From: Tinderbox User <tbox@isc.org>
Date: Sun, 23 Apr 2017 01:06:11 +0000 (+0000)
Subject: regen master
X-Git-Tag: v9.12.0a1~350
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5fa65531909cf2169ff08437ecb082b9160d659;p=thirdparty%2Fbind9.git

regen master
---

diff --git a/HISTORY b/HISTORY
index 238e2634155..e69de29bb2d 100644
--- a/HISTORY
+++ b/HISTORY
@@ -1,525 +0,0 @@
-Functional enhancements from prior major releases of BIND 9
-
-BIND 9.11
-
-BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
-releases. New features include:
-
-  * Added support for Catalog Zones, a new method for provisioning
-    servers: a list of zones to be served is stored in a DNS zone, along
-    with their configuration parameters. Changes to the catalog zone are
-    propagated to slaves via normal AXFR/IXFR, whereupon the zones that
-    are listed in it are automatically added, deleted or reconfigured.
-  * Added support for "dnstap", a fast and flexible method of capturing
-    and logging DNS traffic.
-  * Added support for "dyndb", a new API for loading zone data from an
-    external database, developed by Red Hat for the FreeIPA project.
-  * "fetchlimit" quotas are now compiled in by default. These are for the
-    use of recursive resolvers that are are under high query load for
-    domains whose authoritative servers are nonresponsive or are
-    experiencing a denial of service attack:
-      + "fetches-per-server" limits the number of simultaneous queries
-        that can be sent to any single authoritative server. The
-        configured value is a starting point; it is automatically adjusted
-        downward if the server is partially or completely non-responsive.
-        The algorithm used to adjust the quota can be configured via the
-        "fetch-quota-params" option.
-      + "fetches-per-zone" limits the number of simultaneous queries that
-        can be sent for names within a single domain. (Note: Unlike
-        "fetches-per-server", this value is not self-tuning.)
-      + New stats counters have been added to count queries spilled due to
-        these quotas.
-  * Added a new "dnssec-keymgr" key mainenance utility, which can generate
-    or update keys as needed to ensure that a zone's keys match a defined
-    DNSSEC policy.
-  * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
-    and is no longer optional. EDNS COOKIE is a mechanism enabling clients
-    to detect off-path spoofed responses, and servers to detect
-    spoofed-source queries. Clients that identify themselves using COOKIE
-    options are not subject to response rate limiting (RRL) and can
-    receive larger UDP responses.
-  * SERVFAIL responses can now be cached for a limited time (defaulting to
-    1 second, with an upper limit of 30). This can reduce the frequency of
-    retries when a query is persistently failing.
-  * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
-    be skipped if a name server IP address isn't in the cache yet; the
-    address will be looked up and the rule will be applied on future
-    queries.
-  * Added a Python RNDC module. This allows multiple commands to sent over
-    a persistent RNDC channel, which saves time.
-  * The "controls" block in named.conf can now grant read-only "rndc"
-    access to specified clients or keys. Read-only clients could, for
-    example, check "rndc status" but could not reconfigure or shut down
-    the server.
-  * "rndc" commands can now return arbitrarily large amounts of text to
-    the caller.
-  * The zone serial number of a dynamically updatable zone can now be set
-    via "rndc signing -serial ". This allows inline-signing zones to be
-    set to a specific serial number.
-  * The new "rndc nta" command can be used to set a Negative Trust Anchor
-    (NTA), disabling DNSSEC validation for a specific domain; this can be
-    used when responses from a domain are known to be failing validation
-    due to administrative error rather than because of a spoofing attack.
-    Negative trust anchors are strictly temporary; by default they expire
-    after one hour, but can be configured to last up to one week.
-  * "rndc delzone" can now be used on zones that were not originally
-    created by "rndc addzone".
-  * "rndc modzone" reconfigures a single zone, without requiring the
-    entire server to be reconfigured.
-  * "rndc showzone" displays the current configuration of a zone.
-  * "rndc managed-keys" can be used to check the status of RFC 5001
-    managed trust anchors, or to force trust anchors to be refreshed.
-  * "max-cache-size" can now be set to a percentage of available memory.
-    The default is 90%.
-  * Update forwarding performance has been improved by allowing a single
-    TCP connection to be shared by multiple updates.
-  * The EDNS Client Subnet (ECS) option is now supported for authoritative
-    servers; if a query contains an ECS option then ACLs containing
-    "geoip" or "ecs" elements can match against the the address encoded in
-    the option. This can be used to select a view for a query, so that
-    different answers can be provided depending on the client network.
-  * The EDNS EXPIRE option has been implemented on the client side,
-    allowing a slave server to set the expiration timer correctly when
-    transferring zone data from another slave server.
-  * The key generation and manipulation tools (dnssec-keygen,
-    dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
-    "-Psync" and "-Dsync" options to set the publication and deletion
-    times of CDS and CDNSKEY parent-synchronization records. Both named
-    and dnssec-signzone can now publish and remove these records at the
-    scheduled times.
-  * A new "minimal-any" option reduces the size of UDP responses for query
-    type ANY by returning a single arbitrarily selected RRset instead of
-    all RRsets.
-  * A new "masterfile-style" zone option controls the formatting of text
-    zone files: When set to "full", a zone file is dumped in
-    single-line-per-record format.
-  * "serial-update-method" can now be set to "date". On update, the serial
-    number will be set to the current date in YYYYMMDDNN format.
-  * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
-  * "named -L " causes named to send log messages to the specified file by
-    default instead of to the system log.
-  * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
-    s for weeks, days, hours, minutes, and seconds.
-  * "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
-    presentation format.
-  * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
-  * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
-    requests.
-  * "mdig" is an alternate version of dig which sends multiple pipelined
-    TCP queries to a server. Instead of waiting for a response after
-    sending a query, it sends all queries immediately and displays
-    responses in the order received.
-  * "serial-query-rate" no longer controls NOTIFY messages. These are
-    separately controlled by "notify-rate" and "startup-notify-rate".
-  * "nsupdate" now performs "check-names" processing by default on records
-    to be added. This can be disabled with "check-names no".
-  * The statistics channel now supports DEFLATE compression, reducing the
-    size of the data sent over the network when querying statistics.
-  * New counters have been added to the statistics channel to track the
-    sizes of incoming queries and outgoing responses in histogram buckets,
-    as specified in RSSAC002.
-  * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
-    added, allowing redirection to a specified DNS namespace instead of a
-    single redirect zone.
-  * When starting up, named now ensures that no other named process is
-    already running.
-  * Files created by named to store information, including "mkeys" and
-    "nzf" files, are now named after their corresponding views unless the
-    view name contains characters incompatible with use as a filename. Old
-    style filenames (based on the hash of the view name) will still work.
-
-BIND 9.10.0
-
-BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
-releases. New features include:
-
-  * DNS Response-rate limiting (DNS RRL), which blunts the impact of
-    reflection and amplification attacks, is always compiled in and no
-    longer requires a compile-time option to enable it.
-  * An experimental "Source Identity Token" (SIT) EDNS option is now
-    available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
-    these are designed to enable clients to detect off-path spoofed
-    responses, and to enable servers to detect spoofed-source queries.
-    Servers can be configured to send smaller responses to clients that
-    have not identified themselves using a SIT option, reducing the
-    effectiveness of amplification attacks. RRL processing has also been
-    updated; clients proven to be legitimate via SIT are not subject to
-    rate limiting. Use "configure --enable-sit" to enable this feature in
-    BIND.
-  * A new zone file format, "map", stores zone data in a format that can
-    be mapped directly into memory, allowing significantly faster zone
-    loading.
-  * "delv" (domain entity lookup and validation) is a new tool with
-    dig-like semantics for looking up DNS data and performing internal
-    DNSSEC validation. This allows easy validation in environments where
-    the resolver may not be trustworthy, and assists with troubleshooting
-    of DNSSEC problems. (NOTE: In previous development releases of BIND
-    9.10, this utility was called "delve". The spelling has been changed
-    to avoid confusion with the "delve" utility included with the Xapian
-    search engine.)
-  * Improved EDNS(0) processing for better resolver performance and
-    reliability over slow or lossy connections.
-  * A new "configure --with-tuning=large" option tunes certain compiled-in
-    constants and default settings to values better suited to large
-    servers with abundant memory. This can improve performance on such
-    servers, but will consume more memory and may degrade performance on
-    smaller systems.
-  * Substantial improvement in response-policy zone (RPZ) performance. Up
-    to 32 response-policy zones can be configured with minimal performance
-    loss.
-  * To improve recursive resolver performance, cache records which are
-    still being requested by clients can now be automatically refreshed
-    from the authoritative server before they expire, reducing or
-    eliminating the time window in which no answer is available in the
-    cache.
-  * New "rpz-client-ip" triggers and drop policies allowing response
-    policies based on the IP address of the client.
-  * ACLs can now be specified based on geographic location using the
-    MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
-  * Zone data can now be shared between views, allowing multiple views to
-    serve the same zones authoritatively without storing multiple copies
-    in memory.
-  * New XML schema (version 3) for the statistics channel includes many
-    new statistics and uses a flattened XML tree for faster parsing. The
-    older schema is now deprecated.
-  * A new stylesheet, based on the Google Charts API, displays XML
-    statistics in charts and graphs on javascript-enabled browsers.
-  * The statistics channel can now provide data in JSON format as well as
-    XML.
-  * New stats counters track TCP and UDP queries received per zone, and
-    EDNS options received in total.
-  * The internal and export versions of the BIND libraries (libisc,
-    libdns, etc) have been unified so that external library clients can
-    use the same libraries as BIND itself.
-  * A new compile-time option, "configure --enable-native-pkcs11", allows
-    BIND 9 cryptography functions to use the PKCS#11 API natively, so that
-    BIND can drive a cryptographic hardware service module (HSM) directly
-    instead of using a modified OpenSSL as an intermediary. (Note: This
-    feature requires an HSM to have a full implementation of the PKCS#11
-    API; many current HSMs only have partial implementations. The new
-    "pkcs11-tokens" command can be used to check API completeness. Native
-    PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
-    version 2 from the Open DNSSEC project.)
-  * The new "max-zone-ttl" option enforces maximum TTLs for zones. This
-    can simplify the process of rolling DNSSEC keys by guaranteeing that
-    cached signatures will have expired within the specified amount of
-    time.
-  * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
-  * "dig +expire" sends an EDNS EXPIRE option when querying. When this
-    option is sent with an SOA query to a server that supports it, it will
-    report the expiry time of a slave zone.
-  * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
-    report if a lapse in signing coverage has been inadvertently
-    scheduled.
-  * Signing algorithm flexibility and other improvements for the "rndc"
-    control channel.
-  * "named-checkzone" and "named-compilezone" can now read journal files,
-    allowing them to process dynamic zones.
-  * Multiple DLZ databases can now be configured. Individual zones can be
-    configured to be served from a specific DLZ database. DLZ databases
-    now serve zones of type "master" and "redirect".
-  * "rndc zonestatus" reports information about a specified zone.
-  * "named" now listens on IPv6 as well as IPv4 interfaces by default.
-  * "named" now preserves the capitalization of names when responding to
-    queries: for instance, a query for "example.com" may be answered with
-    "example.COM" if the name was configured that way in the zone file.
-    Some clients have a bug causing them to depend on the older behavior,
-    in which the case of the answer always matched the case of the query,
-    rather than the case of the name configured in the DNS. Such clients
-    can now be specified in the new "no-case-compress" ACL; this will
-    restore the older behavior of "named" for those clients only.
-  * new "dnssec-importkey" command allows the use of offline DNSSEC keys
-    with automatic DNSKEY management.
-  * New "named-rrchecker" tool to verify the syntactic correctness of
-    individual resource records.
-  * When re-signing a zone, the new "dnssec-signzone -Q" option drops
-    signatures from keys that are still published but are no longer
-    active.
-  * "named-checkconf -px" will print the contents of configuration files
-    with the shared secrets obscured, making it easier to share
-    configuration (e.g. when submitting a bug report) without revealing
-    private information.
-  * "rndc scan" causes named to re-scan network interfaces for changes in
-    local addresses.
-  * On operating systems with support for routing sockets, network
-    interfaces are re-scanned automatically whenever they change.
-  * "tsig-keygen" is now available as an alternate command name to use for
-    "ddns-confgen".
-
-BIND 9.9.0
-
-BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
-releases. New features include:
-
-  * Inline signing, allowing automatic DNSSEC signing of master zones
-    without modification of the zonefile, or "bump in the wire" signing in
-    slaves.
-  * NXDOMAIN redirection.
-  * New 'rndc flushtree' command clears all data under a given name from
-    the DNS cache.
-  * New 'rndc sync' command dumps pending changes in a dynamic zone to
-    disk without a freeze/thaw cycle.
-  * New 'rndc signing' command displays or clears signing status records
-    in 'auto-dnssec' zones.
-  * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
-    signing, eliminating the need to initially sign with NSEC.
-  * Startup time improvements on large authoritative servers.
-  * Slave zones are now saved in raw format by default.
-  * Several improvements to response policy zones (RPZ).
-  * Improved hardware scalability by using multiple threads to listen for
-    queries and using finer-grained client locking
-  * The 'also-notify' option now takes the same syntax as 'masters', so it
-    can used named masterlists and TSIG keys.
-  * 'dnssec-signzone -D' writes an output file containing only DNSSEC
-    data, which can be included by the primary zone file.
-  * 'dnssec-signzone -R' forces removal of signatures that are not expired
-    but were created by a key which no longer exists.
-  * 'dnssec-signzone -X' allows a separate expiration date to be specified
-    for DNSKEY signatures from other signatures.
-  * New '-L' option to dnssec-keygen, dnssec-settime, and
-    dnssec-keyfromlabel sets the default TTL for the key.
-  * dnssec-dsfromkey now supports reading from standard input, to make it
-    easier to convert DNSKEY to DS.
-  * RFC 1918 reverse zones have been added to the empty-zones table per
-    RFC 6303.
-  * Dynamic updates can now optionally set the zone's SOA serial number to
-    the current UNIX time.
-  * DLZ modules can now retrieve the source IP address of the querying
-    client.
-  * 'request-ixfr' option can now be set at the per-zone level.
-  * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
-    their key ID, algorithm and function
-  * Simplified nsupdate syntax and added readline support
-
-BIND 9.8.0
-
-BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
-releases. New features include:
-
-  * Built-in trust anchor for the root zone, which can be switched on via
-    "dnssec-validation auto;"
-  * Support for DNS64.
-  * Support for response policy zones (RPZ).
-  * Support for writable DLZ zones.
-  * Improved ease of configuration of GSS/TSIG for interoperability with
-    Active Directory
-  * Support for GOST signing algorithm for DNSSEC.
-  * Removed RTT Banding from server selection algorithm.
-  * New "static-stub" zone type.
-  * Allow configuration of resolver timeouts via "resolver-query-timeout"
-    option.
-  * The DLZ "dlopen" driver is now built by default.
-  * Added a new include file with function typedefs for the DLZ "dlopen"
-    driver.
-  * Made "--with-gssapi" default.
-  * More verbose error reporting from DLZ LDAP.
-
-BIND 9.7.0
-
-BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
-releases. Most are intended to simplify DNSSEC configuration. New features
-include:
-
-  * Fully automatic signing of zones by "named".
-  * Simplified configuration of DNSSEC Lookaside Validation (DLV).
-  * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
-    command line tool or the "local" update-policy option. (As a side
-    effect, this also makes it easier to configure automatic zone
-    re-signing.)
-  * New named option "attach-cache" that allows multiple views to share a
-    single cache.
-  * DNS rebinding attack prevention.
-  * New default values for dnssec-keygen parameters.
-  * Support for RFC 5011 automated trust anchor maintenance
-  * Smart signing: simplified tools for zone signing and key maintenance.
-  * The "statistics-channels" option is now available on Windows.
-  * A new DNSSEC-aware libdns API for use by non-BIND9 applications
-  * On some platforms, named and other binaries can now print out a stack
-    backtrace on assertion failure, to aid in debugging.
-  * A "tools only" installation mode on Windows, which only installs dig,
-    host, nslookup and nsupdate.
-  * Improved PKCS#11 support, including Keyper support and explicit
-    OpenSSL engine selection.
-
-BIND 9.6.0
-
-  * Full NSEC3 support
-  * Automatic zone re-signing
-  * New update-policy methods tcp-self and 6to4-self
-  * The BIND 8 resolver library, libbind, has been removed from the BIND 9
-    distribution and is now available as a separate download.
-  * Change the default pid file location from /var/run to /var/run/
-    {named,lwresd} for improved chroot/setuid support.
-
-BIND 9.5.0
-
-  * GSS-TSIG support (RFC 3645).
-  * DHCID support.
-  * Experimental http server and statistics support for named via xml.
-  * More detailed statistics counters including those supported in BIND 8.
-  * Faster ACL processing.
-  * Use Doxygen to generate internal documentation.
-  * Efficient LRU cache-cleaning mechanism.
-  * NSID support.
-
-BIND 9.4.0
-
-  * Implemented "additional section caching (or acache)", an internal
-    cache framework for additional section content to improve response
-    performance. Several configuration options were provided to control
-    the behavior.
-  * New notify type 'master-only'. Enable notify for master zones only.
-  * Accept 'notify-source' style syntax for query-source.
-  * rndc now allows addresses to be set in the server clauses.
-  * New option "allow-query-cache". This lets "allow-query" be used to
-    specify the default zone access level rather than having to have every
-    zone override the global value. "allow-query-cache" can be set at both
-    the options and view levels. If "allow-query-cache" is not set then
-    "allow-recursion" is used if set, otherwise "allow-query" is used if
-    set unless "recursion no;" is set in which case "none;" is used,
-    otherwise the default (localhost; localnets;) is used.
-  * rndc: the source address can now be specified.
-  * ixfr-from-differences now takes master and slave in addition to yes
-    and no at the options and view levels.
-  * Allow the journal's name to be changed via named.conf.
-  * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
-    specified zone.
-  * 'dig +trace' now randomly selects the next servers to try. Report if
-    there is a bad delegation.
-  * Improve check-names error messages.
-  * Make public the function to read a key file, dst_key_read_public().
-  * dig now returns the byte count for axfr/ixfr.
-  * allow-update is now settable at the options / view level.
-  * named-checkconf now checks the logging configuration.
-  * host now can turn on memory debugging flags with '-m'.
-  * Don't send notify messages to self.
-  * Perform sanity checks on NS records which refer to 'in zone' names.
-  * New zone option "notify-delay". Specify a minimum delay between sets
-    of NOTIFY messages.
-  * Extend adjusting TTL warning messages.
-  * Named and named-checkzone can now both check for non-terminal wildcard
-    records.
-  * "rndc freeze/thaw" now freezes/thaws all zones.
-  * named-checkconf now check acls to verify that they only refer to
-    existing acls.
-  * The server syntax has been extended to support a range of servers.
-  * Report differences between hints and real NS rrset and associated
-    address records.
-  * Preserve the case of domain names in rdata during zone transfers.
-  * Restructured the data locking framework using architecture dependent
-    atomic operations (when available), improving response performance on
-    multi-processor machines significantly. x86, x86_64, alpha, powerpc,
-    and mips are currently supported.
-  * UNIX domain controls are now supported.
-  * Add support for additional zone file formats for improving loading
-    performance. The masterfile-format option in named.conf can be used to
-    specify a non-default format. A separate command named-compilezone was
-    provided to generate zone files in the new format. Additionally, the
-    -I and -O options for dnssec-signzone specify the input and output
-    formats.
-  * dnssec-signzone can now randomize signature end times (dnssec-signzone
-    -j jitter).
-  * Add support for CH A record.
-  * Add additional zone data constancy checks. named-checkzone has
-    extended checking of NS, MX and SRV record and the hosts they
-    reference. named has extended post zone load checks. New zone options:
-    check-mx and integrity-check.
-  * edns-udp-size can now be overridden on a per server basis.
-  * dig can now specify the EDNS version when making a query.
-  * Added framework for handling multiple EDNS versions.
-  * Additional memory debugging support to track size and mctx arguments.
-  * Detect duplicates of UDP queries we are recursing on and drop them.
-    New stats category "duplicates".
-  * "USE INTERNAL MALLOC" is now runtime selectable.
-  * The lame cache is now done on a basis as some servers only appear to
-    be lame for certain query types.
-  * Limit the number of recursive clients that can be waiting for a single
-    query () to resolve. New options clients-per-query and
-    max-clients-per-query.
-  * dig: report the number of extra bytes still left in the packet after
-    processing all the records.
-  * Support for IPSECKEY rdata type.
-  * Raise the UDP recieve buffer size to 32k if it is less than 32k.
-  * x86 and x86_64 now have seperate atomic locking implementations.
-  * named-checkconf now validates update-policy entries.
-  * Attempt to make the amount of work performed in a iteration self
-    tuning. The covers nodes clean from the cache per iteration, nodes
-    written to disk when rewriting a master file and nodes destroyed per
-    iteration when destroying a zone or a cache.
-  * ISC string copy API.
-  * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
-    1918 zones are not yet covered by this but are likely to be in a
-    future release.
-  * New options: empty-server, empty-contact, empty-zones-enable and
-    disable-empty-zone.
-  * dig now has a '-q queryname' and '+showsearch' options.
-  * host/nslookup now continue (default)/fail on SERVFAIL.
-  * dig now warns if 'RA' is not set in the answer when 'RD' was set in
-    the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
-    is set unless a server is explicitly set.
-  * Integrate contibuted DLZ code into named.
-  * Integrate contibuted IDN code from JPNIC.
-  * libbind: corresponds to that from BIND 8.4.7.
-
-BIND 9.3.0
-
-  * DNSSEC is now DS based (RFC 3658).
-  * DNSSEC lookaside validation.
-  * check-names is now implemented.
-  * rrset-order is more complete.
-  * IPv4/IPv6 transition support, dual-stack-servers.
-  * IXFR deltas can now be generated when loading master files,
-    ixfr-from-differences.
-  * It is now possible to specify the size of a journal, max-journal-size.
-  * It is now possible to define a named set of master servers to be used
-    in masters clause, masters.
-  * The advertised EDNS UDP size can now be set, edns-udp-size.
-  * allow-v6-synthesis has been obsoleted.
-  * Zones containing MD and MF will now be rejected.
-  * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
-    NOTIMPL. This will have impact on scripts that are looking for
-    NOTIMPL.
-  * libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
-  * The size of the cache can now be limited using the "max-cache-size"
-    option.
-  * The server can now automatically convert RFC1886-style recursive
-    lookup requests into RFC2874-style lookups, when enabled using the new
-    option "allow-v6-synthesis". This allows stub resolvers that support
-    AAAA records but not A6 record chains or binary labels to perform
-    lookups in domains that make use of these IPv6 DNS features.
-  * Performance has been improved.
-  * The man pages now use the more portable "man" macros rather than the
-    "mandoc" macros, and are installed by "make install".
-  * The named.conf parser has been completely rewritten. It now supports
-    "include" directives in more places such as inside "view" statements,
-    and it no longer has any reserved words.
-  * The "rndc status" command is now implemented.
-  * rndc can now be configured automatically.
-  * A BIND 8 compatible stub resolver library is now included in lib/bind.
-  * OpenSSL has been removed from the distribution. This means that to use
-    DNSSEC, OpenSSL must be installed and the --with-openssl option must
-    be supplied to configure. This does not apply to the use of TSIG,
-    which does not require OpenSSL.
-  * The source distribution now builds on Windows. See win32utils/
-    readme1.txt and win32utils/win32-build.txt for details.
-  * This distribution also includes a new lightweight stub resolver
-    library and associated resolver daemon that fully support forward and
-    reverse lookups of both IPv4 and IPv6 addresses. This library is
-    considered experimental and is not a complete replacement for the BIND
-    8 resolver library. Applications that use the BIND 8 res_* functions
-    to perform DNS lookups or dynamic updates still need to be linked
-    against the BIND 8 libraries. For DNS lookups, they can also use the
-    new "getrrsetbyname()" API.
-  * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
-    secured zones. This functionality is believed to be stable and
-    complete except for lacking support for verifications involving
-    wildcard records in secure zones.
-  * When acting as a caching server, BIND 9.2 can be configured to perform
-    DNSSEC secure resolution on behalf of its clients. This part of the
-    DNSSEC implementation is still considered experimental. For detailed
-    information about the state of the DNSSEC implementation, see the file
-    doc/misc/dnssec.
-
diff --git a/OPTIONS b/OPTIONS
index 0be74b7aac6..e69de29bb2d 100644
--- a/OPTIONS
+++ b/OPTIONS
@@ -1,25 +0,0 @@
-Setting the STD_CDEFINES environment variable before running configure can
-be used to enable certain compile-time options that are not explicitly
-defined in configure.
-
-Some of these settings are:
-
-Setting                   Description
-                          Don't ovewrite memory when allocating or freeing
--DISC_MEM_FILL=0          it; this improves performance but makes
-                          debugging more difficult.
-                          Don't track memory allocations by file and line
--DISC_MEM_TRACKLINES=0    number; this improves performance but makes
-                          debugging more difficult.
--DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
--DNS_CLIENT_DROPPORT=0    Disable dropping queries from particular
-                          well-known ports:
--DCHECK_SIBLING=0         Don't check sibling glue in named-checkzone
--DCHECK_LOCAL=0           Don't check out-of-zone addresses in
-                          named-checkzone
--DNS_RUN_PID_DIR=0        Create default PID files in ${localstatedir}/run
-                          rather than ${localstatedir}/run/{named,lwresd}/
-                          Enable DNSSEC signature chasing support in dig.
--DDIG_SIGCHASE=1          (Note: This feature is deprecated. Use delv
-                          instead.)
-
diff --git a/README b/README
index 8fb6491d932..e69de29bb2d 100644
--- a/README
+++ b/README
@@ -1,328 +0,0 @@
-BIND 9
-
-Contents
-
- 1. Introduction
- 2. Reporting bugs and getting help
- 3. Contributing to BIND
- 4. BIND 9.12 features
- 5. Building BIND
- 6. Compile-time options
- 7. Automated testing
- 8. Documentation
- 9. Change log
-10. Acknowledgments
-
-Introduction
-
-BIND (Berkeley Internet Name Domain) is a complete, highly portable
-implementation of the DNS (Domain Name System) protocol.
-
-The BIND name server, named, is able to serve as an authoritative name
-server, recursive resolver, DNS forwarder, or all three simultaneously. It
-implements views for split-horizon DNS, automatic DNSSEC zone signing and
-key management, catalog zones to facilitate provisioning of zone data
-throughout a name server constellation, response policy zones (RPZ) to
-protect clients from malicious data, response rate limiting (RRL) and
-recursive query limits to reduce distributed denial of service attacks,
-and many other advanced DNS features. BIND also includes a suite of
-administrative tools, including the dig and delv DNS lookup tools,
-nsupdate for dynamic DNS zone updates, rndc for remote name server
-administration, and more.
-
-BIND 9 is a complete re-write of the BIND architecture that was used in
-versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
-(c)(3) public benefit corporation dedicated to providing software and
-services in support of the Internet infrastructure, developed BIND 9 and
-is responsible for its ongoing maintenance and improvement. BIND is open
-source software licenced under the terms of the Mozilla Public License,
-version 2.0.
-
-For a summary of features introduced in past major releases of BIND, see
-the file HISTORY.
-
-For a detailed list of changes made throughout the history of BIND 9, see
-the file CHANGES. See below for details on the CHANGES file format.
-
-For up-to-date release notes and errata, see http://www.isc.org/software/
-bind9/releasenotes
-
-Reporting bugs and getting help
-
-Please report assertion failure errors and suspected security issues to
-security-officer@isc.org.
-
-General bug reports can be sent to bind9-bugs@isc.org.
-
-Feature requests can be sent to bind-suggest@isc.org.
-
-Please note that, while ISC's ticketing system is not currently publicly
-readable, this may change in the future. Please do not include information
-in bug reports that you consider to be confidential. For example, when
-sending the contents of your configuration file, it is advisable to
-obscure key secrets; this can be done automatically by using
-named-checkconf -px.
-
-Professional support and training for BIND are available from ISC at
-https://www.isc.org/support.
-
-To join the BIND Users mailing list, or view the archives, visit https://
-lists.isc.org/mailman/listinfo/bind-users.
-
-If you're planning on making changes to the BIND 9 source code, you may
-also want to join the BIND Workers mailing list, at https://lists.isc.org/
-mailman/listinfo/bind-workers.
-
-Contributing to BIND
-
-A public git repository for BIND is maintained at http://www.isc.org/git/,
-and also on Github at https://github.com/isc-projects.
-
-Information for BIND contributors can be found in the following files: -
-General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
-style.md - BIND architecture and developer guide: doc/dev/dev.md
-
-Patches for BIND may be submitted either as Github pull requests or via
-email. When submitting a patch via email, please prepend the subject
-header with "[PATCH]" so it will be easier for us to find. If your patch
-introduces a new feature in BIND, please submit it to bind-suggest@isc.org
-; if it fixes a bug, please submit it to bind9-bugs@isc.org.
-
-BIND 9.12 features
-
-BIND 9.12.0 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.11 and earlier releases. New features
-include:
-
-  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
-    message.
-  * The query handling code has been substantially refactored for improved
-    readability, maintainability and testability .
-  * dnstap output files can now be configured to roll automatically when
-    reaching a given size.
-  * Log file timestamps can now also be formatted in ISO 8601 (local) or
-    ISO 8601 (UTC) formats.
-  * Logging channels and dnstap output files can now be configured to use
-    a timestamp as the suffix when rolling to a new file.
-  * named-checkconf -l lists zones found in named.conf.
-  * Added support for the EDNS Padding and Keepalive options.
-
-Building BIND
-
-BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
-support, and a 64-bit integer type. Successful builds have been observed
-on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
-Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
-HP-UX, AIX, SCO OpenServer, and OpenWRT.
-
-BIND is also available for Windows XP, 2003, 2008, and higher. See
-win32utils/readme1st.txt for details on building for Windows systems.
-
-To build on a UNIX or Linux system, use:
-
-    $ ./configure
-    $ make
-
-(NOTE: Using multiple processors in make is not reliable and is not
-advised.)
-
-If you're planning on making changes to the BIND 9 source, you should run
-make depend. If you're using Emacs, you might find make tags helpful.
-
-Several environment variables that can be set before running configure
-will affect compilation:
-
-Variable       Description
-CC             The C compiler to use. configure tries to figure out the
-               right one for supported systems.
-               C compiler flags. Defaults to include -g and/or -O2 as
-CFLAGS         supported by the compiler. Please include '-g' if you need
-               to set CFLAGS.
-               System header file directories. Can be used to specify
-STD_CINCLUDES  where add-on thread or IPv6 support is, for example.
-               Defaults to empty string.
-               Any additional preprocessor symbols you want defined.
-STD_CDEFINES   Defaults to empty string. For a list of possible settings,
-               see the file OPTIONS.
-LDFLAGS        Linker flags. Defaults to empty string.
-BUILD_CC       Needed when cross-compiling: the native C compiler to use
-               when building for the target system.
-BUILD_CFLAGS   Optional, used for cross-compiling
-BUILD_CPPFLAGS
-BUILD_LDFLAGS
-BUILD_LIBS
-
-Compile-time options
-
-To see a full list of configuration options, run configure --help.
-
-On most platforms, BIND 9 is built with multithreading support, allowing
-it to take advantage of multiple CPUs. You can configure this by
-specifying --enable-threads or --disable-threads on the configure command
-line. The default is to enable threads, except on some older operating
-systems on which threads are known to have had problems in the past.
-(Note: Prior to BIND 9.10, the default was to disable threads on Linux
-systems; this has now been reversed. On Linux systems, the threaded build
-is known to change BIND's behavior with respect to file permissions; it
-may be necessary to specify a user with the -u option when running named.)
-
-To build shared libraries, specify --with-libtool on the configure command
-line.
-
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
-
-For the server to support DNSSEC, you need to build it with crypto
-support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
-installed. If the OpenSSL library is installed in a nonstandard location,
-specify the prefix using "--with-openssl=/prefix" on the configure command
-line. To use a PKCS#11 hardware service module for cryptographic
-operations, specify the path to the PKCS#11 provider library using
-"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".
-
-To support the HTTP statistics channel, the server must be linked with at
-least one of the following: libxml2 http://xmlsoft.org or json-c https://
-github.com/json-c. If these are installed at a nonstandard location,
-specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
-
-To support compression on the HTTP statistics channel, the server must be
-linked against libzlib. If this is installed in a nonstandard location,
-specify the prefix using --with-zlib=/prefix.
-
-To support storing configuration data for runtime-added zones in an LMDB
-database, the server must be linked with liblmdb. If this is installed in
-a nonstandard location, specify the prefix using "with-lmdb=/prefix".
-
-To support GeoIP location-based ACLs, the server must be linked with
-libGeoIP. This is not turned on by default; BIND must be configured with
-"--with-geoip". If the library is installed in a nonstandard location, use
-specify the prefix using "--with-geoip=/prefix".
-
-For DNSTAP packet logging, you must have libfstrm https://github.com/
-farsightsec/fstrm and libprotobuf-c https://developers.google.com/
-protocol-buffers, and BIND must be configured with "--enable-dnstap".
-
-Python requires the 'argparse' and 'ply' modules to be available.
-'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is
-available from https://pypi.python.org/pypi/ply.
-
-On some platforms it is necessary to explicitly request large file support
-to handle files bigger than 2GB. This can be done by using
---enable-largefile on the configure command line.
-
-Support for the "fixed" rrset-order option can be enabled or disabled by
-specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
-command line. By default, fixed rrset-order is disabled to reduce memory
-footprint.
-
-If your operating system has integrated support for IPv6, it will be used
-automatically. If you have installed KAME IPv6 separately, use --with-kame
-[=PATH] to specify its location.
-
-make install will install named and the various BIND 9 libraries. By
-default, installation is into /usr/local, but this can be changed with the
---prefix option when running configure.
-
-You may specify the option --sysconfdir to set the directory where
-configuration files like named.conf go by default, and --localstatedir to
-set the default parent directory of run/named.pid. For backwards
-compatibility with BIND 8, --sysconfdir defaults to /etc and
---localstatedir defaults to /var if no --prefix option is given. If there
-is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
-defaults to $prefix/var.
-
-Automated testing
-
-A system test suite can be run with make test. The system tests require
-you to configure a set of virtual IP addresses on your system (this allows
-multiple servers to run locally and communicate with one another). These
-IP addresses can be configured by by running the script bin/tests/system/
-ifconfig.sh up as root.
-
-Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
-and will be skipped if these are not available. Some tests require Python
-and the 'dnspython' module and will be skipped if these are not available.
-See bin/tests/system/README for further details.
-
-Unit tests are implemented using Automated Testing Framework (ATF). To run
-them, use configure --with-atf, then run make test or make unit.
-
-Documentation
-
-The BIND 9 Administrator Reference Manual is included with the source
-distribution, in DocBook XML, HTML and PDF format, in the doc/arm
-directory.
-
-Some of the programs in the BIND 9 distribution have man pages in their
-directories. In particular, the command line options of named are
-documented in bin/named/named.8.
-
-Frequently (and not-so-frequently) asked questions and their answers can
-be found in the ISC Knowledge Base at https://kb.isc.org.
-
-Additional information on various subjects can be found in other README
-files throughout the source tree.
-
-Change log
-
-A detailed list of all changes that have been made throughout the
-development BIND 9 is included in the file CHANGES, with the most recent
-changes listed first. Change notes include tags indicating the category of
-the change that was made; these categories are:
-
-Category       Description
-[func]         New feature
-[bug]          General bug fix
-[security]     Fix for a significant security flaw
-[experimental] Used for new features when the syntax or other aspects of
-               the design are still in flux and may change
-[port]         Portability enhancement
-[maint]        Updates to built-in data such as root server addresses and
-               keys
-[tuning]       Changes to built-in configuration defaults and constants to
-               improve performance
-[performance]  Other changes to improve server performance
-[protocol]     Updates to the DNS protocol such as new RR types
-[test]         Changes to the automatic tests, not affecting server
-               functionality
-[cleanup]      Minor corrections and refactoring
-[doc]          Documentation
-[contrib]      Changes to the contributed tools and libraries in the
-               'contrib' subdirectory
-               Used in the master development branch to reserve change
-[placeholder]  numbers for use in other branches, e.g. when fixing a bug
-               that only exists in older releases
-
-In general, [func] and [experimental] tags will only appear in new-feature
-releases (i.e., those with version numbers ending in zero). Some new
-functionality may be backported to older releases on a case-by-case basis.
-All other change types may be applied to all currently-supported releases.
-
-Acknowledgments
-
-  * The original development of BIND 9 was underwritten by the following
-    organizations:
-
-    Sun Microsystems, Inc.
-    Hewlett Packard
-    Compaq Computer Corporation
-    IBM
-    Process Software Corporation
-    Silicon Graphics, Inc.
-    Network Associates, Inc.
-    U.S. Defense Information Systems Agency
-    USENIX Association
-    Stichting NLnet - NLnet Foundation
-    Nominum, Inc.
-
-  * This product includes software developed by the OpenSSL Project for
-    use in the OpenSSL Toolkit. http://www.OpenSSL.org/
-  * This product includes cryptographic software written by Eric Young
-    (eay@cryptsoft.com)
-  * This product includes software written by Tim Hudson
-    (tjh@cryptsoft.com)
-
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 316714de6b1..0cf138164af 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -69,7 +69,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 512 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
 .sp
 The key size does not need to be specified if using a default algorithm\&. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with
 \fB\-f KSK\fR)\&. However, if an algorithm is explicitly specified with the
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 0df7d2bb80f..2fee3cbc05e 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -123,7 +123,7 @@
 	  <p>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 512 and 2048 bits.  Diffie Hellman keys must be between
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
 	    128 and 4096 bits.  DSA keys must be between 512 and 1024
 	    bits and an exact multiple of 64.  HMAC keys must be
 	    between 1 and 512 bits. Elliptic curve algorithms don't need
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 044bb1bf52e..5a5b03e3411 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2014-01-08
+.\"      Date: 2017-03-08
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2014\-01\-08" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2017\-03\-08" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -62,145 +62,133 @@ acl \fIstring\fR { \fIaddress_match_element\fR; \&.\&.\&. };
 .if n \{\
 .RE
 .\}
-.SH "KEY"
+.SH "CONTROLS"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-key \fIdomain_name\fR {
-	algorithm \fIstring\fR;
-	secret \fIstring\fR;
+controls {
+	inet ( \fIipv4_address\fR | \fIipv6_address\fR |
+	    * ) [ port ( \fIinteger\fR | * ) ] allow
+	    { \fIaddress_match_element\fR; \&.\&.\&. } [
+	    keys { \fIstring\fR; \&.\&.\&. } ] [ read\-only
+	    \fIboolean\fR ];
+	unix \fIquoted_string\fR perm \fIinteger\fR
+	    owner \fIinteger\fR group \fIinteger\fR [
+	    keys { \fIstring\fR; \&.\&.\&. } ] [ read\-only
+	    \fIboolean\fR ];
 };
 .fi
 .if n \{\
 .RE
 .\}
-.SH "MASTERS"
+.SH "DLZ"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-masters \fIstring\fR [ port \fIinteger\fR ] {
-	( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
-	\fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; \&.\&.\&.
+dlz \fIstring\fR {
+	database \fIstring\fR;
+	search \fIboolean\fR;
 };
 .fi
 .if n \{\
 .RE
 .\}
-.SH "SERVER"
+.SH "DYNDB"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
-	bogus \fIboolean\fR;
-	edns \fIboolean\fR;
-	edns\-udp\-size \fIinteger\fR;
-	max\-udp\-size \fIinteger\fR;
-	padding \fIinteger\fR;
-	tcp\-only \fIboolean\fR;
-	tcp\-keepalive \fIboolean\fR;
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	keys \fIserver_key\fR;
-	transfers \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	support\-ixfr \fIboolean\fR; // obsolete
-};
+dyndb \fIstring\fR \fIquoted_string\fR {
+    \fIunspecified\-text\fR };
 .fi
 .if n \{\
 .RE
 .\}
-.SH "TRUSTED-KEYS"
+.SH "KEY"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-trusted\-keys {
-	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
+key \fIstring\fR {
+	algorithm \fIstring\fR;
+	secret \fIstring\fR;
 };
 .fi
 .if n \{\
 .RE
 .\}
-.SH "MANAGED-KEYS"
+.SH "LOGGING"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-managed\-keys {
-	\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
+logging {
+	category \fIstring\fR { \fIstring\fR; \&.\&.\&. };
+	channel \fIstring\fR {
+		buffered \fIboolean\fR;
+		file \fIquoted_string\fR [ versions ( unlimited | \fIinteger\fR ) ]
+		    [ size \fIsize\fR ] [ suffix ( increment | timestamp ) ];
+		null;
+		print\-category \fIboolean\fR;
+		print\-severity \fIboolean\fR;
+		print\-time ( iso8601 | iso8601\-utc | local | \fIboolean\fR );
+		severity \fIlog_severity\fR;
+		stderr;
+		syslog [ \fIsyslog_facility\fR ];
+	};
 };
 .fi
 .if n \{\
 .RE
 .\}
-.SH "CONTROLS"
+.SH "LWRES"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-controls {
-	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ]
-		allow { \fIaddress_match_element\fR; \&.\&.\&. }
-		[ keys { \fIstring\fR; \&.\&.\&. } ];
-	unix \fIunsupported\fR; // not implemented
+lwres {
+	listen\-on [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR
+	    | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. };
+	lwres\-clients \fIinteger\fR;
+	lwres\-tasks \fIinteger\fR;
+	ndots \fIinteger\fR;
+	search { \fIstring\fR; \&.\&.\&. };
+	view \fIstring\fR [ \fIclass\fR ];
 };
 .fi
 .if n \{\
 .RE
 .\}
-.SH "LOGGING"
+.SH "MANAGED-KEYS"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-logging {
-	channel \fIstring\fR {
-		file \fIlog_file\fR;
-		syslog \fIoptional_facility\fR;
-		null;
-		stderr;
-		severity \fIlog_severity\fR;
-		print\-time \fIboolean\fR;
-		print\-severity \fIboolean\fR;
-		print\-category \fIboolean\fR;
-	};
-	category \fIstring\fR { \fIstring\fR; \&.\&.\&. };
-};
+managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR
+    \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
 .fi
 .if n \{\
 .RE
 .\}
-.SH "LWRES"
+.SH "MASTERS"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-lwres {
-	listen\-on [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
-	};
-	view \fIstring\fR \fIoptional_class\fR;
-	search { \fIstring\fR; \&.\&.\&. };
-	ndots \fIinteger\fR;
-	lwres\-tasks \fIinteger\fR;
-	lwres\-clients \fIinteger\fR;
-};
+masters \fIstring\fR [ port \fIinteger\fR ] [ dscp
+    \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [
+    port \fIinteger\fR ] | \fIipv6_address\fR [ port
+    \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
 .fi
 .if n \{\
 .RE
@@ -212,389 +200,721 @@ lwres {
 .\}
 .nf
 options {
-	avoid\-v4\-udp\-ports { \fIport\fR; \&.\&.\&. };
-	avoid\-v6\-udp\-ports { \fIport\fR; \&.\&.\&. };
+	acache\-cleaning\-interval \fIinteger\fR;
+	acache\-enable \fIboolean\fR;
+	additional\-from\-auth \fIboolean\fR;
+	additional\-from\-cache \fIboolean\fR;
+	allow\-new\-zones \fIboolean\fR;
+	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
+	also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR |
+	    \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port
+	    \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
+	alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * )
+	    ] [ dscp \fIinteger\fR ];
+	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR |
+	    * ) ] [ dscp \fIinteger\fR ];
+	attach\-cache \fIstring\fR;
+	auth\-nxdomain \fIboolean\fR; // default changed
+	auto\-dnssec ( allow | maintain | off );
+	automatic\-interface\-scan \fIboolean\fR;
+	avoid\-v4\-udp\-ports { \fIportrange\fR; \&.\&.\&. };
+	avoid\-v6\-udp\-ports { \fIportrange\fR; \&.\&.\&. };
+	bindkeys\-file \fIquoted_string\fR;
 	blackhole { \fIaddress_match_element\fR; \&.\&.\&. };
-	coresize \fIsize\fR;
-	datasize \fIsize\fR;
+	cache\-file \fIquoted_string\fR;
+	catalog\-zones { zone \fIquoted_string\fR [ default\-masters [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [
+	    port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
+	    \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
+	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. };
+	check\-dup\-records ( fail | warn | ignore );
+	check\-integrity \fIboolean\fR;
+	check\-mx ( fail | warn | ignore );
+	check\-mx\-cname ( fail | warn | ignore );
+	check\-names ( master | slave | response
+	    ) ( fail | warn | ignore );
+	check\-sibling \fIboolean\fR;
+	check\-spf ( warn | ignore );
+	check\-srv\-cname ( fail | warn | ignore );
+	check\-wildcard \fIboolean\fR;
+	cleaning\-interval \fIinteger\fR;
+	clients\-per\-query \fIinteger\fR;
+	cookie\-algorithm ( aes | sha1 | sha256 );
+	cookie\-secret \fIstring\fR;
+	coresize ( default | unlimited | \fIsizeval\fR );
+	datasize ( default | unlimited | \fIsizeval\fR );
+	deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [
+	    except\-from { \fIquoted_string\fR; \&.\&.\&. } ];
+	deny\-answer\-aliases { \fIquoted_string\fR; \&.\&.\&. } [ except\-from {
+	    \fIquoted_string\fR; \&.\&.\&. } ];
+	dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR );
 	directory \fIquoted_string\fR;
-	dnstap { \fImessage_type\fR; \&.\&.\&. };
-	dnstap\-output ( file | unix ) \fIpath_name\fR;
-	dnstap\-identity ( \fIstring\fR | hostname | none );
-	dnstap\-version ( \fIstring\fR | none );
+	disable\-algorithms \fIstring\fR { \fIstring\fR;
+	    \&.\&.\&. };
+	disable\-ds\-digests \fIstring\fR { \fIstring\fR;
+	    \&.\&.\&. };
+	disable\-empty\-zone \fIstring\fR;
+	dns64 \fInetprefix\fR {
+		break\-dnssec \fIboolean\fR;
+		clients { \fIaddress_match_element\fR; \&.\&.\&. };
+		exclude { \fIaddress_match_element\fR; \&.\&.\&. };
+		mapped { \fIaddress_match_element\fR; \&.\&.\&. };
+		recursive\-only \fIboolean\fR;
+		suffix \fIipv6_address\fR;
+	};
+	dns64\-contact \fIstring\fR;
+	dns64\-server \fIstring\fR;
+	dnssec\-accept\-expired \fIboolean\fR;
+	dnssec\-dnskey\-kskonly \fIboolean\fR;
+	dnssec\-enable \fIboolean\fR;
+	dnssec\-loadkeys\-interval \fIinteger\fR;
+	dnssec\-lookaside ( \fIstring\fR trust\-anchor
+	    \fIstring\fR | auto | no );
+	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+	dnssec\-secure\-to\-insecure \fIboolean\fR;
+	dnssec\-update\-mode ( maintain | no\-resign );
+	dnssec\-validation ( yes | no | auto );
+	dnstap { ( all | auth | client | forwarder |
+	    resolver ) [ ( query | response ) ]; \&.\&.\&. };
+	dnstap\-identity ( \fIquoted_string\fR | none |
+	    hostname );
+	dnstap\-output ( file | unix ) \fIquoted_string\fR [
+	    size ( unlimited | \fIsize\fR ) ] [ versions (
+	    unlimited | \fIinteger\fR ) ] [ suffix ( increment
+	    | timestamp ) ];
+	dnstap\-version ( \fIquoted_string\fR | none );
+	dscp \fIinteger\fR;
+	dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] ); \&.\&.\&. };
 	dump\-file \fIquoted_string\fR;
-	files \fIsize\fR;
-	fstrm\-set\-buffer\-hint \fInumber\fR;
-	fstrm\-set\-flush\-timeout \fInumber\fR;
-	fstrm\-set\-input\-queue\-size \fInumber\fR;
-	fstrm\-set\-output\-notify\-threshold \fInumber\fR;
-	fstrm\-set\-output\-queue\-model ( \fImpsc\fR | \fIspsc\fR ) ;
-	fstrm\-set\-output\-queue\-size \fInumber\fR;
-	fstrm\-set\-reopen\-interval \fInumber\fR;
+	edns\-udp\-size \fIinteger\fR;
+	empty\-contact \fIstring\fR;
+	empty\-server \fIstring\fR;
+	empty\-zones\-enable \fIboolean\fR;
+	fetch\-quota\-params \fIinteger\fR \fIfixedpoint\fR \fIfixedpoint\fR \fIfixedpoint\fR;
+	fetches\-per\-server \fIinteger\fR [ ( drop | fail ) ];
+	fetches\-per\-zone \fIinteger\fR [ ( drop | fail ) ];
+	files ( default | unlimited | \fIsizeval\fR );
+	filter\-aaaa { \fIaddress_match_element\fR; \&.\&.\&. };
+	filter\-aaaa\-on\-v4 ( break\-dnssec | \fIboolean\fR );
+	filter\-aaaa\-on\-v6 ( break\-dnssec | \fIboolean\fR );
+	flush\-zones\-on\-shutdown \fIboolean\fR;
+	forward ( first | only );
+	forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR
+	    | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. };
+	fstrm\-set\-buffer\-hint \fIinteger\fR;
+	fstrm\-set\-flush\-timeout \fIinteger\fR;
+	fstrm\-set\-input\-queue\-size \fIinteger\fR;
+	fstrm\-set\-output\-notify\-threshold \fIinteger\fR;
+	fstrm\-set\-output\-queue\-model ( mpsc | spsc );
+	fstrm\-set\-output\-queue\-size \fIinteger\fR;
+	fstrm\-set\-reopen\-interval \fIinteger\fR;
+	geoip\-directory ( \fIquoted_string\fR | none );
+	geoip\-use\-ecs ( \fIquoted_string\fR | none );
 	heartbeat\-interval \fIinteger\fR;
-	host\-statistics \fIboolean\fR; // not implemented
-	host\-statistics\-max \fInumber\fR; // not implemented
 	hostname ( \fIquoted_string\fR | none );
+	inline\-signing \fIboolean\fR;
 	interface\-interval \fIinteger\fR;
+	ixfr\-from\-differences ( master | slave | \fIboolean\fR );
 	keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
-	listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. };
-	listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. };
+	key\-directory \fIquoted_string\fR;
+	lame\-ttl \fIttlval\fR;
+	listen\-on [ port \fIinteger\fR ] [ dscp
+	    \fIinteger\fR ] {
+	    \fIaddress_match_element\fR; \&.\&.\&. };
+	listen\-on\-v6 [ port \fIinteger\fR ] [ dscp
+	    \fIinteger\fR ] {
+	    \fIaddress_match_element\fR; \&.\&.\&. };
+	lock\-file ( \fIquoted_string\fR | none );
+	managed\-keys\-directory \fIquoted_string\fR;
+	masterfile\-format ( map | raw | text );
+	masterfile\-style ( full | relative );
 	match\-mapped\-addresses \fIboolean\fR;
+	max\-acache\-size ( unlimited | \fIsizeval\fR );
+	max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
+	max\-cache\-ttl \fIinteger\fR;
+	max\-clients\-per\-query \fIinteger\fR;
+	max\-journal\-size ( unlimited | \fIsizeval\fR );
+	max\-ncache\-ttl \fIinteger\fR;
+	max\-records \fIinteger\fR;
+	max\-recursion\-depth \fIinteger\fR;
+	max\-recursion\-queries \fIinteger\fR;
+	max\-refresh\-time \fIinteger\fR;
+	max\-retry\-time \fIinteger\fR;
+	max\-rsa\-exponent\-size \fIinteger\fR;
+	max\-transfer\-idle\-in \fIinteger\fR;
+	max\-transfer\-idle\-out \fIinteger\fR;
+	max\-transfer\-time\-in \fIinteger\fR;
+	max\-transfer\-time\-out \fIinteger\fR;
+	max\-udp\-size \fIinteger\fR;
+	max\-zone\-ttl ( unlimited | \fIttlval\fR );
+	memstatistics \fIboolean\fR;
 	memstatistics\-file \fIquoted_string\fR;
+	message\-compression \fIboolean\fR;
+	min\-refresh\-time \fIinteger\fR;
+	min\-retry\-time \fIinteger\fR;
+	minimal\-any \fIboolean\fR;
+	minimal\-responses ( no\-auth | no\-auth\-recursive | \fIboolean\fR );
+	multi\-master \fIboolean\fR;
+	no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. };
+	nocookie\-udp\-size \fIinteger\fR;
+	notify ( explicit | master\-only | \fIboolean\fR );
+	notify\-delay \fIinteger\fR;
+	notify\-rate \fIinteger\fR;
+	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
+	    [ dscp \fIinteger\fR ];
+	notify\-to\-soa \fIboolean\fR;
+	nsec3\-test\-zone \fIboolean\fR; // test only
+	nta\-lifetime \fIttlval\fR;
+	nta\-recheck \fIttlval\fR;
+	nxdomain\-redirect \fIstring\fR;
 	pid\-file ( \fIquoted_string\fR | none );
 	port \fIinteger\fR;
+	preferred\-glue \fIstring\fR;
+	prefetch \fIinteger\fR [ \fIinteger\fR ];
+	provide\-ixfr \fIboolean\fR;
+	query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port (
+	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ]
+	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
+	query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port (
+	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ]
+	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
 	querylog \fIboolean\fR;
-	recursing\-file \fIquoted_string\fR;
-	reserved\-sockets \fIinteger\fR;
 	random\-device \fIquoted_string\fR;
+	rate\-limit {
+		all\-per\-second \fIinteger\fR;
+		errors\-per\-second \fIinteger\fR;
+		exempt\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
+		ipv4\-prefix\-length \fIinteger\fR;
+		ipv6\-prefix\-length \fIinteger\fR;
+		log\-only \fIboolean\fR;
+		max\-table\-size \fIinteger\fR;
+		min\-table\-size \fIinteger\fR;
+		nodata\-per\-second \fIinteger\fR;
+		nxdomains\-per\-second \fIinteger\fR;
+		qps\-scale \fIinteger\fR;
+		referrals\-per\-second \fIinteger\fR;
+		responses\-per\-second \fIinteger\fR;
+		slip \fIinteger\fR;
+		window \fIinteger\fR;
+	};
+	recursing\-file \fIquoted_string\fR;
+	recursion \fIboolean\fR;
 	recursive\-clients \fIinteger\fR;
+	request\-expire \fIboolean\fR;
+	request\-ixfr \fIboolean\fR;
+	request\-nsid \fIboolean\fR;
+	require\-server\-cookie \fIboolean\fR;
+	reserved\-sockets \fIinteger\fR;
+	resolver\-query\-timeout \fIinteger\fR;
+	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
+	    \fIinteger\fR;
+	response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
+	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    policy ( cname | disabled | drop | given | no\-op | nodata |
+	    nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+	    recursive\-only \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
+	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
+	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ];
+	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+	rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
+	    \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
+	secroots\-file \fIquoted_string\fR;
+	send\-cookie \fIboolean\fR;
 	serial\-query\-rate \fIinteger\fR;
-	server\-id ( \fIquoted_string\fR | hostname | none );
-	stacksize \fIsize\fR;
+	serial\-update\-method ( date | increment | unixtime );
+	server\-id ( \fIquoted_string\fR | none | hostname );
+	servfail\-ttl \fIttlval\fR;
+	session\-keyalg \fIstring\fR;
+	session\-keyfile ( \fIquoted_string\fR | none );
+	session\-keyname \fIstring\fR;
+	sig\-signing\-nodes \fIinteger\fR;
+	sig\-signing\-signatures \fIinteger\fR;
+	sig\-signing\-type \fIinteger\fR;
+	sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
+	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
+	stacksize ( default | unlimited | \fIsizeval\fR );
+	startup\-notify\-rate \fIinteger\fR;
 	statistics\-file \fIquoted_string\fR;
-	statistics\-interval \fIinteger\fR; // not yet implemented
+	tcp\-advertised\-timeout \fIinteger\fR;
 	tcp\-clients \fIinteger\fR;
+	tcp\-idle\-timeout \fIinteger\fR;
+	tcp\-initial\-timeout \fIinteger\fR;
+	tcp\-keepalive\-timeout \fIinteger\fR;
 	tcp\-listen\-queue \fIinteger\fR;
 	tkey\-dhkey \fIquoted_string\fR \fIinteger\fR;
+	tkey\-domain \fIquoted_string\fR;
 	tkey\-gssapi\-credential \fIquoted_string\fR;
 	tkey\-gssapi\-keytab \fIquoted_string\fR;
-	tkey\-domain \fIquoted_string\fR;
+	transfer\-format ( many\-answers | one\-answer );
 	transfer\-message\-size \fIinteger\fR;
-	transfers\-per\-ns \fIinteger\fR;
+	transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
+	    ] [ dscp \fIinteger\fR ];
 	transfers\-in \fIinteger\fR;
 	transfers\-out \fIinteger\fR;
-	version ( \fIquoted_string\fR | none );
-	allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. };
-	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
-	topology { \fIaddress_match_element\fR; \&.\&.\&. }; // not implemented
-	auth\-nxdomain \fIboolean\fR; // default changed
-	minimal\-any \fIboolean\fR;
-	minimal\-responses ( \fIboolean\fR | no\-auth | no\-auth\-recursive );
-	recursion \fIboolean\fR;
-	rrset\-order {
-		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&.
-	};
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	rfc2308\-type1 \fIboolean\fR; // not yet implemented
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
-	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	use\-queryport\-pool \fIboolean\fR;
-	queryport\-pool\-ports \fIinteger\fR;
-	queryport\-pool\-updateinterval \fIinteger\fR;
-	cleaning\-interval \fIinteger\fR;
-	resolver\-query\-timeout \fIinteger\fR;
-	min\-roots \fIinteger\fR; // not implemented
-	lame\-ttl \fIinteger\fR;
-	max\-ncache\-ttl \fIinteger\fR;
-	max\-cache\-ttl \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize\fR;
-	max\-acache\-size \fIsize\fR;
-	clients\-per\-query \fInumber\fR;
-	max\-clients\-per\-query \fInumber\fR;
-	check\-names ( master | slave | response )
-		( fail | warn | ignore );
-	check\-mx ( fail | warn | ignore );
-	check\-integrity \fIboolean\fR;
-	check\-mx\-cname ( fail | warn | ignore );
-	check\-srv\-cname ( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR; // test option
-	catalog\-zones {
-	    zone \fIquoted_string\fR
-		[ default\-masters
-		[port \fIip_port\fR]
-		[dscp \fIip_dscp\fR]
-		{ ( \fImasters_list\fR | \fIip_addr\fR [port \fIip_port\fR] [key \fIkey\fR] ) ; [\&.\&.\&.] }]
-	    [in\-memory \fIyes_or_no\fR]
-	    [min\-update\-interval \fIinterval\fR]
-	    ; \&.\&.\&. };
-	;
-	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
-	preferred\-glue \fIstring\fR;
-	dual\-stack\-servers [ port \fIinteger\fR ] {
-		( \fIquoted_string\fR [port \fIinteger\fR] |
-		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&.
-	};
-	edns\-udp\-size \fIinteger\fR;
-	max\-udp\-size \fIinteger\fR;
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
-	disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. };
-	disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. };
-	dnssec\-enable \fIboolean\fR;
-	dnssec\-validation \fIboolean\fR;
-	dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
-	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
-	dnssec\-accept\-expired \fIboolean\fR;
-	dns64\-server \fIstring\fR;
-	dns64\-contact \fIstring\fR;
-	dns64 \fIprefix\fR {
-		clients { \fIacl\fR; };
-		exclude { \fIacl\fR; };
-		mapped { \fIacl\fR; };
-		break\-dnssec \fIboolean\fR;
-		recursive\-only \fIboolean\fR;
-		suffix \fIipv6_address\fR;
-	};
-	empty\-server \fIstring\fR;
-	empty\-contact \fIstring\fR;
-	empty\-zones\-enable \fIboolean\fR;
-	disable\-empty\-zone \fIstring\fR;
-	dialup \fIdialuptype\fR;
-	ixfr\-from\-differences \fIixfrdiff\fR;
-	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
+	transfers\-per\-ns \fIinteger\fR;
+	trust\-anchor\-telemetry \fIboolean\fR; // experimental
+	try\-tcp\-refresh \fIboolean\fR;
 	update\-check\-ksk \fIboolean\fR;
-	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	masterfile\-format ( text | raw | map );
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-delay \fIseconds\fR;
-	notify\-to\-soa \fIboolean\fR;
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; \&.\&.\&.
-		[ key \fIkeyname\fR ] \&.\&.\&. };
-	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
-	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
-	};
-	max\-journal\-size \fIsize_no_default\fR;
-	max\-records \fIinteger\fR;
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
-	max\-transfer\-idle\-in \fIinteger\fR;
-	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
-	min\-refresh\-time \fIinteger\fR;
-	multi\-master \fIboolean\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	sig\-re\-signing\-interval \fIinteger\fR;
-	sig\-signing\-nodes \fIinteger\fR;
-	sig\-signing\-signatures \fIinteger\fR;
-	sig\-signing\-type \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
 	use\-alt\-transfer\-source \fIboolean\fR;
-	zone\-statistics \fIboolean\fR;
-	key\-directory \fIquoted_string\fR;
-	managed\-keys\-directory \fIquoted_string\fR;
-	auto\-dnssec \fBallow\fR|\fBmaintain\fR|\fBoff\fR;
-	try\-tcp\-refresh \fIboolean\fR;
+	use\-v4\-udp\-ports { \fIportrange\fR; \&.\&.\&. };
+	use\-v6\-udp\-ports { \fIportrange\fR; \&.\&.\&. };
+	v6\-bias \fIinteger\fR;
+	version ( \fIquoted_string\fR | none );
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
-	dnssec\-secure\-to\-insecure \fIboolean\fR;
-	automatic\-interface\-scan \fIboolean\fR;
-	cookie\-algorithm ( \fIaes\fR | \fIsha1\fR | \fIsha256\fR );
-	cookie\-secret \fIstring\fR;
-	require\-server\-cookie \fIboolean\fR;
+	zone\-statistics ( full | terse | none | \fIboolean\fR );
+};
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SERVER"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+server \fInetprefix\fR {
+	bogus \fIboolean\fR;
+	edns \fIboolean\fR;
+	edns\-udp\-size \fIinteger\fR;
+	edns\-version \fIinteger\fR;
+	keys \fIserver_key\fR;
+	max\-udp\-size \fIinteger\fR;
+	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
+	    [ dscp \fIinteger\fR ];
+	padding \fIinteger\fR;
+	provide\-ixfr \fIboolean\fR;
+	query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port (
+	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ]
+	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
+	query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port (
+	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ]
+	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
+	request\-expire \fIboolean\fR;
+	request\-ixfr \fIboolean\fR;
+	request\-nsid \fIboolean\fR;
 	send\-cookie \fIboolean\fR;
-	nocookie\-udp\-size \fIinteger\fR;
-	response\-padding {
-		\fIaddress_match_list\fR
-	} block\-size \fIinteger\fR;
-	deny\-answer\-addresses {
-		\fIaddress_match_list\fR
-	} [ except\-from { \fInamelist\fR } ];
-	deny\-answer\-aliases {
-		\fInamelist\fR
-	} [ except\-from { \fInamelist\fR } ];
-	nsec3\-test\-zone \fIboolean\fR;  // testing only
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. }; // obsolete
-	deallocate\-on\-exit \fIboolean\fR; // obsolete
-	fake\-iquery \fIboolean\fR; // obsolete
-	fetch\-glue \fIboolean\fR; // obsolete
-	has\-old\-clients \fIboolean\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-	multiple\-cnames \fIboolean\fR; // obsolete
-	named\-xfer \fIquoted_string\fR; // obsolete
-	serial\-queries \fIinteger\fR; // obsolete
-	treat\-cr\-as\-space \fIboolean\fR; // obsolete
-	use\-id\-pool \fIboolean\fR; // obsolete
-	use\-ixfr \fIboolean\fR; // obsolete
+	tcp\-keepalive \fIboolean\fR;
+	tcp\-only \fIboolean\fR;
+	transfer\-format ( many\-answers | one\-answer );
+	transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
+	    ] [ dscp \fIinteger\fR ];
+	transfers \fIinteger\fR;
 };
 .fi
 .if n \{\
 .RE
 .\}
+.SH "STATISTICS-CHANNELS"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+statistics\-channels {
+	inet ( \fIipv4_address\fR | \fIipv6_address\fR |
+	    * ) [ port ( \fIinteger\fR | * ) ] [
+	    allow { \fIaddress_match_element\fR; \&.\&.\&.
+	    } ];
+};
+.fi
+.if n \{\
+.RE
+.\}
+.SH "TRUSTED-KEYS"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR
+    \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+.fi
+.if n \{\
+.RE
+.\}
 .SH "VIEW"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-view \fIstring\fR \fIoptional_class\fR {
-	match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
-	match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
-	match\-recursive\-only \fIboolean\fR;
-	key \fIstring\fR {
-		algorithm \fIstring\fR;
-		secret \fIstring\fR;
-	};
-	zone \fIstring\fR \fIoptional_class\fR {
-		\&.\&.\&.
-	};
-	server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
-		\&.\&.\&.
-	};
-	trusted\-keys {
-		\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
-		[\&.\&.\&.]
-	};
-	managed\-keys {
-		\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR;
-		[\&.\&.\&.]
-	};
+view \fIstring\fR [ \fIclass\fR ] {
+	acache\-cleaning\-interval \fIinteger\fR;
+	acache\-enable \fIboolean\fR;
+	additional\-from\-auth \fIboolean\fR;
+	additional\-from\-cache \fIboolean\fR;
+	allow\-new\-zones \fIboolean\fR;
+	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. };
-	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
-	topology { \fIaddress_match_element\fR; \&.\&.\&. }; // not implemented
+	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
+	also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR |
+	    \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port
+	    \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
+	alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * )
+	    ] [ dscp \fIinteger\fR ];
+	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR |
+	    * ) ] [ dscp \fIinteger\fR ];
+	attach\-cache \fIstring\fR;
 	auth\-nxdomain \fIboolean\fR; // default changed
-	minimal\-any \fIboolean\fR;
-	minimal\-responses \fIboolean\fR;
-	recursion \fIboolean\fR;
-	rrset\-order {
-		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&.
-	};
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	rfc2308\-type1 \fIboolean\fR; // not yet implemented
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
-	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	use\-queryport\-pool \fIboolean\fR;
-	queryport\-pool\-ports \fIinteger\fR;
-	queryport\-pool\-updateinterval \fIinteger\fR;
-	cleaning\-interval \fIinteger\fR;
-	resolver\-query\-timeout \fIinteger\fR;
-	min\-roots \fIinteger\fR; // not implemented
-	lame\-ttl \fIinteger\fR;
-	max\-ncache\-ttl \fIinteger\fR;
-	max\-cache\-ttl \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize\fR;
-	max\-acache\-size \fIsize\fR;
-	clients\-per\-query \fInumber\fR;
-	max\-clients\-per\-query \fInumber\fR;
-	check\-names ( master | slave | response )
-		( fail | warn | ignore );
-	check\-mx ( fail | warn | ignore );
+	auto\-dnssec ( allow | maintain | off );
+	cache\-file \fIquoted_string\fR;
+	catalog\-zones { zone \fIquoted_string\fR [ default\-masters [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [
+	    port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
+	    \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
+	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. };
+	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity \fIboolean\fR;
+	check\-mx ( fail | warn | ignore );
 	check\-mx\-cname ( fail | warn | ignore );
+	check\-names ( master | slave | response
+	    ) ( fail | warn | ignore );
+	check\-sibling \fIboolean\fR;
+	check\-spf ( warn | ignore );
 	check\-srv\-cname ( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR; // test option
-	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
-	preferred\-glue \fIstring\fR;
-	dual\-stack\-servers [ port \fIinteger\fR ] {
-		( \fIquoted_string\fR [port \fIinteger\fR] |
-		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&.
+	check\-wildcard \fIboolean\fR;
+	cleaning\-interval \fIinteger\fR;
+	clients\-per\-query \fIinteger\fR;
+	deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [
+	    except\-from { \fIquoted_string\fR; \&.\&.\&. } ];
+	deny\-answer\-aliases { \fIquoted_string\fR; \&.\&.\&. } [ except\-from {
+	    \fIquoted_string\fR; \&.\&.\&. } ];
+	dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR );
+	disable\-algorithms \fIstring\fR { \fIstring\fR;
+	    \&.\&.\&. };
+	disable\-ds\-digests \fIstring\fR { \fIstring\fR;
+	    \&.\&.\&. };
+	disable\-empty\-zone \fIstring\fR;
+	dlz \fIstring\fR {
+		database \fIstring\fR;
+		search \fIboolean\fR;
 	};
-	edns\-udp\-size \fIinteger\fR;
-	max\-udp\-size \fIinteger\fR;
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
-	disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. };
-	disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. };
-	dnssec\-enable \fIboolean\fR;
-	dnssec\-validation \fIboolean\fR;
-	dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
-	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
-	dnssec\-accept\-expired \fIboolean\fR;
-	dns64\-server \fIstring\fR;
-	dns64\-contact \fIstring\fR;
-	dns64 \fIprefix\fR {
-		clients { \fIacl\fR; };
-		exclude { \fIacl\fR; };
-		mapped { \fIacl\fR; };
+	dns64 \fInetprefix\fR {
 		break\-dnssec \fIboolean\fR;
+		clients { \fIaddress_match_element\fR; \&.\&.\&. };
+		exclude { \fIaddress_match_element\fR; \&.\&.\&. };
+		mapped { \fIaddress_match_element\fR; \&.\&.\&. };
 		recursive\-only \fIboolean\fR;
 		suffix \fIipv6_address\fR;
 	};
-	empty\-server \fIstring\fR;
+	dns64\-contact \fIstring\fR;
+	dns64\-server \fIstring\fR;
+	dnssec\-accept\-expired \fIboolean\fR;
+	dnssec\-dnskey\-kskonly \fIboolean\fR;
+	dnssec\-enable \fIboolean\fR;
+	dnssec\-loadkeys\-interval \fIinteger\fR;
+	dnssec\-lookaside ( \fIstring\fR trust\-anchor
+	    \fIstring\fR | auto | no );
+	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+	dnssec\-secure\-to\-insecure \fIboolean\fR;
+	dnssec\-update\-mode ( maintain | no\-resign );
+	dnssec\-validation ( yes | no | auto );
+	dnstap { ( all | auth | client | forwarder |
+	    resolver ) [ ( query | response ) ]; \&.\&.\&. };
+	dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port
+	    \fIinteger\fR ] [ dscp \fIinteger\fR ] ); \&.\&.\&. };
+	dyndb \fIstring\fR \fIquoted_string\fR {
+	    \fIunspecified\-text\fR };
+	edns\-udp\-size \fIinteger\fR;
 	empty\-contact \fIstring\fR;
+	empty\-server \fIstring\fR;
 	empty\-zones\-enable \fIboolean\fR;
-	disable\-empty\-zone \fIstring\fR;
-	dialup \fIdialuptype\fR;
-	ixfr\-from\-differences \fIixfrdiff\fR;
-	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
-	update\-check\-ksk \fIboolean\fR;
-	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	masterfile\-format ( text | raw | map );
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-delay \fIseconds\fR;
-	notify\-to\-soa \fIboolean\fR;
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; \&.\&.\&.
-		[ key \fIkeyname\fR ] \&.\&.\&. };
-	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
+	fetch\-quota\-params \fIinteger\fR \fIfixedpoint\fR \fIfixedpoint\fR \fIfixedpoint\fR;
+	fetches\-per\-server \fIinteger\fR [ ( drop | fail ) ];
+	fetches\-per\-zone \fIinteger\fR [ ( drop | fail ) ];
+	filter\-aaaa { \fIaddress_match_element\fR; \&.\&.\&. };
+	filter\-aaaa\-on\-v4 ( break\-dnssec | \fIboolean\fR );
+	filter\-aaaa\-on\-v6 ( break\-dnssec | \fIboolean\fR );
 	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
+	forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR
+	    | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. };
+	inline\-signing \fIboolean\fR;
+	ixfr\-from\-differences ( master | slave | \fIboolean\fR );
+	key \fIstring\fR {
+		algorithm \fIstring\fR;
+		secret \fIstring\fR;
 	};
-	max\-journal\-size \fIsize_no_default\fR;
+	key\-directory \fIquoted_string\fR;
+	lame\-ttl \fIttlval\fR;
+	managed\-keys { \fIstring\fR \fIstring\fR
+	    \fIinteger\fR \fIinteger\fR \fIinteger\fR
+	    \fIquoted_string\fR; \&.\&.\&. };
+	masterfile\-format ( map | raw | text );
+	masterfile\-style ( full | relative );
+	match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
+	match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
+	match\-recursive\-only \fIboolean\fR;
+	max\-acache\-size ( unlimited | \fIsizeval\fR );
+	max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
+	max\-cache\-ttl \fIinteger\fR;
+	max\-clients\-per\-query \fIinteger\fR;
+	max\-journal\-size ( unlimited | \fIsizeval\fR );
+	max\-ncache\-ttl \fIinteger\fR;
 	max\-records \fIinteger\fR;
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
+	max\-recursion\-depth \fIinteger\fR;
+	max\-recursion\-queries \fIinteger\fR;
+	max\-refresh\-time \fIinteger\fR;
+	max\-retry\-time \fIinteger\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
 	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
+	max\-transfer\-time\-in \fIinteger\fR;
+	max\-transfer\-time\-out \fIinteger\fR;
+	max\-udp\-size \fIinteger\fR;
+	max\-zone\-ttl ( unlimited | \fIttlval\fR );
+	message\-compression \fIboolean\fR;
 	min\-refresh\-time \fIinteger\fR;
+	min\-retry\-time \fIinteger\fR;
+	minimal\-any \fIboolean\fR;
+	minimal\-responses ( no\-auth | no\-auth\-recursive | \fIboolean\fR );
 	multi\-master \fIboolean\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	use\-alt\-transfer\-source \fIboolean\fR;
-	zone\-statistics \fIboolean\fR;
+	no\-case\-compress { \fIaddress_match_element\fR; \&.\&.\&. };
+	nocookie\-udp\-size \fIinteger\fR;
+	notify ( explicit | master\-only | \fIboolean\fR );
+	notify\-delay \fIinteger\fR;
+	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
+	    [ dscp \fIinteger\fR ];
+	notify\-to\-soa \fIboolean\fR;
+	nsec3\-test\-zone \fIboolean\fR; // test only
+	nta\-lifetime \fIttlval\fR;
+	nta\-recheck \fIttlval\fR;
+	nxdomain\-redirect \fIstring\fR;
+	preferred\-glue \fIstring\fR;
+	prefetch \fIinteger\fR [ \fIinteger\fR ];
+	provide\-ixfr \fIboolean\fR;
+	query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port (
+	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ]
+	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
+	query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [ port (
+	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv6_address\fR | * ) ]
+	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
+	rate\-limit {
+		all\-per\-second \fIinteger\fR;
+		errors\-per\-second \fIinteger\fR;
+		exempt\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
+		ipv4\-prefix\-length \fIinteger\fR;
+		ipv6\-prefix\-length \fIinteger\fR;
+		log\-only \fIboolean\fR;
+		max\-table\-size \fIinteger\fR;
+		min\-table\-size \fIinteger\fR;
+		nodata\-per\-second \fIinteger\fR;
+		nxdomains\-per\-second \fIinteger\fR;
+		qps\-scale \fIinteger\fR;
+		referrals\-per\-second \fIinteger\fR;
+		responses\-per\-second \fIinteger\fR;
+		slip \fIinteger\fR;
+		window \fIinteger\fR;
+	};
+	recursion \fIboolean\fR;
+	request\-expire \fIboolean\fR;
+	request\-ixfr \fIboolean\fR;
+	request\-nsid \fIboolean\fR;
+	require\-server\-cookie \fIboolean\fR;
+	resolver\-query\-timeout \fIinteger\fR;
+	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
+	    \fIinteger\fR;
+	response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
+	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    policy ( cname | disabled | drop | given | no\-op | nodata |
+	    nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+	    recursive\-only \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
+	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
+	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ];
+	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+	rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
+	    \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
+	send\-cookie \fIboolean\fR;
+	serial\-update\-method ( date | increment | unixtime );
+	server \fInetprefix\fR {
+		bogus \fIboolean\fR;
+		edns \fIboolean\fR;
+		edns\-udp\-size \fIinteger\fR;
+		edns\-version \fIinteger\fR;
+		keys \fIserver_key\fR;
+		max\-udp\-size \fIinteger\fR;
+		notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | *
+		    ) ] [ dscp \fIinteger\fR ];
+		notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR
+		    | * ) ] [ dscp \fIinteger\fR ];
+		padding \fIinteger\fR;
+		provide\-ixfr \fIboolean\fR;
+		query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port
+		    ( \fIinteger\fR | * ) ] ) | ( [ [ address ] (
+		    \fIipv4_address\fR | * ) ] port ( \fIinteger\fR | * ) ) ) [
+		    dscp \fIinteger\fR ];
+		query\-source\-v6 ( ( [ address ] ( \fIipv6_address\fR | * ) [
+		    port ( \fIinteger\fR | * ) ] ) | ( [ [ address ] (
+		    \fIipv6_address\fR | * ) ] port ( \fIinteger\fR | * ) ) ) [
+		    dscp \fIinteger\fR ];
+		request\-expire \fIboolean\fR;
+		request\-ixfr \fIboolean\fR;
+		request\-nsid \fIboolean\fR;
+		send\-cookie \fIboolean\fR;
+		tcp\-keepalive \fIboolean\fR;
+		tcp\-only \fIboolean\fR;
+		transfer\-format ( many\-answers | one\-answer );
+		transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR |
+		    * ) ] [ dscp \fIinteger\fR ];
+		transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port (
+		    \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
+		transfers \fIinteger\fR;
+	};
+	servfail\-ttl \fIttlval\fR;
+	sig\-signing\-nodes \fIinteger\fR;
+	sig\-signing\-signatures \fIinteger\fR;
+	sig\-signing\-type \fIinteger\fR;
+	sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
+	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
+	transfer\-format ( many\-answers | one\-answer );
+	transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
+	    ] [ dscp \fIinteger\fR ];
+	trust\-anchor\-telemetry \fIboolean\fR; // experimental
+	trusted\-keys { \fIstring\fR \fIinteger\fR
+	    \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
+	    \&.\&.\&. };
 	try\-tcp\-refresh \fIboolean\fR;
-	key\-directory \fIquoted_string\fR;
+	update\-check\-ksk \fIboolean\fR;
+	use\-alt\-transfer\-source \fIboolean\fR;
+	v6\-bias \fIinteger\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
-	dnssec\-secure\-to\-insecure \fIboolean\fR;
-	require\-server\-cookie \fIboolean\fR;
-	send\-cookie \fIboolean\fR;
-	nocookie\-udp\-size \fIinteger\fR;
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. }; // obsolete
-	fetch\-glue \fIboolean\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
+	zone \fIstring\fR [ \fIclass\fR ] {
+		allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
+		allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
+		allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+		allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
+		allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
+		allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
+		also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { (
+		    \fImasters\fR | \fIipv4_address\fR [ port \fIinteger\fR ] |
+		    \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ];
+		    \&.\&.\&. };
+		alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port (
+		    \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
+		alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port (
+		    \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
+		auto\-dnssec ( allow | maintain | off );
+		check\-dup\-records ( fail | warn | ignore );
+		check\-integrity \fIboolean\fR;
+		check\-mx ( fail | warn | ignore );
+		check\-mx\-cname ( fail | warn | ignore );
+		check\-names ( fail | warn | ignore );
+		check\-sibling \fIboolean\fR;
+		check\-spf ( warn | ignore );
+		check\-srv\-cname ( fail | warn | ignore );
+		check\-wildcard \fIboolean\fR;
+		database \fIstring\fR;
+		delegation\-only \fIboolean\fR;
+		dialup ( notify | notify\-passive | passive | refresh |
+		    \fIboolean\fR );
+		dlz \fIstring\fR;
+		dnssec\-dnskey\-kskonly \fIboolean\fR;
+		dnssec\-loadkeys\-interval \fIinteger\fR;
+		dnssec\-secure\-to\-insecure \fIboolean\fR;
+		dnssec\-update\-mode ( maintain | no\-resign );
+		file \fIquoted_string\fR;
+		forward ( first | only );
+		forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { (
+		    \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ] [
+		    dscp \fIinteger\fR ]; \&.\&.\&. };
+		in\-view \fIstring\fR;
+		inline\-signing \fIboolean\fR;
+		ixfr\-from\-differences \fIboolean\fR;
+		journal \fIquoted_string\fR;
+		key\-directory \fIquoted_string\fR;
+		masterfile\-format ( map | raw | text );
+		masterfile\-style ( full | relative );
+		masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR
+		    | \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [
+		    port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
+		max\-ixfr\-log\-size ( default | unlimited |
+		max\-journal\-size ( unlimited | \fIsizeval\fR );
+		max\-records \fIinteger\fR;
+		max\-refresh\-time \fIinteger\fR;
+		max\-retry\-time \fIinteger\fR;
+		max\-transfer\-idle\-in \fIinteger\fR;
+		max\-transfer\-idle\-out \fIinteger\fR;
+		max\-transfer\-time\-in \fIinteger\fR;
+		max\-transfer\-time\-out \fIinteger\fR;
+		max\-zone\-ttl ( unlimited | \fIttlval\fR );
+		min\-refresh\-time \fIinteger\fR;
+		min\-retry\-time \fIinteger\fR;
+		multi\-master \fIboolean\fR;
+		notify ( explicit | master\-only | \fIboolean\fR );
+		notify\-delay \fIinteger\fR;
+		notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | *
+		    ) ] [ dscp \fIinteger\fR ];
+		notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR
+		    | * ) ] [ dscp \fIinteger\fR ];
+		notify\-to\-soa \fIboolean\fR;
+		nsec3\-test\-zone \fIboolean\fR; // test only
+		pubkey \fIinteger\fR
+		    \fIinteger\fR
+		    \fIinteger\fR
+		request\-expire \fIboolean\fR;
+		request\-ixfr \fIboolean\fR;
+		serial\-update\-method ( date | increment | unixtime );
+		server\-addresses { ( \fIipv4_address\fR | \fIipv6_address\fR ) [
+		    port \fIinteger\fR ]; \&.\&.\&. };
+		server\-names { \fIquoted_string\fR; \&.\&.\&. };
+		sig\-signing\-nodes \fIinteger\fR;
+		sig\-signing\-signatures \fIinteger\fR;
+		sig\-signing\-type \fIinteger\fR;
+		sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
+		transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR |
+		    * ) ] [ dscp \fIinteger\fR ];
+		transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port (
+		    \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
+		try\-tcp\-refresh \fIboolean\fR;
+		type ( delegation\-only | forward | hint | master | redirect
+		    | slave | static\-stub | stub );
+		update\-check\-ksk \fIboolean\fR;
+		update\-policy ( local | { ( deny | grant ) \fIstring\fR (
+		    6to4\-self | external | krb5\-self | krb5\-subdomain |
+		    ms\-self | ms\-subdomain | name | self | selfsub |
+		    selfwild | subdomain | tcp\-self | wildcard | zonesub )
+		    [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
+		use\-alt\-transfer\-source \fIboolean\fR;
+		zero\-no\-soa\-ttl \fIboolean\fR;
+		zone\-statistics ( full | terse | none | \fIboolean\fR );
+	};
+	zone\-statistics ( full | terse | none | \fIboolean\fR );
 };
 .fi
 .if n \{\
@@ -606,87 +926,98 @@ view \fIstring\fR \fIoptional_class\fR {
 .RS 4
 .\}
 .nf
-zone \fIstring\fR \fIoptional_class\fR {
-	type ( master | slave | stub | hint | redirect |
-		forward | delegation\-only );
-	file \fIquoted_string\fR;
-	masters [ port \fIinteger\fR ] {
-		( \fImasters\fR |
-		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&.
-	};
-	database \fIstring\fR;
-	delegation\-only \fIboolean\fR;
-	check\-names ( fail | warn | ignore );
-	check\-mx ( fail | warn | ignore );
-	check\-integrity \fIboolean\fR;
-	check\-mx\-cname ( fail | warn | ignore );
-	check\-srv\-cname ( fail | warn | ignore );
-	dialup \fIdialuptype\fR;
-	ixfr\-from\-differences \fIboolean\fR;
-	journal \fIquoted_string\fR;
-	zero\-no\-soa\-ttl \fIboolean\fR;
-	dnssec\-secure\-to\-insecure \fIboolean\fR;
+zone \fIstring\fR [ \fIclass\fR ] {
+	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
-	update\-policy \fIlocal\fR | \fI {
-		( grant | deny ) \fR\fI\fIstring\fR\fR\fI
-		( name | subdomain | wildcard | self | selfsub | selfwild |
-		  krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain |
-		  tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI
-		\fR\fI\fIrrtypelist\fR\fR\fI;
-		\fR\fI[\&.\&.\&.]\fR\fI
-	}\fR;
-	update\-check\-ksk \fIboolean\fR;
+	also\-notify [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR |
+	    \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port
+	    \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
+	alt\-transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * )
+	    ] [ dscp \fIinteger\fR ];
+	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR |
+	    * ) ] [ dscp \fIinteger\fR ];
+	auto\-dnssec ( allow | maintain | off );
+	check\-dup\-records ( fail | warn | ignore );
+	check\-integrity \fIboolean\fR;
+	check\-mx ( fail | warn | ignore );
+	check\-mx\-cname ( fail | warn | ignore );
+	check\-names ( fail | warn | ignore );
+	check\-sibling \fIboolean\fR;
+	check\-spf ( warn | ignore );
+	check\-srv\-cname ( fail | warn | ignore );
+	check\-wildcard \fIboolean\fR;
+	database \fIstring\fR;
+	delegation\-only \fIboolean\fR;
+	dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR );
+	dlz \fIstring\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	masterfile\-format ( text | raw | map );
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-delay \fIseconds\fR;
-	notify\-to\-soa \fIboolean\fR;
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; \&.\&.\&.
-		[ key \fIkeyname\fR ] \&.\&.\&. };
-	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
+	dnssec\-loadkeys\-interval \fIinteger\fR;
+	dnssec\-secure\-to\-insecure \fIboolean\fR;
+	dnssec\-update\-mode ( maintain | no\-resign );
+	file \fIquoted_string\fR;
 	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
-	};
-	max\-journal\-size \fIsize_no_default\fR;
+	forwarders [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fIipv4_address\fR
+	    | \fIipv6_address\fR ) [ port \fIinteger\fR ] [ dscp \fIinteger\fR ]; \&.\&.\&. };
+	in\-view \fIstring\fR;
+	inline\-signing \fIboolean\fR;
+	ixfr\-from\-differences \fIboolean\fR;
+	journal \fIquoted_string\fR;
+	key\-directory \fIquoted_string\fR;
+	masterfile\-format ( map | raw | text );
+	masterfile\-style ( full | relative );
+	masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR |
+	    \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port
+	    \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. };
+	max\-journal\-size ( unlimited | \fIsizeval\fR );
 	max\-records \fIinteger\fR;
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
+	max\-refresh\-time \fIinteger\fR;
+	max\-retry\-time \fIinteger\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
 	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
+	max\-transfer\-time\-in \fIinteger\fR;
+	max\-transfer\-time\-out \fIinteger\fR;
+	max\-zone\-ttl ( unlimited | \fIttlval\fR );
 	min\-refresh\-time \fIinteger\fR;
+	min\-retry\-time \fIinteger\fR;
 	multi\-master \fIboolean\fR;
+	notify ( explicit | master\-only | \fIboolean\fR );
+	notify\-delay \fIinteger\fR;
+	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
+	    [ dscp \fIinteger\fR ];
+	notify\-to\-soa \fIboolean\fR;
+	nsec3\-test\-zone \fIboolean\fR; // test only
+	pubkey \fIinteger\fR \fIinteger\fR
+	request\-expire \fIboolean\fR;
 	request\-ixfr \fIboolean\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	use\-alt\-transfer\-source \fIboolean\fR;
-	zone\-statistics \fIboolean\fR;
+	serial\-update\-method ( date | increment | unixtime );
+	server\-addresses { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port
+	    \fIinteger\fR ]; \&.\&.\&. };
+	server\-names { \fIquoted_string\fR; \&.\&.\&. };
+	sig\-signing\-nodes \fIinteger\fR;
+	sig\-signing\-signatures \fIinteger\fR;
+	sig\-signing\-type \fIinteger\fR;
+	sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
+	transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
+	    dscp \fIinteger\fR ];
+	transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
+	    ] [ dscp \fIinteger\fR ];
 	try\-tcp\-refresh \fIboolean\fR;
-	key\-directory \fIquoted_string\fR;
-	nsec3\-test\-zone \fIboolean\fR;  // testing only
-	ixfr\-base \fIquoted_string\fR; // obsolete
-	ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-	pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
+	type ( delegation\-only | forward | hint | master | redirect | slave
+	    | static\-stub | stub );
+	update\-check\-ksk \fIboolean\fR;
+	update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self |
+	    external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain
+	    | name | self | selfsub | selfwild | subdomain | tcp\-self |
+	    wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
+	use\-alt\-transfer\-source \fIboolean\fR;
+	zero\-no\-soa\-ttl \fIboolean\fR;
+	zone\-statistics ( full | terse | none | \fIboolean\fR );
 };
 .fi
 .if n \{\
@@ -697,9 +1028,11 @@ zone \fIstring\fR \fIoptional_class\fR {
 /etc/named\&.conf
 .SH "SEE ALSO"
 .PP
+\fBddns-confgen\fR(8),
 \fBnamed\fR(8),
 \fBnamed-checkconf\fR(8),
 \fBrndc\fR(8),
+\fBrndc-confgen\fR(8),
 BIND 9 Administrator Reference Manual\&.
 .SH "AUTHOR"
 .PP
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 7044d18761e..3fe2ed0f632 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -62,127 +62,113 @@
 
     <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.9"></a><h2>KEY</h2>
+<a name="id-1.9"></a><h2>CONTROLS</h2>
 
     <div class="literallayout"><p><br>
-key <em class="replaceable"><code>domain_name</code></em> {<br>
-	algorithm <em class="replaceable"><code>string</code></em>;<br>
-	secret <em class="replaceable"><code>string</code></em>;<br>
+controls {<br>
+	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
+	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] allow<br>
+	    { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	unix <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em><br>
+	    owner <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [<span class="optional"><br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.10"></a><h2>MASTERS</h2>
+<a name="id-1.10"></a><h2>DLZ</h2>
 
     <div class="literallayout"><p><br>
-masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-	<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
+dlz <em class="replaceable"><code>string</code></em> {<br>
+	database <em class="replaceable"><code>string</code></em>;<br>
+	search <em class="replaceable"><code>boolean</code></em>;<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.11"></a><h2>SERVER</h2>
+<a name="id-1.11"></a><h2>DYNDB</h2>
 
     <div class="literallayout"><p><br>
-server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
-	bogus <em class="replaceable"><code>boolean</code></em>;<br>
-	edns <em class="replaceable"><code>boolean</code></em>;<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	padding <em class="replaceable"><code>integer</code></em>;<br>
-	tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
-	tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	keys <em class="replaceable"><code>server_key</code></em>;<br>
-	transfers <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	support-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
+dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
+    <em class="replaceable"><code>unspecified-text</code></em> };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.12"></a><h2>TRUSTED-KEYS</h2>
+<a name="id-1.12"></a><h2>KEY</h2>
 
     <div class="literallayout"><p><br>
-trusted-keys {<br>
-	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
+key <em class="replaceable"><code>string</code></em> {<br>
+	algorithm <em class="replaceable"><code>string</code></em>;<br>
+	secret <em class="replaceable"><code>string</code></em>;<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.13"></a><h2>MANAGED-KEYS</h2>
+<a name="id-1.13"></a><h2>LOGGING</h2>
 
     <div class="literallayout"><p><br>
-managed-keys {<br>
-	<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
+logging {<br>
+	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
+	channel <em class="replaceable"><code>string</code></em> {<br>
+		buffered <em class="replaceable"><code>boolean</code></em>;<br>
+		file <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) </span>]<br>
+		    [<span class="optional"> size <em class="replaceable"><code>size</code></em> </span>] [<span class="optional"> suffix ( increment | timestamp ) </span>];<br>
+		null;<br>
+		print-category <em class="replaceable"><code>boolean</code></em>;<br>
+		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
+		print-time ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );<br>
+		severity <em class="replaceable"><code>log_severity</code></em>;<br>
+		stderr;<br>
+		syslog [<span class="optional"> <em class="replaceable"><code>syslog_facility</code></em> </span>];<br>
+	};<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14"></a><h2>CONTROLS</h2>
+<a name="id-1.14"></a><h2>LWRES</h2>
 
     <div class="literallayout"><p><br>
-controls {<br>
-	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-		allow { <em class="replaceable"><code>address_match_element</code></em>; ... }<br>
-		[<span class="optional"> keys { <em class="replaceable"><code>string</code></em>; ... } </span>];<br>
-	unix <em class="replaceable"><code>unsupported</code></em>; // not implemented<br>
+lwres {<br>
+	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	lwres-clients <em class="replaceable"><code>integer</code></em>;<br>
+	lwres-tasks <em class="replaceable"><code>integer</code></em>;<br>
+	ndots <em class="replaceable"><code>integer</code></em>;<br>
+	search { <em class="replaceable"><code>string</code></em>; ... };<br>
+	view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>];<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.15"></a><h2>LOGGING</h2>
+<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
 
     <div class="literallayout"><p><br>
-logging {<br>
-	channel <em class="replaceable"><code>string</code></em> {<br>
-		file <em class="replaceable"><code>log_file</code></em>;<br>
-		syslog <em class="replaceable"><code>optional_facility</code></em>;<br>
-		null;<br>
-		stderr;<br>
-		severity <em class="replaceable"><code>log_severity</code></em>;<br>
-		print-time <em class="replaceable"><code>boolean</code></em>;<br>
-		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
-		print-category <em class="replaceable"><code>boolean</code></em>;<br>
-	};<br>
-	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-};<br>
+managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.16"></a><h2>LWRES</h2>
+<a name="id-1.16"></a><h2>MASTERS</h2>
 
     <div class="literallayout"><p><br>
-lwres {<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-	view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em>;<br>
-	search { <em class="replaceable"><code>string</code></em>; ... };<br>
-	ndots <em class="replaceable"><code>integer</code></em>;<br>
-	lwres-tasks <em class="replaceable"><code>integer</code></em>;<br>
-	lwres-clients <em class="replaceable"><code>integer</code></em>;<br>
-};<br>
+masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
+    <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
+    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
 </p></div>
   </div>
 
@@ -191,535 +177,827 @@ lwres
 
     <div class="literallayout"><p><br>
 options {<br>
-	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
-	avoid-v6-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
+	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
+	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
+	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
+	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	attach-cache <em class="replaceable"><code>string</code></em>;<br>
+	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
+	auto-dnssec ( allow | maintain | off );<br>
+	automatic-interface-scan <em class="replaceable"><code>boolean</code></em>;<br>
+	avoid-v4-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	avoid-v6-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	bindkeys-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	coresize <em class="replaceable"><code>size</code></em>;<br>
-	datasize <em class="replaceable"><code>size</code></em>;<br>
+	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
+	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
+	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	check-dup-records ( fail | warn | ignore );<br>
+	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
+	check-mx-cname ( fail | warn | ignore );<br>
+	check-names ( master | slave | response<br>
+	    ) ( fail | warn | ignore );<br>
+	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+	check-spf ( warn | ignore );<br>
+	check-srv-cname ( fail | warn | ignore );<br>
+	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	cookie-algorithm ( aes | sha1 | sha256 );<br>
+	cookie-secret <em class="replaceable"><code>string</code></em>;<br>
+	coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	dnstap { <em class="replaceable"><code>message_type</code></em>; ... };<br>
-	dnstap-output ( <code class="literal">file</code> | <code class="literal">unix</code> ) <em class="replaceable"><code>path_name</code></em>;<br>
-	dnstap-identity ( <em class="replaceable"><code>string</code></em> | <code class="literal">hostname</code> | <code class="literal">none</code> );<br>
-	dnstap-version ( <em class="replaceable"><code>string</code></em> | <code class="literal">none</code> );<br>
+	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
+	dns64 <em class="replaceable"><code>netprefix</code></em> {<br>
+		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
+		clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		exclude { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		mapped { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
+		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
+	};<br>
+	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
+	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
+	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
+	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-update-mode ( maintain | no-resign );<br>
+	dnssec-validation ( yes | no | auto );<br>
+	dnstap { ( all | auth | client | forwarder |<br>
+	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
+	dnstap-identity ( <em class="replaceable"><code>quoted_string</code></em> | none |<br>
+	    hostname );<br>
+	dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"><br>
+	    size ( unlimited | <em class="replaceable"><code>size</code></em> ) </span>] [<span class="optional"> versions (<br>
+	    unlimited | <em class="replaceable"><code>integer</code></em> ) </span>] [<span class="optional"> suffix ( increment<br>
+	    | timestamp ) </span>];<br>
+	dnstap-version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	dscp <em class="replaceable"><code>integer</code></em>;<br>
+	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
 	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	files <em class="replaceable"><code>size</code></em>;<br>
-	fstrm-set-buffer-hint <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-flush-timeout <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-input-queue-size <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-output-notify-threshold <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-output-queue-model ( <em class="replaceable"><code>mpsc</code></em> | <em class="replaceable"><code>spsc</code></em> ) ;<br>
-	fstrm-set-output-queue-size <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-reopen-interval <em class="replaceable"><code>number</code></em>;<br>
+	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	empty-contact <em class="replaceable"><code>string</code></em>;<br>
+	empty-server <em class="replaceable"><code>string</code></em>;<br>
+	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	files ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
+	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
+	flush-zones-on-shutdown <em class="replaceable"><code>boolean</code></em>;<br>
+	forward ( first | only );<br>
+	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	fstrm-set-buffer-hint <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-flush-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-input-queue-size <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-output-queue-model ( mpsc | spsc );<br>
+	fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
+	geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	geoip-use-ecs ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
-	host-statistics <em class="replaceable"><code>boolean</code></em>; // not implemented<br>
-	host-statistics-max <em class="replaceable"><code>number</code></em>; // not implemented<br>
 	hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
+	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
 	keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	lock-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	masterfile-format ( map | raw | text );<br>
+	masterfile-style ( full | relative );<br>
 	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
+	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
+	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
+	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+	memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
 	memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	message-compression <em class="replaceable"><code>boolean</code></em>;<br>
+	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
+	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
+	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+	notify-rate <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
+	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
 	pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	port <em class="replaceable"><code>integer</code></em>;<br>
+	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
 	querylog <em class="replaceable"><code>boolean</code></em>;<br>
-	recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
 	random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
+	rate-limit {<br>
+		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		exempt-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		ipv4-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		ipv6-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		log-only <em class="replaceable"><code>boolean</code></em>;<br>
+		max-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		min-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		nodata-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		nxdomains-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		qps-scale <em class="replaceable"><code>integer</code></em>;<br>
+		referrals-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		responses-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		slip <em class="replaceable"><code>integer</code></em>;<br>
+		window <em class="replaceable"><code>integer</code></em>;<br>
+	};<br>
+	recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	recursion <em class="replaceable"><code>boolean</code></em>;<br>
 	recursive-clients <em class="replaceable"><code>integer</code></em>;<br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
+	    <em class="replaceable"><code>integer</code></em>;<br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
-	server-id ( <em class="replaceable"><code>quoted_string</code></em> | hostname | none );<br>
-	stacksize <em class="replaceable"><code>size</code></em>;<br>
+	serial-update-method ( date | increment | unixtime );<br>
+	server-id ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
+	servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	session-keyalg <em class="replaceable"><code>string</code></em>;<br>
+	session-keyfile ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	session-keyname <em class="replaceable"><code>string</code></em>;<br>
+	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
 	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br>
+	tcp-advertised-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
+	tcp-idle-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	tcp-initial-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	tcp-keepalive-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-listen-queue <em class="replaceable"><code>integer</code></em>;<br>
 	tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br>
+	tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
 	tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br>
 	tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br>
-	tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
+	transfer-format ( many-answers | one-answer );<br>
 	transfer-message-size <em class="replaceable"><code>integer</code></em>;<br>
-	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
 	transfers-in <em class="replaceable"><code>integer</code></em>;<br>
 	transfers-out <em class="replaceable"><code>integer</code></em>;<br>
-	version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
-	minimal-responses ( <em class="replaceable"><code>boolean</code></em> | no-auth | no-auth-recursive );<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	};<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
-	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
-	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
-	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
-	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
-	check-mx-cname ( fail | warn | ignore );<br>
-	check-srv-cname ( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
-	catalog-zones {<br>
-	    zone <em class="replaceable"><code>quoted_string</code></em><br>
-		[<span class="optional"> default-masters<br>
-		[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]<br>
-		[<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]<br>
-		{ ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }</span>]<br>
-	    [<span class="optional">in-memory <em class="replaceable"><code>yes_or_no</code></em></span>]<br>
-	    [<span class="optional">min-update-interval <em class="replaceable"><code>interval</code></em></span>]<br>
-	    ; ... };<br>
-	;<br>
-	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
-	};<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
-	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	dns64-server <em class="replaceable"><code>string</code></em>;<br>
-	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
-	dns64 <em class="replaceable"><code>prefix</code></em> {<br>
-		clients { <em class="replaceable"><code>acl</code></em>; };<br>
-		exclude { <em class="replaceable"><code>acl</code></em>; };<br>
-		mapped { <em class="replaceable"><code>acl</code></em>; };<br>
-		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
-		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
-	};<br>
-<br>
-	empty-server <em class="replaceable"><code>string</code></em>;<br>
-	empty-contact <em class="replaceable"><code>string</code></em>;<br>
-	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
+	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
+	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
 	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw | map );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	max-records <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-	sig-re-signing-interval <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>;<br>
-	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
+	use-v4-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	use-v6-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	v6-bias <em class="replaceable"><code>integer</code></em>;<br>
+	version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-	automatic-interface-scan <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	cookie-algorithm ( <em class="replaceable"><code>aes</code></em> | <em class="replaceable"><code>sha1</code></em> | <em class="replaceable"><code>sha256</code></em> );<br>
-	cookie-secret <em class="replaceable"><code>string</code></em>;<br>
-	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	response-padding {<br>
-		<em class="replaceable"><code>address_match_list</code></em><br>
-	} block-size <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	deny-answer-addresses {<br>
-		<em class="replaceable"><code>address_match_list</code></em><br>
-	} [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
-	deny-answer-aliases {<br>
-		<em class="replaceable"><code>namelist</code></em><br>
-	} [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
-<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
-	deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	has-old-clients <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	multiple-cnames <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	named-xfer <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br>
-	treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	use-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
+	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.18"></a><h2>VIEW</h2>
+<a name="id-1.18"></a><h2>SERVER</h2>
 
     <div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	key <em class="replaceable"><code>string</code></em> {<br>
-		algorithm <em class="replaceable"><code>string</code></em>;<br>
-		secret <em class="replaceable"><code>string</code></em>;<br>
-	};<br>
-<br>
-	zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-		...<br>
-	};<br>
-<br>
-	server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
-		...<br>
-	};<br>
-<br>
-	trusted-keys {<br>
-		<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	};<br>
-<br>
-	managed-keys {<br>
-		<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	};<br>
-<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
-	minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	};<br>
+server <em class="replaceable"><code>netprefix</code></em> {<br>
+	bogus <em class="replaceable"><code>boolean</code></em>;<br>
+	edns <em class="replaceable"><code>boolean</code></em>;<br>
+	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	edns-version <em class="replaceable"><code>integer</code></em>;<br>
+	keys <em class="replaceable"><code>server_key</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	padding <em class="replaceable"><code>integer</code></em>;<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
+	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
+	tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
+	transfer-format ( many-answers | one-answer );<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfers <em class="replaceable"><code>integer</code></em>;<br>
+};<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
+
+    <div class="literallayout"><p><br>
+statistics-channels {<br>
+	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
+	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    allow { <em class="replaceable"><code>address_match_element</code></em>; ...<br>
+	    } </span>];<br>
+};<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.20"></a><h2>TRUSTED-KEYS</h2>
+
+    <div class="literallayout"><p><br>
+trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.21"></a><h2>VIEW</h2>
+
+    <div class="literallayout"><p><br>
+view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
-	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
-	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
-	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
+	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
+	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	attach-cache <em class="replaceable"><code>string</code></em>;<br>
+	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
+	auto-dnssec ( allow | maintain | off );<br>
+	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
+	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
+	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
 	check-mx-cname ( fail | warn | ignore );<br>
+	check-names ( master | slave | response<br>
+	    ) ( fail | warn | ignore );<br>
+	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+	check-spf ( warn | ignore );<br>
 	check-srv-cname ( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
-	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
+	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
+	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
+	dlz <em class="replaceable"><code>string</code></em> {<br>
+		database <em class="replaceable"><code>string</code></em>;<br>
+		search <em class="replaceable"><code>boolean</code></em>;<br>
 	};<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
-	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	dns64-server <em class="replaceable"><code>string</code></em>;<br>
-	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
-	dns64 <em class="replaceable"><code>prefix</code></em> {<br>
-		clients { <em class="replaceable"><code>acl</code></em>; };<br>
-		exclude { <em class="replaceable"><code>acl</code></em>; };<br>
-		mapped { <em class="replaceable"><code>acl</code></em>; };<br>
+	dns64 <em class="replaceable"><code>netprefix</code></em> {<br>
 		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
+		clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		exclude { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		mapped { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
 		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
 	};<br>
-<br>
-	empty-server <em class="replaceable"><code>string</code></em>;<br>
+	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
+	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
+	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
+	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-update-mode ( maintain | no-resign );<br>
+	dnssec-validation ( yes | no | auto );<br>
+	dnstap { ( all | auth | client | forwarder |<br>
+	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
+	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
+	dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
+	    <em class="replaceable"><code>unspecified-text</code></em> };<br>
+	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	empty-contact <em class="replaceable"><code>string</code></em>;<br>
+	empty-server <em class="replaceable"><code>string</code></em>;<br>
 	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw | map );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
+	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
+	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
+	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
+	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
+	key <em class="replaceable"><code>string</code></em> {<br>
+		algorithm <em class="replaceable"><code>string</code></em>;<br>
+		secret <em class="replaceable"><code>string</code></em>;<br>
 	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+	masterfile-format ( map | raw | text );<br>
+	masterfile-style ( full | relative );<br>
+	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
+	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
+	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
+	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+	message-compression <em class="replaceable"><code>boolean</code></em>;<br>
 	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
+	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
+	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
+	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	rate-limit {<br>
+		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		exempt-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		ipv4-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		ipv6-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		log-only <em class="replaceable"><code>boolean</code></em>;<br>
+		max-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		min-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		nodata-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		nxdomains-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		qps-scale <em class="replaceable"><code>integer</code></em>;<br>
+		referrals-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		responses-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		slip <em class="replaceable"><code>integer</code></em>;<br>
+		window <em class="replaceable"><code>integer</code></em>;<br>
+	};<br>
+	recursion <em class="replaceable"><code>boolean</code></em>;<br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
+	    <em class="replaceable"><code>integer</code></em>;<br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	serial-update-method ( date | increment | unixtime );<br>
+	server <em class="replaceable"><code>netprefix</code></em> {<br>
+		bogus <em class="replaceable"><code>boolean</code></em>;<br>
+		edns <em class="replaceable"><code>boolean</code></em>;<br>
+		edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+		edns-version <em class="replaceable"><code>integer</code></em>;<br>
+		keys <em class="replaceable"><code>server_key</code></em>;<br>
+		max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		padding <em class="replaceable"><code>integer</code></em>;<br>
+		provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+		query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port<br>
+		    ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
+		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"><br>
+		    port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
+		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+		request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+		send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+		tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
+		tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
+		transfer-format ( many-answers | one-answer );<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfers <em class="replaceable"><code>integer</code></em>;<br>
+	};<br>
+	servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	transfer-format ( many-answers | one-answer );<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
+	trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
+	    ... };<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
+	v6-bias <em class="replaceable"><code>integer</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
+	zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+		allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
+		    <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] |<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>];<br>
+		    ... };<br>
+		alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		auto-dnssec ( allow | maintain | off );<br>
+		check-dup-records ( fail | warn | ignore );<br>
+		check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+		check-mx ( fail | warn | ignore );<br>
+		check-mx-cname ( fail | warn | ignore );<br>
+		check-names ( fail | warn | ignore );<br>
+		check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+		check-spf ( warn | ignore );<br>
+		check-srv-cname ( fail | warn | ignore );<br>
+		check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+		database <em class="replaceable"><code>string</code></em>;<br>
+		delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
+		dialup ( notify | notify-passive | passive | refresh |<br>
+		    <em class="replaceable"><code>boolean</code></em> );<br>
+		dlz <em class="replaceable"><code>string</code></em>;<br>
+		dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
+		dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+		dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+		dnssec-update-mode ( maintain | no-resign );<br>
+		file <em class="replaceable"><code>quoted_string</code></em>;<br>
+		forward ( first | only );<br>
+		forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+		    dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		in-view <em class="replaceable"><code>string</code></em>;<br>
+		inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
+		ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
+		journal <em class="replaceable"><code>quoted_string</code></em>;<br>
+		key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+		masterfile-format ( map | raw | text );<br>
+		masterfile-style ( full | relative );<br>
+		masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em><br>
+		    | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"><br>
+		    port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+		max-ixfr-log-size ( default | unlimited |<br>
+		max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+		max-records <em class="replaceable"><code>integer</code></em>;<br>
+		max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+		max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+		max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+		min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+		min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+		multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+		notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+		notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+		nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+		pubkey <em class="replaceable"><code>integer</code></em><br>
+		    <em class="replaceable"><code>integer</code></em><br>
+		    <em class="replaceable"><code>integer</code></em><br>
+		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+		serial-update-method ( date | increment | unixtime );<br>
+		server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"><br>
+		    port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+		sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+		sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+		sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+		sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
+		type ( delegation-only | forward | hint | master | redirect<br>
+		    | slave | static-stub | stub );<br>
+		update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+		update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> (<br>
+		    6to4-self | external | krb5-self | krb5-subdomain |<br>
+		    ms-self | ms-subdomain | name | self | selfsub |<br>
+		    selfwild | subdomain | tcp-self | wildcard | zonesub )<br>
+		    [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+		use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
+		zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
+		zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
+	};<br>
+	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.19"></a><h2>ZONE</h2>
+<a name="id-1.22"></a><h2>ZONE</h2>
 
     <div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	type ( master | slave | stub | hint | redirect |<br>
-		forward | delegation-only );<br>
-	file <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
-	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>masters</code></em> |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	database <em class="replaceable"><code>string</code></em>;<br>
-	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
-	check-names ( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
-	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
-	check-mx-cname ( fail | warn | ignore );<br>
-	check-srv-cname ( fail | warn | ignore );<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
-	journal <em class="replaceable"><code>quoted_string</code></em>;<br>
-	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
+zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-policy <em class="replaceable"><code>local</code></em> | <em class="replaceable"><code> {<br>
-		( grant | deny ) <em class="replaceable"><code>string</code></em><br>
-		( name | subdomain | wildcard | self | selfsub | selfwild |<br>
-		  krb5-self | ms-self | krb5-subdomain | ms-subdomain |<br>
-		  tcp-self | zonesub | 6to4-self ) <em class="replaceable"><code>string</code></em><br>
-		<em class="replaceable"><code>rrtypelist</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	}</code></em>;<br>
-	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	auto-dnssec ( allow | maintain | off );<br>
+	check-dup-records ( fail | warn | ignore );<br>
+	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
+	check-mx-cname ( fail | warn | ignore );<br>
+	check-names ( fail | warn | ignore );<br>
+	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+	check-spf ( warn | ignore );<br>
+	check-srv-cname ( fail | warn | ignore );<br>
+	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+	database <em class="replaceable"><code>string</code></em>;<br>
+	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
+	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
+	dlz <em class="replaceable"><code>string</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw | map );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
+	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-update-mode ( maintain | no-resign );<br>
+	file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	in-view <em class="replaceable"><code>string</code></em>;<br>
+	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
+	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
+	journal <em class="replaceable"><code>quoted_string</code></em>;<br>
+	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	masterfile-format ( map | raw | text );<br>
+	masterfile-style ( full | relative );<br>
+	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
 	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+	serial-update-method ( date | increment | unixtime );<br>
+	server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
-<br>
-	ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
+	type ( delegation-only | forward | hint | master | redirect | slave<br>
+	    | static-stub | stub );<br>
+	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+	update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
+	    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
+	    | name | self | selfsub | selfwild | subdomain | tcp-self |<br>
+	    wildcard | zonesub ) [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
+	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
+	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.20"></a><h2>FILES</h2>
+<a name="id-1.23"></a><h2>FILES</h2>
 
     <p><code class="filename">/etc/named.conf</code>
     </p>
   </div>
 
   <div class="refsection">
-<a name="id-1.21"></a><h2>SEE ALSO</h2>
+<a name="id-1.24"></a><h2>SEE ALSO</h2>
 
     <p><span class="citerefentry">
+	<span class="refentrytitle">ddns-confgen</span>(8)
+      </span>,
+      <span class="citerefentry">
 	<span class="refentrytitle">named</span>(8)
       </span>,
       <span class="citerefentry">
@@ -728,6 +1006,9 @@ zone
       <span class="citerefentry">
 	<span class="refentrytitle">rndc</span>(8)
       </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">rndc-confgen</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
   </div>
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 3746dbdebbf..d01bc7c8898 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -214,7 +214,7 @@ causes the output file to be rolled automatically, similar to log files; the mos
 is specified, then the number of backup log files is limited to that number\&.
 .RE
 .PP
-\fBdumpdb \fR\fB[\-all|\-cache|\-zone|\-adb|\-bad|\-fail]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
+\fBdumpdb \fR\fB[\-all|\-cache|\-zones|\-adb|\-bad|\-fail]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
 .RS 4
 Dump the server\*(Aqs caches (default) and/or zones to the dump file for the specified views\&. If no view is specified, all views are dumped\&. (See the
 \fBdump\-file\fR
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index f47f4e562ee..895f056a03d 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -274,14 +274,12 @@
 	    number of backup log files is limited to that number.
 	  </p>
 	</dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
 <dd>
 	  <p>
 	    Dump the server's caches (default) and/or zones to
-	    the
-	    dump file for the specified views.  If no view is
-	    specified, all
-	    views are dumped.
+	    the dump file for the specified views.  If no view
+            is specified, all views are dumped.
 	    (See the <span class="command"><strong>dump-file</strong></span> option in
 	    the BIND 9 Administrator Reference Manual.)
 	  </p>
diff --git a/bin/tools/dnstap-read.1 b/bin/tools/dnstap-read.1
index dd2435970c9..7b04ae47147 100644
--- a/bin/tools/dnstap-read.1
+++ b/bin/tools/dnstap-read.1
@@ -39,7 +39,7 @@
 dnstap-read \- print dnstap data in human\-readable form
 .SH "SYNOPSIS"
 .HP \w'\fBdnstap\-read\fR\ 'u
-\fBdnstap\-read\fR [\fB\-m\fR] [\fB\-p\fR] [\fB\-y\fR] {\fIfile\fR}
+\fBdnstap\-read\fR [\fB\-m\fR] [\fB\-p\fR] [\fB\-x\fR] [\fB\-y\fR] {\fIfile\fR}
 .SH "DESCRIPTION"
 .PP
 \fBdnstap\-read\fR
@@ -66,6 +66,15 @@ data, print the text form of the DNS message that was encapsulated in the
 frame\&.
 .RE
 .PP
+\-x
+.RS 4
+After printing the
+\fBdnstap\fR
+data, print a hex dump of the wire form of the DNS message that was encapsulated in the
+\fBdnstap\fR
+frame\&.
+.RE
+.PP
 \-y
 .RS 4
 Print
diff --git a/bin/tools/dnstap-read.html b/bin/tools/dnstap-read.html
index 1b5a3c36603..30476599e4b 100644
--- a/bin/tools/dnstap-read.html
+++ b/bin/tools/dnstap-read.html
@@ -35,6 +35,7 @@
       <code class="command">dnstap-read</code> 
        [<code class="option">-m</code>]
        [<code class="option">-p</code>]
+       [<code class="option">-x</code>]
        [<code class="option">-y</code>]
        {<em class="replaceable"><code>file</code></em>}
     </p></div>
@@ -72,6 +73,14 @@
             <span class="command"><strong>dnstap</strong></span> frame.
           </p>
         </dd>
+<dt><span class="term">-x</span></dt>
+<dd>
+          <p>
+            After printing the <span class="command"><strong>dnstap</strong></span> data, print
+            a hex dump of the wire form of the DNS message that was
+            encapsulated in the <span class="command"><strong>dnstap</strong></span> frame.
+          </p>
+        </dd>
 <dt><span class="term">-y</span></dt>
 <dd>
           <p>
diff --git a/configure b/configure
index 3dac59d422c..399e309641c 100755
--- a/configure
+++ b/configure
@@ -956,7 +956,6 @@ infodir
 docdir
 oldincludedir
 includedir
-runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -1112,7 +1111,6 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1365,15 +1363,6 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
-  -runstatedir | --runstatedir | --runstatedi | --runstated \
-  | --runstate | --runstat | --runsta | --runst | --runs \
-  | --run | --ru | --r)
-    ac_prev=runstatedir ;;
-  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
-  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
-  | --run=* | --ru=* | --r=*)
-    runstatedir=$ac_optarg ;;
-
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1511,7 +1500,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir runstatedir
+		libdir localedir mandir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1664,7 +1653,6 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
-  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 75074130a0e..c9a5a9e4b2a 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -83,11 +83,6 @@
         option can be used to limit the amount of memory used by the cache,
         at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
         traffic.
-        Additionally, if additional section caching
-        (<a class="xref" href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
-        the <span class="command"><strong>max-acache-size</strong></span> option can be used to
-        limit the amount
-        of memory used by the mechanism.
         It is still good practice to have enough memory to load
         all zone and cache data into memory &#8212; unfortunately, the best
         way
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 4aa5b7c1843..f09fd3571df 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -2644,8 +2644,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
   [ <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>duration</code></em> ; ]
   [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ; ]
   [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ; ]
-  [ <span class="command"><strong>additional-from-auth</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>additional-from-cache</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
   [ <span class="command"><strong>random-device</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
   [ <span class="command"><strong>max-cache-size</strong></span> <em class="replaceable"><code>size_or_percent</code></em> ; ]
   [ <span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
@@ -2671,9 +2669,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
   [ <span class="command"><strong>querylog</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
   [ <span class="command"><strong>disable-algorithms</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>algorithm</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
   [ <span class="command"><strong>disable-ds-digests</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>digest_type</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
-  [ <span class="command"><strong>acache-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-  [ <span class="command"><strong>acache-cleaning-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-  [ <span class="command"><strong>max-acache-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
   [ <span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>number</code></em> ; ]
   [ <span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>number</code></em> ; ]
   [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
@@ -4197,7 +4192,7 @@ options {
                   both authoritative and recursive queries.
                 </p>
                 <p>
-                  The default is <strong class="userinput"><code>no</code></strong>.
+                  The default is <strong class="userinput"><code>yes</code></strong>.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>minimal-any</strong></span></span></dt>
@@ -4527,92 +4522,6 @@ options {
                   and the option is ignored.
                 </p>
               </dd>
-<dt>
-<span class="term"><span class="command"><strong>additional-from-auth</strong></span>, </span><span class="term"><span class="command"><strong>additional-from-cache</strong></span></span>
-</dt>
-<dd>
-
-                <p>
-                  These options control the behavior of an authoritative
-                  server when
-                  answering queries which have additional data, or when
-                  following CNAME
-                  and DNAME chains.
-                </p>
-
-                <p>
-                  When both of these options are set to <strong class="userinput"><code>yes</code></strong>
-                  (the default) and a
-                  query is being answered from authoritative data (a zone
-                  configured into the server), the additional data section of
-                  the
-                  reply will be filled in using data from other authoritative
-                  zones
-                  and from the cache.  In some situations this is undesirable,
-                  such
-                  as when there is concern over the correctness of the cache,
-                  or
-                  in servers where slave zones may be added and modified by
-                  untrusted third parties.  Also, avoiding
-                  the search for this additional data will speed up server
-                  operations
-                  at the possible expense of additional queries to resolve
-                  what would
-                  otherwise be provided in the additional section.
-                </p>
-
-                <p>
-                  For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
-                  and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-                  records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
-                  if known, even though they are not in the example.com zone.
-                  Setting these options to <span class="command"><strong>no</strong></span>
-                  disables this behavior and makes
-                  the server only search for additional data in the zone it
-                  answers from.
-                </p>
-
-                <p>
-                  These options are intended for use in authoritative-only
-                  servers, or in authoritative-only views.  Attempts to set
-                  them to <span class="command"><strong>no</strong></span> without also
-                  specifying
-                  <span class="command"><strong>recursion no</strong></span> will cause the
-                  server to
-                  ignore the options and log a warning message.
-                </p>
-
-                <p>
-                  Specifying <span class="command"><strong>additional-from-cache no</strong></span> actually
-                  disables the use of the cache not only for additional data
-                  lookups
-                  but also when looking up the answer.  This is usually the
-                  desired
-                  behavior in an authoritative-only server where the
-                  correctness of
-                  the cached data is an issue.
-                </p>
-
-                <p>
-                  When a name server is non-recursively queried for a name
-                  that is not
-                  below the apex of any served zone, it normally answers with
-                  an
-                  "upwards referral" to the root servers or the servers of
-                  some other
-                  known parent of the query name.  Since the data in an
-                  upwards referral
-                  comes from the cache, the server will not be able to provide
-                  upwards
-                  referrals when <span class="command"><strong>additional-from-cache no</strong></span>
-                  has been specified.  Instead, it will respond to such
-                  queries
-                  with REFUSED.  This should not cause any problems since
-                  upwards referrals are not required for the resolution
-                  process.
-                </p>
-
-              </dd>
 <dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt>
 <dd>
                 <p>
@@ -6612,7 +6521,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
           <p>
             The response to a DNS query may consist of multiple resource
-            records (RRs) forming a resource records set (RRset).
+            records (RRs) forming a resource record set (RRset).
             The name server will normally return the
             RRs within the RRset in an indeterminate order
             (but see the <span class="command"><strong>rrset-order</strong></span>
@@ -6728,17 +6637,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
           <p>
             When multiple records are returned in an answer it may be
             useful to configure the order of the records placed into the
-            response.
-            The <span class="command"><strong>rrset-order</strong></span> statement permits
-            configuration
-            of the ordering of the records in a multiple record response.
+            response.  The <span class="command"><strong>rrset-order</strong></span> statement permits
+            configuration of the ordering of the records in a
+            multiple-record response.
             See also the <span class="command"><strong>sortlist</strong></span> statement,
             <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a>.
           </p>
-
           <p>
-            An <span class="command"><strong>order_spec</strong></span> is defined as
-            follows:
+            An <span class="command"><strong>order_spec</strong></span> is defined as follows:
           </p>
           <p>
             [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
@@ -6768,7 +6674,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 <td>
                     <p>
                       Records are returned in the order they
-                      are defined in the zone file.
+                      are defined in the zone file. This option
+                      is only available if <acronym class="acronym">BIND</acronym>
+                      is configured with "--enable-fixed-rrset" at
+                      compile time.
                     </p>
                   </td>
 </tr>
@@ -6788,29 +6697,45 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   </td>
 <td>
                     <p>
-                      Records are returned in a cyclic round-robin order.
+                      Records are returned in a cyclic round-robin order,
+                      rotating by one record per query.
                     </p>
                     <p>
-                      If <acronym class="acronym">BIND</acronym> is configured with the
-                      "--enable-fixed-rrset" option at compile time, then
+                      If <acronym class="acronym">BIND</acronym> is configured with
+                      "--enable-fixed-rrset" at compile time, then
                       the initial ordering of the RRset will match the
-                      one specified in the zone file.
+                      one specified in the zone file; otherwise the
+                      initial ordering is indeterminate.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>none</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in whatever order they were
+                      retrieved from the database.  This order is
+                      indeterminate, but will be consistent as long as the
+                      database is not modified. When no ordering is
+                      specified, this is the default.
                     </p>
                   </td>
 </tr>
 </tbody>
 </table>
           </div>
+          <p>
+          </p>
           <p>
             For example:
           </p>
-
 <pre class="programlisting">rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
 };
 </pre>
-
           <p>
             will cause any responses for type A records in class IN that
             have "<code class="literal">host.example.com</code>" as a
@@ -6822,7 +6747,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             appear, they are not combined &#8212; the last one applies.
           </p>
           <p>
-            By default, all records are returned in random order.
+            By default, records are returned in indeterminate but
+            consistent order (see <span class="command"><strong>none</strong></span> above).
           </p>
 
           <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
@@ -7520,113 +7446,6 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
         <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="acache"></a>Additional Section Caching</h4></div></div></div>
-
-
-          <p>
-            The additional section cache, also called <span class="command"><strong>acache</strong></span>,
-            is an internal cache to improve the response performance of BIND 9.
-            When additional section caching is enabled, BIND 9 will
-            cache an internal short-cut to the additional section content for
-            each answer RR.
-            Note that <span class="command"><strong>acache</strong></span> is an internal caching
-            mechanism of BIND 9, and is not related to the DNS caching
-            server function.
-          </p>
-
-          <p>
-            Additional section caching does not change the
-            response content (except the RRsets ordering of the additional
-            section, see below), but can improve the response performance
-            significantly.
-            It is particularly effective when BIND 9 acts as an authoritative
-            server for a zone that has many delegations with many glue RRs.
-          </p>
-
-          <p>
-            In order to obtain the maximum performance improvement
-            from additional section caching, setting
-            <span class="command"><strong>additional-from-cache</strong></span>
-            to <span class="command"><strong>no</strong></span> is recommended, since the current
-            implementation of <span class="command"><strong>acache</strong></span>
-            does not short-cut of additional section information from the
-            DNS cache data.
-          </p>
-
-          <p>
-            One obvious disadvantage of <span class="command"><strong>acache</strong></span> is
-            that it requires much more
-            memory for the internal cached data.
-            Thus, if the response performance does not matter and memory
-            consumption is much more critical, the
-            <span class="command"><strong>acache</strong></span> mechanism can be
-            disabled by setting <span class="command"><strong>acache-enable</strong></span> to
-            <span class="command"><strong>no</strong></span>.
-            It is also possible to specify the upper limit of memory
-            consumption
-            for acache by using <span class="command"><strong>max-acache-size</strong></span>.
-          </p>
-
-          <p>
-            Additional section caching also has a minor effect on the
-            RRset ordering in the additional section.
-            Without <span class="command"><strong>acache</strong></span>,
-            <span class="command"><strong>cyclic</strong></span> order is effective for the additional
-            section as well as the answer and authority sections.
-            However, additional section caching fixes the ordering when it
-            first caches an RRset for the additional section, and the same
-            ordering will be kept in succeeding responses, regardless of the
-            setting of <span class="command"><strong>rrset-order</strong></span>.
-            The effect of this should be minor, however, since an
-            RRset in the additional section
-            typically only contains a small number of RRs (and in many cases
-            it only contains a single RR), in which case the
-            ordering does not matter much.
-          </p>
-
-          <p>
-            The following is a summary of options related to
-            <span class="command"><strong>acache</strong></span>.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>acache-enable</strong></span></span></dt>
-<dd>
-                <p>
-                  If <span class="command"><strong>yes</strong></span>, additional section caching is
-                  enabled.  The default value is <span class="command"><strong>no</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>acache-cleaning-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  The server will remove stale cache entries, based on an LRU
-                  based
-                  algorithm, every <span class="command"><strong>acache-cleaning-interval</strong></span> minutes.
-                  The default is 60 minutes.
-                  If set to 0, no periodic cleaning will occur.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-acache-size</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of memory in bytes to use for the server's acache.
-                  When the amount of data in the acache reaches this limit,
-                  the server
-                  will clean more aggressively so that the limit is not
-                  exceeded.
-                  In a server with multiple views, the limit applies
-                  separately to the
-                  acache of each view.
-                  The default is <code class="literal">16M</code>.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
 <a name="content_filtering"></a>Content Filtering</h4></div></div></div>
 
           <p>
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 0ad287cfa4a..096e070c316 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -197,6 +197,58 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+	  Many aspects of <span class="command"><strong>named</strong></span> have been modified
+	  to improve query performance, and in particular, performance
+	  for delegation-heavy zones:
+	</p>
+	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+<li class="listitem">
+	    <p>
+	      The additional cache ("acache") was found not to
+	      significantly improve performance and has been removed;
+	      the <span class="command"><strong>acache-enable</strong></span> and
+	      <span class="command"><strong>acache-cleaning-interval</strong></span> options are now
+	      deprecated.
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
+	      In place of the acache, <span class="command"><strong>named</strong></span> now uses
+	      a glue cache to speed up retrieval of glue records when sending
+	      delegation responses.
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
+	      The <span class="command"><strong>additional-from-cache</strong></span>
+	      and <span class="command"><strong>additional-from-auth</strong></span> options have been
+	      deprecated.
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
+	      <span class="command"><strong>minimal-responses</strong></span> is now set
+	      to <code class="literal">yes</code> by default.
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
+	      Several functions have been refactored to improve
+	      performance, including name compression, owner name
+	      case restoration, hashing, and buffers.
+	    </p>
+	  </li>
+</ul></div>
+      </li>
+<li class="listitem">
+        <p>
+	  The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
+	  dump of the wire format DNS message encapsulated in each
+	  <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
+	</p>
+      </li>
 <li class="listitem">
         <p>
 	  The <span class="command"><strong>host -A</strong></span> option returns most
@@ -309,6 +361,16 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+	<p>
+	  Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
+	  names to assist debugging on operating systems that support that.
+	  Threads will have names such as "isc-timer", "isc-sockmgr",
+	  "isc-worker0001", and so on. This will affect the reporting of
+	  subsidiary thread names in <span class="command"><strong>ps</strong></span> and
+	  <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
+	</p>
+      </li>
 <li class="listitem">
 	<p>
 	  The Response Policy Zone (RPZ) implementation has been
@@ -355,61 +417,11 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  A synthesized CNAME record appearing in a response before the
-	  associated DNAME could be cached, when it should not have been.
-	  This was a regression introduced while addressing CVE-2016-8864.
-	  [RT #44318]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> could deadlock if multiple changes
-	  to NSEC/NSEC3 parameters for the same zone were being processed
-	  at the same time. [RT #42770]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> could trigger an assertion when
-	  sending NOTIFY messages. [RT #44019]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
-	  statement could cause an assertion failure during configuration.
-	  [RT #43787]
-	</p>
-      </li>
-<li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  <span class="command"><strong>rndc addzone</strong></span> could cause a crash
-	  when attempting to add a zone with a type other than
-	  <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
-	  Such zones are now rejected. [RT #43665]
+	  None.
 	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> could hang when encountering log
-	  file names with large apparent gaps in version number (for
-	  example, when files exist called "logfile.0", "logfile.1",
-	  and "logfile.1482954169").  This is now handled correctly.
-	  [RT #38688]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  If a zone was updated while <span class="command"><strong>named</strong></span> was
-	  processing a query for nonexistent data, it could return
-	  out-of-sync NSEC3 records causing potential DNSSEC validation
-	  failure. [RT #43247]
-	</p>
-      </li>
-</ul></div>
+      </li></ul></div>
   </div>
 
   <div class="section">
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index e5977e7bc2e..cfca830eca9 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -141,7 +141,7 @@
 	  <p>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 512 and 2048 bits.  Diffie Hellman keys must be between
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
 	    128 and 4096 bits.  DSA keys must be between 512 and 1024
 	    bits and an exact multiple of 64.  HMAC keys must be
 	    between 1 and 512 bits. Elliptic curve algorithms don't need
diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html
index 1d3b2bb2351..c71f5d9a7ba 100644
--- a/doc/arm/man.dnstap-read.html
+++ b/doc/arm/man.dnstap-read.html
@@ -53,6 +53,7 @@
       <code class="command">dnstap-read</code> 
        [<code class="option">-m</code>]
        [<code class="option">-p</code>]
+       [<code class="option">-x</code>]
        [<code class="option">-y</code>]
        {<em class="replaceable"><code>file</code></em>}
     </p></div>
@@ -90,6 +91,14 @@
             <span class="command"><strong>dnstap</strong></span> frame.
           </p>
         </dd>
+<dt><span class="term">-x</span></dt>
+<dd>
+          <p>
+            After printing the <span class="command"><strong>dnstap</strong></span> data, print
+            a hex dump of the wire form of the DNS message that was
+            encapsulated in the <span class="command"><strong>dnstap</strong></span> frame.
+          </p>
+        </dd>
 <dt><span class="term">-y</span></dt>
 <dd>
           <p>
diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index 8601cbe646c..536c2035a40 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -80,127 +80,113 @@
 
     <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.9"></a><h2>KEY</h2>
+<a name="id-1.14.20.9"></a><h2>CONTROLS</h2>
 
     <div class="literallayout"><p><br>
-key <em class="replaceable"><code>domain_name</code></em> {<br>
-	algorithm <em class="replaceable"><code>string</code></em>;<br>
-	secret <em class="replaceable"><code>string</code></em>;<br>
+controls {<br>
+	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
+	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] allow<br>
+	    { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	unix <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em><br>
+	    owner <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [<span class="optional"><br>
+	    keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
+	    <em class="replaceable"><code>boolean</code></em> </span>];<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.10"></a><h2>MASTERS</h2>
+<a name="id-1.14.20.10"></a><h2>DLZ</h2>
 
     <div class="literallayout"><p><br>
-masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-	<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
+dlz <em class="replaceable"><code>string</code></em> {<br>
+	database <em class="replaceable"><code>string</code></em>;<br>
+	search <em class="replaceable"><code>boolean</code></em>;<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.11"></a><h2>SERVER</h2>
+<a name="id-1.14.20.11"></a><h2>DYNDB</h2>
 
     <div class="literallayout"><p><br>
-server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
-	bogus <em class="replaceable"><code>boolean</code></em>;<br>
-	edns <em class="replaceable"><code>boolean</code></em>;<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	padding <em class="replaceable"><code>integer</code></em>;<br>
-	tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
-	tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	keys <em class="replaceable"><code>server_key</code></em>;<br>
-	transfers <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	support-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
+dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
+    <em class="replaceable"><code>unspecified-text</code></em> };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.12"></a><h2>TRUSTED-KEYS</h2>
+<a name="id-1.14.20.12"></a><h2>KEY</h2>
 
     <div class="literallayout"><p><br>
-trusted-keys {<br>
-	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
+key <em class="replaceable"><code>string</code></em> {<br>
+	algorithm <em class="replaceable"><code>string</code></em>;<br>
+	secret <em class="replaceable"><code>string</code></em>;<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.13"></a><h2>MANAGED-KEYS</h2>
+<a name="id-1.14.20.13"></a><h2>LOGGING</h2>
 
     <div class="literallayout"><p><br>
-managed-keys {<br>
-	<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
+logging {<br>
+	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
+	channel <em class="replaceable"><code>string</code></em> {<br>
+		buffered <em class="replaceable"><code>boolean</code></em>;<br>
+		file <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) </span>]<br>
+		    [<span class="optional"> size <em class="replaceable"><code>size</code></em> </span>] [<span class="optional"> suffix ( increment | timestamp ) </span>];<br>
+		null;<br>
+		print-category <em class="replaceable"><code>boolean</code></em>;<br>
+		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
+		print-time ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );<br>
+		severity <em class="replaceable"><code>log_severity</code></em>;<br>
+		stderr;<br>
+		syslog [<span class="optional"> <em class="replaceable"><code>syslog_facility</code></em> </span>];<br>
+	};<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.14"></a><h2>CONTROLS</h2>
+<a name="id-1.14.20.14"></a><h2>LWRES</h2>
 
     <div class="literallayout"><p><br>
-controls {<br>
-	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-		allow { <em class="replaceable"><code>address_match_element</code></em>; ... }<br>
-		[<span class="optional"> keys { <em class="replaceable"><code>string</code></em>; ... } </span>];<br>
-	unix <em class="replaceable"><code>unsupported</code></em>; // not implemented<br>
+lwres {<br>
+	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	lwres-clients <em class="replaceable"><code>integer</code></em>;<br>
+	lwres-tasks <em class="replaceable"><code>integer</code></em>;<br>
+	ndots <em class="replaceable"><code>integer</code></em>;<br>
+	search { <em class="replaceable"><code>string</code></em>; ... };<br>
+	view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>];<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.15"></a><h2>LOGGING</h2>
+<a name="id-1.14.20.15"></a><h2>MANAGED-KEYS</h2>
 
     <div class="literallayout"><p><br>
-logging {<br>
-	channel <em class="replaceable"><code>string</code></em> {<br>
-		file <em class="replaceable"><code>log_file</code></em>;<br>
-		syslog <em class="replaceable"><code>optional_facility</code></em>;<br>
-		null;<br>
-		stderr;<br>
-		severity <em class="replaceable"><code>log_severity</code></em>;<br>
-		print-time <em class="replaceable"><code>boolean</code></em>;<br>
-		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
-		print-category <em class="replaceable"><code>boolean</code></em>;<br>
-	};<br>
-	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-};<br>
+managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.16"></a><h2>LWRES</h2>
+<a name="id-1.14.20.16"></a><h2>MASTERS</h2>
 
     <div class="literallayout"><p><br>
-lwres {<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-	view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em>;<br>
-	search { <em class="replaceable"><code>string</code></em>; ... };<br>
-	ndots <em class="replaceable"><code>integer</code></em>;<br>
-	lwres-tasks <em class="replaceable"><code>integer</code></em>;<br>
-	lwres-clients <em class="replaceable"><code>integer</code></em>;<br>
-};<br>
+masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
+    <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
+    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
 </p></div>
   </div>
 
@@ -209,535 +195,827 @@ lwres
 
     <div class="literallayout"><p><br>
 options {<br>
-	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
-	avoid-v6-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
+	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
+	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
+	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
+	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	attach-cache <em class="replaceable"><code>string</code></em>;<br>
+	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
+	auto-dnssec ( allow | maintain | off );<br>
+	automatic-interface-scan <em class="replaceable"><code>boolean</code></em>;<br>
+	avoid-v4-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	avoid-v6-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	bindkeys-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	coresize <em class="replaceable"><code>size</code></em>;<br>
-	datasize <em class="replaceable"><code>size</code></em>;<br>
+	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
+	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
+	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	check-dup-records ( fail | warn | ignore );<br>
+	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
+	check-mx-cname ( fail | warn | ignore );<br>
+	check-names ( master | slave | response<br>
+	    ) ( fail | warn | ignore );<br>
+	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+	check-spf ( warn | ignore );<br>
+	check-srv-cname ( fail | warn | ignore );<br>
+	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	cookie-algorithm ( aes | sha1 | sha256 );<br>
+	cookie-secret <em class="replaceable"><code>string</code></em>;<br>
+	coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	dnstap { <em class="replaceable"><code>message_type</code></em>; ... };<br>
-	dnstap-output ( <code class="literal">file</code> | <code class="literal">unix</code> ) <em class="replaceable"><code>path_name</code></em>;<br>
-	dnstap-identity ( <em class="replaceable"><code>string</code></em> | <code class="literal">hostname</code> | <code class="literal">none</code> );<br>
-	dnstap-version ( <em class="replaceable"><code>string</code></em> | <code class="literal">none</code> );<br>
+	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
+	dns64 <em class="replaceable"><code>netprefix</code></em> {<br>
+		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
+		clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		exclude { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		mapped { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
+		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
+	};<br>
+	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
+	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
+	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
+	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-update-mode ( maintain | no-resign );<br>
+	dnssec-validation ( yes | no | auto );<br>
+	dnstap { ( all | auth | client | forwarder |<br>
+	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
+	dnstap-identity ( <em class="replaceable"><code>quoted_string</code></em> | none |<br>
+	    hostname );<br>
+	dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"><br>
+	    size ( unlimited | <em class="replaceable"><code>size</code></em> ) </span>] [<span class="optional"> versions (<br>
+	    unlimited | <em class="replaceable"><code>integer</code></em> ) </span>] [<span class="optional"> suffix ( increment<br>
+	    | timestamp ) </span>];<br>
+	dnstap-version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	dscp <em class="replaceable"><code>integer</code></em>;<br>
+	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
 	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	files <em class="replaceable"><code>size</code></em>;<br>
-	fstrm-set-buffer-hint <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-flush-timeout <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-input-queue-size <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-output-notify-threshold <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-output-queue-model ( <em class="replaceable"><code>mpsc</code></em> | <em class="replaceable"><code>spsc</code></em> ) ;<br>
-	fstrm-set-output-queue-size <em class="replaceable"><code>number</code></em>;<br>
-	fstrm-set-reopen-interval <em class="replaceable"><code>number</code></em>;<br>
+	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	empty-contact <em class="replaceable"><code>string</code></em>;<br>
+	empty-server <em class="replaceable"><code>string</code></em>;<br>
+	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	files ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
+	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
+	flush-zones-on-shutdown <em class="replaceable"><code>boolean</code></em>;<br>
+	forward ( first | only );<br>
+	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	fstrm-set-buffer-hint <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-flush-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-input-queue-size <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-output-queue-model ( mpsc | spsc );<br>
+	fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
+	geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	geoip-use-ecs ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
-	host-statistics <em class="replaceable"><code>boolean</code></em>; // not implemented<br>
-	host-statistics-max <em class="replaceable"><code>number</code></em>; // not implemented<br>
 	hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
 	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
+	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
 	keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] {<br>
+	    <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	lock-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	masterfile-format ( map | raw | text );<br>
+	masterfile-style ( full | relative );<br>
 	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
+	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
+	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-records <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
+	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+	memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
 	memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	message-compression <em class="replaceable"><code>boolean</code></em>;<br>
+	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
+	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
+	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+	notify-rate <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
+	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
 	pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	port <em class="replaceable"><code>integer</code></em>;<br>
+	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
 	querylog <em class="replaceable"><code>boolean</code></em>;<br>
-	recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
 	random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
+	rate-limit {<br>
+		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		exempt-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		ipv4-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		ipv6-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		log-only <em class="replaceable"><code>boolean</code></em>;<br>
+		max-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		min-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		nodata-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		nxdomains-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		qps-scale <em class="replaceable"><code>integer</code></em>;<br>
+		referrals-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		responses-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		slip <em class="replaceable"><code>integer</code></em>;<br>
+		window <em class="replaceable"><code>integer</code></em>;<br>
+	};<br>
+	recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	recursion <em class="replaceable"><code>boolean</code></em>;<br>
 	recursive-clients <em class="replaceable"><code>integer</code></em>;<br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
+	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
+	    <em class="replaceable"><code>integer</code></em>;<br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
 	serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
-	server-id ( <em class="replaceable"><code>quoted_string</code></em> | hostname | none );<br>
-	stacksize <em class="replaceable"><code>size</code></em>;<br>
+	serial-update-method ( date | increment | unixtime );<br>
+	server-id ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
+	servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	session-keyalg <em class="replaceable"><code>string</code></em>;<br>
+	session-keyfile ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
+	session-keyname <em class="replaceable"><code>string</code></em>;<br>
+	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
 	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br>
+	tcp-advertised-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
+	tcp-idle-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	tcp-initial-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	tcp-keepalive-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-listen-queue <em class="replaceable"><code>integer</code></em>;<br>
 	tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br>
+	tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
 	tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br>
 	tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br>
-	tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
+	transfer-format ( many-answers | one-answer );<br>
 	transfer-message-size <em class="replaceable"><code>integer</code></em>;<br>
-	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
 	transfers-in <em class="replaceable"><code>integer</code></em>;<br>
 	transfers-out <em class="replaceable"><code>integer</code></em>;<br>
-	version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
-	minimal-responses ( <em class="replaceable"><code>boolean</code></em> | no-auth | no-auth-recursive );<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	};<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
-	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
-	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
-	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
-	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
-	check-mx-cname ( fail | warn | ignore );<br>
-	check-srv-cname ( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
-	catalog-zones {<br>
-	    zone <em class="replaceable"><code>quoted_string</code></em><br>
-		[<span class="optional"> default-masters<br>
-		[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]<br>
-		[<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]<br>
-		{ ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }</span>]<br>
-	    [<span class="optional">in-memory <em class="replaceable"><code>yes_or_no</code></em></span>]<br>
-	    [<span class="optional">min-update-interval <em class="replaceable"><code>interval</code></em></span>]<br>
-	    ; ... };<br>
-	;<br>
-	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
-	};<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
-	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	dns64-server <em class="replaceable"><code>string</code></em>;<br>
-	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
-	dns64 <em class="replaceable"><code>prefix</code></em> {<br>
-		clients { <em class="replaceable"><code>acl</code></em>; };<br>
-		exclude { <em class="replaceable"><code>acl</code></em>; };<br>
-		mapped { <em class="replaceable"><code>acl</code></em>; };<br>
-		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
-		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
-	};<br>
-<br>
-	empty-server <em class="replaceable"><code>string</code></em>;<br>
-	empty-contact <em class="replaceable"><code>string</code></em>;<br>
-	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
+	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
+	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
 	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw | map );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	max-records <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-	sig-re-signing-interval <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>;<br>
-	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
+	use-v4-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	use-v6-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
+	v6-bias <em class="replaceable"><code>integer</code></em>;<br>
+	version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-	automatic-interface-scan <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	cookie-algorithm ( <em class="replaceable"><code>aes</code></em> | <em class="replaceable"><code>sha1</code></em> | <em class="replaceable"><code>sha256</code></em> );<br>
-	cookie-secret <em class="replaceable"><code>string</code></em>;<br>
-	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	response-padding {<br>
-		<em class="replaceable"><code>address_match_list</code></em><br>
-	} block-size <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	deny-answer-addresses {<br>
-		<em class="replaceable"><code>address_match_list</code></em><br>
-	} [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
-	deny-answer-aliases {<br>
-		<em class="replaceable"><code>namelist</code></em><br>
-	} [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
-<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
-	deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	has-old-clients <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	multiple-cnames <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	named-xfer <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br>
-	treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	use-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
+	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.18"></a><h2>VIEW</h2>
+<a name="id-1.14.20.18"></a><h2>SERVER</h2>
 
     <div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	key <em class="replaceable"><code>string</code></em> {<br>
-		algorithm <em class="replaceable"><code>string</code></em>;<br>
-		secret <em class="replaceable"><code>string</code></em>;<br>
-	};<br>
-<br>
-	zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-		...<br>
-	};<br>
-<br>
-	server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
-		...<br>
-	};<br>
-<br>
-	trusted-keys {<br>
-		<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	};<br>
-<br>
-	managed-keys {<br>
-		<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	};<br>
-<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
-	minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	};<br>
+server <em class="replaceable"><code>netprefix</code></em> {<br>
+	bogus <em class="replaceable"><code>boolean</code></em>;<br>
+	edns <em class="replaceable"><code>boolean</code></em>;<br>
+	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	edns-version <em class="replaceable"><code>integer</code></em>;<br>
+	keys <em class="replaceable"><code>server_key</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	padding <em class="replaceable"><code>integer</code></em>;<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
+	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
+	tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
+	transfer-format ( many-answers | one-answer );<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfers <em class="replaceable"><code>integer</code></em>;<br>
+};<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.14.20.19"></a><h2>STATISTICS-CHANNELS</h2>
+
+    <div class="literallayout"><p><br>
+statistics-channels {<br>
+	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
+	    * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    allow { <em class="replaceable"><code>address_match_element</code></em>; ...<br>
+	    } </span>];<br>
+};<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.14.20.20"></a><h2>TRUSTED-KEYS</h2>
+
+    <div class="literallayout"><p><br>
+trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.14.20.21"></a><h2>VIEW</h2>
+
+    <div class="literallayout"><p><br>
+view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
-	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
-	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
-	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
+	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
+	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	attach-cache <em class="replaceable"><code>string</code></em>;<br>
+	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
+	auto-dnssec ( allow | maintain | off );<br>
+	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
+	    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
+	    <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
 	check-mx-cname ( fail | warn | ignore );<br>
+	check-names ( master | slave | response<br>
+	    ) ( fail | warn | ignore );<br>
+	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+	check-spf ( warn | ignore );<br>
 	check-srv-cname ( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
-	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
+	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+	clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
+	    except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
+	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
+	    ... };<br>
+	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
+	dlz <em class="replaceable"><code>string</code></em> {<br>
+		database <em class="replaceable"><code>string</code></em>;<br>
+		search <em class="replaceable"><code>boolean</code></em>;<br>
 	};<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
-	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	dns64-server <em class="replaceable"><code>string</code></em>;<br>
-	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
-	dns64 <em class="replaceable"><code>prefix</code></em> {<br>
-		clients { <em class="replaceable"><code>acl</code></em>; };<br>
-		exclude { <em class="replaceable"><code>acl</code></em>; };<br>
-		mapped { <em class="replaceable"><code>acl</code></em>; };<br>
+	dns64 <em class="replaceable"><code>netprefix</code></em> {<br>
 		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
+		clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		exclude { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		mapped { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
 		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
 	};<br>
-<br>
-	empty-server <em class="replaceable"><code>string</code></em>;<br>
+	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
+	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
+	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
+	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-update-mode ( maintain | no-resign );<br>
+	dnssec-validation ( yes | no | auto );<br>
+	dnstap { ( all | auth | client | forwarder |<br>
+	    resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
+	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
+	dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
+	    <em class="replaceable"><code>unspecified-text</code></em> };<br>
+	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	empty-contact <em class="replaceable"><code>string</code></em>;<br>
+	empty-server <em class="replaceable"><code>string</code></em>;<br>
 	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw | map );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
+	fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
+	fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
+	filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
+	filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
+	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
+	ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
+	key <em class="replaceable"><code>string</code></em> {<br>
+		algorithm <em class="replaceable"><code>string</code></em>;<br>
+		secret <em class="replaceable"><code>string</code></em>;<br>
 	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+	    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+	masterfile-format ( map | raw | text );<br>
+	masterfile-style ( full | relative );<br>
+	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
+	max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
+	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
+	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
+	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
+	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+	message-compression <em class="replaceable"><code>boolean</code></em>;<br>
 	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
+	minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+	no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+	nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
+	nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
+	nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
+	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
+	prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+	    <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
+	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	rate-limit {<br>
+		all-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		exempt-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		ipv4-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		ipv6-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
+		log-only <em class="replaceable"><code>boolean</code></em>;<br>
+		max-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		min-table-size <em class="replaceable"><code>integer</code></em>;<br>
+		nodata-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		nxdomains-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		qps-scale <em class="replaceable"><code>integer</code></em>;<br>
+		referrals-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		responses-per-second <em class="replaceable"><code>integer</code></em>;<br>
+		slip <em class="replaceable"><code>integer</code></em>;<br>
+		window <em class="replaceable"><code>integer</code></em>;<br>
+	};<br>
+	recursion <em class="replaceable"><code>boolean</code></em>;<br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
+	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
+	    <em class="replaceable"><code>integer</code></em>;<br>
+	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
+	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+	    min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
+	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
+	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
+	rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
+	    <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
+	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+	serial-update-method ( date | increment | unixtime );<br>
+	server <em class="replaceable"><code>netprefix</code></em> {<br>
+		bogus <em class="replaceable"><code>boolean</code></em>;<br>
+		edns <em class="replaceable"><code>boolean</code></em>;<br>
+		edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+		edns-version <em class="replaceable"><code>integer</code></em>;<br>
+		keys <em class="replaceable"><code>server_key</code></em>;<br>
+		max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		padding <em class="replaceable"><code>integer</code></em>;<br>
+		provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+		query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port<br>
+		    ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
+		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"><br>
+		    port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
+		    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+		request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
+		send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
+		tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
+		tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
+		transfer-format ( many-answers | one-answer );<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfers <em class="replaceable"><code>integer</code></em>;<br>
+	};<br>
+	servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	transfer-format ( many-answers | one-answer );<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
+	trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
+	    ... };<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
+	v6-bias <em class="replaceable"><code>integer</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
-	nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
+	zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+		allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+		also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
+		    <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] |<br>
+		    <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>];<br>
+		    ... };<br>
+		alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		auto-dnssec ( allow | maintain | off );<br>
+		check-dup-records ( fail | warn | ignore );<br>
+		check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+		check-mx ( fail | warn | ignore );<br>
+		check-mx-cname ( fail | warn | ignore );<br>
+		check-names ( fail | warn | ignore );<br>
+		check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+		check-spf ( warn | ignore );<br>
+		check-srv-cname ( fail | warn | ignore );<br>
+		check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+		database <em class="replaceable"><code>string</code></em>;<br>
+		delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
+		dialup ( notify | notify-passive | passive | refresh |<br>
+		    <em class="replaceable"><code>boolean</code></em> );<br>
+		dlz <em class="replaceable"><code>string</code></em>;<br>
+		dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
+		dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+		dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+		dnssec-update-mode ( maintain | no-resign );<br>
+		file <em class="replaceable"><code>quoted_string</code></em>;<br>
+		forward ( first | only );<br>
+		forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
+		    <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
+		    dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		in-view <em class="replaceable"><code>string</code></em>;<br>
+		inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
+		ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
+		journal <em class="replaceable"><code>quoted_string</code></em>;<br>
+		key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+		masterfile-format ( map | raw | text );<br>
+		masterfile-style ( full | relative );<br>
+		masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em><br>
+		    | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"><br>
+		    port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+		max-ixfr-log-size ( default | unlimited |<br>
+		max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
+		max-records <em class="replaceable"><code>integer</code></em>;<br>
+		max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+		max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+		max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+		max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
+		min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+		min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+		multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+		notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+		notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+		notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
+		    ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
+		    | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+		nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+		pubkey <em class="replaceable"><code>integer</code></em><br>
+		    <em class="replaceable"><code>integer</code></em><br>
+		    <em class="replaceable"><code>integer</code></em><br>
+		request-expire <em class="replaceable"><code>boolean</code></em>;<br>
+		request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+		serial-update-method ( date | increment | unixtime );<br>
+		server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"><br>
+		    port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+		server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+		sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+		sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+		sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+		sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+		    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
+		    <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+		try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
+		type ( delegation-only | forward | hint | master | redirect<br>
+		    | slave | static-stub | stub );<br>
+		update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+		update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> (<br>
+		    6to4-self | external | krb5-self | krb5-subdomain |<br>
+		    ms-self | ms-subdomain | name | self | selfsub |<br>
+		    selfwild | subdomain | tcp-self | wildcard | zonesub )<br>
+		    [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+		use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
+		zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
+		zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
+	};<br>
+	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.19"></a><h2>ZONE</h2>
+<a name="id-1.14.20.22"></a><h2>ZONE</h2>
 
     <div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	type ( master | slave | stub | hint | redirect |<br>
-		forward | delegation-only );<br>
-	file <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
-	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>masters</code></em> |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	database <em class="replaceable"><code>string</code></em>;<br>
-	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
-	check-names ( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
-	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
-	check-mx-cname ( fail | warn | ignore );<br>
-	check-srv-cname ( fail | warn | ignore );<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
-	journal <em class="replaceable"><code>quoted_string</code></em>;<br>
-	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
+zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
+	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-policy <em class="replaceable"><code>local</code></em> | <em class="replaceable"><code> {<br>
-		( grant | deny ) <em class="replaceable"><code>string</code></em><br>
-		( name | subdomain | wildcard | self | selfsub | selfwild |<br>
-		  krb5-self | ms-self | krb5-subdomain | ms-subdomain |<br>
-		  tcp-self | zonesub | 6to4-self ) <em class="replaceable"><code>string</code></em><br>
-		<em class="replaceable"><code>rrtypelist</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	}</code></em>;<br>
-	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
+	    * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	auto-dnssec ( allow | maintain | off );<br>
+	check-dup-records ( fail | warn | ignore );<br>
+	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
+	check-mx-cname ( fail | warn | ignore );<br>
+	check-names ( fail | warn | ignore );<br>
+	check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
+	check-spf ( warn | ignore );<br>
+	check-srv-cname ( fail | warn | ignore );<br>
+	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
+	database <em class="replaceable"><code>string</code></em>;<br>
+	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
+	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
+	dlz <em class="replaceable"><code>string</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw | map );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
+	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
+	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-update-mode ( maintain | no-resign );<br>
+	file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
+	    | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	in-view <em class="replaceable"><code>string</code></em>;<br>
+	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
+	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
+	journal <em class="replaceable"><code>quoted_string</code></em>;<br>
+	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	masterfile-format ( map | raw | text );<br>
+	masterfile-style ( full | relative );<br>
+	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
+	    <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
+	max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
 	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
+	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
+	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
 	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
+	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
+	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
+	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
+	    [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
+	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+	request-expire <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+	serial-update-method ( date | increment | unixtime );<br>
+	server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port<br>
+	    <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
+	server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
+	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
+	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
+	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
+	    </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
-<br>
-	ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
+	type ( delegation-only | forward | hint | master | redirect | slave<br>
+	    | static-stub | stub );<br>
+	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+	update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
+	    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
+	    | name | self | selfsub | selfwild | subdomain | tcp-self |<br>
+	    wildcard | zonesub ) [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
+	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
+	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
+	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.20"></a><h2>FILES</h2>
+<a name="id-1.14.20.23"></a><h2>FILES</h2>
 
     <p><code class="filename">/etc/named.conf</code>
     </p>
   </div>
 
   <div class="refsection">
-<a name="id-1.14.20.21"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.20.24"></a><h2>SEE ALSO</h2>
 
     <p><span class="citerefentry">
+	<span class="refentrytitle">ddns-confgen</span>(8)
+      </span>,
+      <span class="citerefentry">
 	<span class="refentrytitle">named</span>(8)
       </span>,
       <span class="citerefentry">
@@ -746,6 +1024,9 @@ zone
       <span class="citerefentry">
 	<span class="refentrytitle">rndc</span>(8)
       </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">rndc-confgen</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
   </div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index f69d326c73b..9f5de9eacf7 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -292,14 +292,12 @@
 	    number of backup log files is limited to that number.
 	  </p>
 	</dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
 <dd>
 	  <p>
 	    Dump the server's caches (default) and/or zones to
-	    the
-	    dump file for the specified views.  If no view is
-	    specified, all
-	    views are dumped.
+	    the dump file for the specified views.  If no view
+            is specified, all views are dumped.
 	    (See the <span class="command"><strong>dump-file</strong></span> option in
 	    the BIND 9 Administrator Reference Manual.)
 	  </p>
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index c246ce5abea..d80396ab9c8 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -9,180 +9,224 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title></title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 </head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
+
+  <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id-1.2"></a>Release Notes for BIND Version 9.12.0-pre-alpha</h2></div></div></div>
-<div class="section">
+  
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
-<p>
+    <p>
       BIND 9.12.0 is a new feature release of BIND, still under development.
       This document summarizes new features and functional changes that
       have been introduced on this branch.  With each development
       release leading up to the final BIND 9.12.0 release, this document
       will be updated with additional features added and bugs fixed.
     </p>
-</div>
-<div class="section">
+  </div>
+
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_download"></a>Download</h3></div></div></div>
-<p>
+    <p>
       The latest versions of BIND 9 software can always be found at
       <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
       There you will find additional information about each release,
       source code, and pre-compiled versions for Microsoft Windows
       operating systems.
     </p>
-</div>
-<div class="section">
+  </div>
+
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License Change</h3></div></div></div>
-<p>
+    <p>
       With the release of BIND 9.11.0, ISC changed to the open
       source license for BIND from the ISC license to the Mozilla
       Public License (MPL 2.0).
     </p>
-<p>
+    <p>
       The MPL-2.0 license requires that if you make changes to
       licensed software (e.g. BIND) and distribute them outside
       your organization, that you publish those changes under that
       same license. It does not require that you publish or disclose
       anything other than the changes you made to our software.
     </p>
-<p>
+    <p>
       This new requirement will not affect anyone who is using BIND
       without redistributing it, nor anyone redistributing it without
       changes, therefore this change will be without consequence
       for most individuals and organizations who are using BIND.
     </p>
-<p>
+    <p>
       Those unsure whether or not the license change affects their
       use of BIND, or who wish to discuss how to comply with the
       license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
       https://www.isc.org/mission/contact/</a>.
     </p>
-</div>
-<div class="section">
+  </div>
+
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
 	  in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
 	  (CVE-2017-3138). [RT #44924]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
 	  queries could trigger assertion failures. This flaw is disclosed
 	  in CVE-2017-3137. [RT #44734]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
 	  can result in an assertion failure. This flaw is disclosed in
 	  CVE-2017-3136. [RT #44653]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  If a server is configured with a response policy zone (RPZ)
 	  that rewrites an answer with local data, and is also configured
 	  for DNS64 address mapping, a NULL pointer can be read
 	  triggering a server crash.  This flaw is disclosed in
 	  CVE-2017-3135. [RT #44434]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  A coding error in the <code class="option">nxdomain-redirect</code>
 	  feature could lead to an assertion failure if the redirection
 	  namespace was served from a local authoritative data source
 	  such as a local zone or a DLZ instead of via recursive
 	  lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>named</strong></span> could mishandle authority sections
 	  with missing RRSIGs, triggering an assertion failure. This
 	  flaw is disclosed in CVE-2016-9444. [RT #43632]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>named</strong></span> mishandled some responses where
 	  covering RRSIG records were returned without the requested
 	  data, resulting in an assertion failure. This flaw is
 	  disclosed in CVE-2016-9147. [RT #43548]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
 	  records which could trigger an assertion failure when there was
 	  a class mismatch. This flaw is disclosed in CVE-2016-9131.
 	  [RT #43522]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  It was possible to trigger assertions when processing
 	  responses containing answers of type DNAME. This flaw is
 	  disclosed in CVE-2016-8864. [RT #43465]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  Added the ability to specify the maximum number of records
 	  permitted in a zone (<code class="option">max-records #;</code>).
 	  This provides a mechanism to block overly large zone
 	  transfers, which is a potential risk with slave zones from
 	  other parties, as described in CVE-2016-6170.
 	  [RT #42143]
-	</p></li>
+	</p>
+      </li>
 </ul></div>
-</div>
-<div class="section">
+  </div>
+
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-<p>
+        <p>
 	  Many aspects of <span class="command"><strong>named</strong></span> have been modified
 	  to improve query performance, and in particular, performance
 	  for delegation-heavy zones:
 	</p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem"><p>
+	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+<li class="listitem">
+	    <p>
 	      The additional cache ("acache") was found not to
 	      significantly improve performance and has been removed;
 	      the <span class="command"><strong>acache-enable</strong></span> and
 	      <span class="command"><strong>acache-cleaning-interval</strong></span> options are now
 	      deprecated.
-	    </p></li>
-<li class="listitem"><p>
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
 	      In place of the acache, <span class="command"><strong>named</strong></span> now uses
 	      a glue cache to speed up retrieval of glue records when sending
 	      delegation responses.
-	    </p></li>
-<li class="listitem"><p>
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
 	      The <span class="command"><strong>additional-from-cache</strong></span>
 	      and <span class="command"><strong>additional-from-auth</strong></span> options have been
 	      deprecated.
-	    </p></li>
-<li class="listitem"><p>
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
 	      <span class="command"><strong>minimal-responses</strong></span> is now set
 	      to <code class="literal">yes</code> by default.
-	    </p></li>
-<li class="listitem"><p>
+	    </p>
+	  </li>
+<li class="listitem">
+	    <p>
 	      Several functions have been refactored to improve
 	      performance, including name compression, owner name
 	      case restoration, hashing, and buffers.
-	    </p></li>
+	    </p>
+	  </li>
 </ul></div>
-</li>
-<li class="listitem"><p>
+      </li>
+<li class="listitem">
+        <p>
 	  The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
 	  dump of the wire format DNS message encapsulated in each
 	  <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+        <p>
 	  The <span class="command"><strong>host -A</strong></span> option returns most
 	  records for a name, but omits types RRSIG, NSEC and NSEC3.
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+        <p>
 	  Query logic has been substantially refactored (e.g. query_find
 	  function has been split into smaller functions) for improved
 	  readability, maintainability and testability. [RT #43929]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
 	  automatically roll when they reach a specified size. If
 	  <span class="command"><strong>dnstap-output</strong></span> is configured with mode
@@ -192,8 +236,10 @@
 	  (These have the same semantics as the corresponding
 	  options in a <span class="command"><strong>logging</strong></span> channel statement.)
 	  [RT #44502]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
 	  now be configured with a <span class="command"><strong>suffix</strong></span> option,
 	  set to either <code class="literal">increment</code> or
@@ -203,26 +249,34 @@
 	  <code class="filename">.1</code>, <code class="filename">.2</code>, etc)
 	  or suffixes indicating the time of the roll. The default
 	  is <code class="literal">increment</code>.  [RT #42838]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
 	  for EDNS options in addition to numeric values. For example,
 	  an EDNS Client-Subnet option could be sent using
 	  <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
 	  John Worley of Secure64 for the contribution. [RT #44461]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  Added support for the EDNS TCP Keepalive option (RFC 7828);
 	  this allows negotiation of longer-lived TCP sessions
 	  to reduce the overhead of setting up TCP for individual
 	  queries. [RT #42126]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  Added support for the EDNS Padding option (RFC 7830),
 	  which obfuscates packet size analysis when DNS queries
 	  are sent over an encrypted channel. [RT #42094]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  The <code class="option">print-time</code> option in the
 	  <code class="option">logging</code> configuration can now take arguments
 	  <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
@@ -230,49 +284,58 @@
 	  which the date and time should be logged. For backward
 	  compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
 	  <strong class="userinput"><code>local</code></strong>.  [RT #42585]
-	</p></li>
+	</p>
+      </li>
 <li class="listitem">
-<p>
+	<p>
 	  <span class="command"><strong>rndc</strong></span> commands which refer to zone names
 	  can now reference a zone of type <span class="command"><strong>redirect</strong></span>
 	  by using the special zone name "-redirect". (Previously this
 	  was not possible because <span class="command"><strong>redirect</strong></span> zones
 	  always have the name ".", which can be ambiguous.)
 	</p>
-<p>
+	<p>
 	  In the event you need to manipulate a zone actually
 	  called "-redirect", use a trailing dot: "-redirect."
 	</p>
-<p>
+	<p>
 	  Note: This change does not appply to the
 	  <span class="command"><strong>rndc addzone</strong></span> or
 	  <span class="command"><strong>rndc modzone</strong></span> commands.
 	</p>
-</li>
-<li class="listitem"><p>
+      </li>
+<li class="listitem">
+	<p>
 	  <span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
 	  in <code class="filename">named.conf</code>. [RT #43154]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  Query logging now includes the ECS option, if one was
 	  present in the query, in the format
 	  "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
-	</p></li>
+	</p>
+      </li>
 </ul></div>
-</div>
-<div class="section">
+  </div>
+
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+	<p>
 	  Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
 	  names to assist debugging on operating systems that support that.
 	  Threads will have names such as "isc-timer", "isc-sockmgr",
 	  "isc-worker0001", and so on. This will affect the reporting of
 	  subsidiary thread names in <span class="command"><strong>ps</strong></span> and
 	  <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  The Response Policy Zone (RPZ) implementation has been
 	  substantially refactored: updates to the RPZ summary
 	  database are no longer directly performed by the zone
@@ -282,8 +345,10 @@
 	  Summary database updates can be rate-limited by using the
 	  <span class="command"><strong>min-update-interval</strong></span> option in a
 	  <span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+        <p>
 	  <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
 	  addresses for all messages, instead of only the remote address.
 	  The default output format for <span class="command"><strong>dnstap-read</strong></span> has
@@ -291,46 +356,57 @@
 	  address first and the responding address second, separated by
 	  "-%gt;" or "%lt;-" to indicate in which direction the message
 	  was sent. [RT #43595]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  Expanded and improved the YAML output from
 	  <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
 	  size and a detailed breakdown of message contents.
 	  [RT #43622] [RT #43642]
-	</p></li>
-<li class="listitem"><p>
+	</p>
+      </li>
+<li class="listitem">
+	<p>
 	  If an ACL is specified with an address prefix in which the
 	  prefix length is longer than the address portion (for example,
 	  192.0.2.1/8), it will now be treated as a fatal error during
 	  configuration. [RT #43367]
-	</p></li>
+	</p>
+      </li>
 </ul></div>
-</div>
-<div class="section">
+  </div>
+
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+	<p>
 	  None.
-	</p></li></ul></div>
-</div>
-<div class="section">
+	</p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
-<p>
+    <p>
       The end of life for BIND 9.12 is yet to be determined but
       will not be before BIND 9.14.0 has been released for 6 months.
       <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
     </p>
-</div>
-<div class="section">
+  </div>
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-<p>
+
+    <p>
       Thank you to everyone who assisted us in making this release possible.
       If you would like to contribute to ISC to assist us in continuing to
       make quality open source software, please visit our donations page at
       <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
     </p>
+  </div>
 </div>
-</div></div></body>
+</div></body>
 </html>