From: Tinderbox User
Date: Thu, 12 Dec 2019 23:36:53 +0000 (+0000)
Subject: prep 9.15.7
X-Git-Tag: v9.15.7^2^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e088272172b3e57421853ce34777cf4352a0bcb2;p=thirdparty%2Fbind9.git
prep 9.15.7
---
diff --git a/CHANGES b/CHANGES
index adbbeaf75cb..9f44c824d71 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+ --- 9.15.7 released ---
+
 5336. [bug] The TCP high-water statistic could report an incorrect value on startup. [GL #1392]
diff --git a/README b/README
index c7e010c107c..b5bbfe67978 100644
--- a/README
+++ b/README
@@ -115,9 +115,9 @@ of changes from BIND 9.14 and earlier releases. New features include:
 for zones, enabling automatic key regeneration and rollover.
 * New new network manager based on libuv.
 * Support for the new GeoIP2 geolocation API
- * Improved DNSSEC trust anchor configuration using dnssec-keys,
- permitting configuration of trust anchors in DS as well as DNSKEY
- format.
+ * Improved DNSSEC trust anchor configuration using the trust-anchors
+ statement, permitting configuration of trust anchors in DS as well as
+ DNSKEY format.
 * YAML output for dig, mdig, and delv.
 Building BIND
@@ -180,9 +180,10 @@ Dependencies
 Portions of BIND that are written in Python, including dnssec-keymgr, dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-argparse and ply modules to be available. argparse is a standard module as
-of Python 2.7 and Python 3.2. ply is available from https://
-pypi.python.org/pypi/ply.
+argparse, ply and distutils.core modules to be available. argparse is a
+standard module as of Python 2.7 and Python 3.2. ply is available from
+https://pypi.python.org/pypi/ply. distutils.core is required for
+installation.
 Compile-time options
diff --git a/bin/delv/delv.1 b/bin/delv/delv.1
index 48b298a7a7e..20d5ab0f4fc 100644
--- a/bin/delv/delv.1
+++ b/bin/delv/delv.1
@@ -144,7 +144,7 @@ options\&. Note: When reading the trust anchor file, \fBdelv\fR treats
-\fBdnssec\-keys\fR\fBinitial\-key\fR
+\fBtrust\-anchors\fR\fBinitial\-key\fR
 and \fBstatic\-key\fR entries identically\&. That is, even if a key is configured with
diff --git a/bin/delv/delv.html b/bin/delv/delv.html
index 7ba08add2ad..b52bccec3a3 100644
--- a/bin/delv/delv.html
+++ b/bin/delv/delv.html
@@ -197,7 +197,7 @@ 

Note: When reading the trust anchor file,
- delv treats dnssec-keys
+ delv treats trust-anchors
 initial-key and static-key entries identically. That is, even if a key is configured with initial-key, indicating that it is
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 45d30a8d7d2..81caab20993 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -97,20 +97,6 @@ dlz \fIstring\fR {
 .if n \{\
 .RE
 .\}
-.SH "DNSSEC-KEYS"
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-dnssec\-keys { \fIstring\fR ( static\-key |
- initial\-key | static\-ds | initial\-ds )
- \fIinteger\fR \fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };
-.fi
-.if n \{\
-.RE
-.\}
 .SH "DYNDB"
 .sp
 .if n \{\
@@ -164,7 +150,7 @@ logging {
 .\}
 .SH "MANAGED-KEYS"
 .PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
 .sp
 .if n \{\
 .RS 4
@@ -565,9 +551,23 @@ statistics\-channels {
 .if n \{\
 .RE
 .\}
+.SH "TRUST-ANCHORS"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+trust\-anchors { \fIstring\fR ( static\-key |
+ initial\-key | static\-ds | initial\-ds )
+ \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };
+.fi
+.if n \{\
+.RE
+.\}
 .SH "TRUSTED-KEYS"
 .PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
 .sp
 .if n \{\
 .RS 4
@@ -655,10 +655,6 @@ view \fIstring\fR [ \fIclass\fR ] {
 dnsrps\-options { \fIunspecified\-text\fR };
 dnssec\-accept\-expired \fIboolean\fR;
 dnssec\-dnskey\-kskonly \fIboolean\fR;
- dnssec\-keys { \fIstring\fR ( static\-key |
- initial\-key | static\-ds | initial\-ds
- ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };
 dnssec\-loadkeys\-interval \fIinteger\fR;
 dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
 dnssec\-secure\-to\-insecure \fIboolean\fR;
@@ -849,6 +845,10 @@ view \fIstring\fR [ \fIclass\fR ] {
 transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
 trust\-anchor\-telemetry \fIboolean\fR; // experimental
+ trust\-anchors { \fIstring\fR ( static\-key |
+ initial\-key | static\-ds | initial\-ds
+ ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };
 trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR
@@ -1074,7 +1074,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
 .\}
 .nf
 dnssec\-policy \fIstring\fR {
- dnskey\-ttl \fIttlval\fR;
+ dnskey\-ttl \fIduration\fR;
 keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
 parent\-ds\-ttl \fIduration\fR;
 parent\-propagation\-delay \fIduration\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index c23c10a5448..fba43fe8370 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -92,17 +92,7 @@ dlz

-

DNSSEC-KEYS

-


-dnssec-keys { string ( static-key |
-    initial-key | static-ds | initial-ds )
-    integer integer integer
-    quoted_string; ... };
-

-
- -
-

DYNDB

+

DYNDB


dyndb string quoted_string {
    unspecified-text };
@@ -110,7 +100,7 @@ dyndb

-

KEY

+

KEY


key string {
algorithm string;
@@ -120,7 +110,7 @@ key

-

LOGGING

+

LOGGING


logging {
category string { string; ... };
@@ -141,8 +131,8 @@ logging

-

MANAGED-KEYS

-

Deprecated - see DNSSEC-KEYS.

+

MANAGED-KEYS

+

Deprecated - see TRUST-ANCHORS.


managed-keys { string ( static-key
    | initial-key | static-ds |
@@ -152,7 +142,7 @@ managed-keys

-

MASTERS

+

MASTERS


masters string [ port integer ] [ dscp
    integer ] { ( masters | ipv4_address [
@@ -162,7 +152,7 @@ masters

-

OPTIONS

+

OPTIONS


options {
allow-new-zones boolean;
@@ -461,7 +451,7 @@ options

-

PLUGIN

+

PLUGIN


plugin ( query ) string [ { unspecified-text
    } ];
@@ -469,7 +459,7 @@ plugin

-

SERVER

+

SERVER


server netprefix {
bogus boolean;
@@ -507,7 +497,7 @@ server

-

STATISTICS-CHANNELS

+

STATISTICS-CHANNELS


statistics-channels {
inet ( ipv4_address | ipv6_address |
@@ -518,9 +508,19 @@ statistics-channels

+
+

TRUST-ANCHORS

+


+trust-anchors { string ( static-key |
+    initial-key | static-ds | initial-ds )
+    integer integer integer
+    quoted_string; ... };
+

+
+

TRUSTED-KEYS

-

Deprecated - see DNSSEC-KEYS.

+

Deprecated - see TRUST-ANCHORS.


trusted-keys { string integer
    integer integer
@@ -600,10 +600,6 @@ view dnsrps-options { unspecified-text };
dnssec-accept-expired boolean;
dnssec-dnskey-kskonly boolean;
- dnssec-keys { string ( static-key |
-     initial-key | static-ds | initial-ds
-     ) integer integer integer
-     quoted_string; ... };
dnssec-loadkeys-interval integer;
dnssec-must-be-secure string boolean;
dnssec-secure-to-insecure boolean;
@@ -794,6 +790,10 @@ view transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
    ] [ dscp integer ];
trust-anchor-telemetry boolean; // experimental
+ trust-anchors { string ( static-key |
+     initial-key | static-ds | initial-ds
+     ) integer integer integer
+     quoted_string; ... };
trusted-keys { string
    integer integer
    integer
@@ -1012,7 +1012,7 @@ zone


dnssec-policy string {
- dnskey-ttl ttlval;
+ dnskey-ttl duration;
keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
parent-ds-ttl duration;
parent-propagation-delay duration;
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 18020ea2ece..555448cddce 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -516,7 +516,7 @@ timer\&.
 \fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
 .RS 4
 Dump the security roots (i\&.e\&., trust anchors configured via
-\fBdnssec\-keys\fR
+\fBtrust\-anchors\fR
 statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via \fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
 .sp
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 762b283bfee..be8a4e3f603 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -654,7 +654,7 @@ 

Dump the security roots (i.e., trust anchors - configured via dnssec-keys statements, or the + configured via trust-anchors statements, or the managed-keys or trusted-keys statements (both deprecated), or via dnssec-validation auto) and negative trust anchors for the specified views. If no view is specified, all diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 89df6f81143..8b6c4210ce6 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@

-

BIND 9.15.6 (Development Release)

+

BIND 9.15.7 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index aec6e1eb12d..ecc48bbaaf4 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@
-

BIND 9.15.6 (Development Release)

+

BIND 9.15.7 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 9e345d91ee8..a1338364838 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls {
-

BIND 9.15.6 (Development Release)

+

BIND 9.15.7 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 76919256087..bab2ac6746f 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1042,7 +1042,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; yes, DNSSEC validation will only occur if at least one trust anchor has been explicitly configured in named.conf - using a dnssec-keys statement (or the + using a trust-anchors statement (or the managed-keys and trusted-keys statements, both deprecated).

@@ -1057,7 +1057,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

- The keys specified in dnssec-keys + The keys specified in trust-anchors copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust. Keys configured with the keyword static-key or @@ -1071,7 +1071,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

- dnssec-keys is described in more detail + trust-anchors is described in more detail later in this document.

@@ -1094,7 +1094,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

-dnssec-keys {
+trust-anchors {
         /* Root Key */
         "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
                                  JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
@@ -1586,10 +1586,10 @@ options {
     
     

To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a - dnssec-keys statement and the + trust-anchors statement and the initial-key or initial-ds keyword. Information about this can be found in - the section called “dnssec-keys Statement Definition + the section called “trust-anchors Statement Definition and Usage”.

@@ -2915,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-

BIND 9.15.6 (Development Release)

+

BIND 9.15.7 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index e87c1a72760..a624f899c8a 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -67,8 +67,8 @@
statistics-channels Statement Grammar
statistics-channels Statement Definition and Usage
-
dnssec-keys Statement Grammar
-
dnssec-keys Statement Definition +
trust-anchors Statement Grammar
+
trust-anchors Statement Definition and Usage
dnssec-policy Statement Grammar
dnssec-policy Statement Definition @@ -899,7 +899,7 @@ -

dnssec-keys

+

trust-anchors

@@ -920,9 +920,9 @@

- is identical to dnssec-keys; + is identical to trust-anchors; this option is deprecated in favor - of dnssec-keys with + of trust-anchors with the initial-key keyword, and may be removed in a future release.

@@ -936,7 +936,7 @@

defines permanent trusted DNSSEC keys; this option is deprecated in favor - of dnssec-keys with + of trust-anchors with the static-key keyword, and may be removed in a future release.

@@ -2950,9 +2950,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] The number of seconds to wait between attempts to reopen a closed output stream. The minimum is 1 second, the maximum is 600 seconds (10 minutes), and the default - is 5 seconds. - For convenience, TTL-style time unit suffixes may be - used to specify the value. + is 5 seconds. For convenience, TTL-style time unit + suffixes may be used to specify the value. It also + accepts ISO 8601 duration formats.
@@ -3087,7 +3087,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] track managed DNSSEC keys (i.e., those configured using the initial-key or initial-ds keywords in a - dnssec-keys statement). By default, + trust-anchors statement). By default, this is the working directory. The directory must be writable by the effective user ID of the named process. @@ -3455,7 +3455,7 @@ options { as insecure.

- Configured trust anchors in dnssec-keys + Configured trust anchors in trust-anchors (or managed-keys or trusted-keys, both deprecated) that match a disabled algorithm will be ignored and treated @@ -3487,7 +3487,7 @@ options { they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be defined as a - trust anchor, for instance in a dnssec-keys + trust anchor, for instance in a trust-anchors statement, or dnssec-validation auto must be active.

@@ -3646,8 +3646,11 @@ options {

For convenience, TTL-style time unit suffixes can be used to specify the NTA lifetime in seconds, minutes - or hours. nta-lifetime defaults to - one hour. It cannot exceed one week. + or hours. It also accepts ISO 8601 duration formats. +

+

+ nta-lifetime defaults to one hour. It + cannot exceed one week.

nta-recheck
@@ -3677,9 +3680,13 @@ options {

For convenience, TTL-style time unit suffixes can be used to specify the NTA recheck interval in seconds, - minutes or hours. The default is five minutes. It - cannot be longer than nta-lifetime - (which cannot be longer than a week). + minutes or hours. It also accepts ISO 8601 duration + formats. +

+

+ The default is five minutes. It cannot be longer than + nta-lifetime (which cannot be longer + than a week).

max-zone-ttl
@@ -3687,7 +3694,10 @@ options {

Specifies a maximum permissible TTL value in seconds. For convenience, TTL-style time unit suffixes may be - used to specify the maximum value. + used to specify the maximum value. It also + accepts ISO 8601 duration formats. +

+

When loading a zone file using a masterfile-format of text or raw, @@ -4500,7 +4510,7 @@ options { Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via, e.g., - dnssec-keys or + trust-anchors or dnssec-validation auto.

@@ -4691,7 +4701,7 @@ options {

If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured - using a dnssec-keys statement (or + using a trust-anchors statement (or the managed-keys or the trusted-keys statements, both deprecated). If there is no configured trust anchor, validation will @@ -6515,7 +6525,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; listen-on configuration), and will stop listening on interfaces that have gone away. For convenience, TTL-style time unit suffixes may be - used to specify the value. + used to specify the value. It also accepts ISO 8601 + duration formats.

@@ -6795,9 +6806,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; stores negative answers. min-ncache-ttl is used to set a minimum retention time for these answers in the server in seconds. For convenience, TTL-style time unit - suffixes may be used to specify the value. The default - min-ncache-ttl is 0 - seconds. min-ncache-ttl cannot exceed 90 + suffixes may be used to specify the value. It also + accepts ISO 8601 duration formats. +

+

+ The default min-ncache-ttl is + 0 seconds. + min-ncache-ttl cannot exceed 90 seconds and will be truncated to 90 seconds if set to a greater value.

@@ -6806,10 +6821,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

Sets the minimum time for which the server will cache ordinary - (positive) answers in seconds. For convenience, TTL-style time - unit suffixes may be used to specify the value. The default - min-cache-ttl is 0 - seconds. min-cache-ttl cannot exceed 90 + (positive) answers in seconds. For convenience, TTL-style + time unit suffixes may be used to specify the value. It also + accepts ISO 8601 duration formats. +

+

+ The default min-cache-ttl is + 0 seconds. + min-cache-ttl cannot exceed 90 seconds and will be truncated to 90 seconds if set to a greater value.

@@ -6818,15 +6837,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

To reduce network traffic and increase performance, - the server stores negative answers. max-ncache-ttl is + the server stores negative answers. + max-ncache-ttl is used to set a maximum retention time for these answers in - the server in seconds. - For convenience, TTL-style time unit suffixes may be - used to specify the value. The default - max-ncache-ttl is 10800 seconds (3 hours). - max-ncache-ttl cannot exceed - 7 days and will - be silently truncated to 7 days if set to a greater value. + the server in seconds. For convenience, TTL-style time unit + suffixes may be used to specify the value. It also accepts + ISO 8601 duration formats. +

+

+ The default max-ncache-ttl is + 10800 seconds (3 hours). + max-ncache-ttl cannot exceed 7 days and + will be silently truncated to 7 days if set to a greater + value.

max-cache-ttl
@@ -6835,7 +6858,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Sets the maximum time for which the server will cache ordinary (positive) answers in seconds. For convenience, TTL-style time unit suffixes may be - used to specify the value. + used to specify the value. It also accepts ISO 8601 + duration formats. +

+

The default is 604800 (one week). A value of zero may cause all queries to return SERVFAIL, because of lost caches of intermediate @@ -8043,7 +8069,9 @@ deny-answer-aliases { "example.net"; }; The max-policy-ttl clause changes the maximum seconds from its default of 5. For convenience, TTL-style time unit suffixes may be - used to specify the value. + used to specify the value. It also accepts ISO 8601 duration + formats. +

@@ -8139,7 +8167,8 @@ example.com CNAME rpz-tcp-only. recent update, then the changes will not be carried out until this interval has elapsed. The default is 60 seconds. For convenience, TTL-style time unit suffixes may be - used to specify the value. + used to specify the value. It also accepts ISO 8601 duration + formats.

@@ -8849,9 +8878,9 @@ example.com CNAME rpz-tcp-only.

-dnssec-keys Statement Grammar

+trust-anchors Statement Grammar
-dnssec-keys { string ( static-key |
+trust-anchors { string ( static-key |
     initial-key | static-ds | initial-ds )
     integer integer integer
     quoted_string; ... };
@@ -8859,11 +8888,11 @@ example.com                 CNAME   rpz-tcp-only.
         

-dnssec-keys Statement Definition +trust-anchors Statement Definition and Usage

- The dnssec-keys statement defines DNSSEC + The trust-anchors statement defines DNSSEC trust anchors. DNSSEC is described in the section called “DNSSEC”.

@@ -8882,21 +8911,21 @@ example.com CNAME rpz-tcp-only. the validate-except option).

- All keys listed in dnssec-keys, and + All keys listed in trust-anchors, and their corresponding zones, are deemed to exist regardless of what parent zones say. Only keys configured as trust anchors are used to validate the DNSKEY RRset for the corresponding name. The parent's DS RRset will not be used.

- dnssec-keys may be set at the top level + trust-anchors may be set at the top level of named.conf or within a view. If it is set in both places, the configurations are additive: keys defined at the top level are inherited by all views, but keys defined in a view are only used within that view.

- The dnssec-keys statement can contain + The trust-anchors statement can contain multiple trust anchor entries, each consisting of a domain name, followed by an "anchor type" keyword indicating the trust anchor's format, followed by the key or digest data. @@ -8936,7 +8965,7 @@ example.com CNAME rpz-tcp-only. static-ds would be unable to validate this zone any longer; it would reply with a SERVFAIL response code. This would continue until the resolver operator had - updated the dnssec-keys statement with + updated the trust-anchors statement with the new key.

@@ -8972,7 +9001,7 @@ example.com CNAME rpz-tcp-only. initial-key or initial-ds configured in named.conf, it fetches the DNSKEY RRset directly from the zone apex, and validates it - using the trust anchor specified in dnssec-keys. + using the trust anchor specified in trust-anchors. If the DNSKEY RRset is validly signed by a key matching the trust anchor, then it is used as the basis for a new managed keys database. @@ -8981,10 +9010,10 @@ example.com CNAME rpz-tcp-only. From that point on, whenever named runs, it sees the initial-key or initial-ds listed in - dnssec-keys, checks to + trust-anchors, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The - key specified in the dnssec-keys + key specified in the trust-anchors statement is not used to validate answers; it is superseded by the key or keys stored in the managed keys database. @@ -8993,7 +9022,7 @@ example.com CNAME rpz-tcp-only. The next time named runs after an initial-key or initial-ds trust anchor has been removed from the - dnssec-keys statement (or changed to + trust-anchors statement (or changed to a static-key or static-ds), the corresponding keys will be removed from the managed keys database, and RFC 5011 key maintenance will no longer be used @@ -9045,8 +9074,8 @@ example.com CNAME rpz-tcp-only. dnssec-policy Statement Grammar

 dnssec-policy string {
-    dnskey-ttl ttlval;
-    keys { ( csk | ksk | zsk ) key-directory duration integer [ integer ] ; ... };
+    dnskey-ttl duration;
+    keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
     parent-ds-ttl duration;
     parent-propagation-delay duration;
     parent-registration-delay duration;
@@ -9136,8 +9165,8 @@ example.com                 CNAME   rpz-tcp-only.
                 

A margin that is added to the publish interval in key timing equations to give some extra time to cover - unforeseen events. Default is PT5M - (5 minutes). + unforeseen events. Default is PT1H + (1 hour).

retire-safety
@@ -9145,8 +9174,8 @@ example.com CNAME rpz-tcp-only.

A margin that is added to the retire interval in key timing equations to give some extra time to cover - unforeseen events. Default is PT5M - (5 minutes). + unforeseen events. Default is PT1H + (1 hour).

signatures-refresh
@@ -9220,7 +9249,7 @@ example.com CNAME rpz-tcp-only.

The TTL of the DS RRset that the parent uses. Default is - PT1H (1 hour). + P1D (1 day).

parent-propagation-delay
@@ -9261,7 +9290,7 @@ example.com CNAME rpz-tcp-only.

The managed-keys statement has been - deprecated in favor of the section called “dnssec-keys Statement Grammar” + deprecated in favor of the section called “trust-anchors Statement Grammar” with the initial-key keyword.

@@ -9282,7 +9311,7 @@ example.com CNAME rpz-tcp-only.

The trusted-keys statement has been - deprecated in favor of the section called “dnssec-keys Statement Grammar” + deprecated in favor of the section called “trust-anchors Statement Grammar” with the static-key keyword.

@@ -9919,7 +9948,7 @@ view "external" { (KSK) for the zone must be configured as a trust anchor in named.conf: that is, a key for the zone must be specified in - dnssec-keys. In the case + trust-anchors. In the case of the root zone, you may also rely on the built-in root trust anchor, which is enabled when dnssec-validation is set to the @@ -10338,9 +10367,13 @@ view "external" {
dnssec-policy

- The key and signing policy for this zone. Set to - "default" if you want to make use - of the default policy. + The key and signing policy for this zone. This is a string + referring to a dnssec-policy statement. + There are two built-in policies: + "default" allows you to use the + default policy, and "none" means + not to use any DNSSEC policy, keeping the zone unsigned. + The default is "none".

dnssec-update-mode
@@ -15188,6 +15221,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.15.6 (Development Release)

+

BIND 9.15.7 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index fea99a3a916..74e5620be30 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.15.6 (Development Release)

+

BIND 9.15.7 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 090d34a1c52..6cc0fe35cf3 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.15.6 (Development Release)

+

BIND 9.15.7 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index cab45fea048..b50d0943935 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,12 +36,13 @@

-Release Notes for BIND Version 9.15.6

+Release Notes for BIND Version 9.15.7

@@ -101,11 +102,12 @@ C compiler.

- The OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. + The libuv asynchronous I/O library and the + OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead of OpenSSL for + Public Key cryptography (i.e., DNSSEC signing and validation), + but OpenSSL is still required for general cryptography operations + such as hashing and random number generation.

More information can be found in the PLATFORMS.md @@ -130,10 +132,73 @@

+Notes for BIND 9.15.7

+ +
+

+Feature Changes

+
    +
  • +

    + The dnssec-keys configuration statement, + which was introduced in 9.15.1 and revised in 9.15.6, has now + been renamed to the more descriptive + trust-anchors. [GL !2702] +

    +

    + (See release notes for + BIND 9.15.1 + and + BIND 9.15.6 + for prior discussion of this feature.) +

    +
  • +
  • +

    + Added support for multithreaded listening for TCP connections + in the network manager [GL !2659] +

    +
  • +
+
+ +
+

+Bug Fixes

+
    +
  • +

    + Fixed a bug that caused named to leak memory + on reconfiguration when any GeoIP2 database was in use. [GL #1445] +

    +
  • +
  • +

    + Fixed several possible race conditions discovered by Thread + Sanitizer. +

    +
  • +
+
+ +
+
+

Notes for BIND 9.15.6

+Security Fixes

+
  • +

    + Set a limit on the number of concurrently served pipelined TCP + queries. This flaw is disclosed in CVE-2019-6477. [GL #1264] +

    +
+
+ +
+

New Features

  • @@ -157,25 +222,32 @@

  • -

    - Two new keywords have been added to the - dnssec-keys statement: - initial-ds and static-ds. - These allow the use of trust anchors in DS format instead of - DNSKEY format. DS format allows trust anchors to be configured - for keys that have not yet been published; this is the format - used by IANA when announcing future root keys. -

    -

    - As with the initial-key and - static-key keywords, initial-ds - configures a dynamic trust anchor to be maintained via RFC 5011, and - static-ds configures a permanent trust anchor. -

    -

    - (Note: Currently, DNSKEY-format and DS-format trust anchors - cannot both be used for the same domain name.) [GL #6] [GL #622] -

    +

    + Two new keywords have been added to the + dnssec-keys statement: + initial-ds and static-ds. + These allow the use of trust anchors in DS format instead of + DNSKEY format. DS format allows trust anchors to be configured + for keys that have not yet been published; this is the format + used by IANA when announcing future root keys. +

    +

    + As with the initial-key and + static-key keywords, initial-ds + configures a dynamic trust anchor to be maintained via RFC 5011, and + static-ds configures a permanent trust anchor. +

    +

    + (Note: Currently, DNSKEY-format and DS-format trust anchors + cannot both be used for the same domain name.) [GL #6] [GL #622] +

    +
  • +
  • +

    + Added a new statistics variable tcp-highwater + that reports the maximum number of simultaneous TCP clients BIND + has handled while running. [GL #1206] +

@@ -193,27 +265,14 @@

  • -

    - The DNSSEC validation code has been refactored for clarity and to - reduce code duplication. [GL #622] -

    +

    + The DNSSEC validation code has been refactored for clarity and to + reduce code duplication. [GL #622] +

  • -
    -

    -Security Fixes

    -
    • -

      - Too many simultaneous pipelined TCP queries could cause - resource overuse. We now prevent this by enforcing a limit - on the number of simultaneous requests per active connection. - This flaw`is disclosed in CVE-2019-6477. [GL #1264] -

      -
    -
    -

    @@ -719,9 +778,6 @@ Thank You

    Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - https://www.isc.org/donate/.

    @@ -744,6 +800,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a3eb5fbe941..079386e12fc 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index b99f9b41056..d7c3d042ed1 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index fa313f9df2e..17084a1f0d4 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -538,6 +538,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 00867fe2743..11c4f190ea1 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 0a511638872..fffd82c6cfa 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.15.6

    +

    BIND Version 9.15.7


    @@ -192,8 +192,8 @@
    statistics-channels Statement Grammar
    statistics-channels Statement Definition and Usage
    -
    dnssec-keys Statement Grammar
    -
    dnssec-keys Statement Definition +
    trust-anchors Statement Grammar
    +
    trust-anchors Statement Definition and Usage
    dnssec-policy Statement Grammar
    dnssec-policy Statement Definition @@ -248,12 +248,13 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.15.6
    +
    Release Notes for BIND Version 9.15.7
    Introduction
    Note on Version Numbering
    Supported Platforms
    Download
    +
    Notes for BIND 9.15.7
    Notes for BIND 9.15.6
    Notes for BIND 9.15.5
    Notes for BIND 9.15.4
    @@ -448,6 +449,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index af7bbf175f5..514e5e6e197 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 5519e36137a..97fc2cc31d4 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 7a3ce8d33ad..c8d02090c94 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index c282c413160..8df1a0b8f82 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -215,7 +215,7 @@

    Note: When reading the trust anchor file, - delv treats dnssec-keys + delv treats trust-anchors initial-key and static-key entries identically. That is, even if a key is configured with initial-key, indicating that it is @@ -621,6 +621,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index f244b24c481..32ca3893c50 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 6fb7a96c7b9..69a61af5f92 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index fdf37a853b0..99f4e4377ac 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -156,6 +156,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index f22748ac177..ebea42f590b 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 3cb1b5ba200..8a1d5b38f98 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -341,6 +341,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 9d8c3125f92..d6b41361537 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 9ba381b7b5a..3a313c4e4b7 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 48737e16122..88e95e8c5e8 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -589,6 +589,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 2192952465c..35d43ecaf42 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 38836fafb58..b1b32e2c026 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index caef6c99812..97574576ea6 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -424,6 +424,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index f19ba5640f1..cd234e748ba 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -707,6 +707,6 @@ db.example.com.signed -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index f27179a2545..e0745506499 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -214,6 +214,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 3f112ad45a7..bf25695f38e 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index b2b95d3c7db..88b8246dc2c 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 2a4a962a289..512e1ae2df3 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index b0d39dcc515..4674290e97a 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -610,6 +610,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 862d9868262..ddcc5d372ef 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -214,6 +214,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 87566d92622..41a4acbf1fb 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 58bfe42a0d8..e3e29744aa4 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 179e23bedeb..d4547154192 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 3d8af355736..2e03dffb384 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 01fdefd45a0..2bf0d660f5d 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -110,17 +110,7 @@ dlz
    -

    DNSSEC-KEYS

    -


    -dnssec-keys { string ( static-key |
    -    initial-key | static-ds | initial-ds )
    -    integer integer integer
    -    quoted_string; ... };
    -

    -
    - -
    -

    DYNDB

    +

    DYNDB


    dyndb string quoted_string {
        unspecified-text };
    @@ -128,7 +118,7 @@ dyndb

    -

    KEY

    +

    KEY


    key string {
    algorithm string;
    @@ -138,7 +128,7 @@ key

    -

    LOGGING

    +

    LOGGING


    logging {
    category string { string; ... };
    @@ -159,8 +149,8 @@ logging

    -

    MANAGED-KEYS

    -

    Deprecated - see DNSSEC-KEYS.

    +

    MANAGED-KEYS

    +

    Deprecated - see TRUST-ANCHORS.


    managed-keys { string ( static-key
        | initial-key | static-ds |
    @@ -170,7 +160,7 @@ managed-keys

    -

    MASTERS

    +

    MASTERS


    masters string [ port integer ] [ dscp
        integer ] { ( masters | ipv4_address [
    @@ -180,7 +170,7 @@ masters

    -

    OPTIONS

    +

    OPTIONS


    options {
    allow-new-zones boolean;
    @@ -479,7 +469,7 @@ options

    -

    PLUGIN

    +

    PLUGIN


    plugin ( query ) string [ { unspecified-text
        } ];
    @@ -487,7 +477,7 @@ plugin

    -

    SERVER

    +

    SERVER


    server netprefix {
    bogus boolean;
    @@ -525,7 +515,7 @@ server

    -

    STATISTICS-CHANNELS

    +

    STATISTICS-CHANNELS


    statistics-channels {
    inet ( ipv4_address | ipv6_address |
    @@ -536,9 +526,19 @@ statistics-channels

    +
    +

    TRUST-ANCHORS

    +


    +trust-anchors { string ( static-key |
    +    initial-key | static-ds | initial-ds )
    +    integer integer integer
    +    quoted_string; ... };
    +

    +
    +

    TRUSTED-KEYS

    -

    Deprecated - see DNSSEC-KEYS.

    +

    Deprecated - see TRUST-ANCHORS.


    trusted-keys { string integer
        integer integer
    @@ -618,10 +618,6 @@ view dnsrps-options { unspecified-text };
    dnssec-accept-expired boolean;
    dnssec-dnskey-kskonly boolean;
    - dnssec-keys { string ( static-key |
    -     initial-key | static-ds | initial-ds
    -     ) integer integer integer
    -     quoted_string; ... };
    dnssec-loadkeys-interval integer;
    dnssec-must-be-secure string boolean;
    dnssec-secure-to-insecure boolean;
    @@ -812,6 +808,10 @@ view transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
        ] [ dscp integer ];
    trust-anchor-telemetry boolean; // experimental
    + trust-anchors { string ( static-key |
    +     initial-key | static-ds | initial-ds
    +     ) integer integer integer
    +     quoted_string; ... };
    trusted-keys { string
        integer integer
        integer
    @@ -1030,7 +1030,7 @@ zone


    dnssec-policy string {
    - dnskey-ttl ttlval;
    + dnskey-ttl duration;
    keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
    parent-ds-ttl duration;
    parent-propagation-delay duration;
    @@ -1095,6 +1095,6 @@ dnssec-policy

    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index ba891658bea..b978e3ef9b0 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index cb55a7ca50c..25945a9c5b6 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 72fffc2468d..22384d01642 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 8b7cf8f348f..a187b9909da 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 3ad081cc08a..e5ab4b503f3 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index f2c02960717..16a4ae43beb 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 0dfe6abb74e..6851dc72a34 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 3669753d23c..8ccae13af57 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 37f663ed3e7..7a3018f6660 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index d9166b6a7fc..979a2db6409 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@
    -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 59ef50a938e..c1f91c2330c 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -670,7 +670,7 @@

    Dump the security roots (i.e., trust anchors - configured via dnssec-keys statements, or the + configured via trust-anchors statements, or the managed-keys or trusted-keys statements (both deprecated), or via dnssec-validation auto) and negative trust anchors for the specified views. If no view is specified, all @@ -1021,6 +1021,6 @@ -

    BIND 9.15.6 (Development Release)

    +

    BIND 9.15.7 (Development Release)

    diff --git a/doc/arm/notes-9.15.7.xml b/doc/arm/notes-9.15.7.xml index 26f6dcdd356..2b470517eb4 100644 --- a/doc/arm/notes-9.15.7.xml +++ b/doc/arm/notes-9.15.7.xml @@ -28,6 +28,29 @@ for prior discussion of this feature.) + + + Added support for multithreaded listening for TCP connections + in the network manager [GL !2659] + + + + + +
    Bug Fixes + + + + Fixed a bug that caused named to leak memory + on reconfiguration when any GeoIP2 database was in use. [GL #1445] + + + + + Fixed several possible race conditions discovered by Thread + Sanitizer. + +
    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 456e64b1ebd..532640ca654 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.15.6

    +Release Notes for BIND Version 9.15.7

    @@ -59,11 +59,12 @@ C compiler.

    - The OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. + The libuv asynchronous I/O library and the + OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead of OpenSSL for + Public Key cryptography (i.e., DNSSEC signing and validation), + but OpenSSL is still required for general cryptography operations + such as hashing and random number generation.

    More information can be found in the PLATFORMS.md @@ -88,10 +89,73 @@

    +Notes for BIND 9.15.7

    + +
    +

    +Feature Changes

    +
      +
    • +

      + The dnssec-keys configuration statement, + which was introduced in 9.15.1 and revised in 9.15.6, has now + been renamed to the more descriptive + trust-anchors. [GL !2702] +

      +

      + (See release notes for + BIND 9.15.1 + and + BIND 9.15.6 + for prior discussion of this feature.) +

      +
    • +
    • +

      + Added support for multithreaded listening for TCP connections + in the network manager [GL !2659] +

      +
    • +
    +
    + +
    +

    +Bug Fixes

    +
      +
    • +

      + Fixed a bug that caused named to leak memory + on reconfiguration when any GeoIP2 database was in use. [GL #1445] +

      +
    • +
    • +

      + Fixed several possible race conditions discovered by Thread + Sanitizer. +

      +
    • +
    +
    + +
    +
    +

    Notes for BIND 9.15.6

    +Security Fixes

    +
    • +

      + Set a limit on the number of concurrently served pipelined TCP + queries. This flaw is disclosed in CVE-2019-6477. [GL #1264] +

      +
    +
    + +
    +

    New Features

    • @@ -115,25 +179,32 @@

    • -

      - Two new keywords have been added to the - dnssec-keys statement: - initial-ds and static-ds. - These allow the use of trust anchors in DS format instead of - DNSKEY format. DS format allows trust anchors to be configured - for keys that have not yet been published; this is the format - used by IANA when announcing future root keys. -

      -

      - As with the initial-key and - static-key keywords, initial-ds - configures a dynamic trust anchor to be maintained via RFC 5011, and - static-ds configures a permanent trust anchor. -

      -

      - (Note: Currently, DNSKEY-format and DS-format trust anchors - cannot both be used for the same domain name.) [GL #6] [GL #622] -

      +

      + Two new keywords have been added to the + dnssec-keys statement: + initial-ds and static-ds. + These allow the use of trust anchors in DS format instead of + DNSKEY format. DS format allows trust anchors to be configured + for keys that have not yet been published; this is the format + used by IANA when announcing future root keys. +

      +

      + As with the initial-key and + static-key keywords, initial-ds + configures a dynamic trust anchor to be maintained via RFC 5011, and + static-ds configures a permanent trust anchor. +

      +

      + (Note: Currently, DNSKEY-format and DS-format trust anchors + cannot both be used for the same domain name.) [GL #6] [GL #622] +

      +
    • +
    • +

      + Added a new statistics variable tcp-highwater + that reports the maximum number of simultaneous TCP clients BIND + has handled while running. [GL #1206] +

    @@ -151,27 +222,14 @@

  • -

    - The DNSSEC validation code has been refactored for clarity and to - reduce code duplication. [GL #622] -

    +

    + The DNSSEC validation code has been refactored for clarity and to + reduce code duplication. [GL #622] +

  • -
    -

    -Security Fixes

    -
    • -

      - Too many simultaneous pipelined TCP queries could cause - resource overuse. We now prevent this by enforcing a limit - on the number of simultaneous requests per active connection. - This flaw`is disclosed in CVE-2019-6477. [GL #1264] -

      -
    -
    -

    @@ -677,9 +735,6 @@ Thank You

    Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - https://www.isc.org/donate/.

    diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 29d78a170bf..5b39e86d700 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 4c61f7ee63e..17f319b9a76 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.15.6 +Release Notes for BIND Version 9.15.7 Introduction @@ -29,11 +29,11 @@ To build on UNIX-like systems, BIND requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations provided by the C compiler. -The OpenSSL cryptography library must be available for the target -platform. A PKCS#11 provider can be used instead for Public Key -cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still -required for general cryptography operations such as hashing and random -number generation. +The libuv asynchronous I/O library and the OpenSSL cryptography library +must be available for the target platform. A PKCS#11 provider can be used +instead of OpenSSL for Public Key cryptography (i.e., DNSSEC signing and +validation), but OpenSSL is still required for general cryptography +operations such as hashing and random number generation. More information can be found in the PLATFORMS.md file that is included in the source distribution of BIND 9. If your compiler and system libraries 
@@ -48,8 +48,34 @@ www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +Notes for BIND 9.15.7 + +Feature Changes + + * The dnssec-keys configuration statement, which was introduced in + 9.15.1 and revised in 9.15.6, has now been renamed to the more + descriptive trust-anchors. [GL !2702] + + (See release notes for BIND 9.15.1 and BIND 9.15.6 for prior + discussion of this feature.) + + * Added support for multithreaded listening for TCP connections in the + network manager [GL !2659] + +Bug Fixes + + * Fixed a bug that caused named to leak memory on reconfiguration when + any GeoIP2 database was in use. [GL #1445] + + * Fixed several possible race conditions discovered by Thread Sanitizer. + Notes for BIND 9.15.6 +Security Fixes + + * Set a limit on the number of concurrently served pipelined TCP + queries. This flaw is disclosed in CVE-2019-6477. [GL #1264] + New Features * A new asynchronous network communications system based on libuv is now @@ -77,6 +103,10 @@ New Features (Note: Currently, DNSKEY-format and DS-format trust anchors cannot both be used for the same domain name.) [GL #6] [GL #622] + * Added a new statistics variable tcp-highwater that reports the maximum + number of simultaneous TCP clients BIND has handled while running. [GL + #1206] + Feature Changes * NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default @@ -87,13 +117,6 @@ Feature Changes * The DNSSEC validation code has been refactored for clarity and to reduce code duplication. [GL #622] -Security Fixes - - * Too many simultaneous pipelined TCP queries could cause resource - overuse. We now prevent this by enforcing a limit on the number of - simultaneous requests per active connection. This flaw`is disclosed in - CVE-2019-6477. [GL #1264] - Notes for BIND 9.15.5 Security Fixes 
@@ -347,7 +370,4 @@ policy. Thank You -Thank you to everyone who assisted us in making this release possible. If -you would like to contribute to ISC to assist us in continuing to make -quality open source software, please visit our donations page at https:// -www.isc.org/donate/. +Thank you to everyone who assisted us in making this release possible. diff --git a/doc/misc/options b/doc/misc/options index e5f44ea0359..c660e49c6d3 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -21,11 +21,6 @@ dlz { search ; }; // may occur multiple times -dnssec-keys { ( static-key | - initial-key | static-ds | initial-ds ) - - ; ... }; // may occur multiple times - dnssec-policy { dnskey-ttl ; keys { ( csk | ksk | zsk ) ( key-directory ) lifetime @@ -459,6 +454,11 @@ statistics-channels { } ]; // may occur multiple times }; // may occur multiple times +trust-anchors { ( static-key | + initial-key | static-ds | initial-ds ) + + ; ... }; // may occur multiple times + trusted-keys { ; ... }; // may occur multiple times, deprecated @@ -539,10 +539,6 @@ view [ ] { dnssec-accept-expired ; dnssec-dnskey-kskonly ; dnssec-enable ; // obsolete - dnssec-keys { ( static-key | - initial-key | static-ds | initial-ds - ) - ; ... }; // may occur multiple times dnssec-loadkeys-interval ; dnssec-lookaside ( trust-anchor | @@ -755,6 +751,10 @@ view [ ] { transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; trust-anchor-telemetry ; // experimental + trust-anchors { ( static-key | + initial-key | static-ds | initial-ds + ) + ; ... }; // may occur multiple times trusted-keys { diff --git a/doc/misc/options.active b/doc/misc/options.active index 0e687277398..58a9c90afff 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -21,11 +21,6 @@ dlz { search ; }; // may occur multiple times -dnssec-keys { ( static-key | - initial-key | static-ds | initial-ds ) - - ; ... }; // may occur multiple times - dnssec-policy { dnskey-ttl ; keys { ( csk | ksk | zsk ) ( key-directory ) lifetime 
@@ -414,6 +409,11 @@ statistics-channels { } ]; // may occur multiple times }; // may occur multiple times +trust-anchors { ( static-key | + initial-key | static-ds | initial-ds ) + + ; ... }; // may occur multiple times + trusted-keys { ; ... }; // may occur multiple times, deprecated @@ -487,10 +487,6 @@ view [ ] { dnsrps-options { }; // not configured dnssec-accept-expired ; dnssec-dnskey-kskonly ; - dnssec-keys { ( static-key | - initial-key | static-ds | initial-ds - ) - ; ... }; // may occur multiple times dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times dnssec-policy ; @@ -682,6 +678,10 @@ view [ ] { transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; trust-anchor-telemetry ; // experimental + trust-anchors { ( static-key | + initial-key | static-ds | initial-ds + ) + ; ... }; // may occur multiple times trusted-keys { diff --git a/lib/bind9/api b/lib/bind9/api index c65b577dfa4..effc9e71d2c 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1501 -LIBREVISION = 1 +LIBINTERFACE = 1502 +LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/irs/api b/lib/irs/api index c65b577dfa4..2cca30a6562 100644 --- a/lib/irs/api +++ b/lib/irs/api @@ -11,5 +11,5 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 LIBINTERFACE = 1501 -LIBREVISION = 1 +LIBREVISION = 2 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index 4a2e46bdbb8..289644a9e50 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1504 +LIBINTERFACE = 1505 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index effc9e71d2c..d1ed585b1a4 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -11,5 +11,5 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 LIBINTERFACE = 1502 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index effc9e71d2c..ceb49d16753 100644 
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1502
+LIBINTERFACE = 1503
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/version b/version
index 5ecff75a8da..abf698f3f0a 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=15
-PATCHVER=6
+PATCHVER=7
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=