GL #6]
- </p>
- </li>
-<li class="listitem">
- <p>
- When static and managed DNSSEC keys were both configured for the
- same name, or when a static key was used to
- configure a trust anchor for the root zone and
- <span class="command"><strong>dnssec-validation</strong></span> was set to the default
- value of <code class="literal">auto</code>, automatic RFC 5011 key
- rollovers would be disabled. This combination of settings was
- never intended to work, but there was no check for it in the
- parser. This has been corrected, and it is now a fatal
- configuration error. [GL #868]
- </p>
- </li>
-<li class="listitem">
- <p>
- DS and CDS records are now generated with SHA-256 digests
- only, instead of both SHA-1 and SHA-256. This affects the
- default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
- <code class="filename">dsset</code> files generated by
- <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
- a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
- <code class="filename">keyset</code> files, the CDS records added to
- a zone by <span class="command"><strong>named</strong></span> and
- <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
- parameters in key files, and the checks performed by
- <span class="command"><strong>dnssec-checkds</strong></span>.
- </p>
- </li>
-<li class="listitem">
- <p>
- JSON-C is now the only supported library for enabling JSON
- support for BIND statistics. The <span class="command"><strong>configure</strong></span>
- option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
- to <span class="command"><strong>--with-json-c</strong></span>. Use
- <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
- the <span class="command"><strong>json-c</strong></span> library as the new
- <span class="command"><strong>configure</strong></span> option does not take the library
- installation path as an optional argument.
- </p>
- </li>
-<li class="listitem">
- <p>
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
- made default. Old non-default HMAC-SHA based DNS Cookie algorithms
- have been removed, and only the default AES algorithm is being kept
- for legacy reasons. This change doesn't have any operational impact
- in most common scenarios. [GL #605]
- </p>
- <p>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </p>
- </li>
-<li class="listitem">
- <p>
- The information from the <span class="command"><strong>dnssec-signzone</strong></span> and
- <span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
- output. The standard error output is only used to print warnings and
- errors, and in case the user requests the signed zone to be printed to
- standard output with <span class="command"><strong>-f -</strong></span> option. A new
- configuration option <span class="command"><strong>-q</strong></span> has been added to silence
- all output on standard output except for the name of the signed zone.
- </p>
- </li>
-<li class="listitem">
- <p>
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </p>
- </li>
+<a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ In order to clarify the configuration of DNSSEC keys,
+ the <span class="command"><strong>trusted-keys</strong></span> and
+ <span class="command"><strong>managed-keys</strong></span> statements have been
+ deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
+ statement should now be used for both types of key.
+ </p>
+ <p>
+ When used with the keyword <span class="command"><strong>initial-key</strong></span>,
+ <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
+ <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+ </p>
+ <p>
+ When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
+ has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
+ configuring a permanent trust anchor that will not automatically
+ be updated. (This usage is not recommended for the root key.)
+ [GL #6]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The <span class="command"><strong>cleaning-interval</strong></span> option has been
+ removed. [GL !1731]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> will now log a warning if
+ a static key is configured for the root zone. [GL #6]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ JSON-C is now the only supported library for enabling JSON
+ support for BIND statistics. The <span class="command"><strong>configure</strong></span>
+ option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
+ to <span class="command"><strong>--with-json-c</strong></span>. Use
+ <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
+ the <span class="command"><strong>json-c</strong></span> library as the new
+ <span class="command"><strong>configure</strong></span> option does not take the library
+ installation path as an optional argument.
+ </p>
+ </li>
</ul></div>
+ </div>
+
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The <span class="command"><strong>allow-update</strong></span> and
- <span class="command"><strong>allow-update-forwarding</strong></span> options were
- inadvertently treated as configuration errors when used at the
- <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
- This has now been corrected.
- [GL #913]
- </p>
- </li>
-<li class="listitem">
- <p>
- When <span class="command"><strong>qname-minimization</strong></span> was set to
- <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
- would fail to resolve, but would have succeeded when minimization
- was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>./configure</strong></span> no longer sets
- <span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
- <span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
- when <span class="command"><strong>--prefix</strong></span> is not specified and the
- aforementioned options are not specified explicitly. Instead,
- Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
- <span class="command"><strong>$prefix/var</strong></span> are respected.
- </p>
- </li>
-<li class="listitem">
- <p>
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </p>
- </li>
-<li class="listitem">
- <p>
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
- <span class="command"><strong>dnstap-output</strong></span> option when
- <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
- </p>
- </li>
-<li class="listitem">
- <p>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </p>
- </li>
-<li class="listitem">
- <p>
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
- when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
- </p>
- </li>
-<li class="listitem">
- <p>
- When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
- </p>
- </li>
+<a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+ or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
+ no longer has any effect. DNSSEC responses are always enabled
+ if signatures and other DNSSEC data are present. [GL #866]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
+ configure a trust anchor for the root zone and
+ <span class="command"><strong>dnssec-validation</strong></span> was set to the default
+ value of <code class="literal">auto</code>, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
+ <code class="filename">dsset</code> files generated by
+ <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
+ a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
+ <code class="filename">keyset</code> files, the CDS records added to
+ a zone by <span class="command"><strong>named</strong></span> and
+ <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
+ parameters in key files, and the checks performed by
+ <span class="command"><strong>dnssec-checkds</strong></span>.
+ </p>
+ </li>
</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The <span class="command"><strong>allow-update</strong></span> and
+ <span class="command"><strong>allow-update-forwarding</strong></span> options were
+ inadvertently treated as configuration errors when used at the
+ <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+ This has now been corrected.
+ [GL #913]
+ </p>
+ </li></ul></div>
+ </div>
+
</div>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
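Review bot: one entry from the removed flat Bug Fixes list (the `-` lines just before the 9.15.0 section) is not picked up by any of the per-version sections added in this hunk: "When a response-policy zone expires, ensure that its policies are removed from the RPZ summary database. [GL #1146]". Every other removed entry (GL #913, #1055, #1092, #1106, #1159, #1136, #1133, #602, #1152 and the ./configure defaults change) reappears under 9.15.0, 9.15.2 or 9.15.3, so GL #1146 should be restored under the release that shipped it (9.15.4 if it belongs in the notes above this hunk); otherwise it silently drops out of the release notes. Two wording points worth fixing while the text is being moved: in the 9.15.3 DNS Cookie entry, "only the default AES algorithm is being kept for legacy reasons" contradicts the preceding sentence that makes SipHash 2-4 the default, and should read "the previous default AES algorithm"; and the dnssec-signzone `-q` flag is a command-line option, not "a new configuration option".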
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
- <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+ <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
for details of ISC's software support policy.
</p>
</div>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
- <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
+ <a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
<code class="filename">named.conf</code>, except that all
<span class="command"><strong>managed-keys</strong></span> entries will be treated as
if they were configured with the <span class="command"><strong>static-key</strong></span>
- keyword, even if they are configured with <span class="command"><strong>initial-key</strong></span>.
+ or <span class="command"><strong>static-ds</strong></span> keywords, even if they are configured
+ with <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>iniital-ds</strong></span>.
(See <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Grammar">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Grammar”</a> for syntax details.)
</p>
</div>
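Review bot: typo in the added line, `iniital-ds` should be `initial-ds`, matching the `static-ds` / `initial-key` spelling used in the same sentence; as written, an operator searching the ARM for the new keyword will not find this paragraph.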
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.5</p></div>
+<div><p class="releaseinfo">BIND Version 9.15.6</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.2">Converting from insecure to secure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully automatic zone signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private-type records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic key rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting from secure to insecure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic re-signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.52">NSEC3 and OPTOUT</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.9">Dynamic DNS update method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.17">Fully automatic zone signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.27">Private-type records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">DNSKEY rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.36">Dynamic DNS update method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">Automatic key rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.48">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Converting from secure to insecure</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.54">Periodic re-signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.56">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
+ and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.5</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
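Review bot: the new per-version entries use hyphenated anchors ("relnotes-9.15.6") while the surrounding entries keep underscores ("relnotes_intro", "relnotes_license", "relnotes_thanks"); pick one convention for the chapter. Dropping the "relnotes_security", "relnotes_features", "relnotes_removed", "relnotes_changes" and "relnotes_bugs" anchors also breaks any existing deep link to them, so either keep those ids on the corresponding subsections of the 9.15.6 notes or mention the rename in the release notes themselves.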
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-k</code>]
+ [<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+ [<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
+ [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
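Review bot: the synopsis gains "-T rrtype", but the option descriptions added in this patch cover only -d, -k and -l; add a matching "-T rrtype" term entry (which record type it selects and the default when omitted) or leave -T out of the synopsis until it is documented.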
the specified class. If not specified, class IN is used.
</p>
</dd>
+<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
+<dd>
+ <p>
+ Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
+ RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
+ DH size is between 128 and 4096. This option is ignored for
+ algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
+ </p>
+ </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
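Review bot: "NSEC3RSASA1" in the -d description should read "NSEC3RSASHA1", and "must be in range 1024-4096" reads better as "must be in the range 1024-4096". The DH sentence gives a range but does not say what happens to a size outside it (rejected or clamped); state which, and say what the default size is when -d is omitted, since the paragraph only covers explicitly given sizes.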
Sets the directory in which the key files are to be written.
</p>
</dd>
+<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
+<dd>
+ <p>
+ Create keys for a specific dnssec-policy. If a policy uses
+ multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
+ multiple keys. This will also create a ".state" file to keep
+ track of the key state.
+ </p>
+ <p>
+ This option creates keys according to the dnssec-policy
+ configuration, hence it cannot be used together with many of
+ the other options that <span class="command"><strong>dnssec-keygen</strong></span>
+ provides.
+ </p>
+ </dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
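Review bot: "cannot be used together with many of the other options" is too vague for a reference page; list the options that -k rejects explicitly so an operator does not have to discover them from error messages. The paragraph also introduces a ".state" file without saying where it is written or how it is named; the -K description immediately above only speaks of key files, so add one sentence placing the state file next to the .key/.private pair (or wherever it actually goes).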
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
+<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
+<dd>
+ <p>
+ Provide a configuration file that contains a dnssec-policy
+ statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
+ </p>
+ </dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
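Review bot: the -l description does not say what happens when -k is given without -l; document the configuration file consulted by default, or state that -l is required whenever -k is used.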
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+ [<code class="option">-s</code>]
+ [<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
+ [<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
{keyfile}
</p></div>
</div>
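Review bot: the synopsis presents -s, -g, -d, -k, -r and -z as independent options, but the DESCRIPTION text in this patch says key states can be updated with -d/-k/-r/-z only "if this option [-s] is used"; express that dependency in the synopsis (for example by nesting them as "[-s [-g state] [-d state date/offset] ...]") or state it in each option's term entry, and note that the new short options -d and -k reuse letters that dnssec-keygen assigns to key size and policy, which is worth a sentence for readers moving between the two tools.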
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
+ </p>
+ <p>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
+ <p>
+ When working with state files, it is possible to update the timing
+ metadata in those files as well with <code class="option">-s</code>. If this
+ option is used you can also update key states with <code class="option">-d</code>
+ (DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
+ or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
+ RUMOURED, OMNIPRESENT, and UNRETENTIVE.
+ </p>
+ <p>
+ You can also set the goal state of the key with <code class="option">-g</code>.
+ This should be either HIDDEN or OMNIPRESENT (representing whether the
+ key should be removed from the zone, or published).
+ </p>
+ <p>
+ It is NOT RECOMMENDED to manipulate state files manually except for
+ testing purposes.
+ </p>
</div>
<div class="refsection">
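Review bot: "If this option is used you can also update" needs a comma after "used". The "It is NOT RECOMMENDED to manipulate state files manually" paragraph duplicates the sentence added under KEY STATE OPTIONS ("These should not be set manually except for testing purposes"); keep one of them. Also "RRSIG of KSK"/"RRSIG of ZSK" here versus "RRSIG (KSK)"/"RRSIG (ZSK)" in the option terms; use one form throughout.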
</div>
<div class="refsection">
-<a name="id-1.13.15.10"></a><h2>PRINTING OPTIONS</h2>
+<a name="id-1.13.15.10"></a><h2>KEY STATE OPTIONS</h2>
+
+ <p>
+ Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
+ These should not be set manually except for testing purposes.
+ </p>
+
+ <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-s</span></dt>
+<dd>
+ <p>
+ When setting key timing data, also update the state file.
+ </p>
+ </dd>
+<dt><span class="term">-g</span></dt>
+<dd>
+ <p>
+ Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
+ </p>
+ </dd>
+<dt><span class="term">-d</span></dt>
+<dd>
+ <p>
+ Set the DS state for this key, and when it was last changed.
+ </p>
+ </dd>
+<dt><span class="term">-k</span></dt>
+<dd>
+ <p>
+ Set the DNSKEY state for this key, and when it was last changed.
+ </p>
+ </dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+ <p>
+ Set the RRSIG (KSK) state for this key, and when it was last
+ changed.
+ </p>
+ </dd>
+<dt><span class="term">-z</span></dt>
+<dd>
+ <p>
+ Set the RRSIG (ZSK) state for this key, and when it was last
+ changed.
+ </p>
+ </dd>
+</dl></div>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.13.15.11"></a><h2>PRINTING OPTIONS</h2>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
</div>
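Review bot: the new term entries list bare "-g", "-d", "-k", "-r" and "-z", while the synopsis shows "-g state" and "-d state date/offset" (and likewise for -k, -r, -z); carry the replaceable arguments into the terms, e.g. <span class="term">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></span>, so the two agree and the reader sees that each state change also takes a timestamp. The -g entry should also say what the default goal is when -g is not given, and the -s entry should say that it is a prerequisite for the other five options if that is the intended behaviour described in DESCRIPTION.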
<div class="refsection">
-<a name="id-1.13.15.11"></a><h2>SEE ALSO</h2>
+<a name="id-1.13.15.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
<a name="id-1.13.27.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    initial-key | static-ds | initial-ds )<br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
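Review bot: the added continuation line "Â Â Â Â integer Â integer Â integer" contains U+00A0 non-breaking spaces (shown here as mojibake) instead of the four plain spaces used on the neighbouring continuation line "    quoted_string; ... };"; this is the same defect the managed-keys hunk below removes, so replace them with ordinary spaces before merging.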
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
-    | initial-key ) <em class="replaceable"><code>integer</code></em><br>
-Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
+    | initial-key | static-ds |<br>
+    initial-ds ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-output-queue-model ( mpsc | spsc );<br>
fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
+ fstrm-set-reopen-interval <em class="replaceable"><code>duration</code></em>;<br>
geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
+ interface-interval <em class="replaceable"><code>duration</code></em>;<br>
ixfr-from-differences ( primary | master | secondary | slave |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] {<br>
    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
masterfile-style ( full | relative );<br>
match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
- max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
- min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
- nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+ nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
+ nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
port <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
-     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
-     min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
+     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
+     min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
serial-update-method ( date | increment | unixtime );<br>
server-id ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
- servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
session-keyalg <em class="replaceable"><code>string</code></em>;<br>
session-keyfile ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
session-keyname <em class="replaceable"><code>string</code></em>;<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
- stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
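Review bot: the type rename from "ttlval" to "duration" is applied consistently, but nothing in this hunk explains it; say whether "duration" accepts exactly what "ttlval" did or a broader syntax, and link the type definition, since this grammar page is where operators look up what a value may contain. Also check whether the remaining integer-typed time options were left out deliberately: "interface-interval" becomes a duration while "heartbeat-interval", "max-refresh-time", "max-retry-time" and the "max-transfer-*" options stay "integer".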
    [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>duration</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+     initial-key | static-ds | initial-ds<br>
+ Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
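Review bot: the added continuation line "Â Â Â Â )Â integer Â integer Â integer" contains U+00A0 non-breaking spaces instead of plain spaces, and the closing ")" has moved to the start of that line while the equivalent dnssec-keys grammar earlier in this patch closes the alternative list on the "initial-key | static-ds | initial-ds )" line; use ordinary spaces and the same line break in both listings.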
secret <em class="replaceable"><code>string</code></em>;<br>
};<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ lame-ttl <em class="replaceable"><code>duration</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
managed-keys { <em class="replaceable"><code>string</code></em> (<br>
    static-key | initial-key<br>
+     | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-stale-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ max-stale-ttl <em class="replaceable"><code>duration</code></em>;<br>
max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
- min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ min-cache-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ min-ncache-ttl <em class="replaceable"><code>duration</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]<br>
    [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
- nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+ nta-lifetime <em class="replaceable"><code>duration</code></em>;<br>
+ nta-recheck <em class="replaceable"><code>duration</code></em>;<br>
nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ {<br>
    <em class="replaceable"><code>unspecified-text</code></em> } ];<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
-     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
-     min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
+     break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
+     min-update-interval <em class="replaceable"><code>duration</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
    [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
transfers <em class="replaceable"><code>integer</code></em>;<br>
};<br>
- servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ servfail-ttl <em class="replaceable"><code>duration</code></em>;<br>
sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
sig-validity-interval <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
stale-answer-enable <em class="replaceable"><code>boolean</code></em>;<br>
- stale-answer-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ stale-answer-ttl <em class="replaceable"><code>duration</code></em>;<br>
synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
transfer-format ( many-answers | one-answer );<br>
transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+ dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+ dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
file <em class="replaceable"><code>quoted_string</code></em>;<br>
max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+ max-zone-ttl ( unlimited | <em class="replaceable"><code>duration</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.24"></a><h2>FILES</h2>
+<a name="id-1.13.27.24"></a><h2>DNSSEC-POLICY</h2>
+
+ <div class="literallayout"><p><br>
+dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
+ dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
+ parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+ parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
+ publish-safety <em class="replaceable"><code>duration</code></em>;<br>
+ retire-safety <em class="replaceable"><code>duration</code></em>;<br>
+ signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
+ signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
+ signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
+ zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
+ zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+};<br>
+</p></div>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.13.27.25"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.13.27.25"></a><h2>SEE ALSO</h2>
+<a name="id-1.13.27.26"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
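Review bot: the new DNSSEC-POLICY literallayout block is out of sync with the named.conf grammar updated elsewhere in this patch. Its `dnskey-ttl` is still typed `ttlval` while every other `ttlval` in the patch is renamed to `duration` (the text grammar hunk later in the patch changes `dnskey-ttl <ttlval>` to `dnskey-ttl <duration>`), and its `keys` clause reads `key-directory lifetime` where the text grammar reads `( key-directory ) lifetime`. Regenerate this block from the same grammar source as the text version rather than hand-editing it, so the two do not drift. Minor: the anchor `id-1.13.27.24` is now reused for the new section and FILES/SEE ALSO move to .25/.26, so any existing deep links to those anchors will land on a different section.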
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
allowed to incrementally re-sign over time.
</p>
<p>
- This command requires that the
+ This command requires that the zone is configured with a
+ <span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option
be set to <code class="literal">maintain</code>,
and also requires the zone to be configured to
re-signed with the new key set.
</p>
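Review bot: mixed mood in the added sentence: "requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set to maintain". Use the subjunctive in both clauses, e.g. "requires that the zone be configured with a dnssec-policy, or that the auto-dnssec zone option be set to maintain". The same wording is repeated in the following hunk (the `allow` or `maintain` variant) and should be fixed there as well.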
<p>
- This command requires that the
+ This command requires that the zone is configured with a
+ <span class="command"><strong>dnssec-policy</strong></span>, or that the
<span class="command"><strong>auto-dnssec</strong></span> zone option be set
to <code class="literal">allow</code> or
<code class="literal">maintain</code>,
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
+ The cache is flushed when validation is turned on or off
+ to avoid using data that might differ between states.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
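Review bot: the added note says the cache is flushed when validation is turned on or off "to avoid using data that might differ between states", but it does not spell out the case an operator actually needs to understand: data cached while validation was off was never validated and must not be served as validated once it is turned back on. Consider stating that directly, and noting the operational side effect that toggling validation on a busy resolver starts it from a cold cache.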
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.5</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
</p>
</li>
+<li class="listitem">
+ <p>
+ Two new keywords have been added to the
+ <span class="command"><strong>dnssec-keys</strong></span> statement:
+ <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
+ These allow the use of trust anchors in DS format instead of
+ DNSKEY format. DS format allows trust anchors to be configured
+ for keys that have not yet been published; this is the format
+ used by IANA when announcing future root keys.
+ </p>
+ <p>
+ As with the <span class="command"><strong>initial-key</strong></span> and
+ <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
+ configures a dynamic trust anchor to be maintained via RFC 5011, and
+ <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
+ </p>
+ <p>
+ (Note: Currently, DNSKEY-format and DS-format trust anchors
+ cannot both be used for the same domain name.) [GL #6] [GL #622]
+ </p>
+ </li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
</p>
+ </li>
+<li class="listitem">
+ <p>
+ The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. [GL #622]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Too many simultaneous pipelined TCP queries could cause
+ resource overuse. We now prevent this by enforcing a limit
+ on the number of simultaneous requests per active connection.
+ This flaw`is disclosed in CVE-2019-6477. [GL #1264]
+ </p>
</li></ul></div>
</div>
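Review bot: typo in the Security Fixes entry, "This flaw`is disclosed in CVE-2019-6477" has a backtick where a space belongs. While in this file: the Feature Changes context line "The NSEC Aggressive Cache will be enable by default in the future releases" is pre-existing but should read "will be enabled by default in future releases". Two documentation points on the new content: the Security Fixes entry says a limit is now enforced per active connection but not what the limit is or whether it is tunable; if either is fixed or configurable, the release note is where operators will look for it. The trust-anchor entry says the keywords were added to the `dnssec-keys` statement, while the only grammar in this patch that lists `static-ds | initial-ds` does so under `managed-keys` (context lines near the end of the patch); confirm the `dnssec-keys` grammar block was updated too so the note and the grammar agree.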
-Release Notes for BIND Version 9.15.5
+Release Notes for BIND Version 9.15.6
Introduction
that the syntax for this statement differs from the DNSSEC policy used
by dnssec-keymgr.) [GL #1134]
+ * Two new keywords have been added to the dnssec-keys statement:
+ initial-ds and static-ds. These allow the use of trust anchors in DS
+ format instead of DNSKEY format. DS format allows trust anchors to be
+ configured for keys that have not yet been published; this is the
+ format used by IANA when announcing future root keys.
+
+ As with the initial-key and static-key keywords, initial-ds configures
+ a dynamic trust anchor to be maintained via RFC 5011, and static-ds
+ configures a permanent trust anchor.
+
+ (Note: Currently, DNSKEY-format and DS-format trust anchors cannot
+ both be used for the same domain name.) [GL #6] [GL #622]
+
Feature Changes
* NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
+ * The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. [GL #622]
+
+Security Fixes
+
+ * Too many simultaneous pipelined TCP queries could cause resource
+ overuse. We now prevent this by enforcing a limit on the number of
+ simultaneous requests per active connection. This flaw`is disclosed in
+ CVE-2019-6477. [GL #1264]
+
Notes for BIND 9.15.5
Security Fixes
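Review bot: same typo as in the HTML release notes, "This flaw`is disclosed in CVE-2019-6477" needs a space instead of the backtick. The pre-existing context line "The NSEC Aggressive Cache will be enable by default in the future releases" should also be corrected to "will be enabled by default in future releases" so the text and HTML versions stay identical.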
max-records <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-out <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
<quoted_string>; ... }; // may occur multiple times
dnssec-policy <string> {
- dnskey-ttl <ttlval>;
- keys { ( csk | ksk | zsk ) key-directory lifetime <duration> algorithm <integer>
- [ <integer> ]; ... };
- parent-ds-ttl <duration>;
- parent-propagation-delay <duration>;
- parent-registration-delay <duration>;
+ dnskey-ttl <duration>;
+ keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
+ algorithm <integer> [ <integer> ]; ... };
+ parent-ds-ttl <duration>;
+ parent-propagation-delay <duration>;
+ parent-registration-delay <duration>;
publish-safety <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
zone-max-ttl <duration>;
- zone-propagation-delay <duration>;
+ zone-propagation-delay <duration>;
}; // may occur multiple times
dyndb <string> <quoted_string> {
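Review bot: the `keys` clause now renders `( csk | ksk | zsk ) ( key-directory ) lifetime <duration>`, a parenthesized group with a single alternative. If `key-directory` is optional the grammar should print `[ key-directory ]`; if it is a required fixed keyword the parentheses are redundant. Check the grammar printer rather than editing the output. The `zone-propagation-delay <duration>;` line is a whitespace-only change (indentation), which is harmless but suggests the generator's indentation is not stable and this file will churn on every regeneration.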
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
- in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
+ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
trust-anchor <string> |
auto | no ); // obsolete, may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
fstrm-set-output-notify-threshold <integer>; // not configured
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
- fstrm-set-reopen-interval <ttlval>; // not configured
- geoip-directory ( <quoted_string> | none );
+ fstrm-set-reopen-interval <duration>; // not configured
+ geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
host-statistics-max <integer>; // ancient
hostname ( <quoted_string> | none );
inline-signing <boolean>;
- interface-interval <ttlval>;
+ interface-interval <duration>;
ixfr-from-differences ( primary | master | secondary | slave |
<boolean> );
keep-response-order { <address_match_element>; ... };
key-directory <quoted_string>;
- lame-ttl <ttlval>;
+ lame-ttl <duration>;
listen-on [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
match-mapped-addresses <boolean>;
max-acache-size ( unlimited | <sizeval> ); // obsolete
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
- max-cache-ttl <ttlval>;
+ max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
max-journal-size ( default | unlimited | <sizeval> );
- max-ncache-ttl <ttlval>;
+ max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-rsa-exponent-size <integer>;
- max-stale-ttl <ttlval>;
+ max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
memstatistics <boolean>;
memstatistics-file <quoted_string>;
message-compression <boolean>;
- min-cache-ttl <ttlval>;
- min-ncache-ttl <ttlval>;
+ min-cache-ttl <duration>;
+ min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
min-roots <integer>; // ancient
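Review bot: the `// not configured` annotation newly added to `geoip-directory ( <quoted_string> | none )` and the `// non-operational` annotation added to `lmdb-mapsize <sizeval>` appear to reflect the configure options of the build that produced this grammar dump (apparently without GeoIP and LMDB support), not a change in what these options do, exactly as the existing `fstrm-*` lines are marked `// not configured` when dnstap is absent. If this file is meant to document the full grammar, regenerate it from a build with those features enabled; otherwise readers of the man page will take these options to be unusable.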
[ dscp <integer> ];
notify-to-soa <boolean>;
nsec3-test-zone <boolean>; // test only
- nta-lifetime <ttlval>;
- nta-recheck <ttlval>;
+ nta-lifetime <duration>;
+ nta-recheck <duration>;
nxdomain-redirect <string>;
pid-file ( <quoted_string> | none );
port <integer>;
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
- <boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
- <ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
- nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+ <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+ <duration> ] [ policy ( cname | disabled | drop | given | no-op
+ | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
- break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
- min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
+ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+ min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
serial-query-rate <integer>;
serial-update-method ( date | increment | unixtime );
server-id ( <quoted_string> | none | hostname );
- servfail-ttl <ttlval>;
+ servfail-ttl <duration>;
session-keyalg <string>;
session-keyfile ( <quoted_string> | none );
session-keyname <string>;
sortlist { <address_match_element>; ... };
stacksize ( default | unlimited | <sizeval> );
stale-answer-enable <boolean>;
- stale-answer-ttl <ttlval>;
+ stale-answer-ttl <duration>;
startup-notify-rate <integer>;
statistics-file <quoted_string>;
statistics-interval <integer>; // ancient
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
- in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
+ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
trust-anchor <string> |
auto | no ); // obsolete, may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
secret <string>;
}; // may occur multiple times
key-directory <quoted_string>;
- lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lame-ttl <duration>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key
match-recursive-only <boolean>;
max-acache-size ( unlimited | <sizeval> ); // obsolete
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
- max-cache-ttl <ttlval>;
+ max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
max-journal-size ( default | unlimited | <sizeval> );
- max-ncache-ttl <ttlval>;
+ max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
- max-stale-ttl <ttlval>;
+ max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
message-compression <boolean>;
- min-cache-ttl <ttlval>;
- min-ncache-ttl <ttlval>;
+ min-cache-ttl <duration>;
+ min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
min-roots <integer>; // ancient
[ dscp <integer> ];
notify-to-soa <boolean>;
nsec3-test-zone <boolean>; // test only
- nta-lifetime <ttlval>;
- nta-recheck <ttlval>;
+ nta-lifetime <duration>;
+ nta-recheck <duration>;
nxdomain-redirect <string>;
plugin ( query ) <string> [ {
<unspecified-text> } ]; // may occur multiple times
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
- <boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
- <ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
- nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+ <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+ <duration> ] [ policy ( cname | disabled | drop | given | no-op
+ | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
- break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
- min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
+ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+ min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
<integer> | * ) ] [ dscp <integer> ];
transfers <integer>;
}; // may occur multiple times
- servfail-ttl <ttlval>;
+ servfail-ttl <duration>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
sortlist { <address_match_element>; ... };
stale-answer-enable <boolean>;
- stale-answer-ttl <ttlval>;
+ stale-answer-ttl <duration>;
suppress-initial-notify <boolean>; // not yet implemented
synth-from-dnssec <boolean>;
topology { <address_match_element>; ... }; // ancient
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
<integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
+dnssec-policy <string> {
+ dnskey-ttl <duration>;
+ keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
+ algorithm <integer> [ <integer> ]; ... };
+ parent-ds-ttl <duration>;
+ parent-propagation-delay <duration>;
+ parent-registration-delay <duration>;
+ publish-safety <duration>;
+ retire-safety <duration>;
+ signatures-refresh <duration>;
+ signatures-validity <duration>;
+ signatures-validity-dnskey <duration>;
+ zone-max-ttl <duration>;
+ zone-propagation-delay <duration>;
+}; // may occur multiple times
+
dyndb <string> <quoted_string> {
<unspecified-text> }; // may occur multiple times
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
- in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
+ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
fstrm-set-output-notify-threshold <integer>; // not configured
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
- fstrm-set-reopen-interval <ttlval>; // not configured
- geoip-directory ( <quoted_string> | none );
+ fstrm-set-reopen-interval <duration>; // not configured
+ geoip-directory ( <quoted_string> | none ); // not configured
glue-cache <boolean>;
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
inline-signing <boolean>;
- interface-interval <ttlval>;
+ interface-interval <duration>;
ixfr-from-differences ( primary | master | secondary | slave |
<boolean> );
keep-response-order { <address_match_element>; ... };
key-directory <quoted_string>;
- lame-ttl <ttlval>;
+ lame-ttl <duration>;
listen-on [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
managed-keys-directory <quoted_string>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-mapped-addresses <boolean>;
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
- max-cache-ttl <ttlval>;
+ max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-journal-size ( default | unlimited | <sizeval> );
- max-ncache-ttl <ttlval>;
+ max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-rsa-exponent-size <integer>;
- max-stale-ttl <ttlval>;
+ max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
memstatistics <boolean>;
memstatistics-file <quoted_string>;
message-compression <boolean>;
- min-cache-ttl <ttlval>;
- min-ncache-ttl <ttlval>;
+ min-cache-ttl <duration>;
+ min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
minimal-any <boolean>;
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
notify-to-soa <boolean>;
- nta-lifetime <ttlval>;
- nta-recheck <ttlval>;
+ nta-lifetime <duration>;
+ nta-recheck <duration>;
nxdomain-redirect <string>;
pid-file ( <quoted_string> | none );
port <integer>;
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
- <boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
- <ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
- nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+ <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+ <duration> ] [ policy ( cname | disabled | drop | given | no-op
+ | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
- break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
- min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
+ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+ min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
serial-query-rate <integer>;
serial-update-method ( date | increment | unixtime );
server-id ( <quoted_string> | none | hostname );
- servfail-ttl <ttlval>;
+ servfail-ttl <duration>;
session-keyalg <string>;
session-keyfile ( <quoted_string> | none );
session-keyname <string>;
sortlist { <address_match_element>; ... };
stacksize ( default | unlimited | <sizeval> );
stale-answer-enable <boolean>;
- stale-answer-ttl <ttlval>;
+ stale-answer-ttl <duration>;
startup-notify-rate <integer>;
statistics-file <quoted_string>;
synth-from-dnssec <boolean>;
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
- in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
+ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
<quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
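Review bot: the new `dnssec-policy <string>` option lands beside `dnssec-loadkeys-interval`, `dnssec-secure-to-insecure` and `dnssec-update-mode`, but nothing in this hunk says how it interacts with those existing signing options when both are set in the same scope; the grammar should be accompanied by text stating which one takes precedence or whether the combination is rejected at load time. It would also help to state whether the `<string>` must name an already defined policy and is checked when the configuration is parsed, so that a misspelled policy name fails `named-checkconf` instead of being accepted and leaving the zone without the signing behaviour the operator expected.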
secret <string>;
}; // may occur multiple times
key-directory <quoted_string>;
- lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lame-ttl <duration>;
+ lmdb-mapsize <sizeval>; // non-operational
managed-keys { <string> (
static-key | initial-key
| static-ds | initial-ds
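Review bot: the `// non-operational` annotation on `lmdb-mapsize <sizeval>` tells readers the option is still parsed but has no effect, yet the hunk gives no indication whether `named` logs a warning when it is present or whether the option is deprecated and scheduled for removal. Add that to the surrounding documentation or the release notes, because an operator who set it to bound the LMDB map size otherwise gets no signal that the setting is now ignored. The `lame-ttl` type change in the same hunk carries the same documentation question as the other `<ttlval>` to `<duration>` renames: the type token changes, the description of the accepted syntax does not appear here.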
match-destinations { <address_match_element>; ... };
match-recursive-only <boolean>;
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
- max-cache-ttl <ttlval>;
+ max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-journal-size ( default | unlimited | <sizeval> );
- max-ncache-ttl <ttlval>;
+ max-ncache-ttl <duration>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
- max-stale-ttl <ttlval>;
+ max-stale-ttl <duration>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
message-compression <boolean>;
- min-cache-ttl <ttlval>;
- min-ncache-ttl <ttlval>;
+ min-cache-ttl <duration>;
+ min-ncache-ttl <duration>;
min-refresh-time <integer>;
min-retry-time <integer>;
minimal-any <boolean>;
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
notify-to-soa <boolean>;
- nta-lifetime <ttlval>;
- nta-recheck <ttlval>;
+ nta-lifetime <duration>;
+ nta-recheck <duration>;
nxdomain-redirect <string>;
plugin ( query ) <string> [ {
<unspecified-text> } ]; // may occur multiple times
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
- <boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
- <ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
- nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+ <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+ <duration> ] [ policy ( cname | disabled | drop | given | no-op
+ | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
- break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
- min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
+ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+ min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
<integer> | * ) ] [ dscp <integer> ];
transfers <integer>;
}; // may occur multiple times
- servfail-ttl <ttlval>;
+ servfail-ttl <duration>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
sortlist { <address_match_element>; ... };
stale-answer-enable <boolean>;
- stale-answer-ttl <ttlval>;
+ stale-answer-ttl <duration>;
synth-from-dnssec <boolean>;
transfer-format ( many-answers | one-answer );
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
+ dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
masterfile-style ( full | relative );
masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
max-records <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
+ max-zone-ttl ( unlimited | <duration> );
zone-statistics ( full | terse | none | <boolean> );
};
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1501
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
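Review bot: bumping `LIBREVISION` from 0 to 1 while leaving `LIBINTERFACE` at 1501 and `LIBAGE` at 0 is the libtool signal for an implementation-only change with an unchanged ABI, which is correct only if no exported symbol of this library was added, removed or changed for the release. If anything was added, `LIBINTERFACE` must go up and `LIBREVISION` back to 0, as the later hunks in this patch do for the other libraries; confirm the revision-only bump reflects what actually changed.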
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1504
+LIBINTERFACE = 1505
LIBREVISION = 0
-LIBAGE = 1
+LIBAGE = 0
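Review bot: resetting `LIBAGE` from 1 to 0 alongside the `LIBINTERFACE` bump to 1505 declares this library's new interface incompatible with the previous one (libtool's age counts how many earlier interfaces the current one still supports), so every consumer built against interface 1504 must be rebuilt. If the change only added symbols, the correct update is `LIBAGE = 2`, not 0. Confirm the incompatible bump is intended and, if so, that the removed or changed symbols are called out in the release notes so downstream packagers know a rebuild is required.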
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1503
+LIBINTERFACE = 1504
LIBREVISION = 0
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1501
-LIBREVISION = 1
+LIBINTERFACE = 1502
+LIBREVISION = 0
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1501
-LIBREVISION = 1
+LIBINTERFACE = 1502
+LIBREVISION = 0
LIBAGE = 0
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
-PATCHVER=5
+PATCHVER=6
RELEASETYPE=
RELEASEVER=
EXTENSIONS=