+ --- 9.13.4 released ---
+
5098. [func] Failed memory allocations are now fatal. [GL #674]
5097. [cleanup] Remove embedded ATF unit testing framework
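Review bot: the 5098 entry states that failed allocations are now fatal but not what an operator will see; a short clause such as "named exits immediately instead of returning an error to the caller" would make the operational impact of a memory-exhaustion condition clear to anyone reading the release notes.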
* Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
* Platforms that don't support atomic operations (via compiler or
library)
+ * Linux without NPTL (Native POSIX Thread Library)
+
+Platform quirks
+
+ARM
+
+If the compilation ends with following error:
+
+Error: selected processor does not support `yield' in ARM mode
+
+You will need to set -march compiler option to native, so the compiler
+recognizes yield assembler instruction. The proper way to set -march=
+native would be to put it into CFLAGS, e.g. run ./configure like this:
+CFLAGS="-march=native -Os -g" ./configure plus your usual options.
+
+If that doesn't work, you can enforce the minimum CPU and FPU (taken from
+Debian armhf documentation):
+
+ * The lowest worthwhile CPU implementation is Armv7-A, therefore the
+ recommended build option is -march=armv7-a.
+
+ * FPU should be set at VFPv3-D16 as they represent the miminum
+ specification of the processors to support here, therefore the
+ recommended build option is -mfpu=vfpv3-d16.
+
+The configure command should look like this:
+
+CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
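Review bot: "miminum" in the FPU bullet should be "minimum", and "ends with following error" wants "the following error". The first suggestion, putting -march=native into CFLAGS, also deserves a caveat: a binary built that way is tuned to the build host's CPU and can die with an illegal-instruction fault when installed on an older ARM core, so the explicit -march=armv7-a -mfpu=vfpv3-d16 form given at the end is the safer choice for anything that is packaged and distributed rather than built in place.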
BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include:
+ * Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
number of changes from BIND 9.12 and earlier releases. New features
include:
+* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
It is possible to set per\-user defaults for
\fBdig\fR
via
-${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
+\fB\-r\fR
+option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
using the command\-line interface\&.
.RE
.PP
-\-i
-.RS 4
-Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
-.RE
-.PP
\-k \fIkeyfile\fR
.RS 4
Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
from other arguments\&.
.RE
.PP
+\-r
+.RS 4
+Do not read options from
+${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
+.RE
+.PP
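Review bot: the new -r entry should also be reflected in the SYNOPSIS line, which is not part of this hunk. It would help to state why "predictable behaviour" matters: a ${HOME}/.digrc can change the output format and the server dig talks to, so any automation that parses dig output should pass -r.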
\-t \fItype\fR
.RS 4
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
\fBdig\fR
automatically performs a lookup for a name like
94\&.2\&.0\&.192\&.in\-addr\&.arpa
-and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
-\fB\-i\fR
-option)\&.
+and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-y \fI[hmac:]\fR\fIkeyname:secret\fR
.PP
\fB+[no]idnin\fR
.RS 4
-Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
+.sp
+The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
-Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
+.sp
+The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
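Review bot: the new default ties input-side IDN processing (+idnin) to whether standard output is a tty, which is a behaviour change for any script that pipes dig output and still passes non-ASCII names; such scripts will now send the raw UTF-8 name to the server instead of its A-label, and the text should say so explicitly (and the change belongs in the release notes). In the +idnout entry, "The default is to process puny code on output" reads oddly next to the option's own verb; "convert puny code on output" matches the first sentence.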
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
\fI+noidnin\fR
and
-\fI+noidnout\fR\&.
+\fI+noidnout\fR
+or define the
+\fBIDN_DISABLE\fR
+environment variable\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
<p>
It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
- <code class="filename">${HOME}/.digrc</code>. This file is read and
- any options in it
- are applied before the command line arguments.
+ <code class="filename">${HOME}/.digrc</code>. This file is read and any
+ options in it are applied before the command line arguments.
+ The <code class="option">-r</code> option disables this feature, for
+ scripts that need predictable behaviour.
</p>
<p>
<span class="command"><strong>dig</strong></span> using the command-line interface.
</p>
</dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
- domain, which is no longer in use. Obsolete bit string
- label queries (RFC 2874) are not attempted.
- </p>
- </dd>
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd>
<p>
the <em class="parameter"><code>name</code></em> from other arguments.
</p>
</dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+ <p>
+ Do not read options from <code class="filename">${HOME}/.digrc</code>.
+ This is useful for scripts that need predictable behaviour.
+ </p>
+ </dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
<code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
query type and class to PTR and IN respectively. IPv6
addresses are looked up using nibble format under the
- IP6.ARPA domain (but see also the <code class="option">-i</code>
- option).
+ IP6.ARPA domain.
</p>
</dd>
<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
<p>
Process [do not process] IDN domain names on input.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to process IDN input.
+ compile time.
+ </p>
+ <p>
+ The default is to process IDN input when standard output
+ is a tty. The IDN processing on input is disabled when
+ dig output is redirected to files, pipes, and other
+ non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
<p>
Convert [do not convert] puny code on output.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to convert output.
+ compile time.
+ </p>
+ <p>
+ The default is to process puny code on output when
+ standard output is a tty. The puny code processing on
+ output is disabled when dig output is redirected to
+ files, pipes, and other non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <em class="parameter"><code>+noidnin</code></em> and
- <em class="parameter"><code>+noidnout</code></em>.
+ <em class="parameter"><code>+noidnout</code></em> or define
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+
</p>
</div>
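Review bot: the empty "+" line added just before "</p>" in the IDN SUPPORT paragraph should be dropped; it serves no purpose in the rendered output and the man-page counterpart has no equivalent. More generally, both dig.1 and dig.html are generated by DocBook XSL (see the "Generator: DocBook XSL Stylesheets" headers further down in this diff), so the edits should be made in the .docbook source and the generated files regenerated rather than hand-patched, otherwise the next regeneration reverts them.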
verbose option\&.
.RE
.PP
-\-i
-.RS 4
-Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&.
-.RE
-.PP
\-l
.RS 4
List zone: The
\fBhost\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBhost\fR
Equivalent to the <code class="option">-v</code> verbose option.
</p>
</dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Obsolete.
- Use the IP6.INT domain for reverse lookups of IPv6
- addresses as defined in RFC1886 and deprecated in RFC4159.
- The default is to use IP6.ARPA as specified in RFC3596.
- </p>
- </dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
+ If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>host</strong></span> runs.
.PP
\fBnslookup\fR
returns with an exit status of 1 if any query failed, and 0 otherwise\&.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBnslookup\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
+\fBnslookup\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+\fBIDN_DISABLE\fR
+environment variable\&. The IDN support is disabled if the variable is set when
+\fBnslookup\fR
+runs or when the standard output is not a tty\&.
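Review bot: this nslookup section says IDN support is also disabled when standard output is not a tty, but the host section edited above ends at "when host runs" with no tty condition. If host shares the behaviour, its section should say so too; if it does not, the asymmetry is worth a sentence, since operators will assume the three tools behave alike.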
.SH "FILES"
.PP
/etc/resolv\&.conf
</div>
<div class="refsection">
-<a name="id-1.11"></a><h2>FILES</h2>
+<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
+
+ <p>
+ If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
+ a tty.
+ </p>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.12"></a><h2>SEE ALSO</h2>
+<a name="id-1.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
+must be one of RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
.sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
\fB\-3\fR
-option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
+option, then NSEC3RSASHA1 will be used instead\&.
.sp
As of BIND 9\&.12\&.0, this option is mandatory except when using the
\fB\-S\fR
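Review bot: dropping DSA and NSEC3DSA is right, but RSAMD5 stays in the list even though RFC 6944 already classes it as "MUST NOT implement", and the following paragraph still presents RSASHA1 as the default. If the intent is to stop documenting algorithms that should not be used for new keys, RSAMD5 should go the same way, and the default paragraph is a good place to point readers at ECDSAP256SHA256 for new keys.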
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p>
<p>
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
</p>
<p>
As of BIND 9.12.0, this option is mandatory except when using
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
+must be one of RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
\fB\-T KEY\fR
option as well\&.
.sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
\fB\-3\fR
-option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
+option, then NSEC3RSASHA1 will be used instead\&.
.sp
This parameter
\fImust\fR
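Review bot: "specifying his value will automatically set" should read "specifying this value"; the hunk already touches that line, so fix the typo in passing. The HTML copy below carries the same "his value" and should be corrected in the same commit.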
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code>
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
</p>
<p>
This parameter <span class="emphasis"><em>must</em></span> be specified except
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2018-06-21
+.\" Date: 2018-10-23
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "NAMED\&.CONF" "5" "2018\-06\-21" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2018\-10\-23" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
] [ dscp \fIinteger\fR ];
alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR |
* ) ] [ dscp \fIinteger\fR ];
+ answer\-cookie \fIboolean\fR;
attach\-cache \fIstring\fR;
auth\-nxdomain \fIboolean\fR; // default changed
auto\-dnssec ( allow | maintain | off );
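Review bot: the grammar gains answer-cookie, but nothing in this diff documents it. The option's description should state the default and warn that turning it off drops the RFC 7873 DNS COOKIE exchange in replies, which is what lets cookie-aware clients tell this server's answers from off-path spoofed ones, so "no" is only appropriate as a temporary measure.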
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
- response ) ]; \&.\&.\&. };
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [
+ ( query | response ) ]; \&.\&.\&. };
dnstap\-identity ( \fIquoted_string\fR | none | hostname );
dnstap\-output ( file | unix ) \fIquoted_string\fR [ size ( unlimited |
\fIsize\fR ) ] [ versions ( unlimited | \fIinteger\fR ) ] [ suffix (
memstatistics \fIboolean\fR;
memstatistics\-file \fIquoted_string\fR;
message\-compression \fIboolean\fR;
+ min\-cache\-ttl \fIttlval\fR;
+ min\-ncache\-ttl \fIttlval\fR;
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
minimal\-any \fIboolean\fR;
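Review bot: min-cache-ttl and min-ncache-ttl are added to the grammar without any accompanying description. Their descriptions should carry an operational caveat: raising either floor makes named keep records (or negative answers) longer than the authoritative TTL allows, so zone changes, including removal of a compromised record or a withdrawn name, propagate more slowly to this resolver's clients.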
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
- response ) ]; \&.\&.\&. };
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [
+ ( query | response ) ]; \&.\&.\&. };
dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port
\fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port
\fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port
static\-stub | stub );
update\-check\-ksk \fIboolean\fR;
update\-policy ( local | { ( deny | grant ) \fIstring\fR (
- 6to4\-self | external | krb5\-self | krb5\-subdomain |
- ms\-self | ms\-subdomain | name | self | selfsub |
- selfwild | subdomain | tcp\-self | wildcard | zonesub )
- [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
+ 6to4\-self | external | krb5\-self | krb5\-selfsub |
+ krb5\-subdomain | ms\-self | ms\-selfsub | ms\-subdomain |
+ name | self | selfsub | selfwild | subdomain | tcp\-self
+ | wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
use\-alt\-transfer\-source \fIboolean\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zone\-statistics ( full | terse | none | \fIboolean\fR );
stub );
update\-check\-ksk \fIboolean\fR;
update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self |
- external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain
- | name | self | selfsub | selfwild | subdomain | tcp\-self |
- wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
+ external | krb5\-self | krb5\-selfsub | krb5\-subdomain | ms\-self
+ | ms\-selfsub | ms\-subdomain | name | self | selfsub | selfwild
+ | subdomain | tcp\-self | wildcard | zonesub ) [ \fIstring\fR ]
+ \fIrrtypelist\fR; \&.\&.\&. };
use\-alt\-transfer\-source \fIboolean\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zone\-statistics ( full | terse | none | \fIboolean\fR );
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+ answer-cookie <em class="replaceable"><code>boolean</code></em>;<br>
attach-cache <em class="replaceable"><code>string</code></em>;<br>
auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
auto-dnssec ( allow | maintain | off );<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |<br>
-     response ) ]; ... };<br>
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [<br>
+     ( query | response ) ]; ... };<br>
dnstap-identity ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [ size ( unlimited |<br>
    <em class="replaceable"><code>size</code></em> ) ] [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ] [ suffix (<br>
memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
+ min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |<br>
-     response ) ]; ... };<br>
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [<br>
+     ( query | response ) ]; ... };<br>
dual-stack-servers [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
    static-stub | stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> (<br>
-     6to4-self | external | krb5-self | krb5-subdomain |<br>
-     ms-self | ms-subdomain | name | self | selfsub |<br>
-     selfwild | subdomain | tcp-self | wildcard | zonesub )<br>
-     [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+     6to4-self | external | krb5-self | krb5-selfsub |<br>
+     krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |<br>
+     name | self | selfsub | selfwild | subdomain | tcp-self<br>
+     | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
    stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
-     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
-     | name | self | selfsub | selfwild | subdomain | tcp-self |<br>
-     wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+     external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self<br>
+     | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild<br>
+     | subdomain | tcp-self | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ]<br>
+     <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
.PP
\fBkey\-size\fR
.RS 4
-Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA\&.
+Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
.RE
.PP
\fBkeyttl\fR
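Review bot: "eihter" survives in the rewritten sentence ("keytype (eihter "zsk" or "ksk")") and should become "either" while the line is being touched; the HTML copy of the same paragraph below has the same typo.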
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
- configured, the default is 1024 bits for DSA keys and 2048 for
- RSA.
+ configured, the default is 2048 bits for RSA keys.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
\fBrndc trace\fR\&.
.RE
.PP
-\fBnta \fR\fB[( \-d | \-f | \-r | \-l \fIduration\fR)]\fR\fB \fR\fB\fIdomain\fR\fR\fB \fR\fB[\fIview\fR]\fR\fB \fR
+\fBnta \fR\fB[( \-class \fIclass\fR | \-dump | \-force | \-remove | \-lifetime \fIduration\fR)]\fR\fB \fR\fB\fIdomain\fR\fR\fB \fR\fB[\fIview\fR]\fR\fB \fR
.RS 4
Sets a DNSSEC negative trust anchor (NTA) for
\fBdomain\fR, with a lifetime of
to zero is equivalent to
\fB\-remove\fR\&.
.sp
-If
+If the
\fB\-dump\fR
is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up)\&.
.sp
\fB\-force\fR
overrides this behavior and forces an NTA to persist for its entire lifetime, regardless of whether data could be validated if the NTA were not present\&.
.sp
+The view class can be specified with
+\fB\-class\fR\&. The default is class
+\fBIN\fR, which is the only class for which DNSSEC is currently supported\&.
+.sp
All of these options can be shortened, i\&.e\&., to
\fB\-l\fR,
\fB\-r\fR,
-\fB\-d\fR, and
-\fB\-f\fR\&.
+\fB\-d\fR,
+\fB\-f\fR, and
+\fB\-c\fR\&.
+.sp
+Unrecognized options are treated as errors\&. To reference a domain or view name that begins with a hyphen, use a double\-hyphen on the command line to indicate the end of options\&.
.RE
.PP
\fBquerylog\fR [ on | off ]
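Review bot: "If the \-dump is used" is missing a noun; either keep the original "If \-dump is used" or write "If the \-dump option is used" (the HTML copy of this paragraph has the same problem). The added sentence that unrecognized options are errors, together with the double-hyphen end-of-options marker, is a welcome tightening, since a mistyped option previously risked being taken as a domain name.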
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
.RS 4
-Enable, disable, or check the current status of DNSSEC validation\&. Note
+Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. (Note that
\fBdnssec\-enable\fR
-also needs to be set to
+must also be
\fByes\fR
-or
-\fBauto\fR
-to be effective\&. It defaults to enabled\&.
+(the default value) for signatures to be returned along with validated data\&. If validation is enabled while
+\fBdnssec\-enable\fR
+is set to
+\fBno\fR, the server will validate internally, but will not supply clients with the necessary records to allow validity to be confirmed\&.)
.RE
.PP
\fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
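Review bot: the rewritten paragraph says validation is enabled by default but does not tie that to the dnssec-validation ( yes | no | auto ) option whose grammar appears elsewhere in this diff; a pointer there would help. It would also be worth stating that rndc validation on/off changes runtime state only, so the value configured in named.conf returns after a restart.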
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>nta
- [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
+ [<span class="optional">( -class <em class="replaceable"><code>class</code></em> | -dump | -force | -remove | -lifetime <em class="replaceable"><code>duration</code></em>)</span>]
<em class="replaceable"><code>domain</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]
</code></strong></span></dt>
is equivalent to <code class="option">-remove</code>.
</p>
<p>
- If <code class="option">-dump</code> is used, any other arguments
+ If the <code class="option">-dump</code> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
lifetime, regardless of whether data could be
validated if the NTA were not present.
</p>
+ <p>
+ The view class can be specified with <code class="option">-class</code>.
+ The default is class <strong class="userinput"><code>IN</code></strong>, which is
+ the only class for which DNSSEC is currently supported.
+ </p>
<p>
All of these options can be shortened, i.e., to
<code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
- and <code class="option">-f</code>.
+ <code class="option">-f</code>, and <code class="option">-c</code>.
+ </p>
+ <p>
+ Unrecognized options are treated as errors. To reference
+ a domain or view name that begins with a hyphen,
+ use a double-hyphen on the command line to indicate the
+ end of options.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional"> on | off </span>] </span></dt>
<dd>
<p>
Enable, disable, or check the current status of
- DNSSEC validation.
- Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> or
- <strong class="userinput"><code>auto</code></strong> to be effective.
- It defaults to enabled.
+ DNSSEC validation. By default, validation is enabled.
+ (Note that <span class="command"><strong>dnssec-enable</strong></span> must also be
+ <strong class="userinput"><code>yes</code></strong> (the default value) for signatures
+ to be returned along with validated data. If validation is
+ enabled while <span class="command"><strong>dnssec-enable</strong></span> is set to
+ <strong class="userinput"><code>no</code></strong>, the server will validate internally,
+ but will not supply clients with the necessary records to allow
+ validity to be confirmed.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
\fB\-x\fR
option is supplied to indicate a reverse lookup with the "PTR" query type\&.
.PP
-The
-\fB\-i\fR
-option sets the reverse domain for IPv6 addresses to IP6\&.INT\&.
-.PP
Reverse lookups \(em mapping addresses to names \(em are simplified by the
\fB\-x\fR
option\&.
\fBmdig\fR
automatically performs a lookup for a query name like
11\&.12\&.13\&.10\&.in\-addr\&.arpa
-and sets the query type and class to PTR and IN respectively\&. By default, IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&. To use the older RFC1886 method using the IP6\&.INT domain specify the
-\fB\-i\fR
-option\&.
+and sets the query type and class to PTR and IN respectively\&. By default, IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.PP
The local query options are:
.PP
a reverse lookup with the "PTR" query type.
</p>
- <p>
- The <code class="option">-i</code> option sets the reverse domain for
- IPv6 addresses to IP6.INT.
- </p>
-
<p>
Reverse lookups — mapping addresses to names — are
simplified by the <code class="option">-x</code> option.
query name like <code class="literal">11.12.13.10.in-addr.arpa</code> and
sets the query type and class to PTR and IN respectively.
By default, IPv6 addresses are looked up using nibble format
- under the IP6.ARPA domain. To use the older RFC1886 method
- using the IP6.INT domain specify the <code class="option">-i</code> option.
+ under the IP6.ARPA domain.
</p>
<p>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
-
+<a name="dnssec_config"></a>Configuring Servers for DNSSEC</h3></div></div></div>
<p>
To enable <span class="command"><strong>named</strong></span> to respond appropriately
- to DNS requests from DNSSEC aware clients,
- <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
- This is the default setting.
+ to DNS requests from DNSSEC-aware clients,
+ <span class="command"><strong>dnssec-enable</strong></span> must be set to
+ <strong class="userinput"><code>yes</code></strong>. This is the default setting.
</p>
-
<p>
- To enable <span class="command"><strong>named</strong></span> to validate answers from
- other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
- must be set to <strong class="userinput"><code>yes</code></strong>, and the
+ To enable <span class="command"><strong>named</strong></span> to validate answers
+ received from other servers, the
<span class="command"><strong>dnssec-validation</strong></span> option must be set to
either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
</p>
-
<p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
<strong class="userinput"><code>auto</code></strong>, a trust anchor for the DNS
root zone will automatically be used. This trust anchor is
provided as part of BIND and is kept up to date using RFC 5011
key management.
- If <span class="command"><strong>dnssec-validation</strong></span> is set to
- <strong class="userinput"><code>yes</code></strong>, then
- DNSSEC validation only occurs if
- at least one trust anchor has been explicitly configured
- in <code class="filename">named.conf</code>,
+ </p>
+ <p>
+ When <span class="command"><strong>dnssec-validation</strong></span> is set to
+ <strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
+ if at least one trust anchor has been explicitly configured
+ in <code class="filename">named.conf</code>
using a <span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement.
- If <span class="command"><strong>dnssec-validation</strong></span> is set to
- <strong class="userinput"><code>no</code></strong>, then DNSSEC validation will
- not occur.
+ </p>
+ <p>
+ When <span class="command"><strong>dnssec-validation</strong></span> is set to
+ <strong class="userinput"><code>no</code></strong>, DNSSEC validation will not occur.
+ </p>
+ <p>
The default is <strong class="userinput"><code>auto</code></strong> unless BIND is
built with <span class="command"><strong>configure --disable-auto-validation</strong></span>,
in which case the default is <strong class="userinput"><code>yes</code></strong>.
</p>
+ <p>
+ If <span class="command"><strong>dnssec-enable</strong></span> is set to
+ <strong class="userinput"><code>no</code></strong>, then the default for
+ <span class="command"><strong>dnssec-validation</strong></span> is also changed to
+ <strong class="userinput"><code>no</code></strong>. If
+ <span class="command"><strong>dnssec-validation</strong></span> is set to
+ <strong class="userinput"><code>yes</code></strong>, the server will
+ perform DNSSEC validation internally, but will not return
+ signatures when queried - but it will not be turned on
+ automatically.
+ </p>
<p>
<span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
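Review bot: the new paragraph beginning "If dnssec-enable is set to no" is self-contradictory in its second sentence: it says that with dnssec-validation yes the server validates internally but does not return signatures, then appends "but it will not be turned on automatically", a clause that has lost its subject. The option-reference text elsewhere in this patch has the coherent form ("Validation can still be turned on if desired - this results in a server that performs DNSSEC validation but does not return signatures when queried - but it will not be turned on automatically"); use that wording here so the two sections agree. It would also help to state the practical consequence of that mode: clients receive answers this resolver has validated but with the RRSIGs stripped, so a downstream validator cannot re-check them and must trust this server.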
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
] [ dscp <em class="replaceable"><code>integer</code></em> ];
<span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |
* ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+ <span class="command"><strong>answer-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>attach-cache</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>auth-nxdomain</strong></span> <em class="replaceable"><code>boolean</code></em>; // default changed
<span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
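Review bot: the grammar gains "answer-cookie boolean" but this patch adds neither a dt/dd entry for it in the options reference nor a release-note line, so a reader cannot tell its default or what setting it to no does (presumably the server stops returning EDNS COOKIE options, which matters for clients that rely on cookies for spoofing and amplification protection). Add the description next to the other cookie options and a Feature Changes entry.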
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<span class="command"><strong>dnssec-validation</strong></span> ( yes | no | auto );
- <span class="command"><strong>dnstap</strong></span> { ( all | auth | client | forwarder | resolver ) [ ( query |
- <span class="command"><strong>response</strong></span> ) ]; ... };
+ <span class="command"><strong>dnstap</strong></span> { ( all | auth | client | forwarder | resolver | update ) [
+ ( query | response ) ]; ... };
<span class="command"><strong>dnstap-identity</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );
<span class="command"><strong>dnstap-output</strong></span> ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [ size ( unlimited |
<em class="replaceable"><code>size</code></em> ) ] [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ] [ suffix (
<span class="command"><strong>max-ncache-ttl</strong></span>,
<span class="command"><strong>max-stale-ttl</strong></span>,
<span class="command"><strong>max-cache-size</strong></span>, and
+ <span class="command"><strong>min-cache-ttl</strong></span>,
+ <span class="command"><strong>min-ncache-ttl</strong></span>,
<span class="command"><strong>zero-no-soa-ttl</strong></span>.
</p>
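Review bot: the conjunction is now in the wrong place: the list reads "max-cache-size, and min-cache-ttl, min-ncache-ttl, zero-no-soa-ttl". Drop the "and" after max-cache-size and put it before zero-no-soa-ttl.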
The <span class="command"><strong>dnstap</strong></span> option is a bracketed list
of message types to be logged. These may be set differently
for each view. Supported types are <code class="literal">client</code>,
- <code class="literal">auth</code>, <code class="literal">resolver</code>, and
- <code class="literal">forwarder</code>. Specifying type
- <code class="literal">all</code> will cause all <span class="command"><strong>dnstap</strong></span>
- messages to be logged, regardless of type.
+ <code class="literal">auth</code>, <code class="literal">resolver</code>,
+ <code class="literal">forwarder</code>, and <code class="literal">update</code>.
+ Specifying type <code class="literal">all</code> will cause all
+ <span class="command"><strong>dnstap</strong></span> messages to be logged, regardless of
+ type.
</p>
<p>
Each type may take an additional argument to indicate whether
<dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt>
<dd>
<p>
- Enable DNSSEC validation in <span class="command"><strong>named</strong></span>.
- Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> to be effective.
+ This enables DNSSEC validation in <span class="command"><strong>named</strong></span>.
+ Note that <span class="command"><strong>dnssec-enable</strong></span> also needs to
+ be set to <strong class="userinput"><code>yes</code></strong> for signatures to be
+ returned to the client along with validated answers.
+ </p>
+ <p>
+ If set to <strong class="userinput"><code>auto</code></strong>,
+ DNSSEC validation is enabled, and a default trust anchor
+ for the DNS root zone is used.
+ </p>
+ <p>
+ If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
+ enabled, but a trust anchor must be manually configured
+ using a <span class="command"><strong>trusted-keys</strong></span>
+ or <span class="command"><strong>managed-keys</strong></span> statement; if there
+ is no configured trust anchor, validation will not take
+ place.
+ </p>
+ <p>
If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
is disabled.
</p>
<p>
- If set to <strong class="userinput"><code>auto</code></strong>, DNSSEC validation
- is enabled, and a default trust anchor for the DNS root
- zone is used. If set to <strong class="userinput"><code>yes</code></strong>,
- DNSSEC validation is enabled, but a trust anchor must be
- manually configured using a <span class="command"><strong>trusted-keys</strong></span>
- or <span class="command"><strong>managed-keys</strong></span> statement. The default
- is <strong class="userinput"><code>yes</code></strong>.
+ The default is <strong class="userinput"><code>auto</code></strong>, unless
+ BIND is built with
+ <span class="command"><strong>configure --disable-auto-validation</strong></span>,
+ in which case the default is <strong class="userinput"><code>yes</code></strong>.
+ If <span class="command"><strong>dnssec-enable</strong></span> is set to
+ <strong class="userinput"><code>no</code></strong>, then the default for
+ <span class="command"><strong>dnssec-validation</strong></span> is also
+ <strong class="userinput"><code>no</code></strong>. Validation can still be turned on
+ if desired - this results in a server that performs DNSSEC
+ validation but does not return signatures when queried -
+ but it will not be turned on automatically.
</p>
<p>
The default root trust anchor is stored in the file
<code class="filename">bind.keys</code>.
<span class="command"><strong>named</strong></span> will load that key at
startup if <span class="command"><strong>dnssec-validation</strong></span> is
- set to <code class="constant">auto</code>. A copy of the file is
+ set to <strong class="userinput"><code>auto</code></strong>. A copy of the file is
installed along with BIND 9, and is current as of the
release date. If the root key expires, a new copy of
<code class="filename">bind.keys</code> can be downloaded
from <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
</p>
<p>
- To prevent problems if <code class="filename">bind.keys</code> is
+ (To prevent problems if <code class="filename">bind.keys</code> is
not found, the current trust anchor is also compiled in
to <span class="command"><strong>named</strong></span>. Relying on this is not
recommended, however, as it requires <span class="command"><strong>named</strong></span>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
- <span class="command"><strong>named</strong></span> <span class="emphasis"><em>only</em></span>
- loads the root key from <code class="filename">bind.keys</code>.
+ <span class="command"><strong>named</strong></span> loads <span class="emphasis"><em>only</em></span>
+ the root key from <code class="filename">bind.keys</code>.
The file cannot be used to store keys for other zones.
The root key in <code class="filename">bind.keys</code> is ignored
if <span class="command"><strong>dnssec-validation auto</strong></span> is not in
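Review bot: the yes-without-trust-anchor case ("if there is no configured trust anchor, validation will not take place") describes a silent failure mode: a server with dnssec-validation yes and no trusted-keys or managed-keys statement looks configured for validation but validates nothing. Say whether named logs a warning at startup in that case, and suggest a check (for example, a dig +dnssec query for a signed name should come back with the AD flag set, and a query for a known-bogus name should return SERVFAIL). Minor: the paragraph now opening "(To prevent problems if bind.keys is" starts a parenthesis whose closing partner is outside the visible context; confirm it is closed.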
<dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt>
<dd>
<p>
- Specifies which local addresses can give answers
- from the cache. If not specified, the default is
- to allow cache queries on any address,
- <span class="command"><strong>localnets</strong></span> and
- <span class="command"><strong>localhost</strong></span>.
+ Specifies which local addresses can send answers
+ from the cache. If <span class="command"><strong>allow-query-cache-on</strong></span>
+ is not set, then <span class="command"><strong>allow-recursion-on</strong></span> is
+ used if set. Otherwise, the default is
+ to allow cache responses to be sent from any address.
+ Note: Both <span class="command"><strong>allow-query-cache</strong></span> and
+ <span class="command"><strong>allow-query-cache-on</strong></span> must be
+ satisfied before a cache response can be sent;
+ a client that is blocked by one cannot be allowed
+ by the other.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt>
<dd>
<p>
Specifies which local addresses can accept recursive
- queries. If not specified, the default is to allow
- recursive queries on all addresses.
+ queries. If <span class="command"><strong>allow-recursion-on</strong></span>
+ is not set, then <span class="command"><strong>allow-query-cache-on</strong></span>
+ is used if set; otherwise, the default is to allow
+ recursive queries on all addresses: Any client permitted
+ to send recursive queries can send them to any address
+ on which <span class="command"><strong>named</strong></span> is listening.
+ Note: Both <span class="command"><strong>allow-recursion</strong></span> and
+ <span class="command"><strong>allow-recursion-on</strong></span> must be
+ satisfied before recursion is allowed;
+ a client that is blocked by one cannot be allowed
+ by the other.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
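Review bot: the second entry's heading reads allow-recursion but its body describes the -on variant ("which local addresses can accept recursive queries", "If allow-recursion-on is not set, then allow-query-cache-on is used"); confirm the dt is allow-recursion-on and that the plain allow-recursion entry still documents its own fallback to allow-query-cache. Both entries should also say plainly that the new mutual defaulting is a behaviour change on upgrade: an operator who set only one of allow-recursion-on or allow-query-cache-on restrictively and relied on the other keeping its old "any" default will now find both restricted. The "Note:" that both the client list and the -on list must be satisfied is the security-relevant sentence and deserves to come first.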
second.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>min-ncache-ttl</strong></span></span></dt>
+<dd>
+ <p>
+ To reduce network traffic and increase performance, the server
+ stores negative answers. <span class="command"><strong>min-ncache-ttl</strong></span> is
+ used to set a minimum retention time for these answers in the
+ server in seconds. For convenience, TTL-style time unit
+ suffixes may be used to specify the value. The default
+ <span class="command"><strong>min-ncache-ttl</strong></span> is <code class="literal">0</code>
+ seconds. <span class="command"><strong>min-ncache-ttl</strong></span> cannot exceed 90
+ seconds and will be truncated to 90 seconds if set to a
+ greater value.
+ </p>
+ </dd>
+<dt><span class="term"><span class="command"><strong>min-cache-ttl</strong></span></span></dt>
+<dd>
+ <p>
+ Sets the minimum time for which the server will cache ordinary
+ (positive) answers in seconds. For convenience, TTL-style time
+ unit suffixes may be used to specify the value. The default
+ <span class="command"><strong>min-cache-ttl</strong></span> is <code class="literal">0</code>
+ seconds. <span class="command"><strong>min-cache-ttl</strong></span> cannot exceed 90
+ seconds and will be truncated to 90 seconds if set to a
+ greater value.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt>
<dd>
<p>
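Review bot: both new entries say an over-large value "will be truncated to 90 seconds", i.e. silently clamped, while the max-ncache-ttl change elsewhere in this patch turns an over-large value into a configuration error; pick one behaviour, or at least log a warning when clamping. Add the operational caveat too: a minimum TTL overrides the authoritative operator's TTL, so a record deliberately published with a short TTL (a host being retired, an address or key being rotated) stays in this cache up to 90 seconds longer than intended, and with min-ncache-ttl a cached NXDOMAIN can outlive the creation of the name; the 90-second cap bounds that exposure and the text should say so. Minor: the entries are ordered min-ncache-ttl then min-cache-ttl here but min-cache-ttl then min-ncache-ttl in the options summary; align them.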
javascript-capable browser.
</p>
- <p>
- Applications that depend on a particular XML schema
- can request
- <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
- of the statistics XML schema or
- <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
- If the requested schema is supported by the server, then
- it will respond; if not, it will return a "page not found"
- error.
- </p>
-
<p>
Broken-out subsets of the statistics can be viewed at
<a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
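Review bot: deleting this paragraph removes the only mention of the version-2 statistics schema at /xml/v2. If v2 is no longer served, that is a removal and needs a Removed Features entry in the release notes (none in this patch), because monitoring that scrapes /xml/v2 will break on upgrade; if v2 is still served, the paragraph should stay.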
<span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
<span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>update-policy</strong></span> ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };
+ <span class="command"><strong>update-policy</strong></span> ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };
<span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
};
the rules are checked for each existing record type.
</p>
<p>
- The <em class="replaceable"><code>ruletype</code></em> field has 13
+ The <em class="replaceable"><code>ruletype</code></em> field has 16
values:
<code class="varname">name</code>, <code class="varname">subdomain</code>,
<code class="varname">wildcard</code>, <code class="varname">self</code>,
<code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
<code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
+ <code class="varname">krb5-selfsub</code>, <code class="varname">ms-selfsub</code>,
<code class="varname">krb5-subdomain</code>,
<code class="varname">ms-subdomain</code>,
<code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
</td>
</tr>
<tr>
+<td>
+ <p>
+ <code class="varname">ms-selfsub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This is similar to <span class="command"><strong>ms-self</strong></span>
+ except it also allows updates to any subdomain of
+ the name specified in the Windows machine
+ principal, not just to the name itself.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p>
<code class="varname">ms-subdomain</code>
</td>
</tr>
<tr>
+<td>
+ <p>
+ <code class="varname">krb5-selfsub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This is similar to <span class="command"><strong>krb5-self</strong></span>
+ except it also allows updates to any subdomain of
+ the name specified in the 'machine' part of the
+ Kerberos principal, not just to the name itself.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p>
<code class="varname">krb5-subdomain</code>
</tr>
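Review bot: both new rows say "similar to ms-self / krb5-self except it also allows updates to any subdomain of the name", but neither says which name that is. Repeat what the existing ms-self and krb5-self rows establish: for ms-self the machine name is derived from the machine$@REALM principal, for krb5-self from the host/machine@REALM principal. Also spell out the consequence of the widening: with these rule types a machine principal can create and delete arbitrary names beneath its own name, not just its own records, so the rrtypelist on such a rule should still be restricted to the types the machine legitimately needs.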
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.4</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.3</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.4</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Task manager and socket code have been substantially modified.
+ The manager uses per-cpu queues for tasks and network stack runs
+ multiple event loops in CPU-affinitive threads. This greatly
+ improves performance on large systems, especially when using
+ multi-queue NICs.
+ </p>
+ </li>
<li class="listitem">
<p>
A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
them. [GL #237]
</p>
</li>
+<li class="listitem">
+ <p>
+ Two new update policy rule types have been added
+ <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
+ which allow machines with Kerberos principals to update
+ the name space at or below the machine names identified
+ in the respective principals.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
+ can be used to make BIND enable and enforce FIPS mode in the
+ OpenSSL library. When compiled with such option the BIND will
+ refuse to run if FIPS mode can't be enabled, thus this option
+ must be only enabled for the systems where FIPS mode is available.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
+ <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
+ administrator to override the minimum TTL in the received DNS records
+ (positive caching) and for storing the information about non-existent
+ records (negative caching). The configured minimum TTL for both
+ configuration options cannot exceed 90 seconds.
+ </p>
+ </li>
</ul></div>
</div>
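Review bot: several grammar fixes needed in the new items. "per-cpu queues" should be "per-CPU queues" and "and network stack runs" needs "the". "Two new update policy rule types have been added krb5-selfsub and ms-selfsub which allow" needs a colon after "added" and a comma before "which". "When compiled with such option the BIND will refuse to run ... thus this option must be only enabled for the systems where" should read "When compiled with this option, BIND will refuse to run ... so this option must only be enabled on systems where". "Two new configuration options ... has been added" should be "have been added", and "override the minimum TTL in the received DNS records" is ambiguous: say they raise any received TTL that is below the configured minimum. The FIPS item should also state which algorithms become unavailable in FIPS mode, since that is what an operator enabling it needs to know (HMAC-MD5 TSIG keys are the obvious candidate, MD5 not being FIPS-approved).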
usually long after their end-of-life date and they are
neither developed nor supported by their respective vendors.
</p>
+ <p>
+ Support for DSA and DSA-NSEC3-SHA1 algorithms has been
+ removed from BIND as the DSA key length is limited to 1024
+ bits and this is not considered secure enough.
+ </p>
</li>
</ul></div>
</div>
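Review bot: the DSA removal item gives the reason but not the effect on deployed zones. Say that DNSKEY algorithms 3 (DSA) and 6 (DSA-NSEC3-SHA1) can no longer be generated or loaded for signing, and that a validating resolver treats a zone whose DS records name only algorithms it does not support as insecure rather than bogus (RFC 4035 section 5.2), so a zone still signed with DSA silently loses DNSSEC protection from resolvers running this release. Operators should complete an algorithm rollover before upgrading; confirm that dnssec-keygen -a DSA now fails with a clear message.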
that have timed out, in addition to those that respond. [GL #64]
</p>
</li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </p>
- </li>
<li class="listitem">
<p>
Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
instead of using the <span class="command"><strong>resolver</strong></span> category.
</p>
</li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
+ between views of the same name but different class; this
+ has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
+ option. [GL #105]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>allow-recursion-on</strong></span> and
+ <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
+ the other if only one of them is set, in order to be consistent
+ with the way <span class="command"><strong>allow-recursion</strong></span> and
+ <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
+ <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
+ when the standard output is not a TTY (i.e., when the output
+ is not being read by a human). When running from a shell
+ script, the command line options <span class="command"><strong>+idnin</strong></span> and
+ <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
+ processing of input and output domain names, respectively.
+ When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
+ <span class="command"><strong>+noidnout</strong></span> options may be used to disable
+ IDN processing of input and output domain names.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
+ exceed seven days. Previously, larger values than this were silently
+ lowered; now, they trigger a configuration error.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new <span class="command"><strong>dig -r</strong></span> command line option
+ disables reading of the file <code class="filename">$HOME/.digrc</code>.
+ </p>
+ </li>
</ul></div>
</div>
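Review bot: the max-ncache-ttl item ("now, they trigger a configuration error") is a compatibility break filed under Feature Changes: a named.conf that loaded under 9.13.3 with a value above seven days will refuse to start after upgrade. Flag it as such and state the limit explicitly (seven days, 604800 seconds). It is also inconsistent with the new min-cache-ttl and min-ncache-ttl options in this same patch, which silently truncate over-large values. The IDN item should say what the non-TTY default means for scripts: a name containing non-ASCII labels is now printed in A-label (xn--) form unless +idnout is given, which is the safer default for log parsing and comparison but a change in output.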
to be non-resolvable. [GL #390]
</p>
</li>
+<li class="listitem">
+ <p>
+ When a negative trust anchor was added to multiple views
+ using <span class="command"><strong>rndc nta</strong></span>, the text returned via
+ <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
+ first line, making it appear that only one NTA had been
+ added. This has been fixed. [GL #105]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The view name is now included in the output of
+ <span class="command"><strong>rndc nta -dump</strong></span>, for consistency with
+ other options. [GL !816]
+ </p>
+ </li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now rejects excessively large
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.13.3</p></div>
+<div><p class="releaseinfo">BIND Version 9.13.4</p></div>
<div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.4</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
<p>
It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
- <code class="filename">${HOME}/.digrc</code>. This file is read and
- any options in it
- are applied before the command line arguments.
+ <code class="filename">${HOME}/.digrc</code>. This file is read and any
+ options in it are applied before the command line arguments.
+ The <code class="option">-r</code> option disables this feature, for
+ scripts that need predictable behaviour.
</p>
<p>
<span class="command"><strong>dig</strong></span> using the command-line interface.
</p>
</dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
- domain, which is no longer in use. Obsolete bit string
- label queries (RFC 2874) are not attempted.
- </p>
- </dd>
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd>
<p>
the <em class="parameter"><code>name</code></em> from other arguments.
</p>
</dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+ <p>
+ Do not read options from <code class="filename">${HOME}/.digrc</code>.
+ This is useful for scripts that need predictable behaviour.
+ </p>
+ </dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
<code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
query type and class to PTR and IN respectively. IPv6
addresses are looked up using nibble format under the
- IP6.ARPA domain (but see also the <code class="option">-i</code>
- option).
+ IP6.ARPA domain.
</p>
</dd>
<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
<p>
Process [do not process] IDN domain names on input.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to process IDN input.
+ compile time.
+ </p>
+ <p>
+ The default is to process IDN input when standard output
+ is a tty. The IDN processing on input is disabled when
+ dig output is redirected to files, pipes, and other
+ non-tty file descriptors.
</p>
</dd>
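Review bot: The second new sentence ("The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non-tty file descriptors") keys input behaviour on the state of standard output without saying why; a reader will wonder whether "output" is a typo for "input". Suggest dropping the leading "The" and adding the reason in a few words, e.g. "IDN processing of input is disabled when the output of dig is redirected to a file, pipe or other non-tty descriptor, i.e. when the result is not being read by a human", which is the rationale the release note in this patch gives.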
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
<p>
Convert [do not convert] puny code on output.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to convert output.
+ compile time.
+ </p>
+ <p>
+ The default is to process puny code on output when
+ standard output is a tty. The puny code processing on
+ output is disabled when dig output is redirected to
+ files, pipes, and other non-tty file descriptors.
</p>
</dd>
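Review bot: The added default sentence says "process puny code on output" while the first sentence of the same entry says "Convert [do not convert] puny code on output"; use the same verb in both ("convert") so the default reads as the same operation, and spell the name as "Punycode" (one word, the name of the encoding) in the new paragraph rather than "puny code".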
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <em class="parameter"><code>+noidnin</code></em> and
- <em class="parameter"><code>+noidnout</code></em>.
+ <em class="parameter"><code>+noidnout</code></em> or define
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+
</p>
</div>
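Review bot: The hunk adds an empty `+` line between the new IDN_DISABLE sentence and `</p>`; it is harmless in HTML but is noise in the generated page and inconsistent with the surrounding markup, so drop the blank line. The wording itself is fine and matches the IDN_DISABLE sentence used on the host page in this same patch.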
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p>
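Review bot: After dropping DSA and NSEC3DSA, the algorithm list still opens with RSAMD5. Since the release note in this patch gives insufficient key strength as the reason for removing DSA, the keygen page should say whether RSAMD5 is kept intentionally and, if so, mark it as not recommended for new keys, otherwise readers will take the list as a list of acceptable choices.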
<p>
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
</p>
<p>
As of BIND 9.12.0, this option is mandatory except when using
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code>
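Review bot: The trailing context line still reads "specifying his value will automatically set the -T KEY"; since this paragraph is being touched anyway, fix the pre-existing typo to "this value" in the same hunk rather than leaving it for a separate patch.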
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
</p>
<p>
This parameter <span class="emphasis"><em>must</em></span> be specified except
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
- configured, the default is 1024 bits for DSA keys and 2048 for
- RSA.
+ configured, the default is 2048 bits for RSA keys.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
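Review bot: With the DSA clause removed, the sentence now states a default only for RSA and is silent about what the keysize option means for the remaining algorithms; add one sentence saying either that it is ignored for algorithms with a fixed key size or what the default is for them, whichever is the case. The leading context line also has the pre-existing typo "eihter" ("either") that is worth fixing while this paragraph is being edited.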
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
Equivalent to the <code class="option">-v</code> verbose option.
</p>
</dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Obsolete.
- Use the IP6.INT domain for reverse lookups of IPv6
- addresses as defined in RFC1886 and deprecated in RFC4159.
- The default is to use IP6.ARPA as specified in RFC3596.
- </p>
- </dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
+ If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>host</strong></span> runs.
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
a reverse lookup with the "PTR" query type.
</p>
- <p>
- The <code class="option">-i</code> option sets the reverse domain for
- IPv6 addresses to IP6.INT.
- </p>
-
<p>
Reverse lookups — mapping addresses to names — are
simplified by the <code class="option">-x</code> option.
query name like <code class="literal">11.12.13.10.in-addr.arpa</code> and
sets the query type and class to PTR and IN respectively.
By default, IPv6 addresses are looked up using nibble format
- under the IP6.ARPA domain. To use the older RFC1886 method
- using the IP6.INT domain specify the <code class="option">-i</code> option.
+ under the IP6.ARPA domain.
</p>
<p>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |<br>
    * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
+ answer-cookie <em class="replaceable"><code>boolean</code></em>;<br>
attach-cache <em class="replaceable"><code>string</code></em>;<br>
auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
auto-dnssec ( allow | maintain | off );<br>
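Review bot: The grammar gains `answer-cookie boolean`, but no item in the release notes included in this patch mentions it, and the option's description section is not part of this diff. A new top-level knob that controls DNS cookie behaviour needs both a Feature Changes entry and a description of the default and its effect; please add them or point to the commit that does.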
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |<br>
-     response ) ]; ... };<br>
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [<br>
+     ( query | response ) ]; ... };<br>
dnstap-identity ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [ size ( unlimited |<br>
    <em class="replaceable"><code>size</code></em> ) ] [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ] [ suffix (<br>
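Review bot: The new `update` dnstap message type is added to the grammar here (and again in the view/zone grammar below) without a corresponding release note entry in this patch; add a line to Feature Changes saying that dnstap can now log update messages, since operators keying alerts off dnstap output will want to know a new message type can appear.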
memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
message-compression <em class="replaceable"><code>boolean</code></em>;<br>
+ min-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ min-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
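Review bot: `min-cache-ttl` and `min-ncache-ttl` take a `ttlval` here, but the release note in this patch says the configured value cannot exceed 90 seconds; the grammar cannot express that, so make sure the options' description (not in this diff) states the cap and what happens when it is exceeded (the max-ncache-ttl note in this patch says such values now trigger a configuration error; say whether the same applies here).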
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
dnssec-validation ( yes | no | auto );<br>
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |<br>
-     response ) ]; ... };<br>
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [<br>
+     ( query | response ) ]; ... };<br>
dual-stack-servers [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port<br>
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
    static-stub | stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> (<br>
-     6to4-self | external | krb5-self | krb5-subdomain |<br>
-     ms-self | ms-subdomain | name | self | selfsub |<br>
-     selfwild | subdomain | tcp-self | wildcard | zonesub )<br>
-     [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+     6to4-self | external | krb5-self | krb5-selfsub |<br>
+     krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |<br>
+     name | self | selfsub | selfwild | subdomain | tcp-self<br>
+     | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
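Review bot: `krb5-selfsub` and `ms-selfsub` are added to the update-policy grammar, but the table in the ARM that defines the semantics of each rule type (what the identity must match and which names may be updated) is not part of this diff. Since these rules widen what a Kerberos principal may update to everything at or below the machine name, that table entry is the part an administrator will read before enabling them; please include it in the same patch.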
    stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
-     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
-     | name | self | selfsub | selfwild | subdomain | tcp-self |<br>
-     wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+     external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self<br>
+     | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild<br>
+     | subdomain | tcp-self | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ]<br>
+     <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</div>
<div class="refsection">
-<a name="id-1.13.29.11"></a><h2>FILES</h2>
+<a name="id-1.13.29.11"></a><h2>IDN SUPPORT</h2>
+
+ <p>
+ If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
+ a tty.
+ </p>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.13.29.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.13.29.12"></a><h2>SEE ALSO</h2>
+<a name="id-1.13.29.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
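Review bot: The new IDN SUPPORT section says IDN support is disabled "when the standard output is not a tty" but, unlike the dig page in this patch, gives no way to turn it back on from a script. The Feature Changes note in this patch presents `+idnin` and `+idnout` as the options to use "when running from a shell script"; if nslookup honours equivalent options, document them here, otherwise reword the release note so it does not imply both commands accept them.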
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>nta
- [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
+ [<span class="optional">( -class <em class="replaceable"><code>class</code></em> | -dump | -force | -remove | -lifetime <em class="replaceable"><code>duration</code></em>)</span>]
<em class="replaceable"><code>domain</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]
</code></strong></span></dt>
is equivalent to <code class="option">-remove</code>.
</p>
<p>
- If <code class="option">-dump</code> is used, any other arguments
+ If the <code class="option">-dump</code> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
lifetime, regardless of whether data could be
validated if the NTA were not present.
</p>
+ <p>
+ The view class can be specified with <code class="option">-class</code>.
+ The default is class <strong class="userinput"><code>IN</code></strong>, which is
+ the only class for which DNSSEC is currently supported.
+ </p>
<p>
All of these options can be shortened, i.e., to
<code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
- and <code class="option">-f</code>.
+ <code class="option">-f</code>, and <code class="option">-c</code>.
+ </p>
+ <p>
+ Unrecognized options are treated as errors. To reference
+ a domain or view name that begins with a hyphen,
+ use a double-hyphen on the command line to indicate the
+ end of options.
</p>
</dd>
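Review bot: The change to "If the <code class="option">-dump</code> is used" introduces a grammatical error; keep the original "If -dump is used" or write "If the -dump option is used". Also, the synopsis lists `-class` inside the same `( ... | ... )` alternation as `-dump`, `-force`, `-remove` and `-lifetime`, which reads as mutually exclusive, while the new paragraph describes `-class` as selecting the view class for the operation; if it can be combined with the other options, show it as a separate optional argument in the synopsis.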
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional"> on | off </span>] </span></dt>
<dd>
<p>
Enable, disable, or check the current status of
- DNSSEC validation.
- Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> or
- <strong class="userinput"><code>auto</code></strong> to be effective.
- It defaults to enabled.
+ DNSSEC validation. By default, validation is enabled.
+ (Note that <span class="command"><strong>dnssec-enable</strong></span> must also be
+ <strong class="userinput"><code>yes</code></strong> (the default value) for signatures
+ to be returned along with validated data. If validation is
+ enabled while <span class="command"><strong>dnssec-enable</strong></span> is set to
+ <strong class="userinput"><code>no</code></strong>, the server will validate internally,
+ but will not supply clients with the necessary records to allow
+ validity to be confirmed.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.3 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.13.3</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.13.4</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Task manager and socket code have been substantially modified.
+ The manager uses per-cpu queues for tasks and network stack runs
+ multiple event loops in CPU-affinitive threads. This greatly
+ improves performance on large systems, especially when using
+ multi-queue NICs.
+ </p>
+ </li>
<li class="listitem">
<p>
A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
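Review bot: Missing article in "The manager uses per-cpu queues for tasks and network stack runs multiple event loops" ("and the network stack runs"); "per-cpu" should be "per-CPU" to match "CPU-affinitive" in the next clause, and "CPU-affinitive" is not a usual term, "CPU-affine threads" or "threads pinned to CPUs" reads better. Since this text is generated from the DocBook source, make the fix there and regenerate the HTML and text versions.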
them. [GL #237]
</p>
</li>
+<li class="listitem">
+ <p>
+ Two new update policy rule types have been added
+ <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
+ which allow machines with Kerberos principals to update
+ the name space at or below the machine names identified
+ in the respective principals.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
+ can be used to make BIND enable and enforce FIPS mode in the
+ OpenSSL library. When compiled with such option the BIND will
+ refuse to run if FIPS mode can't be enabled, thus this option
+ must be only enabled for the systems where FIPS mode is available.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
+ <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
+ administrator to override the minimum TTL in the received DNS records
+ (positive caching) and for storing the information about non-existent
+ records (negative caching). The configured minimum TTL for both
+ configuration options cannot exceed 90 seconds.
+ </p>
+ </li>
</ul></div>
</div>
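Review bot: Several grammar problems in the three new items, all to be fixed in the DocBook source: "Two new update policy rule types have been added krb5-selfsub and ms-selfsub which allow" needs punctuation ("have been added, krb5-selfsub and ms-selfsub, which allow"); "When compiled with such option the BIND will refuse to run if FIPS mode can't be enabled, thus this option must be only enabled for the systems" should read "When compiled with this option, BIND will refuse to run if FIPS mode cannot be enabled, so it must only be enabled on systems where FIPS mode is available"; and "Two new configuration options ... has been added" needs "have been added". The FIPS item should also say what "refuse to run" means operationally (exit at startup with a logged error?) so operators can plan for it.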
usually long after their end-of-life date and they are
neither developed nor supported by their respective vendors.
</p>
+ <p>
+ Support for DSA and DSA-NSEC3-SHA1 algorithms has been
+ removed from BIND as the DSA key length is limited to 1024
+ bits and this is not considered secure enough.
+ </p>
</li>
</ul></div>
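Review bot: The removal note gives the rationale but not the operational consequence: say what named does when it loads a zone that is still signed with DSA or NSEC3DSA keys, and what a dnssec-keygen user with existing DSA key files should do, so that operators can check for affected zones before upgrading rather than discovering it from a failed load.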
</div>
that have timed out, in addition to those that respond. [GL #64]
</p>
</li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </p>
- </li>
<li class="listitem">
<p>
Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
instead of using the <span class="command"><strong>resolver</strong></span> category.
</p>
</li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
+ between views of the same name but different class; this
+ has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
+ option. [GL #105]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>allow-recursion-on</strong></span> and
+ <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
+ the other if only one of them is set, in order to be consistent
+ with the way <span class="command"><strong>allow-recursion</strong></span> and
+ <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
+ <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
+ when the standard output is not a TTY (i.e., when the output
+ is not being read by a human). When running from a shell
+ script, the command line options <span class="command"><strong>+idnin</strong></span> and
+ <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
+ processing of input and output domain names, respectively.
+ When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
+ <span class="command"><strong>+noidnout</strong></span> options may be used to disable
+ IDN processing of input and output domain names.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
+ exceed seven days. Previously, larger values than this were silently
+ lowered; now, they trigger a configuration error.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new <span class="command"><strong>dig -r</strong></span> command line option
+ disables reading of the file <code class="filename">$HOME/.digrc</code>.
+ </p>
+ </li>
</ul></div>
</div>
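Review bot: The `rndc nta -class` item here and the bug-fix item later in this patch both cite [GL #105] and describe closely related changes; consider folding the class-differentiation sentence into the bug fix entry so the feature list does not repeat it. Minor: the last item writes the file as `$HOME/.digrc` while the dig manual page in this patch uses `${HOME}/.digrc`; use one spelling.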
to be non-resolvable. [GL #390]
</p>
</li>
+<li class="listitem">
+ <p>
+ When a negative trust anchor was added to multiple views
+ using <span class="command"><strong>rndc nta</strong></span>, the text returned via
+ <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
+ first line, making it appear that only one NTA had been
+ added. This has been fixed. [GL #105]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The view name is now included in the output of
+ <span class="command"><strong>rndc nta -dump</strong></span>, for consistency with
+ other options. [GL !816]
+ </p>
+ </li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now rejects excessively large
-Release Notes for BIND Version 9.13.3
+Release Notes for BIND Version 9.13.4
Introduction
New Features
+ * Task manager and socket code have been substantially modified. The
+ manager uses per-cpu queues for tasks and network stack runs multiple
+ event loops in CPU-affinitive threads. This greatly improves
+ performance on large systems, especially when using multi-queue NICs.
+
* A new secondary zone option, mirror, enables named to serve a
transferred copy of a zone's contents without acting as an authority
for the zone. A zone must be fully validated against an active trust
DNSSEC validation should not be performed, regardless of whether a
trust anchor has been configured above them. [GL #237]
+ * Two new update policy rule types have been added krb5-selfsub and
+ ms-selfsub which allow machines with Kerberos principals to update the
+ name space at or below the machine names identified in the respective
+ principals.
+
+ * The new configure option --enable-fips-mode can be used to make BIND
+ enable and enforce FIPS mode in the OpenSSL library. When compiled
+ with such option the BIND will refuse to run if FIPS mode can't be
+ enabled, thus this option must be only enabled for the systems where
+ FIPS mode is available.
+
+ * Two new configuration options min-cache-ttl and min-ncache-ttl has
+ been added to allow the BIND 9 administrator to override the minimum
+ TTL in the received DNS records (positive caching) and for storing the
+ information about non-existent records (negative caching). The
+ configured minimum TTL for both configuration options cannot exceed 90
+ seconds.
+
Removed Features
* Workarounds for servers that misbehave when queried with EDNS have
and they are neither developed nor supported by their respective
vendors.
+ Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from
+ BIND as the DSA key length is limited to 1024 bits and this is not
+ considered secure enough.
+
Feature Changes
* BIND will now always use the best CSPRNG (cryptographically-secure
* dig +nssearch will now list name servers that have timed out, in
addition to those that respond. [GL #64]
- * dig +noidnin can be used to disable IDN processing on the input domain
- name, when BIND is compiled with IDN support.
-
* Up to 64 response-policy zones are now supported by default;
previously the limit was 32. [GL #123]
* NSID logging (enabled by the request-nsid option) now has its own nsid
category, instead of using the resolver category.
+ * The rndc nta command could not differentiate between views of the same
+ name but different class; this has been corrected with the addition of
+ a -class option. [GL #105]
+
+ * allow-recursion-on and allow-query-cache-on each now default to the
+ other if only one of them is set, in order to be consistent with the
+ way allow-recursion and allow-query-cache work. [GL #319]
+
+ * When compiled with IDN support, the dig and nslookup commands now
+ disable IDN processing when the standard output is not a TTY (i.e.,
+ when the output is not being read by a human). When running from a
+ shell script, the command line options +idnin and +idnout may be used
+ to enable IDN processing of input and output domain names,
+ respectively. When running on a TTY, the +noidnin and +noidnout
+ options may be used to disable IDN processing of input and output
+ domain names.
+
+ * The configuration option max-ncache-ttl cannot exceed seven days.
+ Previously, larger values than this were silently lowered; now, they
+ trigger a configuration error.
+
+ * The new dig -r command line option disables reading of the file $HOME
+ /.digrc.
+
Bug Fixes
* Running rndc reconfig could cause inline-signing zones to stop
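Review bot: the allow-recursion-on / allow-query-cache-on item (GL #319) changes effective access control on upgrade and the note should say so. A configuration that set only one of the two previously left the other at its old default; after this change the unset one silently inherits the configured one, which can widen or narrow the set of listening addresses that answer recursive or cache queries without any edit to named.conf. Add a sentence advising operators who set only one of them to re-check both (for example with named-checkconf -p). The same applies to the max-ncache-ttl item: a value above seven days used to be silently lowered and is now a configuration error, so an existing, previously loading named.conf can fail to start after the upgrade, and the note should flag that explicitly rather than only describing the new behaviour.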
treated as an error; this caused certain domains to be non-resolvable.
[GL #390]
+ * When a negative trust anchor was added to multiple views using rndc
+ nta, the text returned via rndc was incorrectly truncated after the
+ first line, making it appear that only one NTA had been added. This
+ has been fixed. [GL #105]
+
+ * The view name is now included in the output of rndc nta -dump, for
+ consistency with other options. [GL !816]
+
* named now rejects excessively large incremental (IXFR) zone transfers
in order to prevent possible corruption of journal files which could
cause named to abort when loading zones. [GL #339]
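Review bot: the rndc nta -dump item cites a merge request ("GL !816") while every other entry in this hunk and the surrounding ones cites an issue number ("GL #105", "GL #339"). If an issue exists for the -dump change, cite that for consistency; otherwise the "!" form is fine but should be used deliberately, since readers following the references will otherwise look for an issue that does not exist. The -class option (Feature Changes) and the truncated-output fix here both tracing to GL #105 is consistent and needs no change.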
configuration options cannot exceed 90 seconds.
</para>
</listitem>
- <listitem>
- <para>
- The configuration option <command>max-ncache-ttl</command> was
- silently capped to 7 days, and the upper limit is now enforced.
- </para>
- </listitem>
</itemizedlist>
</section>
that have timed out, in addition to those that respond. [GL #64]
</para>
</listitem>
- <listitem>
- <para>
- <command>dig +noidnin</command> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </para>
- </listitem>
<listitem>
<para>
Up to 64 <command>response-policy</command> zones are now
</listitem>
<listitem>
<para>
- When compiled with IDN support, the <command>dig</command> and the
- <command>nslookup</command> commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when <command>dig</command> or <command>nslookup</command>
- is used from the shell scripts.
+ When compiled with IDN support, the <command>dig</command> and
+ <command>nslookup</command> commands now disable IDN processing
+ when the standard output is not a TTY (i.e., when the output
+ is not being read by a human). When running from a shell
+ script, the command line options <command>+idnin</command> and
+ <command>+idnout</command> may be used to enable IDN
+ processing of input and output domain names, respectively.
+ When running on a TTY, the <command>+noidnin</command> and
+ <command>+noidnout</command> options may be used to disable
+ IDN processing of input and output domain names.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The configuration option <command>max-ncache-ttl</command> cannot
+ exceed seven days. Previously, larger values than this were silently
+ lowered; now, they trigger a configuration error.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The new <command>dig -r</command> command line option
+ disables reading of the file <filename>$HOME/.digrc</filename>.
</para>
</listitem>
</itemizedlist>
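Review bot: "i.e., when the output is not being read by a human" claims more than a TTY test can know; "dig | less" is read by a human and "dig > file" in an interactive session is not, so "e.g., when the output is piped to another program or redirected to a file" is more accurate and leads naturally into the following sentence about shell scripts. In the same hunk, the dig -r item would benefit from one sentence on why a script wants it: options in $HOME/.digrc are applied to every invocation and can change output format or server selection underneath a script, so -r makes scripted output independent of the invoking user's dotfile. Both items describe behaviour that flips depending on how dig is invoked, which is exactly the case where parsers of dig output break, so spelling out the trigger conditions is worth the extra lines.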
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder | resolver | update ) [
- ( query | response ) ]; ... };
- dnstap-identity ( <quoted_string> | none | hostname );
- dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
- <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
- increment | timestamp ) ];
- dnstap-version ( <quoted_string> | none );
+ dnstap { ( all | auth | client | forwarder |
+ resolver | update ) [ ( query | response ) ];
+ ... }; // not configured
+ dnstap-identity ( <quoted_string> | none |
+ hostname ); // not configured
+ dnstap-output ( file | unix ) <quoted_string> [
+ size ( unlimited | <size> ) ] [ versions (
+ unlimited | <integer> ) ] [ suffix ( increment
+ | timestamp ) ]; // not configured
+ dnstap-version ( <quoted_string> | none ); // not configured
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
- fstrm-set-buffer-hint <integer>;
- fstrm-set-flush-timeout <integer>;
- fstrm-set-input-queue-size <integer>;
- fstrm-set-output-notify-threshold <integer>;
- fstrm-set-output-queue-model ( mpsc | spsc );
- fstrm-set-output-queue-size <integer>;
- fstrm-set-reopen-interval <ttlval>;
+ fstrm-set-buffer-hint <integer>; // not configured
+ fstrm-set-flush-timeout <integer>; // not configured
+ fstrm-set-input-queue-size <integer>; // not configured
+ fstrm-set-output-notify-threshold <integer>; // not configured
+ fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
+ fstrm-set-output-queue-size <integer>; // not configured
+ fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // obsolete
managed-keys-directory <quoted_string>;
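Review bot: "// non-operational" on lmdb-mapsize introduces a third annotation alongside "// not configured" and "// obsolete" in this listing, and nothing in the hunk defines it. If it means the option parses but has no effect because LMDB support is not compiled into this build, "// not configured" is the term the same file now uses for the dnstap and fstrm-* options in that situation; if it means something different (accepted and ignored regardless of build options), it should be added to the legend so readers know how the two differ. Separately, the dnstap block has been re-wrapped to a narrower width than the neighbouring dual-stack-servers and forwarders lines, which suggests the generator's column width changed or the block was hand-edited; worth confirming the file is regenerated so the next run does not produce a spurious diff.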
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder | resolver | update ) [
- ( query | response ) ]; ... };
+ dnstap { ( all | auth | client | forwarder |
+ resolver | update ) [ ( query | response ) ];
+ ... }; // not configured
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<integer> ] [ dscp <integer> ] | <ipv6_address> [ port
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // obsolete
managed-keys { <string> <string>
<integer> <integer> <integer>
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1301
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1303
+LIBINTERFACE = 1304
LIBREVISION = 0
LIBAGE = 0
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1301
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1303
+LIBINTERFACE = 1304
LIBREVISION = 0
LIBAGE = 0
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1301
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1303
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
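Review bot: the libtool bumps need to match the kind of change each library carried. LIBREVISION 0 -> 1 with LIBINTERFACE unchanged (the 1301 and 1303 libraries here) asserts an implementation-only, ABI-compatible change, while LIBINTERFACE 1303 -> 1304 with LIBAGE left at 0 asserts an incompatible interface change. The release notes in this same change remove DSA and DSA-NSEC3-SHA1 support; if that removed exported functions or enumerators from a library whose LIBINTERFACE stays at 1301 or 1303 in these hunks, that library needs an interface bump as well, since dropping symbols is not covered by a revision-only bump. The hunks do not show which library each version file belongs to, so this is a check to perform rather than a defect found.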
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=13
-PATCHVER=3
+PATCHVER=4
RELEASETYPE=
RELEASEVER=
EXTENSIONS=