+ --- 9.15.2 released ---
+
5263. [cleanup] Use atomics and isc_refcount_t wherever possible.
[GL #1038]
Several environment variables that can be set before running configure
will affect compilation:
-Variable Description
+ Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
-Category Description
+ Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
* The original development of BIND 9 was underwritten by the following
organizations:
- Sun Microsystems, Inc.
- Hewlett Packard
- Compaq Computer Corporation
- IBM
- Process Software Corporation
- Silicon Graphics, Inc.
- Network Associates, Inc.
- U.S. Defense Information Systems Agency
- USENIX Association
- Stichting NLnet - NLnet Foundation
- Nominum, Inc.
+ Sun Microsystems, Inc.
+ Hewlett Packard
+ Compaq Computer Corporation
+ IBM
+ Process Software Corporation
+ Silicon Graphics, Inc.
+ Network Associates, Inc.
+ U.S. Defense Information Systems Agency
+ USENIX Association
+ Stichting NLnet - NLnet Foundation
+ Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
+
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
statements to be ignored\&.
.RE
.PP
+\-i
+.RS 4
+Ignore warnings on deprecated options\&.
+.RE
+.PP
\-p
.RS 4
Print out the
<span class="command"><strong>plugin</strong></span> statements to be ignored.
</p>
</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+ <p>
+ Ignore warnings on deprecated options.
+ </p>
+ </dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
-If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
-\fB\-f KSK\fR) default to 2048 bits\&.
+If the key size is not specified, some algorithms have pre\-defined defaults\&. For instance, RSA keys have a default size of 2048 bits\&.
.RE
.PP
\-C
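Review bot: the replacement sentence in the key size paragraph drops the ZSK/KSK distinction without saying that the zone signing key default is what changed (the removed text gave 1024 bits for ZSKs and 2048 for KSKs). Suggest wording it as "RSA keys, both ZSK and KSK, default to 2048 bits" so that operators who relied on the old ZSK default see that newly generated keys will differ in size.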
</p>
<p>
If the key size is not specified, some algorithms have
- pre-defined defaults. For example, RSA keys for use as
- DNSSEC zone signing keys have a default size of 1024 bits;
- RSA keys for use as key signing keys (KSKs, generated with
- <code class="option">-f KSK</code>) default to 2048 bits.
+ pre-defined defaults. For instance, RSA keys have a default
+ size of 2048 bits.
</p>
</dd>
<dt><span class="term">-C</span></dt>
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2019-05-10
+.\" Date: 2019-06-28
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-06\-28" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\}
.SH "MANAGED-KEYS"
.PP
-See DNSSEC\-KEYS\&.
+Deprecated \- see DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
-managed\-keys { \fIstring\fR ( static\-key |
- initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };
+managed\-keys { \fIstring\fR ( static\-key
+ | initial\-key ) \fIinteger\fR
+ \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi
.if n \{\
.RE
check\-spf ( warn | ignore );
check\-srv\-cname ( fail | warn | ignore );
check\-wildcard \fIboolean\fR;
- cleaning\-interval \fIinteger\fR;
clients\-per\-query \fIinteger\fR;
cookie\-algorithm ( aes | sha1 | sha256 );
cookie\-secret \fIstring\fR;
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
- dnssec\-lookaside ( \fIstring\fR trust\-anchor
- \fIstring\fR | auto | no );
+ dnssec\-lookaside ( \fIstring\fR
+ trust\-anchor \fIstring\fR |
+ auto | no ); deprecated
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
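Review bot: cleaning\-interval is deleted from the options grammar outright, while dnssec\-lookaside in the same listing is kept and tagged "deprecated". The grammar should show which of the two treatments applies: if named still parses cleaning\-interval and ignores it, keep the line with an obsolete or deprecated tag; if it is now rejected, the removal needs a release note, because an existing named.conf that sets it would stop loading.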
.nf
trusted\-keys { \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };, deprecated
+ \fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi
.if n \{\
.RE
check\-spf ( warn | ignore );
check\-srv\-cname ( fail | warn | ignore );
check\-wildcard \fIboolean\fR;
- cleaning\-interval \fIinteger\fR;
clients\-per\-query \fIinteger\fR;
deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [
except\-from { \fIstring\fR; \&.\&.\&. } ];
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
- dnssec\-lookaside ( \fIstring\fR trust\-anchor
- \fIstring\fR | auto | no );
+ dnssec\-lookaside ( \fIstring\fR
+ trust\-anchor \fIstring\fR |
+ auto | no ); deprecated
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lmdb\-mapsize \fIsizeval\fR;
- managed\-keys { \fIstring\fR ( static\-key |
- initial\-key ) \fIinteger\fR \fIinteger\fR
- \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+ managed\-keys { \fIstring\fR (
+ static\-key | initial\-key
+ ) \fIinteger\fR \fIinteger\fR
+ \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. }; deprecated
masterfile\-format ( map | raw | text );
masterfile\-style ( full | relative );
match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR
\fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };, deprecated
+ \fIquoted_string\fR; \&.\&.\&. }; deprecated
try\-tcp\-refresh \fIboolean\fR;
update\-check\-ksk \fIboolean\fR;
use\-alt\-transfer\-source \fIboolean\fR;
<div class="refsection">
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
- <p>See DNSSEC-KEYS.</p>
+ <p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
-managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
+    | initial-key ) <em class="replaceable"><code>integer</code></em><br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
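Review bot: the added managed-keys line carrying the second and third integer has literal "Â" characters in its indentation and between the two elements, where the neighbouring added lines have plain spacing. That looks like non-breaking spaces written out in the wrong character encoding; regenerate the HTML with a consistent encoding so the grammar renders cleanly. The managed-keys entry in the options grammar further down shows the same bytes.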
check-spf ( warn | ignore );<br>
check-srv-cname ( fail | warn | ignore );<br>
check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
cookie-algorithm ( aes | sha1 | sha256 );<br>
cookie-secret <em class="replaceable"><code>string</code></em>;<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
-     <em class="replaceable"><code>string</code></em> | auto | no );<br>
+ dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
+     trust-anchor <em class="replaceable"><code>string</code></em> |<br>
+     auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
check-spf ( warn | ignore );<br>
check-srv-cname ( fail | warn | ignore );<br>
check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
    except-from { <em class="replaceable"><code>string</code></em>; ... } ];<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
-     <em class="replaceable"><code>string</code></em> | auto | no );<br>
+ dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
+     trust-anchor <em class="replaceable"><code>string</code></em> |<br>
+     auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
- managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+ managed-keys { <em class="replaceable"><code>string</code></em> (<br>
+     static-key | initial-key<br>
+ Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+ Â Â Â Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
masterfile-format ( map | raw | text );<br>
masterfile-style ( full | relative );<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
\fBdnssec\-keys\fR
-statements, or the synonymous
-\fBmanaged\-keys\fR
-or the deprecated
-\fBtrusted\-keys\fR
-statements, or via
+statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp
If the first argument is "\-", then the output is returned via the
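Review bot: in the rewritten secroots description, managed\-keys and trusted\-keys lose their \fB...\fR markup while dnssec\-keys and dnssec\-validation auto in the same sentence keep it, so the statement names are formatted inconsistently. Keep the bold on both names and put only "(both deprecated)" in plain text; the HTML rendering of this paragraph has the same inconsistency.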
<dd>
<p>
Dump the security roots (i.e., trust anchors
- configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
- or the synonymous <span class="command"><strong>managed-keys</strong></span> or
- the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
+ configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
+ managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
docdir
oldincludedir
includedir
-runstatedir
localstatedir
sharedstatedir
sysconfdir
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
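Review bot: --runstatedir disappears from the help text here, and from the option parser, the defaults and the ac_var list above, with nothing in the change saying it was intended. A packaging script that passes --runstatedir=DIR will no longer have the option accepted. If this is only a side effect of regenerating configure with a different autoconf, regenerate with the version used for the previous release; if it is intended, note it for packagers.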
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
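Review bot: in the LARGE_OFF_T define, the replacement "((off_t) 1 << 62)" uses a shift count of 62, which is larger than the width of off_t on exactly the platforms this probe is meant to detect (32-bit off_t), whereas the removed form kept every shift count at 31. The same substitution repeats in each copy of the probe, and together with the runstatedir removal it suggests the file was regenerated with a different autoconf; confirm that and pin the autoconf version so generated files do not churn between releases.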
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
- synonymous <span class="command"><strong>managed-keys</strong></span> or the deprecated
- <span class="command"><strong>trusted-keys</strong></span> statements).
+ <span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
+ statements, both deprecated).
</p>
<p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
keys are kept up to date using RFC 5011
trust anchor maintenance, and if used with
<span class="command"><strong>static-key</strong></span>, keys are permanent.
- Identical to <span class="command"><strong>managed-keys</strong></span>,
- but has been added for improved clarity.
</p>
</td>
</tr>
</td>
<td>
<p>
- is identical to <span class="command"><strong>dnssec-keys</strong></span>,
- and is retained for backward compatibility.
+ is identical to <span class="command"><strong>dnssec-keys</strong></span>;
+ this option is deprecated in favor
+ of <span class="command"><strong>dnssec-keys</strong></span> with
+ the <span class="command"><strong>initial-key</strong></span> keyword,
+ and may be removed in a future release.
</p>
</td>
</tr>
<span class="command"><strong>check-spf</strong></span> ( warn | ignore );
<span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
<span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>cleaning-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>cookie-algorithm</strong></span> ( aes | sha1 | sha256 );
<span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
- <em class="replaceable"><code>string</code></em> | auto | no );
+ <span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em>
+ <span class="command"><strong>trust-anchor</strong></span> <em class="replaceable"><code>string</code></em> |
+ <span class="command"><strong>auto</strong></span> | no ); deprecated
<span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<dt><span class="term"><span class="command"><strong>geoip-directory</strong></span></span></dt>
<dd>
<p>
- Specifies the directory containing GeoIP
- <code class="filename">.dat</code> database files for GeoIP
- initialization. By default, this option is unset
- and the GeoIP support will use libGeoIP's
- built-in directory.
- (For details, see <a class="xref" href="Bv9ARM.ch05.html#acl" title="acl Statement Definition and Usage">the section called “<span class="command"><strong>acl</strong></span> Statement Definition and
- Usage”</a> about the
- <span class="command"><strong>geoip</strong></span> ACL.)
+ When <span class="command"><strong>named</strong></span> is compiled using the
+ MaxMind GeoIP2 geolocation API,
+ this specifies the directory containing GeoIP
+ database files. By default, the option is set based on
+ the prefix used to build the <span class="command"><strong>libmaxminddb</strong></span>
+ module: for example, if the library is installed in
+ <code class="filename">/usr/local/lib</code>, then the default
+ <span class="command"><strong>geoip-directory</strong></span> will be
+ <code class="filename">/usr/local/share/GeoIP</code>. On Windows,
+ the default is the <span class="command"><strong>named</strong></span> working
+ directory. See <a class="xref" href="Bv9ARM.ch05.html#acl" title="acl Statement Definition and Usage">the section called “<span class="command"><strong>acl</strong></span> Statement Definition and
+ Usage”</a> for details about
+ <span class="command"><strong>geoip</strong></span> ACLs.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
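Review bot: the new geoip-directory text opens with "When named is compiled using the MaxMind GeoIP2 geolocation API" and no longer says what the option does in any other build; state whether it is ignored or rejected there. The default is also described indirectly (library in /usr/local/lib, so /usr/local/share/GeoIP); saying that the default is PREFIX/share/GeoIP for the libmaxminddb install prefix would be easier to apply.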
as insecure.
</p>
<p>
- Configured trust anchors in <span class="command"><strong>trusted-keys</strong></span>
- or <span class="command"><strong>managed-keys</strong></span> that match a disabled
- algorithm will be ignored and treated as if they were not
- configured at all.
+ Configured trust anchors in <span class="command"><strong>dnssec-keys</strong></span>
+ (or <span class="command"><strong>managed-keys</strong></span> or
+ <span class="command"><strong>trusted-keys</strong></span>, both deprecated)
+ that match a disabled algorithm will be ignored and treated
+ as if they were not configured at all.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
<strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
is not used.
</p>
+ <p>
+ This option is deprecated and its use is discouraged.
+ </p>
<p>
NOTE: The ISC-provided DLV service at
<code class="literal">dlv.isc.org</code>, has been shut down.
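Review bot: the added paragraph "This option is deprecated and its use is discouraged" gives neither a reason nor a removal plan, unlike the managed-keys text elsewhere in this change ("may be removed in a future release"). Merge it with the NOTE that follows about the dlv.isc.org service being shut down, so the reader gets the deprecation and its reason in one place.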
<span class="command"><strong>zone-statistics terse</strong></span> or
<span class="command"><strong>zone-statistics none</strong></span>
in the <span class="command"><strong>zone</strong></span> statement).
+ These include, for example, DNSSEC signing operations
+ and the number of authoritative answers per query type.
The default is <strong class="userinput"><code>terse</code></strong>, providing
minimal statistics on zones (including name and
current serial number, but not query type
If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or
- the synonymous <span class="command"><strong>managed-keys</strong></span>, or the
- deprecated <span class="command"><strong>trusted-keys</strong></span> statements).
+ the <span class="command"><strong>managed-keys</strong></span> or the
+ <span class="command"><strong>trusted-keys</strong></span> statements, both deprecated).
If there is no configured trust anchor, validation will
not take place.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
-<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
- <span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
- <em class="replaceable"><code>quoted_string</code></em>; ... };
+<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key
+ | initial-key ) <em class="replaceable"><code>integer</code></em>
+ <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+ <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
</pre>
</div>
<div class="section">
and Usage</h3></div></div></div>
<p>
- The <span class="command"><strong>managed-keys</strong></span> statement is
- identical to the <span class="command"><strong>dnssec-keys</strong></span>, and is
- retained for backward compatibility.
+ The <span class="command"><strong>managed-keys</strong></span> statement has been
+ deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar”</a>
+ with the <span class="command"><strong>initial-key</strong></span> keyword.
</p>
</div>
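Review bot: the replacement paragraph directs users to dnssec-keys "with the initial-key keyword" only, but the managed-keys grammar shown just above accepts ( static-key | initial-key ). Say that an entry keeps whichever keyword it already uses when the statement is renamed, otherwise a reader migrating a static-key entry is told to change its behaviour.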
<pre class="programlisting">
<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
- <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated
+ <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
</pre>
</div>
<div class="section">
<p>
The <span class="command"><strong>trusted-keys</strong></span> statement has been
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar”</a>
- with the <span class="command"><strong>static</strong></span> keyword.
+ with the <span class="command"><strong>static-key</strong></span> keyword.
</p>
</div>
For validation to succeed, a key-signing key
(KSK) for the zone must be configured as a trust
anchor in <code class="filename">named.conf</code>: that
- is, a key for the zone must either be specified
- in <span class="command"><strong>managed-keys</strong></span> or
- <span class="command"><strong>trusted-keys</strong></span>. In the case
+ is, a key for the zone must be specified in
+ <span class="command"><strong>dnssec-keys</strong></span>. In the case
of the root zone, you may also rely on the
built-in root trust anchor, which is enabled
when <a class="xref" href="Bv9ARM.ch05.html#dnssec_validation"><span class="command"><strong>dnssec-validation</strong></span></a> is set to the
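Review bot: "a key for the zone must be specified in dnssec-keys" now reads as if dnssec-keys were the only statement that works, while the other paragraphs touched by this change still describe managed-keys and trusted-keys as accepted but deprecated. Add the same parenthetical here, for example "(or managed-keys or trusted-keys, both deprecated)", so the manual is consistent about what validation will honour.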
<acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
</p>
+ <p>
+ Note: BIND statistics counters are signed 64-bit values on
+ all platforms except one: 32-bit Windows, where they are
+ signed 32-bit values. Given that 32-bit values have a
+ vastly smaller range than 64-bit values, BIND statistics
+ counters in 32-bit Windows builds overflow significantly
+ more quickly than on all other platforms.
+ </p>
+
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div>
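Review bot: the added note says counters on 32-bit Windows "overflow significantly more quickly" but not what a consumer of the statistics then sees (a negative value, a wrap to zero, or a saturated maximum). Add that, since monitoring that derives rates from these counters has to handle it. The phrase "all platforms except one: 32-bit Windows" can also be shortened to "all platforms except 32-bit Windows".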
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
to search for a match. Available fields are "country",
"region", "city", "continent", "postal" (postal code),
"metro" (metro code), "area" (area code), "tz" (timezone),
- "isp", "org", "asnum", "domain" and "netspeed".
+ "isp", "asnum", and "domain".
</p>
<p>
<em class="replaceable"><code>value</code></em> is the value to search
for within the database. A string may be quoted if it
- contains spaces or other special characters. If this is
- an "asnum" search, then the leading "ASNNNN" string can be
- used, otherwise the full description must be used (e.g.
- "ASNNNN Example Company Name"). If this is a "country"
- search and the string is two characters long, then it must
- be a standard ISO-3166-1 two-letter country code, and if it
- is three characters long then it must be an ISO-3166-1
- three-letter country code; otherwise it is the full name
- of the country. Similarly, if this is a "region" search
- and the string is two characters long, then it must be a
- standard two-letter state or province abbreviation;
- otherwise it is the full name of the state or province.
+ contains spaces or other special characters. An "asnum"
+ search for autonomous system number can be specified using
+ the string "ASNNNN" or the integer NNNN.
+ When "country" search is specified with a string is two
+ characters long, then it must be a standard ISO-3166-1
+ two-letter country code; otherwise it is interpreted as
+ the full name of the country. Similarly, if this is a
+ "region" search and the string is two characters long,
+ then it treated as a standard two-letter state or province
+ abbreviation; otherwise it treated as the full name of the
+ state or province.
</p>
<p>
The <em class="replaceable"><code>database</code></em> field indicates which
GeoIP database to search for a match. In most cases this is
unnecessary, because most search fields can only be found in
- a single database. However, searches for country can be
- answered from the "city", "region", or "country" databases,
- and searches for region (i.e., state or province) can be
- answered from the "city" or "region" databases. For these
- search types, specifying a <em class="replaceable"><code>database</code></em>
+ a single database. However, searches for "continent" or "country"
+ can be answered from either the "city" or "country" databases,
+ so for these search types, specifying a
+ <em class="replaceable"><code>database</code></em>
will force the query to be answered from that database and no
other. If <em class="replaceable"><code>database</code></em> is not
specified, then these queries will be answered from the "city",
- database if it is installed, or the "region" database if it is
- installed, or the "country" database, in that order.
+ database if it is installed, or the "country" database if it
+ is installed, in that order. Valid database names are
+ "country", "city", "asnum", "isp", and "domain".
</p>
<p>
Some example GeoIP ACLs:
</p>
<pre class="programlisting">geoip country US;
-geoip country JAP;
+geoip country JP;
geoip db country country Canada;
-geoip db region region WA;
+geoip region WA;
geoip city "San Francisco";
geoip region Oklahoma;
geoip postal 95062;
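Review bot: The added country/region paragraph has grammar slips that blur the matching rule: "When "country" search is specified with a string is two characters long" and "then it treated as" / "otherwise it treated as". Suggest "When a "country" search is specified with a string that is two characters long, it must be ..." and "it is treated as ...". The three-character case was also dropped without replacement, so by this wording a three-letter code in an existing ACL falls under "otherwise it is interpreted as the full name of the country"; since the example changes JAP to JP, it would help to say that explicitly so operators know to audit ACLs that still use three-letter codes.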
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.2</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.2</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The GeoIP2 API from MaxMind is now supported. Geolocation support
+ will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
+ library is found at compile time, but can be turned off by using
+ <span class="command"><strong>configure --disable-geoip</strong></span>.
+ </p>
+ <p>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
+ for example, if it is in <code class="filename">/usr/local/lib</code>,
+ then the default path will be
+ <code class="filename">/usr/local/share/GeoIP</code>.
+ This value can be overridden in <code class="filename">named.conf</code>
+ using the <span class="command"><strong>geoip-directory</strong></span> option.
+ </p>
+ <p>
+ Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
+ legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
+ <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
+ <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
+ <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
+ and IPv6 lookups. [GL #182] [GL #1112]
+ </p>
+ </li>
<li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
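Review bot: The database list in the third paragraph ends with "as", while the ARM text changed in this same commit says valid database names are "country", "city", "asnum", "isp", and "domain". If these are the same database, use one name in both places, preferably the keyword an operator would actually type in a geoip ACL; if they are different things (database type versus ACL keyword), say so here.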
[GL #865]
</p>
</li>
+<li class="listitem">
+ <p>
+ Two new metrics have been added to the
+ <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
+ number of signatures <span class="command"><strong>named</strong></span> has generated
+ using that key since server startup, and the
+ <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </p>
+ </li>
</ul></div>
</div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
+ The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
removed. [GL !1731]
</p>
</li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>dnssec-lookaside</strong></span> option has been deprecated.
+ The feature still works, but it is discouraged to use it. [GL #7]
+ </p>
+ </li>
</ul></div>
</div>
the problem. [GL #1055]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>./configure</strong></span> no longer sets
+ <span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
+ <span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
+ when <span class="command"><strong>--prefix</strong></span> is not specified and the
+ aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
+ <span class="command"><strong>$prefix/var</strong></span> are respected.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </p>
+ </li>
</ul></div>
</div>
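Review bot: The ./configure entry carries no [GL #...] reference, unlike the neighbouring entries, and it does not tell upgraders what to do. For anyone who built without --prefix and relied on the implicit /etc and /var, the configuration and state directories move to $prefix/etc and $prefix/var. Suggest adding the issue reference and one sentence stating that such builds must now pass --sysconfdir=/etc and --localstatedir=/var explicitly to keep the old locations.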
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.1</p></div>
+<div><p class="releaseinfo">BIND Version 9.15.2</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.2</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</p>
<p>
If the key size is not specified, some algorithms have
- pre-defined defaults. For example, RSA keys for use as
- DNSSEC zone signing keys have a default size of 1024 bits;
- RSA keys for use as key signing keys (KSKs, generated with
- <code class="option">-f KSK</code>) default to 2048 bits.
+ pre-defined defaults. For instance, RSA keys have a default
+ size of 2048 bits.
</p>
</dd>
<dt><span class="term">-C</span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
<span class="command"><strong>plugin</strong></span> statements to be ignored.
</p>
</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+ <p>
+ Ignore warnings on deprecated options.
+ </p>
+ </dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
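Review bot: The description of -i, "Ignore warnings on deprecated options.", does not say what is actually suppressed or whether anything else changes (exit status, errors on obsolete options). This release deprecates dnssec-lookaside, managed-keys and trusted-keys, so a configuration check run with -i will stop flagging exactly the statements that need migrating. Suggest spelling out the scope, for example that only the deprecation warnings are silenced and that errors are still reported, if that is the behaviour.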
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
<div class="refsection">
<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
- <p>See DNSSEC-KEYS.</p>
+ <p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
-managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
+    | initial-key ) <em class="replaceable"><code>integer</code></em><br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
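Review bot: The added line beginning "+Â Â Â Â <em" contains mis-encoded non-breaking spaces ("Â" sequences), while the other added lines in this hunk render their indentation correctly. This looks like the generated HTML was written with one encoding and read with another for part of the statement. Suggest regenerating the page so the whole managed-keys grammar uses the same encoding.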
check-spf ( warn | ignore );<br>
check-srv-cname ( fail | warn | ignore );<br>
check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
cookie-algorithm ( aes | sha1 | sha256 );<br>
cookie-secret <em class="replaceable"><code>string</code></em>;<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
-     <em class="replaceable"><code>string</code></em> | auto | no );<br>
+ dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
+     trust-anchor <em class="replaceable"><code>string</code></em> |<br>
+     auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
</p></div>
</div>
check-spf ( warn | ignore );<br>
check-srv-cname ( fail | warn | ignore );<br>
check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<br>
    except-from { <em class="replaceable"><code>string</code></em>; ... } ];<br>
    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
-     <em class="replaceable"><code>string</code></em> | auto | no );<br>
+ dnssec-lookaside ( <em class="replaceable"><code>string</code></em><br>
+     trust-anchor <em class="replaceable"><code>string</code></em> |<br>
+     auto | no ); deprecated<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode ( maintain | no-resign );<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
- managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+ managed-keys { <em class="replaceable"><code>string</code></em> (<br>
+     static-key | initial-key<br>
+ Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+ Â Â Â Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
masterfile-format ( map | raw | text );<br>
masterfile-style ( full | relative );<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
<dd>
<p>
Dump the security roots (i.e., trust anchors
- configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
- or the synonymous <span class="command"><strong>managed-keys</strong></span> or
- the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
+ configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
+ managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
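Review bot: In the replacement text, managed-keys and trusted-keys lost the command markup that dnssec-keys and dnssec-validation auto still have in the same sentence. Suggest keeping the span/strong wrapper on both statement names so they render consistently, and so a reader searching the manual for the statement names finds them styled the same way.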
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.15.2</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The GeoIP2 API from MaxMind is now supported. Geolocation support
+ will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
+ library is found at compile time, but can be turned off by using
+ <span class="command"><strong>configure --disable-geoip</strong></span>.
+ </p>
+ <p>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
+ for example, if it is in <code class="filename">/usr/local/lib</code>,
+ then the default path will be
+ <code class="filename">/usr/local/share/GeoIP</code>.
+ This value can be overridden in <code class="filename">named.conf</code>
+ using the <span class="command"><strong>geoip-directory</strong></span> option.
+ </p>
+ <p>
+ Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
+ legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
+ <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
+ <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
+ <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
+ and IPv6 lookups. [GL #182] [GL #1112]
+ </p>
+ </li>
<li class="listitem">
<p>
In order to clarify the configuration of DNSSEC keys,
[GL #865]
</p>
</li>
+<li class="listitem">
+ <p>
+ Two new metrics have been added to the
+ <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
+ number of signatures <span class="command"><strong>named</strong></span> has generated
+ using that key since server startup, and the
+ <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </p>
+ </li>
</ul></div>
</div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
+ The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
removed. [GL !1731]
</p>
</li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>dnssec-lookaside</strong></span> option has been deprecated.
+ The feature still works, but it is discouraged to use it. [GL #7]
+ </p>
+ </li>
</ul></div>
</div>
the problem. [GL #1055]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>./configure</strong></span> no longer sets
+ <span class="command"><strong>--sysconfdir</strong></span> to <span class="command"><strong>/etc</strong></span> or
+ <span class="command"><strong>--localstatedir</strong></span> to <span class="command"><strong>/var</strong></span>
+ when <span class="command"><strong>--prefix</strong></span> is not specified and the
+ aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
+ <span class="command"><strong>$prefix/var</strong></span> are respected.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </p>
+ </li>
</ul></div>
</div>
-Release Notes for BIND Version 9.15.1
+Release Notes for BIND Version 9.15.2
Introduction
New Features
+ * The GeoIP2 API from MaxMind is now supported. Geolocation support will
+ be compiled in by default if the libmaxminddb library is found at
+ compile time, but can be turned off by using configure --disable-geoip
+ .
+
+ The default path to the GeoIP2 databases will be set based on the
+ location of the libmaxminddb library; for example, if it is in /usr/
+ local/lib, then the default path will be /usr/local/share/GeoIP. This
+ value can be overridden in named.conf using the geoip-directory
+ option.
+
+ Some geoip ACL settings that were available with legacy GeoIP,
+ including searches for netspeed, org, and three-letter ISO country
+ codes, will no longer work when using GeoIP2. Supported GeoIP2
+ database types are country, city, domain, isp, and as. All of these
+ databases support both IPv4 and IPv6 lookups. [GL #182] [GL #1112]
+
* In order to clarify the configuration of DNSSEC keys, the trusted-keys
and managed-keys statements have been deprecated, and the new
dnssec-keys statement should now be used for both types of key.
zone's SOA record should be included in the additional section of RPZ
responses. [GL #865]
+ * Two new metrics have been added to the statistics-channel to report
+ DNSSEC signing operations. For each key in each zone, the dnssec-sign
+ counter indicates the total number of signatures named has generated
+ using that key since server startup, and the dnssec-refresh counter
+ indicates how many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated as a result of a zone
+ update. [GL #513]
+
Removed Features
- * The dnssec-enable option has been deprecated and no longer has any
+ * The dnssec-enable option has been obsoleted and no longer has any
effect. DNSSEC responses are always enabled if signatures and other
DNSSEC data are present. [GL #866]
* The cleaning-interval option has been removed. [GL !1731]
+ * The dnssec-lookaside option has been deprecated. The feature still
+ works, but it is discouraged to use it. [GL #7]
+
Feature Changes
* named will now log a warning if a static key is configured for the
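Review bot: The new dnssec-lookaside entry sits under "Removed Features" but says "The feature still works", which contradicts the section heading. The same hunk changes dnssec-enable from "deprecated" to "obsoleted", so the two terms are clearly meant to differ; a deprecated-but-working option would read better under Feature Changes, or the section should be retitled. The phrase "it is discouraged to use it" is also awkward; suggest "its use is discouraged".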
minimal queries in order to reduce the likelihood of encountering the
problem. [GL #1055]
+ * ./configure no longer sets --sysconfdir to /etc or --localstatedir to
+ /var when --prefix is not specified and the aforementioned options are
+ not specified explicitly. Instead, Autoconf's defaults of $prefix/etc
+ and $prefix/var are respected.
+
+ * Glue address records were not being returned in responses to root
+ priming queries; this has been corrected. [GL #1092]
+
License
BIND is open source software licensed under the terms of the Mozilla
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
- geoip-directory ( <quoted_string> | none );
+ geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
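Review bot: The geoip-directory line gains a "// not configured" annotation, which suggests the option grammar was generated from a build without libmaxminddb. The release notes in this same commit say geolocation support is compiled in by default when the library is found, so the shipped documentation now describes geoip-directory as unavailable in the release that introduces GeoIP2. Suggest generating this file from a build with GeoIP2 enabled, or making the annotation independent of the build host.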
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
-PATCHVER=1
+PATCHVER=2
RELEASETYPE=
RELEASEVER=
EXTENSIONS=