+ --- 9.12.2rc1 released ---
+
4968. [bug] If glue records are signed, attempt to validate them.
[GL #209]
DNSSEC implementation is still considered experimental. For detailed
information about the state of the DNSSEC implementation, see the file
doc/misc/dnssec.
-
may be useful when debugging
-DISC_HEAP_CHECK Test heap consistency after every heap
operation; used when debugging
-
default without a configure option.
* The obsolete isc-hmac-fixup command has been removed.
+BIND 9.12.2
+
+BIND 9.12.2 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5736, CVE-2018-5737 and
+CVE-2018-5738.
+
BIND 9.12.1
BIND 9.12.1 is a maintenance release.
by default without a configure option.
* The obsolete `isc-hmac-fixup` command has been removed.
+#### BIND 9.12.2
+
+BIND 9.12.2 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5736, CVE-2018-5737 and
+CVE-2018-5738.
+
#### BIND 9.12.1
BIND 9.12.1 is a maintenance release.
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
.PP
\-i
.RS 4
-Do reverse IPv6 lookups using the obsolete RFC1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC2874) are not attempted\&.
+Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
.RE
.PP
\-k \fIkeyfile\fR
.PP
\-t \fItype\fR
.RS 4
-The resource record type to query\&. It can be any valid query type which is supported in BIND 9\&. The default query type is "A", unless the
+The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
\fItype\fR
to
ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
\fIN\fR\&.
+.sp
+All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
.RE
.PP
\-u
option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
.RE
.PP
+\fB+[no]idnin\fR
+.RS 4
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
+.RE
+.PP
\fB+[no]idnout\fR
.RS 4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
\fBdig\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBdig\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
-\fBIDN_DISABLE\fR
-environment variable\&. The IDN support is disabled if the variable is set when
-\fBdig\fR
-runs\&.
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
+\fI+noidnin\fR
+and
+\fI+noidnout\fR\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
\fBhost\fR(1),
\fBnamed\fR(8),
\fBdnssec-keygen\fR(8),
-RFC1035\&.
+RFC 1035\&.
.SH "BUGS"
.PP
There are probably too many query options\&.
<dt><span class="term">-i</span></dt>
<dd>
<p>
- Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+ Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
domain, which is no longer in use. Obsolete bit string
- label queries (RFC2874) are not attempted.
+ label queries (RFC 2874) are not attempted.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
- The resource record type to query. It can be any valid query type
- which is
- supported in BIND 9. The default query type is "A", unless the
- <code class="option">-x</code> option is supplied to indicate a reverse lookup.
- A zone transfer can be requested by specifying a type of AXFR. When
+ The resource record type to query. It can be any valid query
+ type. If it is a resource record type supported in BIND 9, it
+ can be given by the type mnemonic (such as "NS" or "AAAA").
+ The default query type is "A", unless the <code class="option">-x</code>
+ option is supplied to indicate a reverse lookup. A zone
+ transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required, set the
<em class="parameter"><code>type</code></em> to <code class="literal">ixfr=N</code>.
The incremental zone transfer will contain the changes
record was
<em class="parameter"><code>N</code></em>.
</p>
+ <p>
+ All resource record types can be expressed as "TYPEnn", where
+ "nn" is the number of the type. If the resource record type is
+ not supported in BIND 9, the result will be displayed as
+ described in RFC 3597.
+ </p>
</dd>
<dt><span class="term">-u</span></dt>
<dd>
server that provided the answer.
</p>
</dd>
+<dt><span class="term"><code class="option">+[no]idnin</code></span></dt>
+<dd>
+ <p>
+ Process [do not process] IDN domain names on input.
+ This requires IDN SUPPORT to have been enabled at
+ compile time. The default is to process IDN input.
+ </p>
+ </dd>
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
<dd>
<p>
<dd>
<p>
This feature is now obsolete and has been removed;
- use <span class="command"><strong>delv</strong></span> instead.
+ use <span class="command"><strong>delv</strong></span> instead.
</p>
</dd>
<dt><span class="term"><code class="option">+split=W</code></span></dt>
<dd>
<p>
This feature is related to <span class="command"><strong>dig +sigchase</strong></span>,
- which is obsolete and has been removed. Use
- <span class="command"><strong>delv</strong></span> instead.
+ which is obsolete and has been removed. Use
+ <span class="command"><strong>delv</strong></span> instead.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
<dd>
<p>
Formerly specified trusted keys for use with
- <span class="command"><strong>dig +sigchase</strong></span>. This feature is now
- obsolete and has been removed; use
- <span class="command"><strong>delv</strong></span> instead.
+ <span class="command"><strong>dig +sigchase</strong></span>. This feature is now
+ obsolete and has been removed; use
+ <span class="command"><strong>delv</strong></span> instead.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
<span class="command"><strong>dig</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
- the <code class="envar">IDN_DISABLE</code> environment variable.
- The IDN support is disabled if the variable is set when
- <span class="command"><strong>dig</strong></span> runs.
+ If you'd like to turn off the IDN support for some reason, use
+ parameters <em class="parameter"><code>+noidnin</code></em> and
+ <em class="parameter"><code>+noidnout</code></em>.
</p>
</div>
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
- <em class="citetitle">RFC1035</em>.
+ <em class="citetitle">RFC 1035</em>.
</p>
</div>
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2004-2007, 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2004-2007, 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2004-2007, 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009-2011, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009-2011, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009-2011, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000, 2001, 2003-2009, 2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2003-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2012-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2012-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2012-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2016-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2016-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2016-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
\fBrndc managed\-keys\fR\&.
.RE
.PP
-\fBserve\-stale ( on | off | status | reset ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+\fBserve\-stale ( on | off | reset | status ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-Enable, disable, or reset the serving of stale answers as configured in named\&.conf\&. Serving of stale answers will remain disabled across
-named\&.conf
-reloads if disabled via rndc until it is reset via rndc\&.
+Enable, disable, reset, or report the current status of the serving of stale answers as configured in
+named\&.conf\&.
+.sp
+If serving of stale answers is disabled by
+\fBrndc\-serve\-stale off\fR, then it will remain disabled even if
+\fBnamed\fR
+is reloaded or reconfigured\&.
+\fBrndc serve\-stale reset\fR
+restores the setting as configured in
+named\&.conf\&.
.sp
-Status will report whether serving of stale answers is currently enabled, disabled or not configured for a view\&. If serving of stale records is configured then the values of stale\-answer\-ttl and max\-stale\-ttl are reported\&.
+\fBrndc serve\-stale status\fR
+will report whether serving of stale answers is currently enabled, disabled by the configuration, or disabled by
+\fBrndc\fR\&. It will also report the values of
+\fBstale\-answer\-ttl\fR
+and
+\fBmax\-stale\-ttl\fR\&.
.RE
.PP
\fBshowzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
See also <span class="command"><strong>rndc managed-keys</strong></span>.
</p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | status | reset ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Enable, disable, or reset the serving of stale answers
- as configured in named.conf. Serving of stale answers
- will remain disabled across <code class="filename">named.conf</code>
- reloads if disabled via rndc until it is reset via rndc.
+ Enable, disable, reset, or report the current status
+ of the serving of stale answers as configured in
+ <code class="filename">named.conf</code>.
</p>
<p>
- Status will report whether serving of stale answers is
- currently enabled, disabled or not configured for a
- view. If serving of stale records is configured then
- the values of stale-answer-ttl and max-stale-ttl are
- reported.
+ If serving of stale answers is disabled by
+ <span class="command"><strong>rndc-serve-stale off</strong></span>, then it
+ will remain disabled even if <span class="command"><strong>named</strong></span>
+ is reloaded or reconfigured.
+ <span class="command"><strong>rndc serve-stale reset</strong></span> restores
+ the setting as configured in <code class="filename">named.conf</code>.
+ </p>
+ <p>
+ <span class="command"><strong>rndc serve-stale status</strong></span> will report
+ whether serving of stale answers is currently enabled,
+ disabled by the configuration, or disabled by
+ <span class="command"><strong>rndc</strong></span>. It will also report the
+ values of <span class="command"><strong>stale-answer-ttl</strong></span> and
+ <span class="command"><strong>max-stale-ttl</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
-.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2015-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2015-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2015-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2015-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2015-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2015-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2015-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2015-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
Internet Systems Consortium
.SH "COPYRIGHT"
.br
-Copyright \(co 2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
/* have __attribute__s used in librpz.h */
#undef LIBRPZ_HAVE_ATTR
-/* Define to the sub-directory in which libtool stores uninstalled libraries.
- */
+/* Define to the sub-directory where libtool stores uninstalled libraries. */
#undef LT_OBJDIR
/* Defined if extern char *optarg is not declared. */
/* end confdefs.h. */
#include <stdio.h>
+
+int
main() {
size_t j = 0;
char buf[100];
buf[0] = 0;
sprintf(buf, "%zu", j);
- exit(strcmp(buf, "0") != 0);
+ return ((buf[0] == '0' && buf[1] == '\0') ? 0 : 1);
}
_ACEOF
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
syslog daemon;
// only send priority info and higher
severity info;
+};
channel default_debug {
// write to named.run in the working directory
</td>
</tr>
<tr>
+<td>
+ <p><span class="command"><strong>serve-stale</strong></span></p>
+ </td>
+<td>
+ <p>
+ Whether or not a stale answer is used
+ following a resolver failure.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p><span class="command"><strong>spill</strong></span></p>
</td>
Specifies the TTL to be returned on stale answers.
The default is 1 second. The minimum allowed is
also 1 second; a value of 0 will be updated silently
- to 1 second. For stale answers to be returned,
- they must be enabled (either in the configuration file
- using <span class="command"><strong>stale-answer-enable</strong></span> or via
- <span class="command"><strong>rndc</strong></span>), and
- <code class="option">max-stale-ttl</code> must be set to a
- nonzero value.
+ to 1 second.
+ </p>
+ <p>
+ For stale answers to be returned, they must be enabled,
+ either in the configuration file using
+ <span class="command"><strong>stale-answer-enable</strong></span> or via
+ <span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
Not implemented in BIND 9.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>root-key-sentinel</strong></span></span></dt>
+<dd>
+ <p>
+ Respond to root key sentinel probes as described in
+ draft-ietf-dnsop-kskroll-sentinel-08. The default is
+ <strong class="userinput"><code>yes</code></strong>.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt>
<dd>
<p>
server cookie.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
+<dd>
+ <p>
+ When set to the default value of <strong class="userinput"><code>yes</code></strong>,
+ COOKIE EDNS options will be sent when applicable in
+ replies to client queries. If set to
+ <strong class="userinput"><code>no</code></strong>, COOKIE EDNS options will not
+ be sent in replies. This can only be set at the global
+ options level, not per-view.
+ </p>
+ <p>
+ <span class="command"><strong>answer-cookie</strong></span> is only available
+ as a temporary measure, for use when
+ <span class="command"><strong>named</strong></span> shares an IP address
+ with other servers that do not yet support DNS
+ COOKIE. A mismatch between servers on the same
+ address is not expected to cause operational
+ problems, but the option to disable COOKIE responses
+ so that all servers have the same behavior is
+ provided out of an abundance of caution. DNS COOKIE
+ is an important security mechanism and should not be
+ disabled unless absolutely necessary. The
+ <span class="command"><strong>answer-cookie</strong></span> option is obsolete
+ as of BIND 9.13.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
<dd>
<p>
<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
<dd>
<p>
- Enable the returning of stale answers when the
- nameservers for the zone are not answering. This
- is off by default, but can be enabled/disabled via
- <span class="command"><strong>rndc serve-stale on</strong></span> and
- <span class="command"><strong>rndc serve-stale off</strong></span>, which
- override the <code class="filename">named.conf</code>
- setting. <span class="command"><strong>rndc serve-stale reset</strong></span>
+ Enable the returning of "stale" cached answers when
+ the nameservers for a zone are not answering. The
+ default is not to return stale answers.
+ </p>
+ <p>
+ Stale answers can also be enabled or disabled at
+ runtime via <span class="command"><strong>rndc serve-stale on</strong></span> or
+ <span class="command"><strong>rndc serve-stale off</strong></span>; these
+ override the configured setting.
+ <span class="command"><strong>rndc serve-stale reset</strong></span>
restores the setting to the one specified in
- <code class="filename">named.conf</code>. Note that
- reloading or reconfiguring <span class="command"><strong>named</strong></span>
- will not re-enable serving of stale records if they
- have been disabled via <span class="command"><strong>rndc</strong></span>.
+ <code class="filename">named.conf</code>. Note that if
+ stale answers have been disabled by <span class="command"><strong>rndc</strong></span>,
+ then they cannot be re-enabled by reloading or
+ reconfiguring <span class="command"><strong>named</strong></span>;
+ they must be re-enabled with
+ <span class="command"><strong>rndc serve-stale on</strong></span>,
+ or the server must be restarted.
+ </p>
+ <p>
+ Information about stale answers is logged under
+ the <span class="command"><strong>serve-stale</strong></span> log category.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt>
<dd>
<p>
- Sets the maximum time for which the server will
+ If stale answers are enabled,
+ <span class="command"><strong>max-stale-ttl</strong></span>
+ sets the maximum time for which the server will
retain records past their normal expiry to
return them as stale records when the servers
- for those records are not reachable. The default
- is to not retain the record.
+ for those records are not reachable.
+ The default is 1 week. The minimum allowed is
+ 1 second; a value of 0 will be updated silently
+ to 1 second.
</p>
<p>
- <span class="command"><strong>rndc serve-stale</strong></span> can be used
- to disable and re-enable the serving of stale
- records at runtime. Reloading or reconfiguring
- <span class="command"><strong>named</strong></span> will not re-enable serving
- of stale records if they have been disabled via
- <span class="command"><strong>rndc</strong></span>.
+ For stale answers to be returned, they must be enabled,
+ either in the configuration file using
+ <span class="command"><strong>stale-answer-enable</strong></span> or via
+ <span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
<li class="listitem">9.E.F.IP6.ARPA</li>
<li class="listitem">A.E.F.IP6.ARPA</li>
<li class="listitem">B.E.F.IP6.ARPA</li>
+<li class="listitem">EMPTY.AS112.ARPA</li>
+<li class="listitem">HOME.ARPA</li>
</ul></div>
<p>
</p>
If an update to a RPZ zone (for example, via IXFR) happens less
than <code class="option">min-update-interval</code> seconds after the most
recent update, then the changes will not be carried out until this
- interval has elapsed. The default is <code class="literal">5</code> seconds.
+ interval has elapsed. The default is <code class="literal">60</code> seconds.
</p>
</div>
<span class="command"><strong>update-policy</strong></span> option, respectively.
</p>
<p>
- The <span class="command"><strong>allow-update</strong></span> clause works the
- same way as in previous versions of <acronym class="acronym">BIND</acronym>.
- It grants given clients the permission to update any
- record of any name in the zone.
+ The <span class="command"><strong>allow-update</strong></span> clause is a simple
+ access control list. Any client that matches
+ the ACL is granted permission to update any record
+ in the zone.
</p>
<p>
The <span class="command"><strong>update-policy</strong></span> clause
allows more fine-grained control over what updates are
- allowed. A set of rules is specified, where each rule
- either grants or denies permissions for one or more
- names to be updated by one or more identities. If
- the dynamic update request message is signed (that is,
- it includes either a TSIG or SIG(0) record), the
- identity of the signer can be determined.
+ allowed. It specifies a set of rules, in which each rule
+ either grants or denies permission for one or more
+ names in the zone to be updated by one or more
+ identities. Identity is determined by the key that
+ signed the update request using either TSIG or SIG(0).
+ In most cases, <span class="command"><strong>update-policy</strong></span> rules
+ only apply to key-based identities. There is no way
+ to specify update permissions based on client source
+ address.
</p>
<p>
- Rules are specified in the <span class="command"><strong>update-policy</strong></span>
- zone option, and are only meaningful for master zones.
- When the <span class="command"><strong>update-policy</strong></span> statement
- is present, it is a configuration error for the
- <span class="command"><strong>allow-update</strong></span> statement to be
- present. The <span class="command"><strong>update-policy</strong></span> statement
- (except when set to <code class="literal">local</code>) only
- examines the signer of a message; the source
- address is not relevant.
+ <span class="command"><strong>update-policy</strong></span> rules are only meaningful
+ for zones of type <span class="command"><strong>master</strong></span>, and are
+ not allowed in any other zone type.
+ It is a configuration error to specify both
+ <span class="command"><strong>allow-update</strong></span> and
+ <span class="command"><strong>update-policy</strong></span> at the same time.
</p>
<p>
A pre-defined <span class="command"><strong>update-policy</strong></span> rule can be
switched on with the command
<span class="command"><strong>update-policy local;</strong></span>.
- Switching on this rule in a zone causes
- <span class="command"><strong>named</strong></span> to generate a TSIG session key and
- place it in a file. That key will then be allowed to update
- the zone, if the update request is sent from localhost.
+ Using this in a zone causes
+ <span class="command"><strong>named</strong></span> to generate a TSIG session key
+ when starting up and store it in a file; this key can then
+ be used by local clients to update the zone while
+ <span class="command"><strong>named</strong></span> is running.
By default, the session key is stored in the file
- <code class="filename">/var/run/named/session.key</code>; the key name
- is "local-ddns" and the key algorithm is HMAC-SHA256.
+ <code class="filename">/var/run/named/session.key</code>, the key name
+ is "local-ddns", and the key algorithm is HMAC-SHA256.
These values are configurable with the
<span class="command"><strong>session-keyfile</strong></span>,
<span class="command"><strong>session-keyname</strong></span> and
- <span class="command"><strong>session-keyalg</strong></span> options, respectively).
- </p>
- <p>
- A client on the local system, if it is run with appropriate
+ <span class="command"><strong>session-keyalg</strong></span> options, respectively.
+ A client running on the local system, if run with appropriate
permissions, may read the session key from the key file and
- use the key to sign update requests. The zone's update
+ use it to sign update requests. The zone's update
policy will be set to allow that key to change any record
within the zone. Assuming the key name is "local-ddns",
- this policy is:
+ this policy is equivalent to:
</p>
<pre class="programlisting">update-policy { grant local-ddns zonesub any; };
</pre>
<p>
- ...with an additional restriction that only clients
+ ...with the additional restriction that only clients
connecting from the local system will be permitted to send
updates.
</p>
<p>
- Note that only one session key is generated; all zones
- configured to use <span class="command"><strong>update-policy local</strong></span>
- will accept the same key.
+ Note that only one session key is generated by
+ <span class="command"><strong>named</strong></span>; all zones configured to use
+ <span class="command"><strong>update-policy local</strong></span> will accept the same key.
</p>
<p>
The command <span class="command"><strong>nsupdate -l</strong></span> implements this
</p>
<pre class="programlisting">
-( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
+( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>ruletype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
</pre>
<p>
- Each rule grants or denies privileges. Once a message has
- successfully matched a rule, the operation is immediately
- granted or denied and no further rules are examined. A rule
- is matched when the signer matches the identity field, the
- name matches the name field in accordance with the nametype
- field, and the type matches the types specified in the type
- field.
+ Each rule grants or denies privileges. Rules are checked
+ in the order in which they are specified in the
+ <span class="command"><strong>update-policy</strong></span> statement. Once a message
+ has successfully matched a rule, the operation is immediately
+ granted or denied, and no further rules are examined. There
+ are 13 types of rules; the rule type is specified by the
+ <span class="command"><strong>ruletype</strong></span> field, and the interpretation
+ of other fields varies depending on the rule type.
+ </p>
+ <p>
+ In general, a rule is matched when the
+ key that signed an update request matches the
+ <span class="command"><strong>identity</strong></span> field, the name of the record
+ to be updated matches the <span class="command"><strong>name</strong></span> field
+ (in the manner specified by the <span class="command"><strong>ruletype</strong></span>
+ field), and the type of the record to be updated matches the
+ <span class="command"><strong>types</strong></span> field. Details for each rule type
+ are described below.
</p>
<p>
- No signer is required for <em class="replaceable"><code>tcp-self</code></em>
- or <em class="replaceable"><code>6to4-self</code></em> however the standard
- reverse mapping / prefix conversion must match the identity
- field.
+ The <span class="command"><strong>identity</strong></span> field must be set to
+ a fully-qualified domain name. In most cases, this
+ represensts the name of the TSIG or SIG(0) key that must be
+ used to sign the update request. If the specified name is a
+ wildcard, it is subject to DNS wildcard expansion, and the
+ rule may apply to multiple identities. When a TKEY exchange
+ has been used to create a shared secret, the identity of
+ the key used to authenticate the TKEY exchange will be
+ used as the identity of the shared secret. Some rule types
+ use indentities matching the client's Kerberos principal
+ (e.g, <strong class="userinput"><code>"host/machine@REALM"</code></strong>) or
+ Windows realm (<strong class="userinput"><code>machine$@REALM</code></strong>).
</p>
<p>
- The identity field specifies a name or a wildcard
- name. Normally, this is the name of the TSIG or
- SIG(0) key used to sign the update request. When a
- TKEY exchange has been used to create a shared secret,
- the identity of the shared secret is the same as the
- identity of the key used to authenticate the TKEY
- exchange. TKEY is also the negotiation method used
- by GSS-TSIG, which establishes an identity that is
- the Kerberos principal of the client, such as
- <strong class="userinput"><code>"user@host.domain"</code></strong>. When the
- <em class="replaceable"><code>identity</code></em> field specifies
- a wildcard name, it is subject to DNS wildcard
- expansion, so the rule will apply to multiple identities.
- The <em class="replaceable"><code>identity</code></em> field must
- contain a fully-qualified domain name.
+ The <em class="replaceable"><code>name</code></em> field also specifies
+ a fully-qualified domain name. This often
+ represents the name of the record to be updated.
+ Interpretation of this field is dependent on rule type.
</p>
<p>
- For nametypes <code class="varname">krb5-self</code>,
- <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
- and <code class="varname">ms-subdomain</code> the
- <em class="replaceable"><code>identity</code></em> field specifies
- the Windows or Kerberos realm of the machine belongs to.
+ If no <span class="command"><strong>types</strong></span> are explicitly specified,
+ then a rule matches all types except RRSIG, NS, SOA, NSEC
+ and NSEC3. Types may be specified by name, including
+ "ANY" (ANY matches all types except NSEC and NSEC3,
+ which can never be updated). Note that when an attempt
+ is made to delete all records associated with a name,
+ the rules are checked for each existing record type.
</p>
<p>
- The <em class="replaceable"><code>nametype</code></em> field has 13
+ The <em class="replaceable"><code>ruletype</code></em> field has 13
values:
<code class="varname">name</code>, <code class="varname">subdomain</code>,
<code class="varname">wildcard</code>, <code class="varname">self</code>,
</td>
<td>
<p>
- This rule matches when the name being updated
- matches the contents of the
+ This rule matches when the name of the record
+ being updated matches the contents of the
<em class="replaceable"><code>identity</code></em> field.
The <em class="replaceable"><code>name</code></em> field
- is ignored, but should be the same as the
- <em class="replaceable"><code>identity</code></em> field or
+ is ignored. To avoid confusion, it is recommended
+ that this field be set to the same value as the
+ <em class="replaceable"><code>identity</code></em> field or to
"."
- The <code class="varname">self</code> nametype is
- most useful when allowing using one key per
+ </p>
+ <p>
+ The <code class="varname">self</code> rule type is
+ most useful when allowing one key per
name to update, where the key has the same
- name as the name to be updated. The
- <em class="replaceable"><code>identity</code></em> would
- be specified as <code class="constant">*</code> (an asterisk) in
- this case.
+ name as the record to be updated. In this case,
+ the <em class="replaceable"><code>identity</code></em> field
+ can be specified as <code class="constant">*</code>
+ (an asterisk).
</p>
</td>
</tr>
</td>
<td>
<p>
- Allow updates that have been sent via TCP and
- for which the standard mapping from the initiating
- IP address into the IN-ADDR.ARPA and IP6.ARPA
- namespaces match the name to be updated. The
- name field should be set to "."
+ This rule allows updates that have been sent via
+ TCP and for which the standard mapping from the
+ client's IP address into the
+ <code class="literal">in-addr.arpa</code> and
+ <code class="literal">ip6.arpa</code>
+ namespaces match the name to be updated.
+ The <span class="command"><strong>identity</strong></span> field must match
+ that name. The <span class="command"><strong>name</strong></span> field
+ should be set to ".".
+ Note that, since identity is based on the client's
+ IP address, it is not necessary for update request
+ messages to be signed.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
</td>
<td>
<p>
- Allow the 6to4 prefix to be update by any TCP
- connection from the 6to4 network or from the
- corresponding IPv4 address. This is intended
- to allow NS or DNAME RRsets to be added to the
- reverse tree.
+ This allows the name matching a 6to4 IPv6 prefix,
+ as specified in RFC 3056, to be updated by any
+ TCP connection from either the 6to4 network or
+ from the corresponding IPv4 address. This is
+ intended to allow NS or DNAME RRsets to be added
+ to the <code class="literal">ip6.arpa</code> reverse tree.
+ </p>
+ <p>
+ The <span class="command"><strong>identity</strong></span> field must match
+ the 6to4 prefix in <code class="literal">ip6.arpa</code>.
+ The <span class="command"><strong>name</strong></span> field should
+ be set to ".".
+ Note that, since identity is based on the client's
+ IP address, it is not necessary for update request
+ messages to be signed.
+ </p>
+ <p>
+ In addition, if specified for an
+ <code class="literal">ip6.arpa</code> name outside of the
+ <code class="literal">2.0.0.2.ip6.arpa</code> namespace,
+ the corresponding /48 reverse name can be updated.
+ For example, TCP/IPv6 connections
+ from 2001:DB8:ED0C::/48 can update records at
+ <code class="literal">C.0.D.E.8.B.D.0.1.0.0.2.ip6.arpa</code>.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
</tbody>
</table>
</div>
-
- <p>
- In all cases, the <em class="replaceable"><code>name</code></em>
- field must specify a fully-qualified domain name.
- </p>
-
- <p>
- If no types are explicitly specified, this rule matches
- all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
- may be specified by name, including "ANY" (ANY matches
- all types except NSEC and NSEC3, which can never be
- updated). Note that when an attempt is made to delete
- all records associated with a name, the rules are
- checked for each existing record type.
- </p>
</div>
<div class="section">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.2rc1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.12.1</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.12.2rc1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
+ and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
+ should be limited to local networks, but they were inadvertently set
+ to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
+ remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The serve-stale feature could cause an assertion failure in
+ rbtdb.c even when stale-answer-enable was false. The
+ simultaneous use of stale cache records and NSEC aggressive
+ negative caching could trigger a recursion loop in the
+ <span class="command"><strong>named</strong></span> process. This flaw is disclosed in
+ CVE-2018-5737. [GL #185]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A bug in zone database reference counting could lead to a crash
+ when multiple versions of a slave zone were transferred from a
+ master in close succession. This flaw is disclosed in
+ CVE-2018-5736. [GL #134]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>update-policy</strong></span> rules that otherwise ignore the
+ name field now require that it be set to "." to ensure that any
+ type list present is properly interpreted. Previously, if the
+ name field was omitted from the rule declaration but a type list
+ was present, it wouldn't be interpreted as expected.
+ </p>
+ </li>
+<li class="listitem">
<p>
- update-policy rules that otherwise ignore the name field now
- require that it be set to "." to ensure that any type list
- present is properly interpreted. Previously, if the name field
- was omitted from the rule declaration but a type list was
- present, it wouldn't be interpreted as expected.
+ <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
+ mechanism. This enables validating resolvers to indicate
+ which trust anchors are configured for the root, so that
+ information about root key rollover status can be gathered.
+ To disable this feature, add
+ <span class="command"><strong>root-key-sentinel no;</strong></span> to
+ <code class="filename">named.conf</code>. [GL #37]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ Add the ability to not return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned
+ add 'answer-cookie no;' to named.conf. [GL #173]
+ </p>
+ <p>
+ <span class="command"><strong>answer-cookie</strong></span> is only available as a
+ temporary measure, for use when <span class="command"><strong>named</strong></span>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the
+ same address is not expected to cause operational problems,
+ but the option to disable COOKIE responses so that all
+ servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security
+ mechanism and should not be disabled unless absolutely
+ necessary. The <span class="command"><strong>answer-cookie</strong></span> option
+ is obsolete as of BIND 9.13.
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
[RT #43670]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ BIND now can be compiled against libidn2 library to add
+ IDNA2008 support. Previously BIND only supported IDNA2003
+ using (now obsolete) idnkit-1 library.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
+ processing on the input domain name, when BIND is compiled
+ with IDN support.
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
completed. [RT #47076]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash when rolling a
+ <span class="command"><strong>dnstap</strong></span> log file. [RT #46942]
+ </p>
+ </li>
</ul></div>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.12.1</p></div>
+<div><p class="releaseinfo">BIND Version 9.12.2rc1</p></div>
<div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.2rc1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
<dt><span class="term">-i</span></dt>
<dd>
<p>
- Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+ Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
domain, which is no longer in use. Obsolete bit string
- label queries (RFC2874) are not attempted.
+ label queries (RFC 2874) are not attempted.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
- The resource record type to query. It can be any valid query type
- which is
- supported in BIND 9. The default query type is "A", unless the
- <code class="option">-x</code> option is supplied to indicate a reverse lookup.
- A zone transfer can be requested by specifying a type of AXFR. When
+ The resource record type to query. It can be any valid query
+ type. If it is a resource record type supported in BIND 9, it
+ can be given by the type mnemonic (such as "NS" or "AAAA").
+ The default query type is "A", unless the <code class="option">-x</code>
+ option is supplied to indicate a reverse lookup. A zone
+ transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required, set the
<em class="parameter"><code>type</code></em> to <code class="literal">ixfr=N</code>.
The incremental zone transfer will contain the changes
record was
<em class="parameter"><code>N</code></em>.
</p>
+ <p>
+ All resource record types can be expressed as "TYPEnn", where
+ "nn" is the number of the type. If the resource record type is
+ not supported in BIND 9, the result will be displayed as
+ described in RFC 3597.
+ </p>
</dd>
<dt><span class="term">-u</span></dt>
<dd>
server that provided the answer.
</p>
</dd>
+<dt><span class="term"><code class="option">+[no]idnin</code></span></dt>
+<dd>
+ <p>
+ Process [do not process] IDN domain names on input.
+ This requires IDN SUPPORT to have been enabled at
+ compile time. The default is to process IDN input.
+ </p>
+ </dd>
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
<dd>
<p>
<dd>
<p>
This feature is now obsolete and has been removed;
- use <span class="command"><strong>delv</strong></span> instead.
+ use <span class="command"><strong>delv</strong></span> instead.
</p>
</dd>
<dt><span class="term"><code class="option">+split=W</code></span></dt>
<dd>
<p>
This feature is related to <span class="command"><strong>dig +sigchase</strong></span>,
- which is obsolete and has been removed. Use
- <span class="command"><strong>delv</strong></span> instead.
+ which is obsolete and has been removed. Use
+ <span class="command"><strong>delv</strong></span> instead.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
<dd>
<p>
Formerly specified trusted keys for use with
- <span class="command"><strong>dig +sigchase</strong></span>. This feature is now
- obsolete and has been removed; use
- <span class="command"><strong>delv</strong></span> instead.
+ <span class="command"><strong>dig +sigchase</strong></span>. This feature is now
+ obsolete and has been removed; use
+ <span class="command"><strong>delv</strong></span> instead.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
<span class="command"><strong>dig</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
- the <code class="envar">IDN_DISABLE</code> environment variable.
- The IDN support is disabled if the variable is set when
- <span class="command"><strong>dig</strong></span> runs.
+ If you'd like to turn off the IDN support for some reason, use
+ parameters <em class="parameter"><code>+noidnin</code></em> and
+ <em class="parameter"><code>+noidnout</code></em>.
</p>
</div>
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
- <em class="citetitle">RFC1035</em>.
+ <em class="citetitle">RFC 1035</em>.
</p>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
See also <span class="command"><strong>rndc managed-keys</strong></span>.
</p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | status | reset ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Enable, disable, or reset the serving of stale answers
- as configured in named.conf. Serving of stale answers
- will remain disabled across <code class="filename">named.conf</code>
- reloads if disabled via rndc until it is reset via rndc.
+ Enable, disable, reset, or report the current status
+ of the serving of stale answers as configured in
+ <code class="filename">named.conf</code>.
</p>
<p>
- Status will report whether serving of stale answers is
- currently enabled, disabled or not configured for a
- view. If serving of stale records is configured then
- the values of stale-answer-ttl and max-stale-ttl are
- reported.
+ If serving of stale answers is disabled by
+ <span class="command"><strong>rndc-serve-stale off</strong></span>, then it
+ will remain disabled even if <span class="command"><strong>named</strong></span>
+ is reloaded or reconfigured.
+ <span class="command"><strong>rndc serve-stale reset</strong></span> restores
+ the setting as configured in <code class="filename">named.conf</code>.
+ </p>
+ <p>
+ <span class="command"><strong>rndc serve-stale status</strong></span> will report
+ whether serving of stale answers is currently enabled,
+ disabled by the configuration, or disabled by
+ <span class="command"><strong>rndc</strong></span>. It will also report the
+ values of <span class="command"><strong>stale-answer-ttl</strong></span> and
+ <span class="command"><strong>max-stale-ttl</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
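Review bot: The added second paragraph spells the command as `rndc-serve-stale off`, with a hyphen, while the synopsis line above and the two later references (`rndc serve-stale reset`, `rndc serve-stale status`) use a space. An operator copying the hyphenated form would not be running the documented subcommand. The line should read `<span class="command"><strong>rndc serve-stale off</strong></span>, then it`. This HTML appears to be generated from DocBook, so the correction presumably belongs in the source document, with the page regenerated afterwards.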
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.2rc1</p>
</body>
</html>
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.12.1</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.12.2rc1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
+ and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
+ should be limited to local networks, but they were inadvertently set
+ to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
+ remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The serve-stale feature could cause an assertion failure in
+ rbtdb.c even when stale-answer-enable was false. The
+ simultaneous use of stale cache records and NSEC aggressive
+ negative caching could trigger a recursion loop in the
+ <span class="command"><strong>named</strong></span> process. This flaw is disclosed in
+ CVE-2018-5737. [GL #185]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A bug in zone database reference counting could lead to a crash
+ when multiple versions of a slave zone were transferred from a
+ master in close succession. This flaw is disclosed in
+ CVE-2018-5736. [GL #134]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>update-policy</strong></span> rules that otherwise ignore the
+ name field now require that it be set to "." to ensure that any
+ type list present is properly interpreted. Previously, if the
+ name field was omitted from the rule declaration but a type list
+ was present, it wouldn't be interpreted as expected.
+ </p>
+ </li>
+<li class="listitem">
<p>
- update-policy rules that otherwise ignore the name field now
- require that it be set to "." to ensure that any type list
- present is properly interpreted. Previously, if the name field
- was omitted from the rule declaration but a type list was
- present, it wouldn't be interpreted as expected.
+ <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
+ mechanism. This enables validating resolvers to indicate
+ which trust anchors are configured for the root, so that
+ information about root key rollover status can be gathered.
+ To disable this feature, add
+ <span class="command"><strong>root-key-sentinel no;</strong></span> to
+ <code class="filename">named.conf</code>. [GL #37]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ Add the ability to not return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned
+ add 'answer-cookie no;' to named.conf. [GL #173]
+ </p>
+ <p>
+ <span class="command"><strong>answer-cookie</strong></span> is only available as a
+ temporary measure, for use when <span class="command"><strong>named</strong></span>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the
+ same address is not expected to cause operational problems,
+ but the option to disable COOKIE responses so that all
+ servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security
+ mechanism and should not be disabled unless absolutely
+ necessary. The <span class="command"><strong>answer-cookie</strong></span> option
+ is obsolete as of BIND 9.13.
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
[RT #43670]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ BIND now can be compiled against libidn2 library to add
+ IDNA2008 support. Previously BIND only supported IDNA2003
+ using (now obsolete) idnkit-1 library.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
+ processing on the input domain name, when BIND is compiled
+ with IDN support.
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
completed. [RT #47076]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash when rolling a
+ <span class="command"><strong>dnstap</strong></span> log file. [RT #46942]
+ </p>
+ </li>
</ul></div>
</div>
-Release Notes for BIND Version 9.13.0
+Release Notes for BIND Version 9.12.2rc1
Introduction
-BIND 9.13 is an unstable development release of BIND. This document
-summarizes new features and functional changes that have been introduced
-on this branch. With each development release leading up to the stable
-BIND 9.14 release, this document will be updated with additional features
-added and bugs fixed.
-
-Note on Version Numbering
-
-Prior to BIND 9.13, new feature development releases were tagged as
-"alpha" and "beta", leading up to the first stable release for a given
-development branch, which always ended in ".0".
-
-Now, however, BIND has adopted the "odd-unstable/even-stable" release
-numbering convention. There will be no "alpha" or "beta" releases in the
-9.13 branch, only increasing version numbers. So, for example, what would
-previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will
-instead be called 9.13.0, 9.13.1, 9.13.2, etc.
-
-The first stable release from this development branch will be renamed as
-9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch,
-while unstable feature development proceeds in 9.15.
+This document summarizes changes since the last production release on the
+BIND 9.12 branch. Please see the CHANGES for a further list of bug fixes
+and other changes.
Download
Security Fixes
- * None.
+ * When recursion is enabled but the allow-recursion and
+ allow-query-cache ACLs are not specified, they should be limited to
+ local networks, but they were inadvertently set to match the default
+ allow-query, thus allowing remote queries. This flaw is disclosed in
+ CVE-2018-5738. [GL #309]
+
+ * The serve-stale feature could cause an assertion failure in rbtdb.c
+ even when stale-answer-enable was false. The simultaneous use of stale
+ cache records and NSEC aggressive negative caching could trigger a
+ recursion loop in the named process. This flaw is disclosed in
+ CVE-2018-5737. [GL #185]
+
+ * A bug in zone database reference counting could lead to a crash when
+ multiple versions of a slave zone were transferred from a master in
+ close succession. This flaw is disclosed in CVE-2018-5736. [GL #134]
New Features
- * BIND now can be compiled against the libidn2 library to add IDNA2008
- support. Previously, BIND supported IDNA2003 using the (now obsolete
- and unsupported) idnkit-1 library.
+ * update-policy rules that otherwise ignore the name field now require
+ that it be set to "." to ensure that any type list present is properly
+ interpreted. Previously, if the name field was omitted from the rule
+ declaration but a type list was present, it wouldn't be interpreted as
+ expected.
* named now supports the "root key sentinel" mechanism. This enables
- validating resolvers to indicate to which trust anchors are configured
+ validating resolvers to indicate which trust anchors are configured
for the root, so that information about root key rollover status can
be gathered. To disable this feature, add root-key-sentinel no; to
- named.conf.
-
- * The dnskey-sig-validity option allows the sig-validity-interval to be
- overriden for signatures covering DNSKEY RRsets. [GL #145]
-
-Removed Features
-
- * dnssec-keygen can no longer generate HMAC keys for TSIG
- authentication. Use tsig-keygen to generate these keys. [RT #46404]
-
- * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
- greater, or LibreSSL is now required.
-
- * The configure --enable-seccomp option, which formerly turned on
- system-call filtering on Linux, has been removed. [GL #93]
+ named.conf. [GL #37]
- * IPv4 addresses in forms other than dotted-quad are no longer accepted
- in master files. [GL #13] [GL #56]
+ * Add the ability to not return a DNS COOKIE option when one is present
+ in the request. To prevent a cookie being returned add 'answer-cookie
+ no;' to named.conf. [GL #173]
- * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-
- * The "rbtdb64" database implementation (a parallel implementation of
- "rbt") has been removed. [GL #217]
-
- * The -r randomdev option to explicitly select random device has been
- removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
- and dnssec-signzone commands.
-
- The -p option to use pseudo-random data has been removed from the
- dnssec-signzone command.
+ answer-cookie is only available as a temporary measure, for use when
+ named shares an IP address with other servers that do not yet support
+ DNS COOKIE. A mismatch between servers on the same address is not
+ expected to cause operational problems, but the option to disable
+ COOKIE responses so that all servers have the same behavior is
+ provided out of an abundance of caution. DNS COOKIE is an important
+ security mechanism and should not be disabled unless absolutely
+ necessary. The answer-cookie option is obsolete as of BIND 9.13.
Feature Changes
- * BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where it is
- compiled. It will use arc4random() family of functions on BSD
- operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
- Windows, and the selected cryptography provider library (OpenSSL or
- PKCS#11) as the last resort. [GL #221]
-
- * BIND can no longer be built without DNSSEC support. A cryptography
- provder (i.e., OpenSSL or a hardware service module with PKCS#11
- support) must be available. [GL #244]
-
- * Zone types primary and secondary are now available as synonyms for
- master and slave, respectively, in named.conf.
-
* named will now log a warning if the old root DNSSEC key is explicitly
configured and has not been updated. [RT #43670]
- * dig +nssearch will now list name servers that have timed out, in
- addition to those that respond. [GL #64]
+ * BIND now can be compiled against libidn2 library to add IDNA2008
+ support. Previously BIND only supported IDNA2003 using (now obsolete)
+ idnkit-1 library.
* dig +noidnin can be used to disable IDN processing on the input domain
name, when BIND is compiled with IDN support.
- * Up to 64 response-policy zones are now supported by default;
- previously the limit was 32. [GL #123]
+Bug Fixes
- * Several configuration options for time periods can now use TTL value
- suffixes (for example, 2h or 1d) in addition to an integer number of
- seconds. These include fstrm-set-reopen-interval, interface-interval,
- max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
- . [GL #203]
+ * When answering authoritative queries, named does not return the target
+ of a cross-zone CNAME between two locally served zones; this prevents
+ accidental cache poisoning. This same restriction was incorrectly
+ applied to recursive queries as well; this has been fixed. [RT #47078]
-Bug Fixes
+ * named could crash when acting as a slave for a catalog zone if zone
+ contained a master definition without an IP address. [RT #45999]
+
+ * named could crash due to a race condition when rolling dnstap log
+ files. [RT #46942]
- * None.
+ * rndc reload could cause named to leak memory if it was invoked before
+ the zone loading actions from a previous rndc reload command were
+ completed. [RT #47076]
+
+ * named could crash when rolling a dnstap log file. [RT #46942]
License
End of Life
-BIND 9.13 is an unstable development branch. When its development is
-complete, it will be renamed to BIND 9.14, which will be a stable branch.
-
-The end of life date for BIND 9.14 has not yet been determined. For those
-needing long term support, the current Extended Support Version (ESV) is
-BIND 9.11, which will be supported until at least December 2021. See
+The end-of-life date for BIND 9.12 has not yet been determined. However,
+it is not intended to be an Extended Support Version (ESV) branch;
+accordingly, support will end after the next stable branch (9.14) becomes
+available. Those needing a longer-lived branch are encouraged to use the
+current ESV, BIND 9.11, which will be supported until December 2021. See
https://www.isc.org/downloads/software-support-policy/ for details of
ISC's software support policy.
] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
+ answer-cookie <boolean>;
attach-cache <string>;
auth-nxdomain <boolean>; // default changed
auto-dnssec ( allow | maintain | off );
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
rfc2308-type1 <boolean>; // not yet implemented
- root-key-sentinel <boolean>;
root-delegation-only [ exclude { <quoted_string>; ... } ];
+ root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
send-cookie <boolean>;
-.\" Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
LIBINTERFACE = 1200
-LIBREVISION = 5
+LIBREVISION = 6
LIBAGE = 0
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
-LIBINTERFACE = 1204
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 1205
+LIBREVISION = 0
+LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
LIBINTERFACE = 1200
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
LIBINTERFACE = 1203
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 3
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
LIBINTERFACE = 1200
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
-LIBINTERFACE = 1201
+LIBINTERFACE = 1202
LIBREVISION = 0
-LIBAGE = 1
+LIBAGE = 2
# 9.10-sub: 180-189
# 9.11: 160-169
# 9.12: 1200-1299
-LIBINTERFACE = 1203
+LIBINTERFACE = 1204
LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1
DESCRIPTION=
MAJORVER=9
MINORVER=12
-PATCHVER=1
-RELEASETYPE=
-RELEASEVER=
+PATCHVER=2
+RELEASETYPE=rc
+RELEASEVER=1
EXTENSIONS=